Re: What does FR 2.2.2 fix?
Hi,

> clarification/agreement from Stefan or others?

tried the newest GIT this morning and the proxy issues were gone. I haven't seen your "Internal sanity check failed" just yet (and am not looking forward to it :-/ ).

Stefan

> alan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ipad ssl error in free radius
Hi,

is the firmware on that iPad particularly old? Or maybe your OpenSSL on the server side? Things like mismatching cipher requirements or forced secure renegotiation might cause some of these issues.

Greetings,

Stefan Winter

On 19.09.13 06:27, val john wrote:
> hi guys
>
> we are getting the following error in our radius log when an iPad is trying to connect to our WIFI network. Our WIFI network is using EAP-TTLS + LDAP authentication. All other devices (linux, windows, mac os 10.8, Suse, android) are working fine apart from iPads.
>
> Error
> ===
> Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify
> Tue Sep 17 13:36:25 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
> Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> Tue Sep 17 13:36:25 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
> Tue Sep 17 13:36:25 2013 : Auth: Login incorrect (TLS Alert read:warning:close notify): [u...@ihk.com] (from client ManagementAPs port 1 cli 00-88-65-42-50-88)
>
> Do you guys have any idea what causes this issue?
>
> Thank you
> John
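Added example, not code from the thread or from the FreeRADIUS project: the OpenSSL error in the posted log line, error:140940E5, is a packed code (8-bit library, 12-bit function, 12-bit reason in OpenSSL 1.0.x), and unpacking it is the quickest way to see which stage of the handshake died before going hunting for cipher or renegotiation mismatches. The script below decodes that code, parses the five posted lines (used here as constructed sample input) and counts handshake-caused "Login incorrect" events per station MAC so that a single misbehaving device class stands out. The lib/func/reason name tables cover only the identifiers in the post; the pairing of error and "Login incorrect" lines assumes they are adjacent, as they are in the post, because the 2.x non-debug log carries no request id.

```python
import re
from collections import Counter

# OpenSSL 1.0.x packs an error as 0xLLFFFRRR: 8-bit library, 12-bit function,
# 12-bit reason (ERR_PACK in openssl/err.h). Only the identifiers seen in the
# post are tabled here; anything else is reported numerically.
ERR_LIB = {20: "SSL"}                        # ERR_LIB_SSL
SSL_FUNC = {148: "SSL3_READ_BYTES"}          # SSL_F_SSL3_READ_BYTES
SSL_REASON = {229: "ssl handshake failure"}  # SSL_R_SSL_HANDSHAKE_FAILURE

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
SSL_ERR_RE = re.compile(r"SSL error error:(?P<code>[0-9A-Fa-f]{8}):")
ALERT_RE = re.compile(r"TLS Alert (?P<dir>read|write):(?P<lvl>\w+):(?P<desc>[\w ]+)")
CLIENT_RE = re.compile(
    r"\(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<cli>[0-9A-Fa-f-]+)\)")

# Constructed sample input: the five lines from the post.
SAMPLE_LOG = [
    "Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify",
    "Tue Sep 17 13:36:25 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A",
    "Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure",
    "Tue Sep 17 13:36:25 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.",
    "Tue Sep 17 13:36:25 2013 : Auth: Login incorrect (TLS Alert read:warning:close notify): [u...@ihk.com] (from client ManagementAPs port 1 cli 00-88-65-42-50-88)",
]


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into library, function and reason."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return {
        "lib": ERR_LIB.get(lib, "lib#%d" % lib),
        "func": SSL_FUNC.get(func, "func#%d" % func),
        "reason": SSL_REASON.get(reason, "reason#%d" % reason),
    }


def parse_line(line):
    """Return a dict describing one radius.log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "level": m.group("level"), "msg": m.group("msg")}
    e = SSL_ERR_RE.search(ev["msg"])
    if e:
        ev["openssl"] = unpack_openssl_error(int(e.group("code"), 16))
    a = ALERT_RE.search(ev["msg"])
    if a:
        ev["alert"] = (a.group("dir"), a.group("lvl"), a.group("desc").strip())
    c = CLIENT_RE.search(ev["msg"])
    if c:
        ev["nas"], ev["station"] = c.group("nas"), c.group("cli").lower()
    return ev


def handshake_failures_by_station(lines):
    """Count 'Login incorrect' lines preceded by an SSL handshake failure, per station MAC.

    Assumption: the non-debug 2.x log carries no request id, so the lines of
    one request are taken to be adjacent, as they are in the post."""
    counts = Counter()
    pending = False
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.get("openssl", {}).get("reason") == "ssl handshake failure":
            pending = True
        if "station" in ev and ev["msg"].startswith("Login incorrect"):
            if pending:
                counts[ev["station"]] += 1
            pending = False
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        if "openssl" in ev:
            print("%(ts)s %(level)s: OpenSSL %(openssl)s" % ev)
    print(dict(handshake_failures_by_station(SAMPLE_LOG)))
```

Reading the decoded fields against the line before it ("failed in SSLv3 read client certificate A") tells you the server was waiting on the client's side of the handshake when the iPad sent close_notify, which is consistent with the client rejecting something about the server's offer rather than a credential problem.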
Re: [ANN] Version 3.0.0-rc1
Hi,

> We are in feature freeze for 3.0. The configuration format and behaviour for 3.0 will be stable between now and the final release (as it was with release_3_0_0_rc0).
>
> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behavior changes you notice.
>
> To provide a single point to test against, the release_3_0_0_rc1 tag has been created.

When trying to make install with the custom way of avoiding raddb as suggested on the list earlier (i.e.

mv raddb raddb-noinst
mkdir raddb
touch raddb/all.mk
make install

) I now encounter a Makefile error:

radius-int-1-new:~/freeradius-server-release_3_0_0_rc1 # make install
make: *** No rule to make target `/usr/local/freeradius/config/raddb/mods-config', needed by `/usr/local/freeradius/config/raddb/mods-config/perl'.  Stop.

As you see, I'm not inside /usr/local/freeradius at all ... I'm in /root/freeradius-server-release_3_0_0_rc1/. The raddb folder is empty except the 0-byte all.mk. Why would it think it needs to do something for /usr/local/freeradius/config/raddb/mods-config/perl ? This is an otherwise fresh rc1.

The directory above is the place where the config resides in; but it should leave that one alone, right?

configure runs with the following options:

./configure --prefix=/usr/local/freeradius/3.0.0-tagged-rc1 \
  --with-raddbdir=/usr/local/freeradius/config/raddb \
  --with-openssl \
  --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include \
  --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

(and that's the reason it knows about /usr/local/freeradius/config/raddb at all)

I believe that way to make "make install" ignore raddb used to work with rc0 and numerous GIT snapshots.

Greetings,

Stefan Winter

> Behaviour changes since release_3_0_0_rc0:
>
> * Fixed many more compiler warnings.
> * LDAP schemas to load dynamic clients from LDAP
> * the control socket is now marked stable
> * Added RFC 6929 dictionary, along with a few others
> * Clean up proxy ID allocation / re-allocation
> * pairbasicfree() has been replaced by talloc_free()
> * Added %{debug_attr:LIST} to print out all attributes in LIST
> * The PAP module can now configurably *not* normalize passwords
> * Remove support for %{#}, and add %{strlen:} expansion
>
> Bug fixes:
>
> * Corrected more documentation to match the new behavior and config
> * Corrected many minor typos and spelling mistakes in documentation and config files
> * If the installation directory exists, don't re-install files
> * add crlDistributionPoints to certificates for Windows phones.
> * Use documentation IP addresses everywhere (192.0.2/24)
> * Build fixes for clang related to the -rdynamic flag
> * Allow update sections to update outer.reply
> * Re-write module handler to work, the code is significantly cleaner, and priority overrides work correctly in all cases, #404, #424
> * CUI SQL fixes, #412
> * Don't die in RB tree re-allocation of proxy ID
> * Do a second pass over pre-compiled conditions, #421, #423
> * Add delete order to rbtree, #416 Also used by the proxy ID re-allocation code
> * Fixed TCP socket close handlers to be simpler and more robust
> * Allow ${..} expansion in `strings`
> * moved EAP destructors to talloc, which wasn't done in -rc0
> * Fix LDAP group comparisons, and other pair comparisons
> * NULL terminate strings copied between VALUE_PAIRs correctly
> * Fix !* when used with non-string attributes
> * Fix `` exec in update sections
> * Load libpython within rlm_python to ensure all required symbols are available
> * Don't SEGV printing IPv6 Interface ID
> * Don't SEGV evaluating dates in rlm_expiration
> * Fix ./configure --with-shared-libs=no
> * Fix crashes related to opaque request data and regular expressions
> * Fix heimdal krb5 build
>
> The tarball is available here:
> https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_rc1.tar.gz
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: [ANN] Version 3.0.0-rc1
Hi,

>> mv raddb raddb-noinst
>> mkdir raddb
>> touch raddb/all.mk
>> make install
>
> do 'mkdir raddb/mods-config'
>
> you've 'messed around' with the configuration directory which assumes that mods-config exists... i guess that could be fixed to make the directory first if it doesn't exist.

The idea is that make install is not supposed to touch my production config in any way. I don't want it to generously add directories without me knowing.

It was easy to tell it to back off earlier (even easier in v2 - just mv source/raddb/ out of the way), but now for some reason the old v3-style mechanism doesn't work any more.

I guess I could create the mods-config/ dir in my production config dir and it would make the symptom go away. I still found it worth reporting that some messing-around with the config dir is going on/attempted even when the source dir is told not to do that.

I think I understand from the earlier post that the make install target of rlm_perl wants to do something in raddb/mods-config/ on its own; and bails out when it can't. It's not nice if one module makes assumptions about a part of the directory structure it doesn't control. Nothing stops me from deploying a raddb with the configs lying in raddb/modules-configuration-information/ and it would be very undue if the stock build process bails out on failure then during a subsequent installation.

Greetings,

Stefan
Re: [ANN] Version 3.0.0-rc1
Hi,

> Because that all.mk file for the rlm_perl module installs example perl scripts in mod-config, the same with rlm_python and rlm_ruby. I guess we'll have to come up with a proper fix.

Does the file need to be created by the rlm's make install? The example scripts could be put into source/raddb/mods-config, and installed from raddb's own part of make install. That way, if I move raddb out of the way, nothing bad will happen; both the current content of raddb and all the script examples will be ignored.

Greetings,

Stefan Winter
Re: Segmentation Fault on [pap] Normalizing SSHA1-Password from base64 encoding
Hi,

>> The fix still needs config changes with a bit of a hackish workaround - read the thread til the end to get all the goodness.
>
> I tested some of the hashes that were giving me trouble and they all worked with the current branch version. I also read all the thread,

Glad to hear that :-)

The remaining issue occurs only when the base64-encoded SSHA password starts with the two characters "0x" or "0X". In that case, FreeRADIUS thinks "oh, a hex number, let's decode it" - while the input is not a number at all. Doesn't lead to crashes, but auths going wrong.

And, IIRC, that kind of failed decoding heuristics only happens inside the SQL module, so if you pull your SSHA hashes from elsewhere, it may not apply at all.

> and some things were not so clear for me (sorry for the noobiness). Could you explain your final configuration state?

The problem is that SSHA1-Password's data type triggers the wannabe-decoding. The workaround was to define another attribute myself, with another data type, which stops this from happening; and later re-coding into the original attribute name explicitly in the config.

> I saw the unlang:
>
> update reply {
>         SSHA1-Password := 0x%{base64tohex: %{control:RESTENA-SSHA1-Password1}}
> }
>
> And the SQL syntax:
>
> SELECT id, username, 'RESTENA-SSHA1-Password', value, op FROM check_smtp_ssha1 WHERE username='%{SQL-User-Name}
>
> Are these configurations obligatory? I'm using the standard radcheck table (id,username,attribute,op,value) and query that comes with freeradius. From what I understood, I need to create a VSA, assign my SSHA1-Password attribute to it and convert it to hex format using the unlang and xlat? Without these extra configuration, the messages from authorization are now:

That's right, the RESTENA-* thing is a VSA. Not sure about the data type right now, not in the office. I think SSHA1-Password's failing one is "octets" and the VSA is "string" (or "text"?) instead. Ehm, the thread should tell you :-)

If you have control over your database, it's obviously better to change the attribute name inside the DB to your VSA's attribute name, and to leave the standard queries in sql.conf untouched. In my setup, I did not have that luxury, thus the override of attribute name to a hard-wired RESTENA-SSHA1-Password.

> [pap] login attempt with password "senhasecreta"
> [pap] Using SSHA encryption.
> [pap] User authenticated successfully
> ++[pap] = ok
>
> So the Normalizing error and segmentation fault isn't happening anymore.

With only those specific 0x/0X characters triggering failure, you'd see approx. 1 out of 16.000 hashes being affected. Depending on your deployment size, you may simply not have seen it yet :-)

The normal non-debug log would not produce any clue that something went wrong (aside from "auth failed"), as the error would be an SQL query error - even though the query is perfectly fine; it's the post-processing that goes wrong.

HTH,

Stefan
Re: Segmentation Fault on [pap] Normalizing SSHA1-Password from base64 encoding
Hi,

> http://lists.freeradius.org/pipermail/freeradius-devel/2013-May/008046.html
> http://lists.freeradius.org/pipermail/freeradius-users/2013-May/066440.html
>
> I also did everything that Stefan Winter did - gdb live server, valgrind, look at the source, compare with 3.0 - and got the same results. In the -devel thread Alan DeKok says there won't be any patches or development on the 2.2.x branch anymore, and I tested with 3.0 with success. So I ask: is there any way to backport the fix to the 2.2.x branch? I don't know C very well but if it's not so hard, I might try talking to people who know how to code and create an unofficial patch. I saw that the base64 is now using a brave new approach on 3.0.
>
> And also, if keeping this bug forever in the 2.2.x branch, what is, in your opinions, the best way to store the encrypted passwords? I'm using the SSHA-Password attribute, salted with the uuidgen command. And I was thinking, if I use a salt with only 16 characters instead of 32+, is there any chance for this bug to happen? It'll be easier for me to fix the salts instead of the code. I can't migrate to 3.0 right now because the system is in production state. (Please, don't say Cleartext-Passwords are the solution :P)

You should read the (entire!) thread on -devel titled "2.x.x (and earier?): yet another decoding SSHA issue" during which at some point the 2.x.x branch code got fixes for the bulk of the issue. This will be in 2.2.1; but you can safely grab current branch, it's running stable on my production systems for a long time now.

The fix still needs config changes with a bit of a hackish workaround - read the thread til the end to get all the goodness.

Greetings,

Stefan Winter

> The following hash generates the crash:
> 42A9cqWnI8QAyQLsy7+iZDNKkrwzYzZlMjFiMC00YWFlLTQyN2QtOTdlNC0zNjIyYTZmYjhjNDk=
>
> Thanks!
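Added example for the two SSHA messages above (not code from the thread, not FreeRADIUS code): it builds and verifies SSHA1 hashes in the layout rlm_pap consumes, base64(SHA1(password || salt) || salt) with the salt trailing the 20-byte digest, splits the hash posted in the thread to show its uuidgen salt (the password behind it is unknown and is not guessed), flags the encodings whose base64 text starts with "0x"/"0X", and offers both workarounds the thread circles around: the unlang route (re-encode as an unambiguous 0x-prefixed hex string) and the "fix the salts instead of the code" route (re-salt until the prefix goes away). The salt search in find_hex_prefix_case is only there to manufacture a reproducer for the decoding heuristic without waiting for a real user to hit it.

```python
import base64
import hashlib
import hmac
import uuid

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes of SHA-1, then the salt

# Sample input: the hash posted in the thread.
POSTED_HASH = "42A9cqWnI8QAyQLsy7+iZDNKkrwzYzZlMjFiMC00YWFlLTQyN2QtOTdlNC0zNjIyYTZmYjhjNDk="


def _b(s):
    return s.encode("utf-8") if isinstance(s, str) else s


def ssha1_encode(password, salt):
    """base64(SHA1(password || salt) || salt), the SSHA1-Password wire form."""
    digest = hashlib.sha1(_b(password) + _b(salt)).digest()
    return base64.b64encode(digest + _b(salt)).decode("ascii")


def ssha1_split(encoded):
    """Return (digest, salt); the salt is everything after the 20-byte digest."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("SSHA1 value too short: %d bytes" % len(raw))
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha1_verify(password, encoded):
    """Constant-time comparison of SHA1(password || stored salt) with the stored digest."""
    digest, salt = ssha1_split(encoded)
    candidate = hashlib.sha1(_b(password) + salt).digest()
    return hmac.compare_digest(candidate, digest)


def has_hex_prefix(encoded):
    """True for the base64 texts the thread says the 2.x SQL path treats as hex."""
    return encoded[:2] in ("0x", "0X")


def ssha1_encode_avoiding_hex_prefix(password, make_salt=lambda: str(uuid.uuid4()), tries=64):
    """Re-salt until the base64 form does not start with 0x/0X. The prefix is a
    property of the first digest bytes, so a fresh salt usually clears it at once."""
    for _ in range(tries):
        encoded = ssha1_encode(password, make_salt())
        if not has_hex_prefix(encoded):
            return encoded
    raise RuntimeError("could not find a salt without the 0x prefix")


def find_hex_prefix_case(password, limit=1000000):
    """Walk counter-style salts until one yields a 0x/0X-prefixed encoding, to
    build a regression case for the decoding heuristic on demand."""
    for i in range(limit):
        salt = "salt%d" % i
        if has_hex_prefix(ssha1_encode(password, salt)):
            return salt
    raise RuntimeError("no 0x-prefixed case within %d salts" % limit)


def as_hex_octets(encoded):
    """What the unlang workaround in the thread produces: an unambiguous
    0x-prefixed hex string of the raw digest || salt bytes."""
    return "0x" + base64.b64decode(encoded).hex()


if __name__ == "__main__":
    digest, salt = ssha1_split(POSTED_HASH)
    print("posted hash: %d-byte digest, salt %r" % (len(digest), salt))
    print("posted hash triggers the 0x heuristic:", has_hex_prefix(POSTED_HASH))
    bad_salt = find_hex_prefix_case("senhasecreta")
    print("0x-prefixed reproducer:", bad_salt, ssha1_encode("senhasecreta", bad_salt))
```

Note that shortening the salt, as the poster considered, changes nothing about the prefix: the first two base64 characters come from the first bytes of the SHA-1 digest, not from the salt, so any salt length can produce a "0x" encoding; only picking a different salt (or storing the hex form) avoids it.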
Re: [ANN] Version 3.0.0-rc0
Hi,

>> # mv raddb raddb-noinst
>> # mkdir raddb
>> # touch raddb/all.mk
>> # make install
>
> that's easy enough, thanks!

Except that it doesn't suffice :-/

INSTALL rlm_utf8.la
INSTALL rlm_always.la
INSTALL rlm_logintime.la
INSTALL rlm_attr_filter.la
INSTALL rlm_soh.la
make: *** No rule to make target `/usr/local/freeradius/config/raddb/mods-config', needed by `/usr/local/freeradius/config/raddb/mods-config/perl'.  Stop.

Do I need to mkdir and touch all subdirs as well?

Stefan
2.x.x and radtest: no IPv6?
Hi,

while using radtest, I got some strange results:

# ./radtest swinter testpwd [::1] 123 testing123
radclient: Failed to find IP address for host ::1: Success

# ./radtest swinter testpwd ipv6-localhost 123 testing123
radclient: Failed to find IP address for host ipv6-localhost: Success

ipv6-localhost is in my /etc/hosts. I'd expect both of these to work... no brackets also doesn't work, but that was just my last straw and doesn't have to work anyway.

Does radtest not support IPv6? I could have sworn it did IPv6 earlier, but not totally sure.

Greetings,

Stefan Winter
Re: 2.x.x and radtest: no IPv6?
Hi,

>> Does radtest not support IPv6? I could have sworn it did IPv6 earlier, but not totally sure.
>
> ahem
>
>   -4  Use IPv4 for the NAS address (default)
>   -6  Use IPv6 for the NAS address

Uh. Sorry.

Still... maybe for a later version... if the input looks like an IP address, guessing the address family isn't all that hard. I see that such a -4 / -6 option is required for hostnames, but even then only if they return addresses for both families. ipv6-localhost only returns ::1. And ::1 successfully parses neither as an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous and could be auto-detected.

That would add a little user-friendliness for users who didn't have enough sleep :-)

Stefan
Re: [ANN] Version 3.0.0-rc0
Hi,

I'd love to try. Looking at GITHUB's master branch, I see that the latest commit was 5 months ago, and the last tag is 3_0_0_beta1 ? There's also no other branch name that suggests recent versions. Anything wrong with github?

Stefan

On 16.07.2013 15:15, Alan DeKok wrote:
> Stefan Winter wrote:
>> (0) ERROR: %{#User-Password}
>> (0) ERROR:     ^ Unknown attribute
>> (0) ERROR: Evaluation of condition failed for some reason.
>> (0)else else {
>> (0)  - entering else else {...}
>>
>> Earlier, this would yield the number of characters in the incoming request's User-Password attribute, and see if it's exactly 96 Bytes. I don't know why the # triggers an unknown attribute? Looks like a bug to me...
>
> That code was removed because it was horrid.
>
> I've pushed a fix, including fixes to documentation. Use %{strlen:...} instead.
>
> Alan DeKok.
Re: [ANN] Version 3.0.0-rc0
Hi,

> Anything wrong with github?

Oh, never mind that. git.freeradius.org has a link to:

http://github.com/alandekok/freeradius-server/tree/master

which is probably not the best place to link to. Sure, if you read the github notice on that page it'll tell you

"Alan DeKok's private copy of the FreeRADIUS Server code. Do NOT fork this. Use the link below instead. https://github.com/FreeRADIUS/freeradius-server"

And if you do that, you'll get the source. But wouldn't it be much more useful to send people to the correct URL immediately?

Stefan

> Stefan
>
> On 16.07.2013 15:15, Alan DeKok wrote:
>> Stefan Winter wrote:
>>> (0) ERROR: %{#User-Password}
>>> (0) ERROR:     ^ Unknown attribute
>>> (0) ERROR: Evaluation of condition failed for some reason.
>>> (0)else else {
>>> (0)  - entering else else {...}
>>>
>>> Earlier, this would yield the number of characters in the incoming request's User-Password attribute, and see if it's exactly 96 Bytes. I don't know why the # triggers an unknown attribute? Looks like a bug to me...
>>
>> That code was removed because it was horrid.
>>
>> I've pushed a fix, including fixes to documentation. Use %{strlen:...} instead.
>>
>> Alan DeKok.
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

Here's another thing that worked in 2.x, should continue to according to man 5 unlang, but doesn't:

(0) ? if ( User-Name == cyrus )
(0)     expand: cyrus -> 'cyrus'
(0) ? if ( User-Name == cyrus ) -> FALSE
(0) ? elsif ( %{#User-Password} == 96 )
(0)     expand: 96 -> '96'
(0) ERROR: %{#User-Password}
(0) ERROR:     ^ Unknown attribute
(0) ERROR: Evaluation of condition failed for some reason.
(0)else else {
(0)  - entering else else {...}

Earlier, this would yield the number of characters in the incoming request's User-Password attribute, and see if it's exactly 96 Bytes. I don't know why the # triggers an unknown attribute? Looks like a bug to me...

Greetings,

Stefan Winter
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

Here's one thing during make install that used to work, but now ceased.

In 2.x.x, there was an easy mechanism to prevent make install from generously copying config files into the target config directory. This worked by doing a "mv raddb raddb-somestring". make install would not find the raddb directory and ignore it during install. That was quite cool; I have a config dir which only contains files which are actually in use; like I don't have a "users" file. If raddb is in place during a make install, this would copy the default config files (a.k.a. random junk) into my production config.

Now, with 3.0.0 if I try the same trick, I get:

# mv raddb raddb-noinst
# make install
scripts/boiler.mk:552: raddb/all.mk: No such file or directory
make: *** No rule to make target `raddb/all.mk'.  Stop.

I understand that the urgency of preserving existing config dirs is lower; due to the server not creating new modules in modules/ any more; these days, it can mess with mods-available as it likes. But still, the hygiene I could apply to my config previously was nice. Any chance to get this back?

Greetings,

Stefan Winter
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

The errors for people upgrading from 2.x are a bit cryptic. Of course reading README.rst will solve it, but the initial complaints when just starting with -X are:

(I have user, group, and allow_core_dumps both on the top-level AND in the security subsection to have a config for 2.x and 3.x - this used to be okay, with the top-level entries simply ignored)

main {
	security {
		user = radiusd
		group = radiusd
		allow_core_dumps = no
	}
/usr/local/freeradius/config/raddb/radiusd.conf[0]: Configuration item "user" is deprecated
/usr/local/freeradius/config/raddb/radiusd.conf[0]: Replace "user" with "group"
}

Here it complained about the top-level "user" - but suggesting to replace it with "group"?

After commenting out the user and group ones, I got to allow_core_dumps:

main {
	security {
		user = radiusd
		group = radiusd
		allow_core_dumps = no
	}
/usr/local/freeradius/config/raddb/radiusd.conf[0]: Configuration item "allow_core_dumps" is deprecated
/usr/local/freeradius/config/raddb/radiusd.conf[0]: Replace "allow_core_dumps" with "(null)"
}

"Replace with null" makes it look like the config parameter doesn't exist any more; while it simply moved into security { }.

Stefan
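Added example, not FreeRADIUS code and not from the thread: a small pre-flight lint for a 2.x radiusd.conf that reports user, group and allow_core_dumps at the top level (the three items the message above shows moving into security { } in 3.0) with a message that says where they went, instead of "Replace user with group". The parser covers the key = value / section { ... } / # comment subset of the file format, which is all radiusd.conf needs; the sample configuration is constructed to mirror the posted dual 2.x/3.x layout.

```python
MOVED_INTO_SECURITY = ("user", "group", "allow_core_dumps")

# Constructed sample: the dual 2.x/3.x layout from the post.
SAMPLE_CONF = "\n".join([
    "prefix = /usr/local/freeradius",
    "user = radiusd            # 2.x location",
    "group = radiusd",
    "allow_core_dumps = no",
    "security {",
    "\tuser = radiusd          # 3.0 location",
    "\tgroup = radiusd",
    "\tallow_core_dumps = no",
    "}",
    "listen {",
    "\ttype = auth",
    "\tipaddr = *",
    "\tport = 0",
    "}",
    "",
])


def _strip_comment(line):
    """Drop a # comment unless the # sits inside a double-quoted string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def iter_items(text):
    """Yield (line_no, section_path, key, value) for every key = value line,
    tracking section nesting so the path tells top level from security { }."""
    stack = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        if line.startswith("}"):
            if not stack:
                raise ValueError("unbalanced '}' at line %d" % n)
            stack.pop()
            line = line[1:].strip()          # tolerate "} else {"
        if "=" in line and not line.endswith("{"):
            key, value = line.split("=", 1)
            yield n, tuple(stack), key.strip(), value.strip()
        elif line.endswith("{"):
            words = line[:-1].split()
            stack.append(words[0] if words else "")
    if stack:
        raise ValueError("unclosed section(s): " + "/".join(stack))


def lint_migration(text):
    """Return (line_no, key, advice) for top-level items 3.0 expects inside security { }."""
    items = list(iter_items(text))
    in_security = {k for _, path, k, _ in items if path == ("security",)}
    findings = []
    for n, path, key, _ in items:
        if path == () and key in MOVED_INTO_SECURITY:
            if key in in_security:
                advice = "already set inside security { }; delete this top-level copy"
            else:
                advice = "move it into security { }"
            findings.append((n, key, advice))
    return findings


if __name__ == "__main__":
    for n, key, advice in lint_migration(SAMPLE_CONF):
        print("radiusd.conf[%d]: %s: %s" % (n, key, advice))
```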
Re: [ANN] Version 3.0.0-rc0
Hi,

On 15.07.2013 10:24, Alan DeKok wrote:
> # mv raddb raddb-noinst
> # mkdir raddb
> # touch raddb/all.mk
> # make install

that's easy enough, thanks!

Stefan
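Added example for the make-install messages in this thread (not part of FreeRADIUS or its build system): whatever trick is used to keep "make install" away from the production raddb, the property actually wanted is "nothing under the config directory was added, removed or modified", and that is cheap to verify. The script snapshots a directory tree (sha256 per file, directories recorded as such) before an install step and diffs it afterwards. The self-test uses a throwaway directory and a stand-in for a misbehaving installer that drops mods-config/perl/ and appends to radiusd.conf, both constructed; against a real build you pass a function that runs make install.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map each directory and regular file under root (relative, '/'-separated)
    to 'dir' or to the sha256 of its content."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if rel != ".":
            state[rel.replace(os.sep, "/")] = "dir"
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            state[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return state


def diff_snapshots(before, after):
    """Paths that appeared, vanished, or changed content between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def run_and_diff(config_dir, install_step):
    """Run install_step() and return what changed under config_dir; three empty
    lists mean the step kept its hands off the configuration."""
    before = snapshot(config_dir)
    install_step()
    return diff_snapshots(before, snapshot(config_dir))


def selftest():
    """Constructed scenario: an installer that adds mods-config/perl/ and appends to radiusd.conf."""
    tmp = tempfile.mkdtemp()
    try:
        raddb = os.path.join(tmp, "raddb")
        os.makedirs(os.path.join(raddb, "mods-enabled"))
        with open(os.path.join(raddb, "radiusd.conf"), "w") as f:
            f.write("prefix = /usr/local/freeradius\n")

        def rogue_install():
            os.makedirs(os.path.join(raddb, "mods-config", "perl"))
            with open(os.path.join(raddb, "mods-config", "perl", "example.pl"), "w") as f:
                f.write("# example script\n")
            with open(os.path.join(raddb, "radiusd.conf"), "a") as f:
                f.write("# touched by installer\n")

        return run_and_diff(raddb, rogue_install)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(selftest())
```

For the real thing, `run_and_diff("/usr/local/freeradius/config/raddb", lambda: subprocess.check_call(["make", "install"]))` (with subprocess imported) gives you the list to complain about on the list, rather than discovering stray files months later.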
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

I must be missing something pretty obvious, so sorry if the below question is just noise...

I'll have to replace my sql_log instances with rlm_sql_null (*sniff*). So as I was in the process of rewriting the first instance config, I stumbled over the 2.x parameter:

sql_log sql-relay-acct-vpn {
        path = ${radacctdir}/sql-relay-common
        ...
}

Which is useful for knowing where the text file with the queries ends up. And in 3.0.0-rc0 ... there is no such thing?!? Or I just don't get it. mods-available/sql speaks of setting "null" and dialect to "mysql" - and the dialect config doesn't have file names. The only filename I see in the sql config is sqltracefile. Maybe that's it, but with that parameter description, the semantics would be a rather horrible mismatch.

NB: README.rst doesn't mention the death of sql_log nor that sql (null) is its replacement.

Greetings,

Stefan Winter
Re: [ANN] Version 3.0.0-rc0
Hi,

>> I'll double check the default configs to make sure they list it and update the documentation.
>
> Fixes pushed for behaviour, and to fixup the default config files.

Good news! Just wondering: the files being written to are properly locked (a thread waits for the lock) - right? I have several instances of sql_log which all write to the same file, so converting them needs to keep that up.

Other than those issues, I now have a server which at least starts up with my half-converted config. A couple of legacy warnings and a non-suggested directory structure, but it works! I'll now start issuing actual requests for all my vservers.

Greetings,

Stefan Winter
Re: PEAP using different CA?
Hello,

>> To avoid the need of installing our CA certificate on every Windows machine, we'll buy the server certificate from a public CA.
>
> Having the CA cert installed only does half of the job; for EAP configuration purposes, the CA must be explicitly marked as trusted /for this EAP identity/. So you still need to tell users to set a checkbox beside that CA. The difference to importing the CA before that is not much more work; on Windows, it's a couple of clicks only.
>
> If this is a usability issue, I recommend you look at dissolvable setup clients like cloudpath, or investigate the various certificate/settings bundles that things like iPhones support.

And since he is from a university and likely his deployment is an eduroam one, you should also mention the dissolvable client setup tool eduroam CAT, https://cat.eduroam.org , which is free and tailored to eduroam. It will install private CAs just as fine and automated as it does commercial CAs.

Greetings,

Stefan Winter

> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: Failure authenticate using IPv6
Hi,

it's a very bad idea to use link-local addresses. You should use a global or ULA address instead. I don't *know* why this doesn't work, but it does with our global-scope addresses just fine, so I'm guessing it's the address type. Especially since link-local addresses are only valid with an interface scope. So fe80::215:17ff:fed0:d278 simply isn't an IPv6 address. fe80::215:17ff:fed0:d278%eth0 is the valid address. I don't know if the FreeRADIUS address parser is prepared to handle such interface-scoped addresses. There's not much use case for this.

Greetings,

Stefan Winter

On 23.05.13 16:11, Michael Sherman wrote:
> > what does this do...
> >
> > client fe80::215:17ff:fed0:d278 {
> >         secret = test
> >         shortname = test-net
> >         nastype = other
> > }
> >
> > ... ?
> >
> > alan
>
> Same :(
>
> radiusd: Loading Clients
>  client 127.0.0.1 {
>         require_message_authenticator = no
>         secret = testing123
>         shortname = localhost
>         nastype = other
>  }
>  client 10.10.0.0/16 {
>         require_message_authenticator = no
>         secret = bigsecret
>         shortname = test-net
>  }
>  client fe80::215:17ff:fed0:d278 {
>         require_message_authenticator = no
>         secret = bigsecret
>         shortname = test-net
>         nastype = other
>  }
> ...
> radiusd: Opening IP addresses and Ports
> listen {
>         type = auth
>         ipv6addr = :: IPv6 address [::]
>         port = 0
> }
> listen {
>         type = acct
>         ipv6addr = :: IPv6 address [::]
>         port = 0
> }
> listen {
>         type = control
>  listen {
>         socket = /usr/local/var/run/radiusd/radiusd.sock
>  }
> }
> listen {
>         type = auth
>         ipaddr = 127.0.0.1
>         port = 18120
> }
> ...
> adding new socket proxy address * port 54225
> Listening on authentication address :: port 1812
> Listening on accounting address :: port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address :: port 1814
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
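As an added example (not code from the thread and not FreeRADIUS code), this Python checker parses the client blocks of a clients.conf snippet like the one above, flags link-local addresses with or without an RFC 4007 interface scope, and explains an "unknown client" log line by checking whether the source address falls inside any configured client block and whether it is link-local. The configuration text and the log line are constructed from the thread; the secrets are placeholders.

```python
"""Lint clients.conf addresses for scope problems, as discussed above.

Added example, not FreeRADIUS code. A link-local (fe80::/10) address is only
meaningful together with an interface (RFC 4007 "%zone" suffix), so a client
entry using one is flagged and a global or ULA address suggested instead.
"""
import ipaddress
import re

# Opening line of a client block: "client <addr>[/<prefix>][%<zone>] {"
CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{", re.MULTILINE)
# FreeRADIUS "unknown client" log line, as in the debug output above
UNKNOWN_RE = re.compile(r"from unknown client (\S+) port (\d+)")


def classify_address(text: str) -> dict:
    """Classify one client address (host or CIDR prefix, optional %zone)."""
    zone = None
    if "%" in text:
        text, zone = text.split("%", 1)
    network = ipaddress.ip_network(text, strict=False)
    addr = network.network_address
    if addr.version == 6 and addr.is_link_local:
        kind = "link-local"
    elif addr.version == 6 and addr in ipaddress.ip_network("fc00::/7"):
        kind = "ula"
    elif addr.is_loopback:
        kind = "loopback"
    elif addr.is_private:
        kind = "private"          # RFC 1918 ranges for IPv4
    else:
        kind = "global"
    return {"network": network, "zone": zone, "kind": kind}


def lint_clients(conf_text: str) -> list:
    """Return (address, problem) pairs for client blocks that need attention."""
    findings = []
    for raw in CLIENT_RE.findall(conf_text):
        try:
            info = classify_address(raw)
        except ValueError as exc:
            findings.append((raw, f"unparseable address: {exc}"))
            continue
        if info["kind"] != "link-local":
            continue
        if info["zone"] is None:
            findings.append((raw, "link-local address without interface scope; "
                                  "use a global or ULA address instead"))
        else:
            findings.append((raw, f"link-local address scoped to {info['zone']}; "
                                  "prefer a global or ULA address"))
    return findings


def explain_unknown_client(log_line: str, conf_text: str):
    """For an 'unknown client' log line, report whether the source address is
    covered by any configured client block and whether it is link-local."""
    match = UNKNOWN_RE.search(log_line)
    if match is None:
        return None
    src = ipaddress.ip_address(match.group(1).split("%", 1)[0])
    configured_in = []
    for raw in CLIENT_RE.findall(conf_text):
        try:
            if src in classify_address(raw)["network"]:
                configured_in.append(raw)
        except ValueError:
            pass
    return {"source": str(src), "port": int(match.group(2)),
            "configured_in": configured_in,
            "link_local": src.version == 6 and src.is_link_local}


# Constructed from the client list in the thread; secrets are placeholders.
SAMPLE_CLIENTS = """
client 127.0.0.1 {
        secret = PLACEHOLDER
        shortname = localhost
}
client 10.10.0.0/16 {
        secret = PLACEHOLDER
        shortname = test-net
}
client fe80::215:17ff:fed0:d278 {
        secret = PLACEHOLDER
        shortname = test-net
}
client fe80::215:17ff:fed0:d278%eth0 {
        secret = PLACEHOLDER
        shortname = test-net-scoped
}
"""

SAMPLE_LOG = ("Ignoring request to authentication address :: port 1812 "
              "from unknown client fe80::215:17ff:fed0:d278 port 48848")

if __name__ == "__main__":
    for address, problem in lint_clients(SAMPLE_CLIENTS):
        print(f"{address}: {problem}")
    print(explain_unknown_client(SAMPLE_LOG, SAMPLE_CLIENTS))
```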
Re: segfault error
> the segfault. I was also able to get a core dump as well which I pasted at the bottom.

Which is *not* what we asked for.

Please follow the instructions in doc/bugs. It gives DETAILED instructions on what to post. You are NOT posting the information we need to be able to help you. You're just showing that you can run gdb. This isn't useful.

You need to run the gdb commands in doc/bugs, which tell us WHERE the problem occurred.

Alan DeKok.
Re: RADIUS shared secret over internet
Hi,

> RADSEC

These days, the more proper answer is: RFC6614 http://tools.ietf.org/html/rfc6614 :-)

Stefan
require_message_authenticator when sending
Hi,

I just noticed something unintuitive when trying to enforce the presence of Message-Authenticator on a server which has FreeRADIUS 2.2.0 as a proxying client.

In proxy.conf, home_server section, there is very strong wording that require_message_authenticator is good; and the default as spelt out in the config file is "= yes". My config simply omits the keyword entirely. With all those nice words about how good it is I was somewhat expecting it to default to yes in the code as well and set require = yes on the clients.conf on the receiving end. If omitted, the code sets it to NULL though, which seems to be a no.

Of course I'm fixing my config by making the yes explicit - but maybe adapting the defaults in realms.c might be a little more consistent behaviour.

Greetings,

Stefan Winter
Re: Release of Version 2.2.1
Hi,

> It's been a while since Version 2.2 was released, so it's time for the next release. I'd like to fix the reported memory leak issue, and then release it later next week. The changes are minor, and mostly cleanups and bug fixes. Please let me know if there are any issues.

According to current GIT in 2.x.x, my patch to prevent SIGTERM turning into SIGSEGV is not included yet. A proper shutdown is required on all systems using systemd, so I believe it would be very useful to get this into the mainstream release. For the mini, two-line patch which prevents this (admittedly not totally clean), please see my message to -devel on 12 Oct 2012, titled "SIGTERM - SIGSEGV".

Greetings,

Stefan Winter
Re: 277 realms to maintain
Hi,

> There are now 277 entries similar to this:
>
> realm domain.com {
>         auth_pool = my_auth_failover
>         nostrip
> }
>
> Could I use an $INCLUDE statement here to maintain the list of realms in a separate file? That way it would be easier to automate the creation of the realms list.

Sure. Just do exactly that.

Stefan

> Is there a better way of doing this?
>
> Thank you,
>
> Bertalan
Re: EAP TLS client
Hi,

> I have configured freeradius to entertain EAP-TLS requests. And I am using the freeradius certificate (shipped with the software). I got stuck at the end; now I don't know how to send an EAP-TLS request to the server. I read man radeapclient, but it only supports md5. Could you please tell me how I could send a request to the server using the EAP-TLS authentication method.

Either by using a real EAP supplicant (Windows machine, Mac OS, ...) or for a command-line test use eapol_test, which is part of wpa_supplicant.

Stefan
Re: helps with User-Password
Hi,

> Sending Access-Request of id 167 to 195.220.94.130 port 1812
>         NAS-Port-Id = AP41/1
>         Calling-Station-Id = 74-2F-68-ED-12-1C
>         Called-Station-Id = 00-0B-0E-A9-58-80:eduroam
>         Service-Type = Framed-User
>         EAP-Message = 0x0201001a01756e69762d6c696c6c65332e6672406372752e6672
>         User-Name = univ-lille3...@cru.fr
>         NAS-Port = 61847
>
> This attribute must be displayed?

No: there is no User-Password. This is an EAP request. Credentials are sent inside the EAP-Message attribute, and strongly encrypted between the source (user device) and the home RADIUS server at cru.fr. As an intermediate party, this is all you will get.

Why are you interested in other users' passwords?

Greetings,

Stefan Winter

> Thanks
Re: Statistics on EAP methods widely used
Hi,

> I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help?

In eduroam, every identity provider makes the choice of EAP type all on their own. I.e. we do not have a central register of who uses which EAP type. Of course these things can be found out; if by no other means by sniffing the first bytes of EAP conversations on proxies to see which EAP type was negotiated.

But seriously: what's the point? There are a number of EAP methods which satisfy the IETF requirements for good EAP types in RFC4017. So long as you stay in the good set - pick whatever fits your local situation best; some have advantages in certain situations, others don't. There is no definitive answer which EAP type is best, so you'll have to sit down and find out your own needs yourself.

And if you just want statistics for statistics' sake... sorry, that kind of information is so hard to get hold of, I'm reasonably confident that it won't be done unless there's a real use case for it.

That said, we might get information of that kind as a by-product of a configuration assistant tool which identity providers may use to make their lives easier, and then maybe we could generate numbers from that. Don't hold your breath though.

Greetings,

Stefan Winter
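As an added example (not from either thread and not FreeRADIUS code), the decoder below parses EAP-Message values like the one in the radclient dump of the "helps with User-Password" thread into code, identifier, type and, for an Identity response, the outer NAI and realm, which is all a proxy ever sees; it also tallies which method the server-side Requests in a batch of logged values propose, the "first bytes of EAP conversations" a proxy operator could count per the message above. The Identity value is the page's own; the TTLS, Nak and PEAP values are constructed.

```python
"""Decode RADIUS EAP-Message attribute values as printed by radiusd -X.

Added example, not FreeRADIUS code. EAP packet layout (RFC 3748):
Code(1) Identifier(1) Length(2) [Type(1) Type-Data(...)]. Only Identity
and Nak carry readable data; TLS-based methods (TLS, TTLS, PEAP) carry
TLS records, so no password is ever visible at a proxy.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2", 43: "FAST", 52: "PWD",
}


def decode_eap_message(hex_value: str) -> dict:
    """Parse one EAP-Message value ("0x..." or bare hex) into its fields.

    Raises ValueError when the Length field disagrees with the bytes present,
    which also happens when a long EAP packet was split over several
    EAP-Message attributes and only one of them is passed in.
    """
    if hex_value[:2].lower() == "0x":
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP Length {length} != {len(data)} bytes present")
    packet = {"code": EAP_CODES.get(code, f"unknown({code})"),
              "id": ident, "length": length}
    if code in (1, 2):                      # Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        eap_type = data[4]
        packet["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        packet["type_data"] = data[5:]
        if eap_type == 1:                   # Identity: outer NAI, e.g. user@realm
            identity = data[5:].decode("utf-8", errors="replace")
            packet["identity"] = identity
            packet["realm"] = identity.rsplit("@", 1)[1] if "@" in identity else None
        elif eap_type == 3:                 # Nak: peer lists the types it prefers
            packet["nak_proposed"] = [EAP_TYPES.get(b, f"unknown({b})")
                                      for b in data[5:]]
    return packet


def tally_eap_methods(attr_values) -> dict:
    """Count which EAP method each server Request proposes across a batch of
    logged EAP-Message values; Identity/Notification/Nak are negotiation
    traffic, not methods, and are skipped."""
    counts = {}
    for value in attr_values:
        packet = decode_eap_message(value)
        if packet["code"] != "Request":
            continue
        method = packet.get("type")
        if method in ("Identity", "Notification", "Nak"):
            continue
        counts[method] = counts.get(method, 0) + 1
    return counts


# The Response/Identity from the thread, then a constructed negotiation:
# server offers TTLS (id 3), peer Naks asking for PEAP, server offers PEAP (id 4).
SAMPLE_EAP_MESSAGES = [
    "0x0201001a01756e69762d6c696c6c65332e6672406372752e6672",
    "0x010300061520",   # Request id 3, type 21 (TTLS), flags byte 0x20 = Start
    "0x020300060319",   # Response id 3, type 3 (Nak), proposes type 25 (PEAP)
    "0x010400061920",   # Request id 4, type 25 (PEAP), Start
]

if __name__ == "__main__":
    for value in SAMPLE_EAP_MESSAGES:
        print(decode_eap_message(value))
    print(tally_eap_methods(SAMPLE_EAP_MESSAGES))
```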
Re: FW: customized format of log file
Hi,

> I'm deploying a WiFi proxy center with FreeRadius now, therefore I need detailed auth/acct log records for statistical purpose. While default format of detail log cannot satisfy my goal there, so is there any way to define my own customized format of auth/acct log file? for example, for auth, I can write AA value while receiving Access-Accept and AJ for Access-Reject into log file.
>
> Another question, how to use tab as delimiter of logging instead of default : ?
>
> In general, my question is: Can anyone of modules process any content of packets *without replacing and updating original attribute value* by regex, unlang before output of logging? just for logging purpose. Or it's necessary to use Perl?

See modules/linelog.

Stefan
Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Hi,

until today, I have been running FreeRADIUS 2.2.0 successfully with a system-supplied openSSL. Today, I compiled with

  --with-openssl --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

the path is in ld.so.conf, and ldd shows that linking against this new version works. However, when running PEAP on this version, I get a segmentation fault now:

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
        User-Name = test.edur...@education.lu
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
        Reply-Message = What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam.
Segmentation fault

The repetition of that attribute is NOT an error; it's there to inflate the packet beyond 1500 bytes to trigger UDP fragmentation (this is our Nagios testing).

In 2.2.0 against the old openSSL version, everything works fine - Access-Accept.

Any hints?

Greetings,

Stefan Winter
Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Hi,

> > Today, I compiled with
> >
> >   --with-openssl --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
> >
> > the path is in ld.so.conf, and ldd shows that linking against this new version works.
>
> Are you sure? The openssl SEGV problem is almost always because you have two versions of OpenSSL installed. What is likely happening is that the compile stage is picking up the system-supplied OpenSSL include files.
>
> The way to test this is to rename / move them, do the build, and then the install. If it now works, it was picking up OpenSSL X, and linking against OpenSSL Y.

Hm, okay... will do.

Stefan

> Alan DeKok.
Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Hi,

> > > --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
> >
> > Are you sure? The openssl SEGV problem is almost always because you have two versions of OpenSSL installed. What is likely happening is that the compile stage is picking up the system-supplied OpenSSL include files.
> >
> > The way to test this is to rename / move them, do the build, and then the install. If it now works, it was picking up OpenSSL X, and linking against OpenSSL Y.
>
> Hm, okay... will do.

That was it indeed. Had to change the include path above to

  --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include

because configure adds the openssl/ sub-path on its own. Now it works like a charm (as usual :-) ).

Thanks!

Stefan

> Stefan
>
> > Alan DeKok.
Re: Testing pre-2.2.0
Hi,

> > It's running only since a few minutes, so hard to make a long-term prediction, but at least there's no immediate problem in sight.
>
> Thanks. I'll try to get the release out this week. (finally)

As an extra heads-up: I've put it onto our primary some time last week, where it gets plenty of non-EAP requests and accounting stuff, too. Works like a charm.

Stefan
Re: sql_log and Accounting On/Off
Hi,

> > Anyway, adding an example would still be nice :-)
>
> Submit a patch, or edit the wiki? :D

Here goes a unified diff - took the statement from sql/mysql/dialup.conf.

Greetings,

Stefan Winter

--- sql_log.orig	2012-08-10 11:05:49.690247808 +0200
+++ sql_log	2012-08-10 11:08:51.280864849 +0200
@@ -36,18 +36,42 @@ AcctSessionTime, AcctTerminateCause) VALUES \ ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ '%{Framed-IP-Address}', '%S', '0', '0', ''); + Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ AcctSessionTime, AcctTerminateCause) VALUES \ ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ '%{Acct-Terminate-Cause}'); + Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ AcctSessionTime, AcctTerminateCause) VALUES \ ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}',''); + Accounting-On = UPDATE ${acct_table} \ + SET \ + acctstoptime = '%S', \ + acctsessiontime= unix_timestamp('%S') - \ + unix_timestamp(acctstarttime), \ + acctterminatecause = '%{Acct-Terminate-Cause}', \ + acctstopdelay = %{%{Acct-Delay-Time}:-0} \ + WHERE acctstoptime IS NULL \ + AND nasipaddress = '%{NAS-IP-Address}' \ + AND acctstarttime = '%S' + + Accounting-Off = UPDATE ${acct_table} \ + SET \ + acctstoptime = '%S', \ + acctsessiontime= unix_timestamp('%S') - \ + unix_timestamp(acctstarttime), \ + acctterminatecause = '%{Acct-Terminate-Cause}', \ + acctstopdelay = %{%{Acct-Delay-Time}:-0} \ + WHERE acctstoptime IS NULL \ + AND nasipaddress = '%{NAS-IP-Address}' \ + AND acctstarttime = '%S' + Post-Auth = INSERT INTO ${postauth_table} \ (username, pass, reply, authdate) VALUES\ ('%{User-Name}', '%{User-Password:-Chap-Password}', \ -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 signature.asc Description: OpenPGP digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
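Review bot: the WHERE clause of both added statements, `AND acctstarttime = '%S'`, only matches sessions whose acctstarttime equals the timestamp of the Accounting-On/Off packet itself, so for a NAS that just rebooted nearly every session still open in ${acct_table} would keep acctstoptime NULL; the close-everything-still-open semantics of the accounting_onoff_query these were taken from need `AND acctstarttime <= '%S'` (if the `<` was lost in mail transit, the hunk still deserves a check against the original before it is applied). The Accounting-On and Accounting-Off entries being byte-for-byte identical is fine, since sql_log selects the statement by Acct-Status-Type, but `unix_timestamp()` makes them MySQL-only, and a comment line above them saying they come from sql/mysql/dialup.conf would spare users of another database the surprise.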
sql_log and Accounting On/Off
Hello,

I'm currently migrating a number of direct accounting sql module calls to delayed writes using sql_log. I noticed that sql_log has statements for Start, Stop, Alive (and Post-Auth, about which I don't care at that point). The real SQL modules have accounting_on_off_query, too. I wonder how to send stuff to sql_log when an On/Off arrives... guessing that I'm simply overlooking something.

Greetings,

Stefan Winter
Re: sql_log and Accounting On/Off
Hi,

> I wonder how to send stuff to sql_log when an On/Off arrives... guessing that I'm simply overlooking something.

Looking at the code: could it be that I can just use Accounting-On and Accounting-Off as keys, because the code seems to reference the values of Acct-Status-Type? That would be cute; but it's hard to find - one has to go into the code. So if I'm right with that, could the documentation in modules/sql_log be updated for 2.2.0? At least adding it as an example like the others would be nice.

Greetings,

Stefan Winter
Re: sql_log and Accounting On/Off
Hi,

> That would be cute; but it's hard to find - one has to go into the code. So if I'm right with that, could the documentation in modules/sql_log be updated for 2.2.0? At least adding it as an example like the others would be nice.

Ah, man 5 rlm_sql_log. Right. Sorry for the noise.

Anyway, adding an example would still be nice :-)

Stefan
Re: Radius Timeout instead of Access-Reject
Hi,

there's reject_delay in radiusd.conf. It is typically set to one second to prevent some attacks. You could set it to zero and then the reject may come through faster. Still, 300 ms is *really* low even for that - depending on the time your auth backend needs to even determine whether it was success or failure may take longer than that.

Stefan

On 07.08.2012 20:55, Antonio Modesto wrote:
> You're right, it worked. The default mikrotik timeout is 300ms, I've set it to 5000 ms and I've got the right answer. One more question: though I'll reconfigure all the timeouts on my NASes, why doesn't this problem happen with freeradius 1.X? Is that normal? Or is it something that's causing my freeradius 2.x to take longer to reply to the requests?
>
> 2012/8/7 Alan DeKok al...@deployingradius.com
>
> > Antonio Modesto wrote:
> > > Hi, I work at an ISP in Brazil, our main radius server is running freeradius 1.X. I'm configuring a new server with freeradius 2.X and doing some tests to see if I find any problem before putting it on production. So far I've found a little problem that doesn't stop me from putting it in production, but can confuse in case of a radius failure. When an authentication failure happens, on the nas it appears that the radius server is not responding, it shows a Radius timeout message, here is the output of the radius debug:
> >
> > The timeouts on the NAS are set WAY too low.
> >
> > > Delaying reject of request 4 for 1 seconds
> > > Going to the next request
> > > Waking up in 0.9 seconds.
> > > rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
> > > Waiting to send Access-Reject to client teste port 35710 - ID: 86
> >
> > i.e. the NAS didn't see a reply, and retransmitted.
> >
> > > Waking up in 0.6 seconds.
> > > rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
> > > Waiting to send Access-Reject to client teste port 35710 - ID: 86
> >
> > And retransmitted again 0.3 seconds later.
> >
> > > Waking up in 0.3 seconds.
> > > Sending delayed reject for request 4
> > > Sending Access-Reject of id 86 to 192.168.2.100 port 35710
> >
> > And then the server responded 0.3 seconds later.
> >
> > Fix the NAS so it doesn't have *ridiculous* timeouts. RADIUS timeouts are normally in the multi-second range. Having the NAS retransmit multiple times a second is stupid, wrong, and will create problems.
> >
> > Alan DeKok.
>
> --
> Regards,
> Antônio Modesto
> IT Manager
> Praça Getúlio Vargas, 77, Sala 308, Centro
> Santo Antônio do Monte, MG, CEP: 35560-000
> Tel: (37) 3281-2800
> Contact: isimp...@isimples.com.br
> http://www.isimples.com.br
Re: Testing pre-2.2.0
Hi,

> We're (again) close to releasing 2.2.0. This time for real. In order to make the server more future-proof, I've made some changes to the TTLS parser. This will solve issues in the long term. But it needs more testing now.
>
> Please try the git v2.1.x branch with various supplicants, and TTLS. Please post here if it works / fails.

I've just installed it on one of our servers (today's GIT). Compiles and starts just fine; I've directed all our eduroam traffic at it (mix of PEAP and TTLS) and see lots of Access-Accepts. It's running only since a few minutes, so hard to make a long-term prediction, but at least there's no immediate problem in sight.

Greetings,

Stefan Winter
Re: Testing pre-2.2.0
Hi,

> It's running only since a few minutes, so hard to make a long-term prediction, but at least there's no immediate problem in sight.

Well... EAP-TLS seems not to work for me. My iPhone gets Rejects now.

primary server (2.1.12):

Wed Aug  8 12:57:46 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:27:45 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:30:18 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:31:04 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:42:39 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:42:43 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 14:43:41 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 14:43:45 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)

backup server (2.2.0-pre):

Wed Aug  8 15:35:44 2012 : Auth: Login incorrect: [certuser-2010-...@restena.lu/via Auth-Type = eap-staff] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)

I have neither touched the iPhone nor the server; primary and backup run the same configuration - synced via SVN. I can revert back to 2.1.12 on the backup to verify that that fixes it to be sure...

Stefan
Re: Testing pre-2.2.0
Hi,

> I have neither touched the iPhone nor the server; primary and backup run the same configuration - synced via SVN. I can revert back to 2.1.12 on the backup to verify that that fixes it to be sure...

Never mind; a file in sites-enabled was out of sync with the primary, and did something that never worked, also not with 2.1.12. Now working fine with 2.2.0-pre.

Stefan
Re: EAP-TLS WinXP, default_md MD5, default_eap_type
Hello,

the MD5 that is used in EAP-MD5 (configured in eap.conf) and the MD5 that is used as a message digest in certificate generation (configured in the .cnf files you mentioned) have *nothing* to do with each other. I.e. you can change one without side-effects on the other.

Since there is no EAP-SHA1, it does not make sense to add a sha1 { } section in eap.conf. The replacements for MD5 in EAP are things like TTLS, PEAP, TLS, and others. They are mentioned in eap.conf. If you want to get rid of EAP-MD5, configure one of those.

Greetings,

Stefan Winter

On 11.07.2012 21:17, Si St wrote:
> The following questions about changing default_md and default_eap_type are solely for the matter that I should have RADIUS work on some Linux machines and some Windows machines, all of them hopefully with TLS client certificates mainly. There are some diversities as to MD5 and post-SP1 WinXP:
>
> http://freeradius.org/doc/EAP-MD5.html
>
> QUOTE:
> Windows XP (before SP1)
> Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!! EAP-MD5 is only available for wired devices.
> Go to the Network Connections window. Right-click the connection corresponding to the adapter which is going to use EAP authentication. Go to the Authentication tab. If it doesn't appear (yes, it's weird sometimes) try to unplug and plug your adapter till it does (if PCMCIA...) Otherwise, download the software for the adapter configuration like e.g. ACU for the Cisco adapters and try to de- and reactivate the card. In the Authentication dialog, assure the box Use IEEE802.1X network authentication is checked. Set your EAP type there (EAP/MD5 Challenge). That's all. Now deactivate and reactivate your LAN-connection on this adapter and it should work.
> ENDQUOTE.
>
> This recommendation is put forth in the etc/raddb/certs/README:
>
> QUOTE:
> MD5 has known weaknesses and is discouraged in favor of SHA1 (see http://www.kb.cert.org/vuls/id/836068 for details). If your network equipment supports the SHA1 signature algorithm, we recommend that you change the ca.cnf, server.cnf, and client.cnf files to specify the use of SHA1 for the certificates. To do this, change the 'default_md' entry in those files from 'md5' to 'sha1'.
> ENDQUOTE.
>
> In the eap.conf this is put forth:
>
> QUOTE:
> # We do NOT recommend using EAP-MD5 authentication
> # for wireless connections. It is insecure, and does
> # not provide for dynamic WEP keys.
> # md5 {
> # }
> ENDQUOTE.
>
> QUESTIONS:
>
> - Should I stick only to the changes of default_md in ca.*, server.*, and client.cnf and leave the eap.conf unchanged, or should I add a module like sha1 { }, or change the md5 { } to sha1 { }, or should it be done differently? I count on the postulate in eap.conf that:
>
> QUOTE:
> # If the EAP-Type attribute is set by another module,
> # then that EAP type takes precedence over the
> # default type configured here.
> ENDQUOTE
>
> and therefore I do not need to change so much in eap.conf.
>
> - Should I by all means keep the WinXP user client to a PEAP solution because the nice doc in http://freeradius.org/doc/EAPTLS.pdf for Windows is outdated or won't work today?
>
> It could be that I complicate the matter here by mixing together parts that do not belong to each other, but I have to ask.
Re: Help needed to configure FreeRADIUS for eduroam
Hi,

> I am struggling to configure my FreeRADIUS server for eduroam (www.eduroam.org). As I understood that some subscribers have done the configuration successfully, I come here to get help. I have been running my FreeRADIUS server without problem for several years, identifying to an openLDAP backend. I managed to configure a test WiFi access point to identify with 802.1x against that same radius/ldap server. But I have a problem to configure eduroam, so I would be glad if I could see a working example.

It would help if you told us *what* the problem is. Looking at what you write, you have a working FreeRADIUS, working openLDAP backend, and have configured it to do IEEE 802.1X on a WiFi access point. That is 99% of what eduroam needs. So, what's missing?

Greetings,

Stefan Winter
Re: Questions on the finer points of CUI
On 28.06.2012 09:07, Scott Armitage wrote:
> All,
>
> I was after some clarification about the implementation of CUI in freeRADIUS.
>
> My first point is the use of Client IP Address. I notice that Client IP Address makes a regular appearance but I'm wondering whether it should. Looking at the cui.conf the post-auth insert adds the Client IP Address.
>
>     postauth_query = INSERT IGNORE INTO ${cui_table} \
>         (clientipaddress, callingstationid, username, cui, lastaccounting) \
>         VALUES \
>         ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \
>         ON DUPLICATE KEY UPDATE lastaccounting='-00-00 00:00:00', cui='%{reply:Chargeable-User-Identity}';
>
> Likewise the schema (in cui.sql) even has the Client IP Address as a primary key, which to me seems wrong. In the world of eduroam my RADIUS server can proxy off to one of 3 National Proxies; each will have a different Client IP Address, therefore a single client could have 3 entries in the cui table depending upon which National proxy dealt with the request.
>
> I don't see the point of the Client IP Address being in there. If each home server is using a salt (together with the operator name) then even the same username and calling station id will return a different CUI for different home servers.
>
> Maybe someone could explain what I'm missing and why the Client IP Address is there?

The $cui_table is merely a helper table to bind returned CUI values from the home server during the *authentication* phase to a possible subsequent Accounting packet for that same session. It is logically maintained at the SP side of the transactions (i.e. towards Access Points and Controllers).

When doing auth, Calling-Station-Id and a User-Name are present in the request. The response contains the associated Chargeable-User-Identity, and may or may not contain a User-Name, and that User-Name may or may not be the same as the request had.

If the NAS doesn't bind auth-CUI to acct-CUI itself (which is true for most NASes), the SP-side RADIUS server needs to do guesswork to add the CUI attribute to the outgoing accounting request (for all such requests: starts, interims and stops). It can see the binding primarily by observing that the Calling-Station-Id is the same. It cannot use the User-Name in Accounting because some NASes use the value of an Access-Accept instead of the original value.

In principle, one could stop here. However, if a user moves from one NAS to another, he needs to reauthenticate and has the same Calling-Station-Id. This new authentication might get the same CUI or another (as you rightly note, the next request can go to a different home server, who might calculate his own CUI). In that case, there are two entries for the same Calling-Station-Id with different CUIs, and the server won't know which one to attach to the next outgoing Accounting-Request - BAD.

That's why the Client-IP-Address is a secondary key: since we're talking SP-side, the client is the Access Point or Controller, and the tuple of (CSI;Client-IP) makes the CUI value unique: this device *on this client* at a particular point in time.

You might argue that the user could close the session and then re-auth on the *same* NAS. That's true, but it is not a problem: if that previous session was closed in order with an Accounting-Stop, the temporary entry in $cui_table gets deleted, and the new session gets the new one. If not, since the key of CSI and Client-IP is identical, the new session overwrites the CUI value of the previous one.

This should also explain your subsequent queries below.

Greetings,

Stefan Winter

> Staying with the Client IP Address, my next point surrounds the Accounting. The cui.conf shows that accounting updates the table using Client IP Address in the search:
>
>     accounting_start_query = UPDATE ${cui_table} \
>         SET \
>         lastaccounting = CURRENT_TIMESTAMP \
>         WHERE clientipaddress = '%{Client-IP-Address}' \
>         AND callingstationid = '%{Calling-Station-Id}' \
>         AND username = '%{User-Name}' \
>         AND cui = '%{Chargeable-User-Identity}';
>
> How would this work? The NAS doesn't know what the Client IP Address is and doesn't send it in Accounting packets.
>
> Finally, why does the Accounting stop for cui remove the cui from the database:
>
>     accounting_stop_query = DELETE FROM ${cui_table} WHERE \
>         clientipaddress = '%{Client-IP-Address}' \
>         AND callingstationid = '%{Calling-Station-Id}' \
>         AND username = '%{User-Name}' \
>         AND cui = '%{Chargeable-User-Identity}';
>
> Surely I'd want to keep this? If 2 weeks later I get a copyright infringement notice for a client, I'd want the CUI when contacting the home site of the user.
>
> Thanks
>
> Scott Armitage
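As an added illustration (not FreeRADIUS code and not the cui.conf queries themselves), the following Python models the $cui_table semantics Stefan describes: the (Client-IP, CSI) key, the overwrite on re-auth, and the delete on Accounting-Stop. sqlite3 stands in for MySQL, so INSERT IGNORE ... ON DUPLICATE KEY UPDATE becomes sqlite's ON CONFLICT ... DO UPDATE; the NAS addresses, MAC and CUI values are constructed.

```python
import sqlite3

# Constructed stand-in for cui.sql: the primary key is the (Client-IP, CSI) tuple.
SCHEMA = """
CREATE TABLE cui (
    clientipaddress  TEXT NOT NULL,   -- the NAS (AP/controller) as seen by the SP server
    callingstationid TEXT NOT NULL,   -- the client's MAC address
    username         TEXT NOT NULL,
    cui              TEXT NOT NULL,   -- Chargeable-User-Identity from the Access-Accept
    lastaccounting   TEXT,            -- NULL until an Accounting packet has been seen
    PRIMARY KEY (clientipaddress, callingstationid)
);
"""


class CuiTable:
    """Helper table binding auth-time CUI values to later accounting packets."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def post_auth(self, client_ip, csi, username, reply_cui):
        """postauth_query: store the CUI returned by the home server.
        A row with the same (Client-IP, CSI) means a re-auth on the same NAS
        without an Accounting-Stop in between: the old CUI is overwritten."""
        self.db.execute(
            "INSERT INTO cui (clientipaddress, callingstationid, username, cui, lastaccounting)"
            " VALUES (?, ?, ?, ?, NULL)"
            " ON CONFLICT(clientipaddress, callingstationid)"
            " DO UPDATE SET lastaccounting = NULL, cui = excluded.cui",
            (client_ip, csi, username, reply_cui),
        )
        self.db.commit()

    def lookup(self, client_ip, csi):
        """Which CUI to attach to an outgoing Accounting-Request from this NAS for this MAC."""
        row = self.db.execute(
            "SELECT cui FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
            (client_ip, csi),
        ).fetchone()
        return row[0] if row else None

    def accounting_start(self, client_ip, csi, username, cui):
        """accounting_start_query: mark the binding as having seen accounting."""
        cur = self.db.execute(
            "UPDATE cui SET lastaccounting = CURRENT_TIMESTAMP"
            " WHERE clientipaddress = ? AND callingstationid = ? AND username = ? AND cui = ?",
            (client_ip, csi, username, cui),
        )
        self.db.commit()
        return cur.rowcount

    def accounting_stop(self, client_ip, csi, username, cui):
        """accounting_stop_query: the session is over, drop the temporary binding."""
        cur = self.db.execute(
            "DELETE FROM cui"
            " WHERE clientipaddress = ? AND callingstationid = ? AND username = ? AND cui = ?",
            (client_ip, csi, username, cui),
        )
        self.db.commit()
        return cur.rowcount

    def rows(self):
        return self.db.execute("SELECT COUNT(*) FROM cui").fetchone()[0]


def run_roaming_scenario():
    """Constructed walk-through of the cases discussed in the thread."""
    t = CuiTable()
    mac, user = "00-11-22-33-44-55", "anonymous@example.org"   # constructed values
    ap1, ap2 = "10.0.0.1", "10.0.0.2"                          # two NASes at the SP side

    # 1. Auth via AP1; the home server (reached via proxy A) returns a CUI.
    t.post_auth(ap1, mac, user, "cui-from-proxy-A")
    start_ok = t.accounting_start(ap1, mac, user, t.lookup(ap1, mac)) == 1

    # 2. The user roams to AP2 and re-authenticates; this request goes through
    #    another proxy and comes back with a different CUI. Both rows coexist
    #    because Client-IP is part of the key, so each NAS still gets its own CUI.
    t.post_auth(ap2, mac, user, "cui-from-proxy-B")
    on_ap1, on_ap2 = t.lookup(ap1, mac), t.lookup(ap2, mac)

    # 3. An orderly Accounting-Stop from AP1 deletes that binding only.
    t.accounting_stop(ap1, mac, user, on_ap1)

    # 4. Re-auth on AP2 with no Stop in between: same key, the CUI is overwritten.
    t.post_auth(ap2, mac, user, "cui-from-proxy-B-second")
    return {
        "start_ok": start_ok,
        "on_ap1": on_ap1,
        "on_ap2": on_ap2,
        "after_stop_ap1": t.lookup(ap1, mac),
        "after_reauth_ap2": t.lookup(ap2, mac),
        "rows": t.rows(),
    }


if __name__ == "__main__":
    for key, value in run_roaming_scenario().items():
        print(f"{key}: {value}")
```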
Re: more EAP/TTLS trouble
Hi,

> The reasons you stated are why I think this is near impossible. Our passwords are stored with md5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy. As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company. That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher-ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there's other deficiencies.. How is it right to sell ultimate versions of an OS for $150-200 when they don't even support as many features as a free, open source system?
>
> I just got into work, so I'll be looking over the suggestions and making more attempts at this. Thanks again for all the help!

Here's one more: many folks in eduroam have gone through the exact same considerations, and some indeed need TTLS-PAP. If it is unavoidable, there is a GPLed version of SecureW2 which can deliver TTLS-PAP to older versions of Windows. I'm sure you can find it on the internet somewhere.

Stefan

> On Wed, May 30, 2012 at 8:15 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
>> On 30/05/12 13:44, Steve Hopps wrote:
>>> iPhones work with a custom config profile that's easily installed. However, our most significant hurdle is Windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
>>
>> It's certainly a shame that Windows 7 doesn't support TTLS/PAP.
>>
>> PEAP/MSCHAP requires you have the plaintext password or NT hash, or access to an mschap oracle like ntlm_auth running on Samba as a member of the domain. If you don't have those, you can't do PEAP/MSCHAP, and your options are very limited.
>>
>> EAP-TLS, perhaps?
Re: unlang fails for some strange reason...
Hello,

no one with a hint?

Stefan

On 07.05.2012 11:13, Stefan Winter wrote:
> Hi,
>
> at a client's site, I have to do some chopping off of parts of the User-Name, pretty straightforward, but for some reason it doesn't work (2.1.12):
>
> In inner-tunnel, authenticate, MSCHAPv2 for PEAP:
>
>     authenticate {
>         Auth-Type MS-CHAP {
>             if (%{Stripped-User-Name} =~ /().*/) {
>                 update request {
>                     SAMAccountName := %{1}
>                 }
>             } else {
>                 update request {
>                     SAMAccountName := %{Stripped-User-Name}
>                 }
>             }
>             mschap
>         }
>     }
>
> So, if the Stripped-User-Name is longer than 20 chars, chop it off and store it in SAMAccountName, otherwise, just store the full Stripped-User-Name in SAMAccountName.
>
> SAMAccountName is defined in the dictionary as an internal attribute:
>
>     ATTRIBUTE SAMAccountName 3003 string
>
> During run-time, the following strange thing happens...
>
>     # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
>     +- entering group authenticate {...}
>     [eap] Request found, released from the list
>     [eap] EAP/mschapv2
>     [eap] processing type mschapv2
>     [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
>     [mschapv2] +- entering group MS-CHAP {...}
>     [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/)
>     [mschapv2] expand: %{Stripped-User-Name} - christian.test
>     [mschapv2] ? Evaluating (%{Stripped-User-Name} =~ /().*/) - FALSE
>     [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/) - FALSE
>     [mschapv2] ++- entering else else {...}
>     [mschapv2] expand: %{Stripped-User-Name} - christian.test
>     [mschapv2] +++[request] returns reject
>     [mschapv2] ++- else else returns reject
>     [eap] Freeing handler
>     ++[eap] returns reject
>     Failed to authenticate the user.
>
> So... short User-Name, the else path is taken, Stripped-User-Name expands nicely... and then, the update request group returns reject?!?
>
> I tried to use update control instead, which fails too, and used a non-internal attribute for that name as well. It just won't work.
>
> Is that maybe one of the known quirks in 2.1.12? Would using the current stable branch work better?
>
> Greetings,
>
> Stefan Winter
Re: unlang fails for some strange reason...
Hi,

yet another subtlety I didn't know of... I'm checking with my client whether either moving it to authorize or putting the ok in front will do the trick. I'll let the list know of the outcome so that the collective list intelligence a.k.a. archive will have the answer for later.

Thanks,

Stefan

On 09.05.2012 09:56, Alan DeKok wrote:
> Stefan Winter wrote:
>> no one with a hint?
>
> Hmm... the default return code for things in the authenticate section is reject. And the update sections just pass through the *previous* return code.
>
> You might try this as a hack:
>
>     Auth-Type MS-CHAP {
>         ok
>         if (..) {
>         }
>         else {
>         }
>         mschap
>     }
>
> The ok at the start will over-ride the default reject.
>
> Alan DeKok.
Re: unlang fails for some strange reason...
Hi,

both methods worked: moving into authorize (but after calling the suffix module, which sets Stripped-User-Name), and also the ok hack in authenticate. We chose to move to authorize, as it's more easily understandable.

Thanks for the help!

Greetings,

Stefan Winter

On 09.05.2012 11:17, Stefan Winter wrote:
> Hi,
>
> yet another subtlety I didn't know of... I'm checking with my client whether either moving it to authorize or putting the ok in front will do the trick. I'll let the list know of the outcome so that the collective list intelligence a.k.a. archive will have the answer for later.
>
> Thanks,
>
> Stefan
>
> On 09.05.2012 09:56, Alan DeKok wrote:
>> Stefan Winter wrote:
>>> no one with a hint?
>>
>> Hmm... the default return code for things in the authenticate section is reject. And the update sections just pass through the *previous* return code.
>>
>> You might try this as a hack:
>>
>>     Auth-Type MS-CHAP {
>>         ok
>>         if (..) {
>>         }
>>         else {
>>         }
>>         mschap
>>     }
>>
>> The ok at the start will over-ride the default reject.
>>
>> Alan DeKok.
unlang fails for some strange reason...
Hi,

at a client's site, I have to do some chopping off of parts of the User-Name, pretty straightforward, but for some reason it doesn't work (2.1.12):

In inner-tunnel, authenticate, MSCHAPv2 for PEAP:

    authenticate {
        Auth-Type MS-CHAP {
            if (%{Stripped-User-Name} =~ /().*/) {
                update request {
                    SAMAccountName := %{1}
                }
            } else {
                update request {
                    SAMAccountName := %{Stripped-User-Name}
                }
            }
            mschap
        }
    }

So, if the Stripped-User-Name is longer than 20 chars, chop it off and store it in SAMAccountName, otherwise, just store the full Stripped-User-Name in SAMAccountName.

SAMAccountName is defined in the dictionary as an internal attribute:

    ATTRIBUTE SAMAccountName 3003 string

During run-time, the following strange thing happens...

    # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
    [mschapv2] +- entering group MS-CHAP {...}
    [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/)
    [mschapv2] expand: %{Stripped-User-Name} - christian.test
    [mschapv2] ? Evaluating (%{Stripped-User-Name} =~ /().*/) - FALSE
    [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/) - FALSE
    [mschapv2] ++- entering else else {...}
    [mschapv2] expand: %{Stripped-User-Name} - christian.test
    [mschapv2] +++[request] returns reject
    [mschapv2] ++- else else returns reject
    [eap] Freeing handler
    ++[eap] returns reject
    Failed to authenticate the user.

So... short User-Name, the else path is taken, Stripped-User-Name expands nicely... and then, the update request group returns reject?!?

I tried to use update control instead, which fails too, and used a non-internal attribute for that name as well. It just won't work.

Is that maybe one of the known quirks in 2.1.12? Would using the current stable branch work better?

Greetings,

Stefan Winter
SHA-256,384,512?
Hi,

I'm trying to figure out if FreeRADIUS supports SHA-2 (256, 384, 512 variants) or just SHA1. Some attributes have only SSHA in their name, without a -1, so I thought they could do more than SHA-1. Looking at the source code of 2.1.12, it doesn't look like it though; SHA seems to be synonymous for SHA-1.

Can I get a quick confirmation that the SHA-2 family is not supported for password hashes? Anything coming up in that regard in 3.0?

Greetings,

Stefan Winter
Re: Question: which 3rd party CA for EAP
Hi,

> We are trying to set up eap for different mobile devices. We don't need certificates for each user, we want to authorize against the radius with username and password only. With self-signed certificates it's working if the mobile device installs the root CA certificate. We tried several 3rd party certificates: StartSSL, united ssl, godaddy, test certificates from thawte. Apple and Windows clients are claiming that the certificate is not trusted.
>
> Has anybody a working solution with 3rd party certificates and can tell us which certificate could be used and what needs to be configured in eap.conf?

You should be aware that the trusted status of a CA is completely independent in browsers vs. for EAP. Browsers have a (large|too large) set of CAs which they consider trusted. EAP supplicants typically trust NO CA unless explicitly configured to. In the Windows case, the supplicant will trust the 3rd party certs just fine as soon as you open the EAP properties and check the box of that CA.

So, very often you will require extra manual/scripted configuration whether you use a self-signed CA or not; merely the actual import of the certificate file can be omitted if the CA is shipped. I.e. you don't gain a lot, and spend more money when using a trusted CA, so in the vast majority of cases, it is the wiser way to use a self-signed CA.

Greetings,

Stefan Winter

> Kind Regards
>
> Uwe
Fwd: ldap-radius integration
Please don't write private mail to me with FreeRADIUS questions. Forwarding to freeradius-users.

-------- Original Message --------
Subject: ldap-radius integration
Date: Fri, 30 Mar 2012 12:35:53 -0700
From: exu...@gmail.com
To: stefan.win...@restena.lu

could you give me some reference material or the steps involved in integrating radius and ldap? I am stuck with the error

    [ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
    [ldap] waiting for bind result ...
    [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf

can't understand how to proceed..!

PS: I'm using ubuntu 11.10
Re: Fwd: ldap-radius integration
> could you give me some reference material or the steps involved in integrating radius and ldap? I am stuck with the error
>
>     [ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
>     [ldap] waiting for bind result ...
>     [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
>
> can't understand how to proceed..!
>
> PS: I'm using ubuntu 11.10

You need to tell FreeRADIUS login credentials for your LDAP administrator account. According to the query, the username for that is Manager and the LDAP server is radius.example.com. I believe these are the default (shipped) values that come with FreeRADIUS. Replace them with the *real* login details of your LDAP admin account.

In general: *read* the debug output and *apply common sense*.

Greetings,

Stefan Winter

P.S.: your Operating System is irrelevant for this error.
generate a random value with unlang?
Hi,

in some weird business case, I would like to generate a one-time use token for later consumption in post-auth. So when the user is accepted, trigger an {sql:INSERT randomvalue INTO someplace}. The value should be new for every Access-Accept.

I wonder how to generate such a random value with unlang. Is there some {%rand} or anything like that?

Currently I do it embedded in the INSERT:

    INSERT ... SHA1(RAND())... INTO someplace

but our MySQL admins don't like me doing that. So I'd prefer to do this on FreeRADIUS and send a simple string to the DB.

Greetings,

Stefan Winter
Re: RadSec FR3.0 to Radiator: Received packet will be too large
Hi,

>> We're piloting RadSec as a federation server uplink. They use Radiator. When we first attempted to connect we'd get a "Received packet will be too large!" carp from main/tls.c. They checked on their end and say they have no fragment size option for RadSec TLS connections, only for EAP-TLS connections.

The above doesn't make much sense to me... there are size limits in RADIUS, but not regarding the TLS stream around them. The limits in question are:

- EAP-Message total length must be = MTU between NAS and device (EAP cannot be fragmented on layer 2)
- RADIUS datagram total length 4096 Bytes (arbitrary RFC limit)

The RADIUS/TLS wrapper around those datagrams is not size-limited at all - it carries streams of n RADIUS datagrams. The TCP stack will take care of sending the data in chunks like with any other TCP based protocol.

My guess is that main/tls.c thinks it operates within an EAP context and tries to warn of too big data chunks, while there is actually nothing to warn about.

Greetings,

Stefan Winter

>> So we applied the below as a test and it works, but I was wondering as to the wisdom of it...
>
> interesting, a RADSEC packet can be much bigger than that too - 2048 gives some room for a big certificate - but not if it's double-chained with intermediate and it's got a nice security size instead of being a little 512bit RSA one. Typically EAP-TLS can be fragmented on the server due to it going through to the end-clients ..and being UDP things get a little nasty...whereas with RADSEC there's no reason why a single TCP request couldn't be quite large and needing to be fragmented by the routers.
>
> alan
Re: Source for freeradius-server-2.0.4
ftp://ftp.freeradius.org/pub/freeradius/old/

On 11.02.12 03:32, Charles H. Fisher wrote:
> I have a heavily patched version of freeradius-server-2.0.4 that I would like to migrate forward to the current version. This requires that I know what changes were made to the standard 2.0.4. I have not been able to find a copy of it on the internet, and the archives on this site do not have any of the older files any later than the end of the 1.x series.
>
> Do you know where I can find a copy of the freeradius-server-2.0.4 source tarball?
>
> Thanks
Re: self-signed root CA
Hi,

that's a discussion / holy war admins are fighting over for *years* in the eduroam roaming consortium. I agree with all that was said in the thread, regarding security vs. convenience.

Just to add one thing to the mix: if you allow bring-your-own-device for your network, you'll have much less control over what hardware comes to visit you. For some supplicants it is very hard/impossible to add an own self-signed CA to the trust root. In these cases, being able to verify the issuing CA against the hard-wired trust store is arguably more secure than not being able to validate the cert at all with a self-signed CA. For Android 4.0 for example, pushing a new CA into the trust store is hard. Doing it in a non-interactive autoconfig way is to my knowledge impossible.

So, BYOD is a factor to consider.

Greetings,

Stefan Winter

> McNutt, Justin M. wrote:
>> So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing.
>
> Self-signed CA. *Always*.
>
>> And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?
>
> Yes.
>
>> I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA. The README explains briefly why, but my management wants more assurance than that, so here I am.
>
> Well, I wrote that README. It's correct.
>
> Here's a question for management. Do they want anyone on the planet to be able to set up a copy of their WiFi SSID, and grab user information? If yes, use a public CA. If no, use a self-signed CA.
>
> With web surfing, your web browser verifies that the site at facebook.com is holding an SSL certificate which says facebook.com. This prevents anyone else from using a facebook.com certificate, because no one else can control the facebook.com domain.
>
> For WiFi, there is no such control. If your company SSID is example.com, *anyone* can duplicate that SSID. The EAP supplicant doesn't check if the SSID matches the certificate. It can't check, for a whole host of reasons.
>
> So the situations are different. The result is that the security methods are different, too.
>
> Alan DeKok.
Re: Next release of the server?
Hi,

> 2.2.0 is explicitly compatible with 2.1.12. The only change is to fix something which was *broken* in 2.1.12.

Is there really much point in calling it 2.2.0 then? If people don't like a 13 patch-level number, it could also be called 2.1.14 :-)

Cranking up the minor version number just leads to many people asking the kind of "can I upgrade" questions we've just gone through.

Greetings,

Stefan Winter
Re: VLAN attribution in an eduroam setting - proxied users
Hello Rui,

> As for the VLAN attribution whether the user is a roaming user (i.e. goes to a proxy to be authenticated), I have done several tries, without success. Haven't managed to do it through the users file above; my last attempt was trying to set them up in the /etc/freeradius/attrs file with attr_filter.post-proxy, however it seems to interfere with the EAP/password negotiation. The setup is as follows, and I would like to ask for an alternative of where to insert the roaming VLAN.
>
>     post-proxy {
>         post_proxy_log
>         attr_filter.post-proxy   # here ---
>         Post-Proxy-Type Fail {
>             detail
>         }
>     }

The attr_filter module only controls what to strip out of the incoming reply; it can not be used to add new attributes. What you specified in the file:

    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := 216,

means: "Only leave these attributes in the reply packet if they have exactly these values, otherwise strip them out." That is obviously not what you want.

The solution is rather simple with unlang:

    post-proxy {
        post_proxy_log
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 216
        }
        Post-Proxy-Type Fail {
            detail
        }
    }

(syntax is free-handed, you should try this on a testing server first)

Greetings,

Stefan Winter
Re: EAP/TLS authentication in 2050
Hi,

> why? really, why? what purpose does testing these dates have - you really think your current infrastructure, and technologies such as 802.1X are going to be around in the same format in even 20 years time?

To be honest, I'm thinking of a similar thing. Given how painful a CA rollover can be, I'm planning to roll over to a CA with validity somewhere beyond Stefan's retirement date, which is unfortunately later than 2037. Given that the extra effort to extend the lifetime of a CA is *zero* (just enter a different date in openssl.cnf) and the pain to eventually stumble over an expiring CA is non-zero - I prefer to do the zero work. Of course things might change, my CA keys might get too short, and I might be forced to roll over anyway - there is at least a *chance* that I can prevent a need to roll over, and so I'll do it.

3011 is stretching it though, admitted.

Stefan

> anyway, I'm guessing these are 32 bit server and client OS? you may find, in that case, that your tests will work until you set the date beyond 2037 - 32bit OS have problems with dates after 2038. So, try this with KNOWN parameters - eg 2020, within the 2038 timeframe and things should work.
>
> alan
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Hi, You haven't done that. You're smart if you spend the time to understand what you're talking I know what I am talking about. When there is something I don't know, however - I ask, politely, and expect the same from others (that doesn't include you, apparently). I think what Alan was trying to point out is that it is easy to find answers to your basic questions without asking this mailing list. The security of RADIUS is incredibly well-documented, and not specific to FreeRADIUS. So if your problem is that you don't know whether or not a RADIUS shared secret is sent in clear text or not - and jump to false conclusions based on your *belief* how it *might* work (even if you are wrong in your assumptions) then that is typically called noise on a mailing list. You might rather want to clarify that aspect yourself. I just typed RADIUS shared secret into Google, and found actual on-topic results - on page one. Microsoft Technet unfortunately, but better than nothing. Now to get more down to the topic. You mention that security is paramount, which is correct. When you are using EAP-TLS or EAP-TTLS, security of your transmitted credentials comes by virtue of the TLS tunnel that is established within that EAP method. The transport-layer security of RADIUS adds nothing to the security of these credentials. In that case, it doesn't matter much - for security reasons - whether your Access Points talk RADIUS (IP+shared secret) or RADIUS/TLS. What *is* revealed if you use only RADIUS, is some of the not-so-significant attributes in the Access-Request like the MAC address of the connecting client in Calling-Station-Id. That you might possibly see as a rather minimal privacy invasion if an eavesdropper listens on the packet; in that case, RADIUS/TLS would be a way of mitigating that. Your thread contains lots of confusion, false assumptions and wrong conclusions. There is always a danger that that kind of half-knowledge spreads and leads to FUD. 
So to be abundantly clear:

Transport security
* traditional: fixed bindings of IP address+shared secret; uses MD5 for hash calculation
* TLS security: either TLS-PSK (drop-in replacement for shared secret) or certificate based

Credential security
* most EAP types roll their own, which makes transport security less relevant
* EAP-TLS, TTLS, PEAP, FAST are among those
* FreeRADIUS supports all of these EAP types just fine
* some weak EAP types don't provide that security on their own, and either
  - need to be tunneled within TTLS and friends - or -
  - need to be secured by transport security

I think this answers all the questions in your thread and counteracts all the conclusions you jumped to mid-way.

If I may add: almost none of these questions were specific to *FreeRADIUS - the product* - they were about the RADIUS protocol. This mailing list is not the place to ask random questions about RADIUS. Read up on it on the internet, buy a book, or visit a course about RADIUS. The mailing list is about configuring FreeRADIUS.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS CRL checking when multiple CAs used
Hi,

Question is: When FreeRADIUS receives a user certificate, how does the daemon find the correct CRL in the certs directory?

The CRL needs to be in the same directory as the CAs, and needs to be hashed with c_rehash just like the CA certs. CRLs automatically get the hash suffix .r0 instead of .0. You will still need to restart FreeRADIUS after downloading a new CRL; re-reading them at runtime is not possible due to glorious OpenSSL.

Stefan

Thank you — Martin Čmelík

2011/11/14 Alan DeKok al...@deployingradius.com:
Martin Čmelík wrote:
nobody knows how to set up freeradius to check new CRL lists?

FreeRADIUS uses OpenSSL for CRLs (and everything SSL). OpenSSL does not support dynamically adding CRLs at run time. See the ocsp support in 2.1.12.

Alan DeKok.
Re: FreeRADIUS Beginner's Guide
Hi,

I'm a complete newbie to RADIUS, looking to make use of the features of my new smart switches and wireless access point to secure my home network, so the title certainly sounds right. Has anyone had a look at this book yet? If so, what are your thoughts?

I have finally found the time to give it a look, too. Here's my review:

Book Review: FreeRADIUS Beginner's Guide

The book „FreeRADIUS Beginner's Guide – Manage your network resources with FreeRADIUS“ by Dirk van der Walt has set itself a bold goal: to transform an ordinary Unix/Linux system administrator from a „Zero“ to a „Hero“ in the topic of Authentication, Authorisation and Accounting with FreeRADIUS. The book is in a very modest price range and available in traditional printed and also an eBook version right here:

http://www.packtpub.com/freeradius-master-authentication-authorization-accessing-your-network-resources/book?tag=rk/freeradiusbg-abr1/0911

From my own experience, getting in first contact with the RADIUS protocol in general and FreeRADIUS in particular can be a dreadful exercise: there are many complex concepts to grasp and huge configuration files to master; and plenty of opportunity to break things if you touch the configuration without knowing the do's and don'ts. The FreeRADIUS software package has ample documentation in the form of man pages and comments in configuration files. What was sorely missing – up until now – was documentation that would take an innocent reader by the hand and show him the wonders of RADIUS without too much confusion. Dirk's book certainly achieves this goal, and more. It dives straight into the matter, touches the RADIUS specification only as much as is needed to understand the software that delivers it. The reader learns how easy it is to get to the „Hello, world!“ equivalent of RADIUS – the first successful authentication, an Access-Accept packet.
From then on, the book builds on the milestones achieved by the reader and adds more and more features and complexity. Near the end of the book, the reader has all the required knowledge to run his own little hotspot, a federated „single-sign-on domain“ based on RADIUS or even be part of a large roaming consortium.

Being heavily involved in RADIUS myself, as the lead R&D engineer for the „eduroam“ roaming consortium in Europe, and as lecturer on the topic of Secure Network Admission at the University of Luxembourg, I was amazed how often I found myself thinking „Right, couldn't have said it better“ when the author explained some of the particularly hairy concepts – EAP with outer identity just being one example.

Of course, there are always those few little things everyone likes to do a bit differently; I'm very much a compile-from-source person and was slightly disappointed to read that the author rather encourages his readers to use distribution packages or build their own RPMs/DEBs. Then again, the target audience is starting from zero, and adding “compile your own” to the stack of things to learn is probably asking a bit much.

Another question of taste is the client to use for testing the more complex authentication mechanisms – the book uses a GUI client, JRadiusSimulator, while I very much prefer „eapol_test“ from the wpa_supplicant software suite. It can be so nicely scripted and is as flexible as a Swiss army knife – perfect for Nagios monitoring. In my humble opinion, it would have deserved a significant mention.

Lastly, there is a nagging little oversight when it comes to the description of proxying on page 250: Proxying, when done in combination with mutually authenticating EAP methods and with anonymous outer identities, doesn't expose usernames or credentials to the roaming partner. The book doesn't make that aspect overly clear.
Then again, peeking at the title, this topic is way advanced and few people will get to a point in their RADIUS life where they would need it.

Summarising, I can highly recommend this book as a starter to get into FreeRADIUS. I'm sure the FreeRADIUS users' mailing list would see much less traffic on basic operational and conceptual questions if everyone were to read this book. If you need to get acquainted with FreeRADIUS, do yourself a favour and grab a copy.

Greetings,

Stefan Winter
systemd and FreeRADIUS
Hi,

seems like openSUSE is going the fancy way and throws good old INIT overboard with their next release. System initialisation and housekeeping is changing towards systemd instead. So, in 20-something days I'll try to get my first FreeRADIUS running on that, and can't use my good old init scripts any more (I guess I could with some systemd-to-INIT legacy support, but I like eating fresh dogfood).

Is there already someone working on systemd description files for FreeRADIUS? If not, I'll (have to :-) ) give it a go myself...

Greetings,

Stefan Winter
Re: password in EAP request
Hi,

I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true?

No...? There's http://www.willhackforsushi.com/FreeRADIUS_WPE.html, but it's not a complete solution in itself...

Uh, what a lame thing. It will only work on the assumption that the user does not check the server certificate, which is really bad practice. The rest is a setup of FreeRADIUS which is designed to be compatible with as many EAP types as possible, so as not to disturb the end user experience. It also can't figure out if the user entered his real credentials or had a typo/intentionally put in something different. The patch is a few sample clients, nothing more. A nice exercise, for sure, but calling this Pwnage Edition is somewhat exaggerated. As I read the headline, I expected more bang for the buck :-)

Greetings,

Stefan Winter
Re: Dialup Admin
Hi,

radiusd -X is of no use in debugging dialup admin. It's a PHP tool running on a web server, whereas FreeRADIUS' radiusd is a stand-alone process doing RADIUS. Their only interface is that FreeRADIUS writes into a DB, and dialup admin reads data from that same DB; the two sides of it use a common schema. You need to configure both sides regarding database hostname, username, password. Setting it in raddb/* is NOT doing any good.

So, if your dialup admin throws an error - look at the web server's error log. It will help you much more.

Greetings,

Stefan Winter

Am 19.09.2011 05:14, schrieb shawky skaff:
Hi,

I am having issues viewing content on the dialup screen. I can see the html links; when I select one of them, say accounting, I just receive an error saying

DEBUG(SQL,MYSQL DRIVER): Connect: User=root,Password=*

I have allowed all sql options in the sites-enabled default file. Running radiusd -X gives me the following output

[root@radius conf]# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: Pre release of 2.1.12
Hi,

it's now running on our most busy server. Both -X and background-multithreaded do their usual job. I do not see any problems so far. That said, I was at that point with 2.1.11 as well, and it caught fire after 48+ hours only. So, there might still be surprises. I'll keep it running under surveillance for the rest of the week. By next Monday, I'll speak up again and let you know if my setup (still) works fine.

Keeps on running like Forest Gump.

Stefan

Greetings,

Stefan Winter

Am 29.08.2011 16:13, schrieb Alan DeKok:
I've put some pre releases of 2.1.12 on the web site:

http://git.freeradius.org/pre/

Please let me know if there are any problems. If not, this can become 2.1.12.

Alan DeKok.
Re: Pre release of 2.1.12
Hi,

it's now running on our most busy server. Both -X and background-multithreaded do their usual job. I do not see any problems so far. That said, I was at that point with 2.1.11 as well, and it caught fire after 48+ hours only. So, there might still be surprises. I'll keep it running under surveillance for the rest of the week. By next Monday, I'll speak up again and let you know if my setup (still) works fine.

Greetings,

Stefan Winter

Am 29.08.2011 16:13, schrieb Alan DeKok:
I've put some pre releases of 2.1.12 on the web site:

http://git.freeradius.org/pre/

Please let me know if there are any problems. If not, this can become 2.1.12.

Alan DeKok.
Re: Fwd: Authentication failure issue
Hello,

while you marked lots of stuff in yellow, you missed the REALLY helpful part:

WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

How about doing exactly that...?

Stefan Winter

Am 05.08.2011 06:14, schrieb fieldpeak:
Hello Friends,

I met an issue regarding password/authentication with FreeRadius. Could anybody help with the issue? Thanks!

User-Password = ?\210\365@\263\t\306\343\243iT?\311C\t\002
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

The details are in the mails below.

Regards,
Charles

Forwarded conversation
Subject: *Authentication failure issue*
From: *fieldpeak* fieldp...@gmail.com
Date: 2011/8/4
To: freeradius-users@lists.freeradius.org

Dear Friends,

I'm trying to integrate Freeswitch with Freeradius. I met the issue below, can anyone help? Thanks in advance.
Freeradius server log:

rad_recv: Access-Request packet from host 127.0.0.1 port 52684, id=49, length=111
User-Name = 1001
User-Password = ?\210\365@\263\t\306\343\243iT?\311C\t\002
Called-Station-Id = 888
h323-conf-id = 749d2b5a-16ad-48e4-af58-24011949d1b5
Calling-Station-Id = 1001
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
[auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
[auth_log] expand: %t -> Wed Aug 3 12:06:33 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 1001, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> 1001
[sql] sql_set_user escaped user --> '1001'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1001' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1001' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1001 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 1001
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 49 to 127.0.0.1 port 52684
Waking up in 4.9 seconds.
Cleaning up request 8 ID 49 with timestamp +7674
Ready to process requests.
WARNING! No known good password found for the user

Regards,
Charles

--
From: *fieldpeak* fieldp...@gmail.com
Date: 2011/8/4
To: freeradius-users@lists.freeradius.org

Hello Gurus,

I've double checked that the shared secret on both server and NAS is the same; the problem still exists. It has troubled me for a few days, can anyone kindly help?

nas: /usr/local/etc/radiusclient/servers
localhost/localhost testing123

server: /usr/local/etc/raddb/clients.conf
secret = testing123
Re: Fwd: Authentication failure issue
Hi,

if the password is mangled that way, there is not much other reason than a misconfigured shared secret. I can't tell you which config file exactly does what on your system; that depends on the configure settings you used to install FreeRADIUS, and on where and how you installed the NAS stuff with radiusclient.

You could post a *full* debug output of radiusd -X, *including* what's printed on server startup - it will print out which files it reads for its configuration.

Stefan

Am 05.08.2011 10:21, schrieb fieldpeak:
Hi Stefan,

Sorry for the confusion, actually I have checked the secret on both NAS and server sides, it is the same. Below is the debug output; the confusing password Q?²Êà ëê¢p?¤F?+Õa is very suspicious, it should be '' that I configured in the database. Maybe I checked the wrong conf files for the secret; below are the files that I checked. Is it correct?

NAS: /usr/local/etc/radiusclient/servers
localhost/localhost testing123

Server: /usr/local/etc/raddb/clients.conf
secret = testing123

debug output:

Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password Q?²Êà ëê¢p?¤F?+Õa
[pap] Using clear text password
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 1001
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 38 for 1 seconds

Regards,
Charles
Re: Fwd: Authentication failure issue
Hi,

your FreeRADIUS Server reads the clients from this file:

including configuration file /usr/local/etc/raddb/clients.conf

which is what you edited - good. Now you have to check where radiusclient reads its secret from. Can't help you with that.

Stefan

Am 05.08.2011 11:09, schrieb fieldpeak:
Hi Stefan,

Attached is the full log from FreeRADIUS start. I tried to identify it myself, however I'm a newcomer to FR. Can you please advise? Thanks a lot!

Regards,
Charles
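As an added illustration (not code from this thread or from FreeRADIUS), here is the RFC 2865 User-Password hiding that the "IP address + shared secret, MD5" transport security described earlier on this page relies on, and what a mismatched secret does to it: the server recovers keystream garbage instead of the password, which is exactly the "Unprintable characters in the password" symptom above. Only the secret testing123 comes from the thread; the authenticator and password are constructed, and the printable-bytes check is my own approximation of the server's warning, not FreeRADIUS' test.

```python
"""RFC 2865 User-Password hiding and the effect of a wrong shared secret.

Added example, not FreeRADIUS code. The NAS XORs the (NUL-padded) password
with an MD5 keystream derived from the shared secret S and the 16-octet
Request Authenticator RA; the server undoes it with the secret it believes
the NAS uses. If the two secrets differ, the result is random bytes.
"""
import hashlib
import os
from typing import Tuple

BLOCK = 16          # MD5 digest length; the password is padded to this size
MAX_PASSWORD = 128  # RFC 2865 section 5.2 upper bound for User-Password


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_(i-1))."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= MAX_PASSWORD:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += block
        prev = block  # the chain runs over the ciphertext, not the plaintext
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: invert hide_password() using the server's copy of the secret."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % BLOCK or len(hidden) > MAX_PASSWORD:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Drop the NUL padding; a RADIUS password cannot end in NUL anyway.
    return bytes(clear).rstrip(b"\x00")


def looks_mangled(password: bytes) -> bool:
    """Constructed heuristic standing in for the server's 'Unprintable characters'
    warning: any byte outside printable ASCII is treated as suspicious."""
    return any(b < 0x20 or b > 0x7E for b in password)


def diagnose(hidden: bytes, server_secret: bytes, authenticator: bytes) -> Tuple[bytes, bool]:
    """What a server configured with server_secret sees: (recovered password, mangled?)."""
    recovered = reveal_password(hidden, server_secret, authenticator)
    return recovered, looks_mangled(recovered)


if __name__ == "__main__":
    # Constructed sample values; only the secret "testing123" is from the thread.
    authenticator = os.urandom(BLOCK)  # a real NAS picks this fresh per request
    hidden = hide_password(b"secret-pw-1001", b"testing123", authenticator)

    pw, mangled = diagnose(hidden, b"testing123", authenticator)
    print("matching secret  :", pw, "(mangled)" if mangled else "(fine)")

    pw, mangled = diagnose(hidden, b"testing124", authenticator)
    print("mismatched secret:", pw, "(mangled)" if mangled else "(fine)")
```

The same mechanism explains why a mismatched secret still yields a syntactically valid Access-Request: nothing in the packet is authenticated, so the server only notices when the decoded password is unprintable or fails to match.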
num_answers_to_alive
Hi,

the configuration of 2.1.10 has the parameter num_answers_to_alive in proxy.conf. Looking at the source code, I found that instead, in realms.c, the config option num_pings_to_alive is used. num_answers is read from the config, but never referenced. If that's the case, then the config option in proxy.conf should be changed to be num_pings_to_alive, otherwise people will likely fail to tweak the value.

Speaking of tweaking the value, I also found

    if (home->num_pings_to_alive < 3) home->num_pings_to_alive = 3;
    if (home->num_pings_to_alive > 10) home->num_pings_to_alive = 10;

The documentation says that 3..10 are *useful* ranges, but doesn't mention that everything else is forbidden. In particular, I would like to use 1, not 3. The idea is: the server was dead before, but now it managed to send a reply back - so it must have been fixed. I would like to mark it alive immediately. Is that unreasonable?

Greetings,

Stefan Winter
Re: Send response to client
Hi,

Am 27.06.2011 07:55, schrieb Christ Schlacta:
is it at all possible to send a message to a windows 7 or windows vista client that the client is guaranteed to see when authentication is rejected? more details: wireless WPA2-EAP-TLS

There is no such guarantee. RADIUS ends at the access-point; from then on, everything must be fitted into an EAPoL exchange. I'm not aware of any supplicant that processes EAP-Notifications at the time of rejection, and also not aware that an Access Point would encapsulate a Reply-Message into such a notification. Even if there was a supplicant and AP to do that, you couldn't be sure that the end device is actually using that supplicant.

Greetings,

Stefan Winter

on a Ubiquiti PicoStation 2 firmware 5.3.2 (I believe it includes some form of hostapd, but I'm not sure which version) Freeradius Version 2.1.9 Clients running Windows 7 or Windows Vista with no special software installed. the procedure is OS, Wired Driver, ethernet cable, Windows Update once for drivers, Wireless certificate, connect to Wifi, (Note this point) finish updates. It's at the Note this point point that I want the clients to be able to receive a rejection response with some level of certainty. what users add to their system later is welcome to break it, if they're willing to deal with it.
Re: Failed creating handler
Hi,

> I'm running FreeRADIUS 2.1.11 on Gentoo compiled with specific patches (qafixes, versionless, pkglibdir) and a small patch of my own (byminute, adds an extra var in xlat.c, nothing big).
>
> I'm experiencing a weird crash of which I've found absolutely nothing online: "Failed creating handler". Source code says this one comes from src/main/event.c when calling fr_event_insert() but I can't figure out anything else.

My new 2.1.11 died after about 24h of happy RADIUSing - twice now. It's too busy to run -X, so I don't have a lot of logs. radius.log logs the last previous auth OK - and then the process is gone. Would this behaviour fit to this problem cause? Worth trying the usec fix in GIT?

Greetings,

Stefan Winter

> The server does decoupled accounting, one site has only one module in accounting, rlm_detail and the other listens on the detail logs with only one module in accounting, rlm_python.
>
> cleanup_delay is 5, max_requests 10240, 16 threads, max_requests_per_server = 1500
>
> Any idea what could be the problem?
>
> tx,
> amne
Re: Version 2.1.11 has been released
Hi,

a similar issue with the config parser here... The following worked nicely in 2.1.10, but barks with "Unexpected text else" (and with the obvious change to elsif, "Unexpected text elsif").

if ( %{NAS-Identifier} == ejabberd ) {
        update request {
                RESTENA-Service-Type = Staff-Jabber
        }
} else if ( %{NAS-Identifier} == AAI-Staff-IdP ) {
        update request {
                RESTENA-Service-Type = Staff-AAI
        }
} else
        update request {
                RESTENA-Service-Type = Staff-%{client:staff_type}
        }

But... what's wrong with that? How would I have to fix the syntax to be acceptable?

Apologies for not spotting it earlier... I run 2.1.x on a test server, but the test server's config is only slightly more simple than the production one - it has no else in that authorize block.

Stefan Winter

On 20.06.2011 16:47, Alan Buxey wrote:
> Hi,
>
>> It's been a long time since 2.1.10. We're happy to release version 2.1.11, which has many useful new features, and a number of minor bugs fixed.
>
> yay! :-)
>
> virtual champagne cork released
>
> however, a nice quirky change in config parser means that any unlang style code with an 'if' condition check that ends with no space before curlies, eg
>
> if (condition){
>
> rather than
>
> if (condition) {
>
> causes the daemon to not start... quick one-line config changer on the command line is:
>
> sed -i -e 's/){/) {/g' *
>
> this fixed at least 45 instances of such coding style in my virtual servers
>
> alan
Re: Version 2.1.11 has been released
Hello Alan, all,

thanks for that quick lesson :-) I stand corrected; and with the right ordering, things are now working as they should. I did wonder a few times why that attribute RESTENA-Service-Type wasn't properly populated in some cases :-) But no bad things happened, just things being logged into a different directory than expected.

Thanks again,

Stefan

On 21.06.2011 11:53, Alan DeKok wrote:
> Stefan Winter wrote:
>> a similar issue with the config parser here... The following worked nicely in 2.1.10, but barks with "Unexpected text else" (and with the obvious change to elsif, "Unexpected text elsif").
>>
>> if ( %{NAS-Identifier} == ejabberd ) {
>>         update request {
>>                 RESTENA-Service-Type = Staff-Jabber
>>         }
>> } else
>
> Except that's wrong... it doesn't do what you want! The else is ignored.
>
>> But... what's wrong with that? How would I have to fix the syntax to be acceptable?
>
> $ man unlang
>
> :)
>
> Everything needs to go on its own line:
>
> if (...) {
>         ...
> }
> elsif (...) {
>         ...
> }
>
> Using "} elseif" won't work. The elsif will *always* be ignored.
>
> Alan DeKok.
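Both parser pitfalls raised in this thread, the "){" spacing from the release announcement reply and the "} elsif" placement Alan explains above, can be checked mechanically before the daemon is restarted. The block below is an added example and is not part of FreeRADIUS or of the thread: the sample authorize fragment is constructed for it, and quoting the operands ("%{NAS-Identifier}" == "ejabberd") is the example's own choice rather than the syntax posted above. The fix routine does what the sed one-liner does and additionally moves else/elsif onto its own line.

```python
"""Added example (not FreeRADIUS code): a small lint pass for the two 2.1.11
parser pitfalls discussed in the thread, plus the corresponding auto-fix.
The sample configuration is constructed for this example.
"""
import re
from typing import List, Tuple

# Rule from the announcement reply: ")" followed directly by "{" stops the daemon.
BRACE_SPACE_RE = re.compile(r"\)\{")
# Rule from Alan DeKok's answer: "else"/"elsif" on the same line as the closing
# "}" is silently ignored by the 2.x parser, so that branch never runs.
ELSE_ON_BRACE_LINE_RE = re.compile(r"^([ \t]*)\}[ \t]*(elsif|else)\b", re.M)

# Constructed sample: the authorize fragment from the thread, written the way the
# 2.1.11 parser rejects it (quoted operands are this example's choice).
SAMPLE_CONFIG = """\
authorize {
    if ("%{NAS-Identifier}" == "ejabberd"){
        update request {
            RESTENA-Service-Type = Staff-Jabber
        }
    } elsif ("%{NAS-Identifier}" == "AAI-Staff-IdP") {
        update request {
            RESTENA-Service-Type = Staff-AAI
        }
    } else {
        update request {
            RESTENA-Service-Type = Staff-%{client:staff_type}
        }
    }
}
"""


def lint_unlang(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule) for every line that trips one of the rules."""
    findings: List[Tuple[int, str]] = []
    for no, line in enumerate(text.splitlines(), start=1):
        if BRACE_SPACE_RE.search(line):
            findings.append((no, "brace-space"))
        if ELSE_ON_BRACE_LINE_RE.match(line):
            findings.append((no, "else-on-brace-line"))
    return findings


def fix_unlang(text: str) -> str:
    """Equivalent of  sed -e 's/){/) {/g'  plus moving else/elsif onto its own
    line, keeping the indentation of the line it was taken from."""
    text = BRACE_SPACE_RE.sub(") {", text)
    return ELSE_ON_BRACE_LINE_RE.sub(r"\1}\n\1\2", text)


if __name__ == "__main__":
    for no, rule in lint_unlang(SAMPLE_CONFIG):
        print(f"line {no}: {rule}")
    print(fix_unlang(SAMPLE_CONFIG))
```

Run the lint over a copy of raddb before the upgrade: a clean report means the 2.1.11 parser will neither refuse to start nor silently drop a branch that 2.1.10 appeared to accept.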
Re: New FreeRADIUS wiki - Help appreciated!
Hi,

> The github Facebook logins will work, so it should be *much* easier for people to contribute to the Wiki.

Ah! Federated login! Any plans to add OpenID? I have this nice OpenID provider hanging around here...

Stefan
Re: New FreeRADIUS wiki - Help appreciated!
Hi,

> Sure... but we have to hard-code the URL, and register the app. That takes ~10 min, but it needs to be done.

OpenID is different from OAuth (or SAML): it is completely self-asserted. If you enable OpenID on your resource, the user is asked "Which URL can authenticate you" - user enters it, gets redirected there, and comes back with some token when done. So, my identity on OpenID is for example https://clueless.restena.lu/swinter - and that's the input I provide.

The concept is kind of cute, but some people are scared by the self-assertedness of identity.

Stefan

> Alan DeKok.
Bug in proxy code with IPv6?
Hello,

this is about 2.1.10.

In my proxy.conf, I have two clauses for a host (see [1] and [2] below), once with ipaddr for IPv4 and once with ipv6addr for IPv6. If I set the pool to use the IPv4 one (see [3]), packets get proxied just fine. If I replace with IPv6, no packet leaves the server (i.e. tcpdump on the FR machine sees no packet leaving) [4]. With tcpdump not seeing anything, I'm pretty sure that something's wrong inside FR - i.e. not a firewall problem. Host firewall is off anyway. In -X [5], the server *says* it's going to proxy the packet, but a simultaneous tcpdump just doesn't see it, and there's no auth happening.

As soon as I change the proxy pool definition back to the v4 variant, things start working again. That's a bit strange...

Greetings,

Stefan Winter

[1] IPv4 proxy definition:

home_server radius-int-1-v4 {
        type = auth+acct
        ipaddr = 158.64.X.Y
        port = 1812
        secret = ...
        response_window = 20
        zombie_period = 40
        revive_interval = 60
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
}

[2] IPv6 proxy definition:

home_server radius-int-1-v6 {
        type = auth+acct
        ipv6addr = 2001:a18:X:Y::Z
        port = 1812
        secret = ..
        response_window = 20
        zombie_period = 40
        revive_interval = 60
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
}

[3] working pool (the non-working one only replaces -v4 with -v6):

home_server_pool RESTENA-internal {
        type = fail-over
        home_server = radius-int-1-v4
        home_server = ... more servers ...
}

[4] access point tries to auth user, packet goes into FR server, but nothing leaves; in non-proxy operation, server works nicely, see Status-Server reply:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:45:50.592669 IP ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x24 length: 226
14:45:54.644141 IP ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x44 length: 226
14:45:55.590066 IP ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x24 length: 226
14:45:56.985799 IP haldir.restena.lu.59546 > galadriel.restena.lu.radius: RADIUS, Status Server (12), id: 0x00 length: 38
14:45:56.986208 IP galadriel.restena.lu.radius > haldir.restena.lu.59546: RADIUS, Access Accept (2), id: 0x00 length: 20

[5] -X:

Ready to process requests.
rad_recv: Access-Request packet from host 158.64.A.B port 3072, id=126, length=226
        User-Name = certuser-2010-...@restena.lu
        Service-Type = Framed-User
        NAS-IP-Address = 158.64.A.B
        NAS-Port = 3
        NAS-Port-Id = 3
        Called-Station-Id = 00-A0-57-16-91-27:eduroam-restena
        Calling-Station-Id = 64-B9-E8-A0-2E-A4
        Connect-Info = CONNECT 54 Mbps 802.11g
        NAS-Identifier = ap-2.rest
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1500
        EAP-Message = 0x020100210163657274757365722d323031302d3030314072657374656e612e6c75
        Message-Authenticator = 0x181d5b6f8959d9d079807ea00c77bcbc
server eduroam {
# Executing section authorize from file /usr/local/freeradius/config//raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[request] returns notfound
[auth_log]      expand: /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail -> /var/log/radius/radacct/20110511/eduroam-lu-service/auth-detail
[auth_log] /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail expands to /var/log/radius/radacct/20110511/eduroam-lu-service/auth-detail
[auth_log]      expand: %t -> Wed May 11 14:57:05 2011
++[auth_log] returns ok
[suffix] Looking up realm restena.lu for User-Name = certuser-2010-...@restena.lu
[suffix] Found realm restena.lu
[suffix] Adding Realm = restena.lu
[suffix] Proxying request from user certuser-2010-001 to realm restena.lu
[suffix] Preparing to proxy authentication request to realm restena.lu
++[suffix] returns updated
} # server eduroam
# Executing section pre-proxy from file /usr/local/freeradius/config//raddb/sites-enabled/eduroam
+- entering group pre-proxy {...}
++- entering policy cui_pre-proxy {...}
+++? if (Packet-Type == Access-Request)
? Evaluating (Packet-Type == Access-Request) -> TRUE
+++? if (Packet-Type == Access-Request) -> TRUE
+++- entering if (Packet-Type == Access-Request) {...}
        expand: modules.sql[cui].sp_operator_name -> modules.sql[cui].sp_operator_name
        expand: 1%{config:modules.sql[cui].sp_operator_name} -> 1restena.lu
[proxy-request] returns noop
+++- if (Packet-Type == Access-Request) returns noop
++- policy cui_pre-proxy returns noop
[pre_proxy_log]         expand: /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/pre-proxy-detail -> /var/log/radius/radacct/20110511/eduroam-lu-service/pre-proxy-detail
[pre_proxy_log] /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/pre-proxy-detail expands to /var/log/radius/radacct/20110511/eduroam-lu-service/pre-proxy-detail
[pre_proxy_log]         expand: %t -> Wed
Re: Bug in proxy code with IPv6?
Hi,

>> That's a bit strange...
>
> Bug #143, fixed in the v2.1.x branch.

Cool! Looking forward to 2.1.11...

Stefan

> Alan DeKok.
Re: Bug in proxy code with IPv6?
Hi,

> I was going to be reporting the same thing - however, I've delayed since I could only see this behaviour on a VM system so wasn't sure it wasn't a VMWare issue (random UDP thing) - as, the exact same code (2.1.8 through to 2.1.10) on a real physical server didn't show this behaviour. however, if latest 2.1.x code fixes this, then i can certainly try to verify this

Verified only minutes after reading the other Alan's answer - now stuff works.

BTW: The parameter src_ipaddr in home_server {} can also take an IPv6 address as argument, which is quite a blessing for my deployment.

Greetings,

Stefan

> alan
Re: Install new version (2.1.10) to completely different location
Hi,

>> I'm wanting to upgrade to 2.1.10, however, I want to install **all** files to a different location so I don't overwrite **any** 2.1.6 production files.
>
> FreeRADIUS does *not* over-write any production configuration files.

Worth noting though that it will add default files to modules/ and sites-enabled/default inner-tunnel - if you have cleaned-up subdirs and/or renamed things inside sites-enabled, then make install can create some surprises.

Recent versions allow you to rename the source /raddb directory to something else like /raddb-noinst, and a subsequent make install will then not touch raddb.

Greetings,

Stefan Winter
Re: SQL results going ... wrong
Hi,

>>> Thu Apr 14 15:43:07 2011 : Error: rlm_sql: Invalid operator ?x�{?(�{?@�{?D�{?�{?D�{?Z�{?]�{?v�{?swinter for attribute +=
>>> Thu Apr 14 15:43:07 2011 : Error: rlm_sql (sql-aai): Error getting data from database
>>> Thu Apr 14 15:43:07 2011 : Error: [sql-aai] SQL query error; rejecting user
>>
>> Something looks like accessing memory where it better shouldn't.
>
> What character set encodings are you using for the database? I suspect the database is set UTF8 and your default character encoding on the system you are developing FreeRadius is different.

This does definitely not look like a character encoding issue to me. I've seen lots of these, and I'm using the same database structure all around in our production setup. And the characters being transmitted are all good old plain ASCII characters.

If you check the debug output against what's being sent, you'll see striking mismatches: "Invalid operator ... for attribute +=". There is no attribute "+=" - attributes are all RESTENA-AAI-Attribute - which is defined in my dictionaries. The quoted strange-string content contains my username "swinter", but the debug output says it considers this to be part of the operator column.

Sorry, but this is beyond character set badnesses. I'll run the same test case with sql module debug on - maybe that sheds more light into what's going wrong.

Stefan
Re: SQL results going ... wrong
Hi,

> Maybe try an strace or gdb w/ breakpoint. Is there any possibility you're pulling an attribute of 253 bytes from the database, which might be stomping the stack? IIRC rlm_sql should prevent that itself, but maybe there are holes in the code.

Good idea, but that wasn't it... A mix of D'oh and insufficient input checks by FR.

My mistake was that my table had 4 columns - which contained all the value I cared for, but FreeRADIUS expects 5 - an id column as first. It also expects this first column to be the row denomination integer, but it got a string from me.

I fixed my schema/view and things work just fine now. But: how about a sanity check for SQL along with a more adequate error message?

Greetings,

Stefan Winter
SQL results going ... wrong
Hi,

I'm just implementing a new virtual server with a slightly complex query and sizable result set coming back in radreply. The query goes out as expected, and the MySQL reply is well-formed and looks as expected in wireshark when it comes back. But the debug output is ... interesting:

Thu Apr 14 15:43:07 2011 : Info: [sql-aai] User found in radcheck table
Thu Apr 14 15:43:07 2011 : Info: [sql-aai]      expand: SELECT * FROM reply_aai_firstname WHERE username='%{SQL-User-Name}' UNION ALL SELECT * FROM reply_aai_lastname WHERE username='%{SQL-User-Name}' UNION ALL SELECT * FROM reply_aai_mail WHERE username='%{SQL-User-Name}' UNION ALL SELECT * FROM reply_aai_eduPersonAffiliation WHERE username='%{SQL-User-Name}' -> SELECT * FROM reply_aai_firstname WHERE username='swinter' UNION ALL SELECT * FROM reply_aai_lastname WHERE username='swinter' UNION ALL SELECT * FROM reply_aai_mail WHERE username='swinter' UNION ALL SELECT * FROM reply_aai_eduPersonAffiliation WHERE username='swinter'
Thu Apr 14 15:43:07 2011 : Error: rlm_sql: Invalid operator ?x�{?(�{?@�{?D�{?�{?D�{?Z�{?]�{?v�{?swinter for attribute +=
Thu Apr 14 15:43:07 2011 : Error: rlm_sql (sql-aai): Error getting data from database
Thu Apr 14 15:43:07 2011 : Error: [sql-aai] SQL query error; rejecting user

Something looks like accessing memory where it better shouldn't.

If I execute the xlated query on the MySQL server directly, the result looks beautiful:

+----------+-----------------------+----+----------------------------------------------------------------+
| username | attribute             | op | value                                                          |
+----------+-----------------------+----+----------------------------------------------------------------+
| swinter  | RESTENA-AAI-Attribute | += | urn:oid:2.5.4.42='Stefan'                                      |
| swinter  | RESTENA-AAI-Attribute | += | urn:oid:2.5.4.4='Winter'                                       |
| swinter  | RESTENA-AAI-Attribute | += | urn:oid:0.9.2342.19200300.100.1.3='stefan.win...@education.lu' |
| swinter  | RESTENA-AAI-Attribute | += | urn:oid:1.3.6.1.4.1.5923.1.1.1.1='member'                      |
+----------+-----------------------+----+----------------------------------------------------------------+

So it must go wrong somewhere in the server. That same server executes many many other SQL queries of the radcheck style without issues. This is the first time I'm using a radreply query though.

Version is 2.1.10. mysql client lib is so old I'm too ashamed to tell here.

So... any known badnesses in MySQL/radreply? Anything I should do (besides updating mysql client libs, which has right now popped near the top of my TODO list)?

Greetings,

Stefan Winter
Re: Help me with Access-Challenge configuration
Hi,

> My simple question: How to configure freeRADIUS server so it replay access-challenge message on access-request from a client?

Alan's problem with this simple question of yours is that it's not just simple, but simplistic. RADIUS can convey *many different* authentication protocols which are all using an Access-Challenge to send challenge data back. The content of the Access-Challenge, and the configuration needed for that specific Access-Challenge, is significantly different. The fact that you ask the question like you did is a strong indication that you don't know about this fact.

Please ask a question like

- How to configure freeRADIUS server so it replies with a CHAP access-challenge message on access-request from a client?
- How to configure freeRADIUS server so it replies with a MS-CHAP access-challenge message on access-request from a client?
- How to configure freeRADIUS server so it replies with a MS-CHAPv2 access-challenge message on access-request from a client?
- How to configure freeRADIUS server so it replies with a EAP-TLS access-challenge message on access-request from a client?
- How to configure freeRADIUS server so it replies with a EAP-TTLS access-challenge message on access-request from a client?
- How to configure freeRADIUS server so it replies with a PEAP access-challenge message on access-request from a client?

See? You need to be more specific in your question before anyone here can give you an answer. Or better yet, read up on RADIUS, and/or EAP methods, and *then* ask a well-informed question.

Greetings,

Stefan Winter
Re: PEAP/MSCHAPv2 problem
Hi,

> The complete certification path is installed on the client. The client don't have an extra client certificate, server certificate check is turned off in wireless settings.

Turned off? Thanks, that's a new piece of info! That would hint towards a different problem indeed.

> Original radius works fine, with both SSIDs, new radius does not. So what's wrong?

The debug output still points towards: the client doesn't want to speak to the server after starting the EAP conversation. If it's not a certificate problem, something else is different between the two RADIUS servers. What did you do after cloning the VM? Did you upgrade FreeRADIUS from an older version maybe?

It would certainly help if you could post the debug output of the old server vs. the new one; for the EAP conversation in its entirety, not just the last packet exchange.

If you positively want to rule out that the certificate change was the problem, you could, if your CA's policy allows, install the old server's certificate on the new instance. For IEEE 802.1X, there is no requirement that DNS names and CN/subjectAltNames match.

Greetings,

Stefan Winter
Re: PEAP/MSCHAPv2 problem
Hello,

> rad_recv: Access-Request packet from host ... port 32769, id=219, length=159
>         User-Name = xy
> [...]
>         EAP-Message = 0x0202000b01737461646572

It would also help not to mangle the debug output by hand, if that's what happened here. The EAP-Message's EAP-Response/Identity says the username is "stader", while the RADIUS User-Name attribute says "xy"? If that is *really* what came in over the wire, your Controller is doing dumb things. If it was manual editing, please stop doing that, it really doesn't help us helping you. Or mangle the EAP-Response/Identity to be consistent with your other edit, at least :-)

Greetings,

Stefan Winter

>         Message-Authenticator = 0xe5b0ffbed84243bf27ac1ac9c9fcd0b5
> server eduroam {
> # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam
> +- entering group authorize {...}
> [suffix] No '@' in User-Name = xy, looking up realm NULL
> [suffix] Found realm NULL
> [suffix] Adding Realm = NULL
> [suffix] Authentication realm is LOCAL.
> ++[suffix] returns ok
> ++[mschap] returns noop
> [eap] EAP packet type response id 2 length 11
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/eduroam
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> } # server eduroam
> Sending Access-Challenge of id 219 to ... port 32769
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x
>         State = 0x3abc7e1c3abf6764392496688aff7b3f
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host ... port 32769, id=219, length=159
> Sending duplicate reply to client WLC-TUT port 32769 - ID: 219
> Sending Access-Challenge of id 219 to ... port 32769
> Waking up in 2.0 seconds.
> Cleaning up request 0 ID 219 with timestamp +3
> WARNING: !!
> WARNING: !! EAP session for state 0x3abc7e1c3abf6764 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!
> Ready to process requests.
>
> eap.conf:
>
> eap {
>         default_eap_type = peap
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>         md5 {
>         }
>         tls {
>                 certdir = /etc/hostcertkey
>                 cadir = /etc/cacert
>                 dh_file = ${certdir}/dh
>                 private_key_file = ${certdir}/roaming.key
>                 certificate_file = ${certdir}/roaming.pem
>                 CA_file = ${cadir}/chain.txt
>                 dh_file = ${certdir}/dh
>                 random_file = /dev/urandom
>                 fragment_size = 1024
>                 include_length = yes
>                 check_crl = no
>                 cipher_list = DEFAULT
>         }
>         ttls {
>                 default_eap_type = mschapv2
>                 copy_request_to_tunnel = yes
>                 #use_tunneled_reply = yes
>                 virtual_server = eduroam-inner-tunnel
>         }
>         peap {
>                 default_eap_type = mschapv2
>                 copy_request_to_tunnel = yes
>                 #use_tunneled_reply = yes
>                 #proxy_tunneled_request_as_eap = yes
>                 virtual_server = eduroam-inner-tunnel
>         }
>         mschapv2 {
>         }
> }
Re: I need help and some advice !!!
Hi,

> it still didn't work. when I separate command at clients.conf
>
> client localhost {
>         ipaddr = 127.0.0.1
>         secret = testing
> }
>
> client localhost {
>         ipv6addr = ::1
>         secret = testing123
> }
>
> result:
> radclient: Failed to find ip address for host ::1: success

Give the two clients different names, otherwise, the server may well get confused. How about:

client localhost-v4 {
        ipaddr = 127.0.0.1
        secret = testing
}

client localhost-v6 {
        ipv6addr = ::1
        secret = testing123
}

?

Stefan

> so I really confuse now. what i've done wrong and missing some config ? please. HELP ME
>
> thank you so much..
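Duplicate client names of the kind shown above are easy to catch before the server is started. The block below is an added example, not FreeRADIUS code: a minimal scanner for the flat "client NAME { key = value }" shape that reports repeated names and applies the -v4/-v6 renaming suggested in the reply. The sample text is the clients.conf fragment from the thread; nested sections and other clients.conf features are not handled.

```python
"""Added example (not FreeRADIUS code): find client {} blocks that share a
name in a clients.conf fragment and rename them by address family.
Handles only the flat "client NAME { key = value }" shape.
"""
import re
from typing import Dict, List, Tuple

BLOCK_OPEN_RE = re.compile(r"^\s*client\s+(\S+)\s*\{\s*$")
KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.+?)\s*$")

# The configuration posted in the thread (two blocks named "localhost").
SAMPLE_BAD = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing
}
client localhost {
    ipv6addr = ::1
    secret = testing123
}
"""


def parse_clients(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (name, {key: value}) per block, in file order."""
    clients: List[Tuple[str, Dict[str, str]]] = []
    current: Dict[str, str] = {}
    name = None
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0].rstrip()   # drop comments
        if not stripped:
            continue
        m = BLOCK_OPEN_RE.match(stripped)
        if m:
            if name is not None:
                raise ValueError(f"line {no}: nested client block")
            name, current = m.group(1), {}
            continue
        if stripped.strip() == "}":
            if name is None:
                raise ValueError(f"line {no}: unexpected '}}'")
            clients.append((name, current))
            name = None
            continue
        m = KEY_VALUE_RE.match(stripped)
        if m and name is not None:
            current[m.group(1)] = m.group(2)
        else:
            raise ValueError(f"line {no}: cannot parse {line!r}")
    if name is not None:
        raise ValueError("unterminated client block")
    return clients


def duplicate_client_names(text: str) -> List[str]:
    """Names used by more than one client block, in order of first repetition."""
    seen, dups = set(), []
    for name, _ in parse_clients(text):
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def render_clients(clients: List[Tuple[str, Dict[str, str]]]) -> str:
    out = []
    for name, kv in clients:
        out.append(f"client {name} {{")
        out.extend(f"    {k} = {v}" for k, v in kv.items())
        out.append("}")
    return "\n".join(out) + "\n"


def rename_duplicates(text: str) -> str:
    """Suffix repeated names with -v4 / -v6 from the address key they declare
    (the fix suggested in the reply), or with a counter if neither is present."""
    dups = set(duplicate_client_names(text))
    counter: Dict[str, int] = {}
    renamed = []
    for name, kv in parse_clients(text):
        if name in dups:
            if "ipaddr" in kv:
                suffix = "v4"
            elif "ipv6addr" in kv:
                suffix = "v6"
            else:
                counter[name] = counter.get(name, 0) + 1
                suffix = str(counter[name])
            name = f"{name}-{suffix}"
        renamed.append((name, kv))
    return render_clients(renamed)


if __name__ == "__main__":
    print("duplicates:", duplicate_client_names(SAMPLE_BAD))
    print(rename_duplicates(SAMPLE_BAD))
```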
Re: PEAP/MSCHAPv2 problem
Hi,

> No, the machines are identical, only changed IP, hostname and certificates. No updates or something.

Okay...

> I put the debug output in appendix. Sorry i had to remove passwords and IPs because of security reasons, i think you will understand ;-)

That part of mangling is okay :-)

>> If you positively want to rule out that the certificate change was the problem, you could, if your CA's policy allows, install the old server's certificate on the new instance. For IEEE 802.1X, there is no requirement that DNS names and CN/subjectAltNames match.
>
> This was the first thing i tried...

Good!

Looking at the output, things become clearer. The conversation ends when the server tries to send the first Access-Challenge packet to the client. It seems like that packet never gets there - and so the client retransmits the same Request over and over again. The server then repeatedly tries to re-send its reply, but again, it never seems to get there.

Make sure that the changed IP address doesn't lead to some firewall (host FW? net FW? Cisco Controller's ACLs?) eating the responses.

At least it is now apparent that it's not a certificate issue - the EAP conversation doesn't even get far enough to send certificate data at all.

In any case, I don't think the FreeRADIUS server process is to be blamed - it sends a well-formed response to a reasonable request. Something's wrong between the server OS and the supplicant.

Greetings,

Stefan Winter
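The reasoning in this reply (the NAS retransmits the same request id, the server answers "Sending duplicate reply", and the session ends unfinished without ever getting past the first challenge) can be applied to a -X excerpt mechanically. The block below is an added example, not FreeRADIUS code: it parses the request/challenge/duplicate/unfinished lines and separates "the client never saw our Access-Challenge" from "the client got past the first challenge and then dropped the conversation", which is where the certificate-compatibility warning would actually apply. The classification rule is this example's own heuristic; SAMPLE_STALLED is built from the lines quoted earlier in this thread, SAMPLE_PROGRESSED is constructed.

```python
"""Added example (not FreeRADIUS code): classify a radiusd -X excerpt to tell
"the client never saw our Access-Challenge" from "the client got past the
first challenge and then dropped the TLS conversation". The rule is this
example's heuristic; SAMPLE_STALLED is built from the thread's quoted lines,
SAMPLE_PROGRESSED is constructed.
"""
import re
from typing import Dict, List, Tuple

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
CHALLENGE_RE = re.compile(r"^Sending Access-Challenge of id (\d+)")
DUPLICATE_RE = re.compile(r"^Sending duplicate reply to client (\S+) port (\d+) - ID: (\d+)")
UNFINISHED_RE = re.compile(r"^WARNING: !! EAP session for state (\S+) did not finish!")

# Lines quoted earlier in the thread (addresses masked by the original poster).
SAMPLE_STALLED = """\
rad_recv: Access-Request packet from host ... port 32769, id=219, length=159
Sending Access-Challenge of id 219 to ... port 32769
Finished request 0.
Going to the next request
rad_recv: Access-Request packet from host ... port 32769, id=219, length=159
Sending duplicate reply to client WLC-TUT port 32769 - ID: 219
Sending Access-Challenge of id 219 to ... port 32769
Cleaning up request 0 ID 219 with timestamp +3
WARNING: !! EAP session for state 0x3abc7e1c3abf6764 did not finish!
"""

# Constructed: the client answers the first challenge (new id 31) and then stops.
SAMPLE_PROGRESSED = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 32769, id=30, length=159
Sending Access-Challenge of id 30 to 192.0.2.10 port 32769
rad_recv: Access-Request packet from host 192.0.2.10 port 32769, id=31, length=1100
Sending Access-Challenge of id 31 to 192.0.2.10 port 32769
Cleaning up request 1 ID 31 with timestamp +9
WARNING: !! EAP session for state 0x0102030405060708 did not finish!
"""


def analyse_debug(text: str) -> Dict[str, object]:
    """Walk the excerpt once and derive a verdict from the packet sequence."""
    events: List[Tuple[str, int]] = []   # ("recv"|"challenge", radius id) in order
    duplicates = 0
    unfinished = False
    for line in text.splitlines():
        line = line.strip()
        m = RECV_RE.match(line)
        if m:
            events.append(("recv", int(m.group(3))))
            continue
        m = CHALLENGE_RE.match(line)
        if m:
            events.append(("challenge", int(m.group(1))))
            continue
        if DUPLICATE_RE.match(line):
            duplicates += 1
        elif UNFINISHED_RE.match(line):
            unfinished = True

    # Did any request with a *new* id arrive after the first challenge went out?
    # A NAS retransmission keeps the old id; a real EAP response gets a new one.
    first = next((i for i, e in enumerate(events) if e[0] == "challenge"), None)
    progressed = False
    if first is not None:
        cid = events[first][1]
        progressed = any(e[0] == "recv" and e[1] != cid for e in events[first + 1:])

    if not unfinished:
        verdict = "inconclusive"
    elif progressed:
        verdict = "client-aborted-after-first-challenge"
    elif duplicates > 0:
        verdict = "challenge-not-reaching-client"
    else:
        verdict = "client-silent-after-challenge"
    return {"verdict": verdict, "duplicates": duplicates,
            "progressed": progressed, "unfinished": unfinished}


if __name__ == "__main__":
    print(analyse_debug(SAMPLE_STALLED))
    print(analyse_debug(SAMPLE_PROGRESSED))
```

"challenge-not-reaching-client" points at the path between the server and the NAS (host firewall, network firewall, controller ACLs), as the reply above concludes; only "client-aborted-after-first-challenge" is worth spending time on the certificate side.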
Re: PEAP/MSCHAPv2 problem
Hi,

PEAP can work with or without client certs. Both run through the tls instance; that is no error. The problem is much rather here:

> Sending Access-Challenge of id 219 to ... port 32769
> Waking up in 2.0 seconds.
> Cleaning up request 0 ID 219 with timestamp +3
> WARNING: !!
> WARNING: !! EAP session for state 0x3abc7e1c3abf6764 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!
> Ready to process requests.

The client probably doesn't like the server certificate, and stops talking to the server. When you cloned your RADIUS server, did you give the clone a different certificate afterwards? FreeRADIUS will generate a sample one on first start. If your client only trusts the old one, it won't talk to the new one...

Greetings,

Stefan Winter

> eap.conf:
>
> eap {
>         default_eap_type = peap
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>         md5 {
>         }
>         tls {
>                 certdir = /etc/hostcertkey
>                 cadir = /etc/cacert
>                 dh_file = ${certdir}/dh
>                 private_key_file = ${certdir}/roaming.key
>                 certificate_file = ${certdir}/roaming.pem
>                 CA_file = ${cadir}/chain.txt
>                 dh_file = ${certdir}/dh
>                 random_file = /dev/urandom
>                 fragment_size = 1024
>                 include_length = yes
>                 check_crl = no
>                 cipher_list = DEFAULT
>         }
>         ttls {
>                 default_eap_type = mschapv2
>                 copy_request_to_tunnel = yes
>                 #use_tunneled_reply = yes
>                 virtual_server = eduroam-inner-tunnel
>         }
>         peap {
>                 default_eap_type = mschapv2
>                 copy_request_to_tunnel = yes
>                 #use_tunneled_reply = yes
>                 #proxy_tunneled_request_as_eap = yes
>                 virtual_server = eduroam-inner-tunnel
>         }
>         mschapv2 {
>         }
> }
Re: PEAP/MSCHAPv2 problem
Hi,

>> The solution to the problem is simple. The answer is in front of you.
>>
>> Alan DeKok.
>
> Looks like i'm blind...please give me a hint ;-)

Dude... supplicants are typically configured to trust only the exact one certificate that is in the RADIUS Server (CN=... is in the supplicant conf). If you change the Subject in the cert... the supplicant won't like it any more.

Stefan
rlm_linelog and syslog over UDP
Hi,

are there any plans to add logging to *remote* syslog servers to the rlm_linelog module? Would be kinda cute; we want to log authentication results to a central statistics collection host - and going through re-send on the local syslog instance is a superfluous extra step.

Greetings,

Stefan Winter
Re: Riverbed console authentication, encrypted User-Password
Hi,

> I have been asked if our Riverbed console users can also be authenticated through freeRadius. Riverbed has RiOS running, which is almost Cisco IOS and a Radius Server can be configured so I did. In freeRadius I added the Riverbed as client but unfortunately it was not that easy (is it ever?).
>
>     rad_recv: Access-Request packet from host 10.1.1.27 port 9538, id=37, length=71
>         User-Name = username
>         User-Password = /\227\334\377\374\302\343\204\345\001'O\227
>         NAS-Identifier = webasd
>         NAS-Port = 8513
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
>
> That is not the password I entered; my conclusion is that Riverbed encrypts the password before the entire request is encrypted using the shared secret.

This looks like a typical case of shared secret mismatch. Are you *sure* that the shared secret is exactly the same on RiOS and FreeRADIUS?

> I cannot find a way to change how Riverbed sends the request, though I am writing a ticket there as well. My question to you: can freeRadius work with encrypted passwords?

It can, in a multitude of ways. None of these ways is about en-/decrypting the password within the User-Password attribute though. That is very odd. My strong guess is a shared secret mismatch instead.

Greetings,

Stefan Winter
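To see why a wrong shared secret produces exactly the kind of dump quoted above, here is the RFC 2865 section 5.2 User-Password hiding carried through in Python. It is an added example, not code from the mail, from Riverbed or from FreeRADIUS. The NAS does not encrypt the password on its own: it XORs the NUL-padded password, 16 bytes at a time, against MD5(secret + Request-Authenticator) and then MD5(secret + previous ciphertext block), and the server reverses that with its own copy of the secret. With mismatched secrets every block decodes to noise, which radiusd prints as octal escapes. The secret, password and authenticator in the block are constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding, and what a wrong secret looks like.

Added example; not code from the mail, from Riverbed or from FreeRADIUS.
A NAS does not encrypt the password on its own: it XORs the NUL-padded
password, 16 bytes at a time, against MD5(secret + Request-Authenticator)
and then MD5(secret + previous ciphertext block). The server undoes that
with its copy of the secret. If the two secrets differ, every block comes
out as 16 bytes of noise, which is what the dump in the mail shows.
The secret, password and authenticator used below are constructed.
"""
import hashlib

BLOCK = 16


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request-Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain run backwards. Trailing NULs are padding,
    so a password that itself ends in NUL bytes cannot be represented."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    if len(authenticator) != BLOCK:
        raise ValueError("Request-Authenticator must be 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def looks_like_secret_mismatch(revealed: bytes) -> bool:
    """Heuristic a server can log on: a real password is printable ASCII,
    a wrong-secret decode almost never is."""
    return not revealed or any(b < 0x20 or b > 0x7e for b in revealed)


def freeradius_escape(data: bytes) -> str:
    """Render bytes the way radiusd -X prints string attributes: printable
    ASCII as-is, backslash/tab/newline/CR C-style, anything else as a
    three-digit octal escape (so 0x97 becomes \\227, as in the quoted dump)."""
    special = {0x5c: "\\\\", 0x09: "\\t", 0x0a: "\\n", 0x0d: "\\r"}
    parts = []
    for b in data:
        if b in special:
            parts.append(special[b])
        elif 0x20 <= b <= 0x7e:
            parts.append(chr(b))
        else:
            parts.append("\\%03o" % b)
    return "".join(parts)


if __name__ == "__main__":
    secret, authenticator = b"testing123", bytes(range(16))   # constructed
    hidden = hide_user_password(b"Sup3rSecret!", secret, authenticator)
    for candidate in (secret, b"testing124"):
        pw = reveal_user_password(hidden, candidate, authenticator)
        print(candidate.decode(), "->", freeradius_escape(pw),
              "(mismatch?)" if looks_like_secret_mismatch(pw) else "")
```

The dump in the mail shows exactly one block of 16 bytes, most of them outside printable ASCII; that is the signature of the server decoding with a different secret than the NAS used, not of a second layer of encryption.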
Re: strategy question
Hi,

> Makes sense to me. Will you be using MAC Auth Bypass for printers and other dumb devices?

Commenting on dumb printers... there's been some nice work even in that area. If you're lucky enough to have HP printers, the NICs can meanwhile do 802.1X just fine. Even the JetDirect 620n (which I understand is the entry-level thing) does PEAP:

http://h10010.www1.hp.com/wwpc/us/en/sm/WF06b/18972-18972-236253-34213-236264-378355-378357-1838265.html

And if you throw in another 80 USD, you'll even get ... insert drum roll ... IPv6!

http://h10010.www1.hp.com/wwpc/us/en/sm/WF06b/18972-18972-236253-34213-236264-500078-500091-1838264.html

Stefan

> -----Original Message-----
> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of localh...@mac.hush.com
> Sent: Monday, February 07, 2011 1:08 PM
> To: freeradius-users@lists.freeradius.org
> Subject: strategy question
>
> In a project with some larger customer sites 802.1x authentication shall be introduced. There are about 10 sites with roughly 500 employees each. It is expected that at least 5 to 10% of the PCs may cause problems when 802.1x authentication is activated. To identify those PCs in advance the idea is to have the switches ask the freeradius server for authentication. For two weeks or so the radius shall accept all the requests, even if they fail because of invalid certificates. The failure shall be reported. During this time the operating staff may solve the problems with the PCs. After that period the problems are hopefully solved and the radius shall do real authentication.
>
> Is this an idea that makes sense? Are there technical restrictions that would prevent such an approach?
>
> -lh
Re: rlm_realm module, Realm attr value
Hello,

> Thanks for your comments. Being able to differentiate a path the request is about to take is a real need. I've had an impression %{control:Proxy-To-Realm} can be referenced to get this particular information. Please correct me in case I need to pick up on the intended attribute content and its use.

Seems like the term Realm is used in an overloaded manner: on the one hand, it's the user-supplied character string; on the other hand it's a named instance of the realm module.

Looks like up until 2.1.8, the AVP Realm was always created with Realm-the-character-string as it came from the request, but with 2.1.9, this changed to Realm-the-instance-name.

Problem is, both of these can be valuable somehow, and need to be addressable. In a rlm_linelog, I care about logging the actual input; at other places, I may want to check which path the packet will take.

In short, I think there should be two attributes: one to contain the instance name, one with the string. Using unlang is of course possible, but clumsy - it worked without before.

Greetings,

Stefan Winter
Re: configure output summary
Hi,

>> But newcomers aren't that trained yet.
>
> Perhaps you should change your course material?

I wasn't referring to my course in particular. It's just one instance where I can see how innocent users perceive things when they come across them for the first time. I.e. you should read "newcomers" as people who compile FreeRADIUS for the first time. Not all these first-timers have previously attended my course, so changing my course material doesn't solve the general problem.

Greetings,

Stefan
Re: Chargeable-User-Identity implementation
Hi,

> From my perspective, Chargeable-User-Identity is something that should be logged with the 'custom' SQL logging rules being used.

Slipping it into a separate table somehow feels weird; I guess that's what makes me a packet-pusher and someone else a database guru :)

The question is: where to put it. The CUI information comes with the Access-Accept, and needs to be stored before the first accounting packet (if any) arrives at the server. So it can't be an extra column in any accounting query. SQL logging in post-auth would be an option. But that usually doesn't store the necessary bits to retrofit the incoming accounting queries with the CUI value (Calling-Station-Id being one thing that needs to be logged alongside, to correlate the auth and acct). So that requires a new structure for radpostauth - which is certainly a possibility. I just wonder how much people fancy it if the radpostauth structure changes between releases - it hasn't changed in a long while now.

> * I thought Client-IP-Address was deprecated and we all should be using '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}'

Humm. That deserves updating the code :-)

> * section 2.1 of RFC 4372 lets you be awkward about mis-matching CUIs and offers you the option to Reject :)

That's the paragraph for re-authentications, right? i.e.

    Upon receiving a non-nul CUI value in an Access-Request, the home RADIUS server MAY verify that the value of CUI matches the CUI from the previous Access-Accept. If the verification fails, then the RADIUS server SHOULD respond with an Access-Reject message.

I don't think that is essential or even clever to implement. A home server is allowed to change its CUIs after a (long) while. Now what happens if a user authenticated with one value for his CUI, the home server meanwhile rolled over to a new CUI, and then the client reauthenticates? Rejecting the re-auth is rather drastic, and out of the control of the user in question.

> * not too sure about the outer.request bits. It seems cleaner to get the inner layer to return just the User-Name to the outer layer; the outer layer can then add the CUI bits (as if it was a non-EAP request) and trim the User-Name in the reply packet before it sends out the Access-Accept

The code in that section is the result of a rather long and fruitful trial-and-error: there are EAP methods which don't have an inner method. Some other EAP types generate the CUI value not in the last inner-tunnel packet, but the penultimate one. I'm not the one who implemented it, but I know that much pain has gone into testing and refining these statements. But this doesn't preclude advancing the implementation even more, of course. I'd be happy to have *some* implementation in the mainline release eventually, and then take it from there.

> * I never thought to add Operator-Name as part of the hash key for CUI, noted for myself, ta
>
> * not sure about even having cui_require_operator_name as the user's realm would tell you who you need to pester surely?

No, the user's realm gives the Service Provider an idea who the responsible Identity Provider is. Operator-Name gives the Identity Provider an idea which Service Provider to pester.

The require part of this is due to privacy considerations: if Operator-Name is not in the packet, CUI for a user will be the same *at all Service Provider locations* - enabling tracking mobility profiles. As an Identity Provider you could say: I'll only release CUI if I can do it per Service Provider to prevent tracking - and the require option allows you to make just that happen.

Greetings,

Stefan Winter

> My approach is a bit more softly-softly (although I will admit it has not had any field testing); most of the brains is here in policy.conf:
>
>     cui {
>         if (Realm == "%{config:local.MY.realm}") {
>             update control {
>                 # md5(cui_hash_key + user@realm)
>                 Chargeable-User-Identity := "%{md5:%{config:local.MY.cui_hash_key}%{tolower:%{%{reply:User-Name}:-%{request:User-Name}}}}"
>             }
>             if ((request:Chargeable-User-Identity)) {
>                 update reply {
>                     Chargeable-User-Identity := "%{control:Chargeable-User-Identity}"
>                 }
>                 if (request:Chargeable-User-Identity != "\\000") {
>                     if (request:Chargeable-User-Identity != reply:Chargeable-User-Identity) {
>                         update reply {
>                             Reply-Message := "CUI Mismatch"
>                         }
>                         reject
>                     }
>                 }
>             }
>             else {
>                 update request
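The privacy argument above (same CUI at every Service Provider unless Operator-Name goes into the hash) and the quoted policy's handling of a CUI echoed back in an Access-Request can be seen end to end in a few lines of Python. This is an added example, not the policy.conf quoted above and not FreeRADIUS code. It keeps the shape of that policy, a keyed digest over the lower-cased canonical user name (reply User-Name if the inner method set one, else the request User-Name), but folds Operator-Name (RFC 5580) into the input and models cui_require_operator_name by releasing nothing when no Operator-Name is present. HMAC-SHA256 truncated to 32 hex characters is my choice where the quoted policy uses md5(key + name). The hash key, realm and operator names are constructed.

```python
"""Per-Service-Provider Chargeable-User-Identity (RFC 4372) with Operator-Name.

Added example; not the policy.conf quoted above and not FreeRADIUS code. It
keeps the shape of that policy, a keyed digest over the lower-cased
canonical user name, but folds Operator-Name (RFC 5580) into the input so the
same user gets a different CUI at every Service Provider and cannot be
tracked across them, and it models cui_require_operator_name: with no
Operator-Name the Identity Provider releases nothing. HMAC-SHA256 truncated
to 32 hex chars is my choice; the quoted policy uses md5(key + name). The
hash key, realm and operator names below are constructed.
"""
import hashlib
import hmac

NUL_CUI = b"\x00"   # RFC 4372: a NAS sends a one-octet nul CUI to ask for one


def canonical_user(request_user_name, reply_user_name=None):
    """%{%{reply:User-Name}:-%{request:User-Name}} from the quoted policy,
    lower-cased as %{tolower:...} does."""
    return (reply_user_name or request_user_name).lower()


def derive_cui(hash_key, user_name, operator_name=None, require_operator_name=True):
    """Return the CUI (32 hex chars, as bytes) for user_name as seen from
    operator_name, or None when the policy refuses to release one."""
    name = user_name.lower().encode()
    if operator_name is None:
        if require_operator_name:
            return None          # release nothing rather than a cross-SP trackable value
        material = name
    else:
        # Operator-Name first plus a separator, so "a"+"bc" and "ab"+"c" differ.
        material = operator_name.encode() + b"\x00" + name
    return hmac.new(hash_key, material, hashlib.sha256).hexdigest()[:32].encode()


def answer_cui(request_cui, issued_cui):
    """What to do with the CUI echoed in an Access-Request (RFC 4372 section 2.1).

    'issue':    the NAS sent the nul CUI and wants one.
    'match':    it echoed the value we currently derive.
    'mismatch': stale (hash-key rollover) or foreign value. The RFC says a
                mismatch SHOULD reject; the caller may prefer to re-issue,
                since a rollover is not the user's fault.
    """
    if request_cui is None:
        return ("absent", None)
    if request_cui == NUL_CUI:
        return ("issue", issued_cui)
    if issued_cui is not None and hmac.compare_digest(request_cui, issued_cui):
        return ("match", issued_cui)
    return ("mismatch", issued_cui)


if __name__ == "__main__":
    key = b"constructed-hash-key"                      # constructed
    user = canonical_user("anonymous@example.edu", "Alice@example.edu")
    for sp in ("1sp-one.example", "1sp-two.example"):  # constructed Operator-Names
        print(sp, derive_cui(key, user, sp).decode())
    print("no Operator-Name, require:", derive_cui(key, user))
    print("no Operator-Name, don't require:", derive_cui(key, user, require_operator_name=False).decode())
    old = derive_cui(b"previous-hash-key", user, "1sp-one.example")
    print("after key rollover:", answer_cui(old, derive_cui(key, user, "1sp-one.example"))[0])
```

Without Operator-Name (and require_operator_name off) the value is the same wherever the user roams, which is the tracking problem described above; with it, each Service Provider sees its own value and only the Identity Provider can link them.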
Re: Accounting and Acct-Delay-Time in MySQL
Hi,

> I'd re-visit the entire accounting table queries. Create a *new* table, so that people don't have surprises when they upgrade. Ideally, it should be robust in the face of duplicate packets, and packets forwarded via 2 different paths (think radrelay + delays)

Okay, I'll see what I can do.

One thing I noticed is that the default schema has a column

    xascendsessionsvrkey varchar(10) default NULL,

A VSA of a vendor that's long dead? This is one column that I would wipe out. If some people find they need it, they can always modify the tables to their (peculiar ;-) ) needs. No reason to push this column into every FreeRADIUS installation on the planet.

Another thing I miss very much is in radpostauth:

* some gear sends a different User-Name attribute in its reply than was in the request. It would be good to have these two names correlated easily, at least for forensics. Adding a column reply-username would do a lot of good here.
* callingstationid would also be nice to have
* and an indication which NAS the user used to log in (and/or which virtual server was used to handle the request)

All of that is info one typically has to dig out of detail files, which is much more cumbersome than having it in SQL.

Any thoughts here?

Greetings,

Stefan

> Alan DeKok.
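The three radpostauth additions asked for above (reply User-Name, Calling-Station-Id, NAS) are exactly what makes an accounting session attributable to the authentication that admitted it, and they are also what the Chargeable-User-Identity thread further up needs: the CUI arrives with the Access-Accept, so it has to be stored at post-auth time and attached to accounting sessions that start later. The following is an added example serving both threads; it is not the FreeRADIUS schema and not code from any of the mails. It builds such a radpostauth next to a minimal radacct in SQLite (so it runs anywhere) and joins them by station, NAS and time. All rows are constructed, and the column names beyond the stock radpostauth (replyusername, callingstationid, nasipaddress, cui) are my choice.

```python
"""A radpostauth layout with reply User-Name, Calling-Station-Id, NAS and
CUI, and the join that uses them to attribute accounting sessions.

Added example, not the FreeRADIUS schema and not from any of the mails.
SQLite is used so this runs offline; all rows are constructed and the extra
column names (replyusername, callingstationid, nasipaddress, cui) are my
choice.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radpostauth (
    id               INTEGER PRIMARY KEY,
    username         TEXT NOT NULL,   -- outer identity as sent in the request
    replyusername    TEXT,            -- User-Name the server put in the reply, if any
    callingstationid TEXT,
    nasipaddress     TEXT,
    cui              TEXT,            -- Chargeable-User-Identity from the Access-Accept
    reply            TEXT NOT NULL,   -- Access-Accept / Access-Reject
    authdate         TEXT NOT NULL
);
CREATE TABLE radacct (
    radacctid        INTEGER PRIMARY KEY,
    acctsessionid    TEXT NOT NULL,
    username         TEXT NOT NULL,
    callingstationid TEXT,
    nasipaddress     TEXT,
    acctstarttime    TEXT NOT NULL,
    acctstoptime     TEXT
);
CREATE INDEX radpostauth_csid ON radpostauth (callingstationid, nasipaddress, authdate);
"""

# Constructed rows. The same MAC authenticates twice as two different inner
# users (a shared device), which is why the join must also respect time.
POSTAUTH_ROWS = [
    ("anonymous@example.edu", "alice@example.edu", "00-88-65-42-50-88", "192.0.2.10", "cui-1f3a", "Access-Accept", "2013-09-17 13:36:25"),
    ("bob@example.edu", None, "00-11-22-33-44-55", "192.0.2.10", None, "Access-Reject", "2013-09-17 13:37:00"),
    ("anonymous@example.edu", "carol@example.edu", "00-88-65-42-50-88", "192.0.2.10", "cui-9c0e", "Access-Accept", "2013-09-17 15:00:00"),
]
ACCT_ROWS = [
    ("sess-1", "anonymous@example.edu", "00-88-65-42-50-88", "192.0.2.10", "2013-09-17 13:36:27", "2013-09-17 14:10:00"),
    ("sess-2", "anonymous@example.edu", "00-88-65-42-50-88", "192.0.2.10", "2013-09-17 15:00:02", None),
    ("sess-3", "ghost@example.edu", "00-de-ad-be-ef-00", "192.0.2.10", "2013-09-17 16:00:00", None),  # never authenticated
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radpostauth (username, replyusername, callingstationid, nasipaddress, cui, reply, authdate)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)", POSTAUTH_ROWS)
    conn.executemany(
        "INSERT INTO radacct (acctsessionid, username, callingstationid, nasipaddress, acctstarttime, acctstoptime)"
        " VALUES (?, ?, ?, ?, ?, ?)", ACCT_ROWS)
    conn.commit()
    return conn


# For each accounting session, the most recent Access-Accept for the same
# station and NAS that happened within a window before the session start.
CORRELATE_SQL = """
SELECT a.acctsessionid, a.username, p.replyusername, p.cui
FROM radacct AS a
LEFT JOIN radpostauth AS p ON p.id = (
    SELECT p2.id FROM radpostauth AS p2
    WHERE p2.callingstationid = a.callingstationid
      AND p2.nasipaddress     = a.nasipaddress
      AND p2.reply            = 'Access-Accept'
      AND p2.authdate        <= a.acctstarttime
      AND p2.authdate        >= datetime(a.acctstarttime, ?)
    ORDER BY p2.authdate DESC
    LIMIT 1)
ORDER BY a.acctstarttime
"""


def correlate(conn, window="-5 minutes"):
    """(acctsessionid, outer username, inner username, cui) per session;
    inner username and cui are None when no matching Access-Accept exists."""
    return [tuple(row) for row in conn.execute(CORRELATE_SQL, (window,))]


def sessions_for_cui(conn, cui):
    """Forensic lookup: accounting session IDs that belong to a given CUI."""
    return [row[0] for row in correlate(conn) if row[3] == cui]


if __name__ == "__main__":
    db = build_sample_db()
    for row in correlate(db):
        print(row)
    print("cui-9c0e ->", sessions_for_cui(db, "cui-9c0e"))
```

The window is the part to tune: too short and a slow NAS that starts accounting late loses its match, too long and a shared device picks up the previous user. Either way the stock radpostauth (username, pass, reply, authdate only) cannot do this join at all, which is the point of the columns asked for above.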
Re: configure output summary
Hi,

>> when running configure, lots of somewhat important messages scroll by, like silently disabling something you need :-)
>
> ./configure --with-whatever-options | grep WARN ;-)

Yes, I can do that. I even dare say that I can spot WARNINGs while the scroll buffer runs by, and thus instantly see what's going wrong (at least on my slow-spec'd VMs). But newcomers aren't that trained yet. You shouldn't have to tell them "every other Linux project does configure, but you have to configure | grep WARN" - it's odd if you're not used to it.

> there are other packages that print out stuff at the end about what features are not enabled etc - but, being on those mailing lists too, no one reads that output even if you put a whacking great big dragon in it ;-)

Exactly these projects were the role model I had in mind. Granted, some people will even overlook the necessary information if it is in <blink>RED</blink>. But a summary at the end at least raises the chances of problems being flagged by the person running configure.

Interesting discussion elsewhere in the thread... a proper solution to the problem would indeed be that the recursiveness of configure goes away. Much better than running a whacky script, of course!

Greetings,

Stefan