Greetings,
While testing a setup that uses inner tunnel proxying I was
noticing that there were spurious failures if the setup was
stress tested.
I managed to eliminate back-end latency as a possible cause
by testing instead to a simple auth against rlm_passwd (with
NTLM crypts.) I also tried
Add any users (like yourself, or the user RADIUS is running as) that need to use
winbind to the winbindd_priv in /etc/group.
-Original Message-
From: freeradius-users-bounces+bjulin=clarku@lists.freeradius.org
[mailto:freeradius-users-bounces+bjulin=clarku@lists.freeradius.org]
The big box of exclamation points talking about certificates in the debug log
happens any time an EAP session does not complete all the way. It is not
always a certificate problem, just if you are only having trouble with certain
types of clients and other types connect fine, then that is a
The attached patch fixes a parameter juxtaposition and a couple of broken RDEBUG
statements in auth.c that were trying to print vp_strvalue of a VALUE_PAIR of type integer.
I haven't looked but there could very well be other instances of this over in
the accounting area, and the Session-Type in
Automate an export of the list of WiFi MAC addresses of your managed computers
from the DC. Then in post-auth, query that list (we use an SQL database) and
use the result to alter the tunnel-group-ID sent back in the outer reply.
Users can spoof their MAC addresses, of course, but as long as
The first order of business would be to run freeradius in debug mode, or launch an
eapol_test client against it, and look to see whether the attribute is being
sent. If you do not know whether the attribute is being sent, you cannot
determine whether it is the AP or the freeradius server that
Add to this, IIRC there are some differences (regressions?) in regexp support
in some ancillary files (e.g. users) and a minor dictionary entry glitch that
need to be worked around to use 3.0 in a 2.x config tree. I managed to future
proof most of my configs already by installing 3.0 in a
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org]
On Behalf Of Brian Julin
Sent: Wednesday, January 04, 2012 10:49 AM
To: FreeRadius users mailing list
McSparin, Joe wrote:
Does anyone know if there is a way in the users file to set
the Tunnel-Private-Group-id = some_default_vlan if the
following sql statement comes back blank.
DEFAULT Auth-Type = ntlm_auth
Tunnel-Type = VLAN,
Alan DeKok [al...@deployingradius.com] wrote:
Brian Julin wrote:
Add to this, IIRC there are some differences (regressions?) in regexp
support in some ancillary files (e.g. users)
I don't recall that... it *should* be compatible.
For example
Alan DeKok wrote:
If you run 3.0 on 2.x dictionaries
Don't. Just... don't.
In that case, it might help to document the dictionary = main configuration
item.
Patch attached.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
diff --git a/raddb/dictionary.in
Blake Hudson [bl...@ispn.net] writes:
What is the preferred method to configure freeradius to authenticate two
sets of users out of two databases? Should I look at running multiple
instances of freeRADIUS or can I utilize both databases with one instance?
This should be doable by defining
Hello again,
We're piloting RadSec as a federation server uplink. They use Radiator. When
we first attempted to connect we'd get a Received packet will be too large!
carp from main/tls.c. They checked on their end and say they have no fragment
size option for RadSec TLS connections, only
, February 23, 2012 4:12 AM
To: FreeRadius users mailing list
Subject: Re: RadSec FR3.0 to Radiator: Received packet will be too large
Brian Julin wrote:
We're piloting RadSec as a federation server uplink. They use Radiator.
When we first attempted to connect we'd get
a Received packet
-Original Message-
From:
freeradius-users-bounces+bjulin=clarku@lists.freeradius.org
[mailto:freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, February 23, 2012 10:31 AM
Subject: Re: RadSec FR3.0 to Radiator:
Too late in the week to dig in like I should, but I was just diagnosing a
problem and preliminary signs point to this:
It appears that a home server entry configured with src_ipaddr will use that
source ip address for auth requests, but when directed to do status_check,
it sends status request
The password and the secret are two different things. When you set up
FreeRadius you had to put a secret = line in the client clause for your NAS.
You have to put that same secret in the NAS (don't ask us where, that depends
on the NAS.) In your case your NAS is your AP or your LWAP/CWAP
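To make the password/secret distinction concrete, here is an added example (not code from the thread or from FreeRADIUS) showing how the RFC 2865 PAP exchange actually uses the two values: the shared secret from the client clause hides the User-Password attribute on the wire (RFC 2865 section 5.2) and signs the Response Authenticator (section 3), while the user's password is only the payload being hidden. The secret, password and Request Authenticator below are constructed values; a real NAS picks the authenticator at random per request.

```python
import hashlib
import struct

# Constructed values for this example only; nothing here is from the thread.
SHARED_SECRET = b"testing123"   # the 'secret =' line in clients.conf, and the same string on the NAS
USER_PASSWORD = b"s3cret-pw"    # what the user types at the client/AP prompt
# The Request Authenticator is 16 random bytes chosen by the NAS; fixed here for reproducibility.
REQUEST_AUTH = bytes(range(16))


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad the password to a 16-byte multiple, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server does it. Trailing NULs are padding;
    a password that itself ends in NUL cannot be represented (RFC limitation)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(secret: bytes, code: int, ident: int, attrs: bytes,
                           request_auth: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The NAS recomputes this to verify the reply really came from a server holding the secret."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_check(secret_on_server: bytes, hidden: bytes, authenticator: bytes,
                 stored_password: bytes) -> bool:
    """What a PAP server does: un-hide with *its* secret and compare to the stored password."""
    return reveal_password(secret_on_server, authenticator, hidden) == stored_password


def demo():
    """Returns (result with matching secret, result with a mismatched secret on the server)."""
    hidden = hide_password(SHARED_SECRET, REQUEST_AUTH, USER_PASSWORD)
    ok = server_check(SHARED_SECRET, hidden, REQUEST_AUTH, USER_PASSWORD)
    mismatch = server_check(b"wrong-secret", hidden, REQUEST_AUTH, USER_PASSWORD)
    return ok, mismatch


if __name__ == "__main__":
    print("matching secret:", demo()[0], "/ mismatched secret:", demo()[1])
```

Note the practical consequence: with a mismatched secret the server decodes garbage rather than detecting "wrong secret", so a plain PAP Access-Request fails exactly like a bad password would; only a Message-Authenticator attribute (or the NAS checking the Response Authenticator on the reply) makes the secret mismatch visible as such.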
Alan DeKok wrote:
Brian Julin wrote:
It appears that a home server entry configured with src_ipaddr will use that
source ip address for auth requests, but when directed to do status_check,
it sends status request packets using some interface address from some
other config item somewhere
It appears there was another layer to my latest issue.
Sometimes a server using RadSec to proxy to a home server ends up
just waiting around unable to see any more incoming requests,
and not having completed the current request.
In this case the server is 3.0, and is sandwiched
between our
Alan DeKok [al...@deployingradius.com] wrote
Sent: Wednesday, March 07, 2012 3:52 AM
To: FreeRadius users mailing list
Subject: Re: proxy server goes deaf after Client has closed connection
(RadSec to home server)
Brian Julin wrote
David Peterson Wrote:
Sent: Tuesday, March 13, 2012 7:12 AM
To: FreeRadius users mailing list
Subject: Centos 6 Compile error
Has anyone seen this error? I am not sure what might be missing:
RHEL variants don't include EC support in OpenSSL due to
some licensing/patent/whatnot issues.
Alan DeKok [al...@deployingradius.com] wrote:
Sent: Friday, March 09, 2012 3:25 AM
Brian Julin wrote:
This keeps the server listening, but there are some lingering issues:
Well, fixes are welcome.
I don't have time to look into this for a few weeks at least.
request_proxy_anew
Alan DeKok Wrote
Brian Julin wrote:
The latter makes me wonder why or if request_proxy_anew works at all.
It was tested at one point. But the code has changed since then.
Given the complexity of RADIUS state management, automating a comprehensive
test suite for it would be a very
-Original Message-
danegirl Wrote:
At the moment all the customers are able to use
all the VPN services (L2TP,
PPTP,) I want to know how can I define user A can only
use PPTP and user B can use L2TP and user C can use all the
services? I wonder how should it define in
Good morning,
A minor item (at least until your disk fills up):
The inline help in sql.conf says the sqltrace option should not
log to the SQL trace file unless the server is in debug mode.
The rlm_sql manpage uses somewhat less specific language.
I don't know what the current intent is, but
Not sure, but you should consider running non-virtual instances
(not that hard to do) and using privilege separation such that
there is little potential for exposure of your internal authentication
structure or internally-utilized crypto material to an externally
presented service.
Also, it is
Jason Rohm wrote:
I'm unclear about the state of
radsec within the freeradius codebase. I've downloaded the
current master source as of a few days ago and successfully
compiled it on CentOS 6.2 64bit. Everything seems to work
save some EAP stuff that I'm not using and was able to
Phil Mayers [p.may...@imperial.ac.uk] wrote
I'm curious about what you mean here. I don't see the difference between
a single server performing attribute filter auth, versus two separate
processes.
Can you explain what threat model you think this addresses?
It limits the exposed fuzzable
Phil Mayers wrote:
I'm not entirely sure I buy that it ensures only the outer server is
affected; once compromised, the outer server can be used to send
arbitrary UDP packets to the inner server since the sockets are already
open. But I guess the same could be said of any perimeter defence
Scott McLane Gardner Wrote:
Here is the configuration I am attempting:
load-balance {
ldap1
if (Ldap-Group == NET Staff) {
I cannot answer your question about if statements, but this
much is clear: the Ldap-Group check attribute will query
the ldap module that was
Scott McLane Gardner wrote:
Sent: Tuesday, March 27, 2012 9:34 AM
To: FreeRadius users mailing list
Subject: Re: load balancing and if statements
This is the answer. Also, this is much easier than what I was
trying to do. Thank you for the pointer, Alan.
-Scott
I'd be surprised if
Scott McLane Gardner
I'd be surprised if using Ldap-Group in the user's file resulted in
load balancing of the group membership queries to the LDAP servers.
Does it?
It does, actually. Or at least it appears to. The first time
it used ldap2 and the second time it used ldap1.
Scott McLane Gardner
(A sensible wishlist item might be to have load-balance
sections in the
instantiate section register the same hooks as their
submodules, then
you'd be able to name the load-balance and use
lbr-modulename-Ldap-Group. But that sounds mildly hairy to
implement.)
Sebastijan Šilec wrote
Sent: Wednesday, March 28, 2012 10:06 AM
DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Auth-Type := PAP
        User-Name = `%{User-Name}`,
        Fall-Through = yes
DEFAULT Realm == mydomain.com, Freeradius-Proxied-To == 127.0.0.1, Autz-Type :=
Tobias Hachmer wrote:
Now I'm coming closer to my questions.
When a local user logon to a telnet device freeradius does all the ldap
membership queries.
When an AD user will logon to a telnet device freeradius also does all
the ldap membership queries.
Q1: Can I abbreviate this process
Alan DeKok wrote:
Scott McLane Gardner wrote:
So, now I'm confused again. If this doesn't load balance, then how should
I really be going about this?
It's hard.
Actually, on some further reading, it might not be: the LDAP library/DNS may
take care of this instead of requiring special
This just replaces some wrong port numbers in comments. This incorrect 689
port has also made it onto the wiki, FWIW.
diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
index c9520f4..218e69d 100644
--- a/raddb/mods-available/ldap
+++ b/raddb/mods-available/ldap
@@ -73,7 +73,7
-Original Message-
Tobias Hachmer
Am 19.04.2012 13:44, schrieb Alan DeKok:
Tobias Hachmer wrote:
During FreeRADIUS performance test as described in
/usr/share/doc/freeradius/performance-testing.gz I noticed that FR
does
for the ldap-group query above (Ldap-Group ==
A cursory look suggests we may use some of the affected codepaths
in CVE-2012-2110
(http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html)
and given that FreeRADIUS often deals with certificates from
sources that are not under direct control of administrators (dot1x clients,
Tobias Hachmer wrote:
Am 19.04.2012 15:46, schrieb Brian Julin:
Create a single RRDNS entry for your LDAP servers and use a single
LDAP definition. The DNS name(s) in the LDAP definition is sent
directly to the underlying LDAP library and should be looked up for
each connection
Wassim Zaarour wrote:
Look at this
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40162.html
The user says that it worked, I tried the attributes he used and still got
the same error.
I don't even know how this was ever working for that user. On my wired switch
Alan Buxley wrote
I can tell you right now that you don't need that hack to assign VLANs on cisco
switches (well, not if you are running reasonably up to date firmware on the
cisco devices anyway - ie something less than 2 years old)
The latest public firmware for the 3550 is 3+ years old,
Is anyone else getting this problem, or have I just managed to confuse git
somehow?
$ git pull origin master
fatal: remote error: access denied or repository not exported:
/freeradius-server.git
$ git remote -v
origin git://git.freeradius.org/freeradius-server.git (fetch)
origin
Three patches versus master attached:
The first puts a saner default config for radsec connections from clients,
because in the dominant use-case for radsec clients (outside federation servers
pointing to your IDP service) these connections are often nailed up by the
client so if they timeout
Roberto Franceschetti wrote:
Mine is just a theory, but I cannot verify it until I figure out how to have
the
un-escaped ocg\cmctrf3 string being sent in the output instead of the
current escaped one.
It probably is not escaped. Some logs and debug outputs escape before
outputting to
Kaya Saman wrote:
I will perform a wireshark and tcpdump packet capture this evening in
order to try to debug more clearly what is going on between the
devices however, in the mean time I was wondering if there was some
sort of interoperability quirks between newer Cisco IOS releases and
Kaya Saman
Sent: Friday, June 01, 2012 10:05 AM
To: FreeRadius users mailing list
Subject: Re: Cisco phones losing connectivity with VMPS and IOS upgrade to
15.0(1)SE2
On Thu, May 31, 2012 at 3:45 PM, Brian Julin bju...@clarku.edu wrote:
Kaya Saman wrote:
I will perform
Attached is an improved version of one of the patches originally posted here.
http://lists.freeradius.org/pipermail/freeradius-users/2012-May/060820.html
It moves decrements of socket/client num_connections counters into event_new_fd
so that it happens on all paths by which a connection may be
I'm currently hunting a problem that causes a recent checkout of FR3.0
to abort but which does not seem to be affecting an older revision (April 8th
or so) of FR3.0 on another box. I do have a couple of small in-house patches
applied but they should probably not be relevant.
The issue seems to
-Original Message-
On 11/09/12 12:16, Phil Mayers wrote:
This approach of a separate available/enabled modules dir is the default
approach in the MASTER branch (to be 3.x)
Would redhat packaging policy allow the package scripts to instead
create e.g. modules.rpmnew/ and stuff its
Scott Armitage wrote:
gmake[4]: /usr/local/src/freeradius-server/libtool: Command not found
gmake[4]: *** [dict.lo] Error 127
gmake[3]: *** [lib] Error 2
gmake[2]: *** [all] Error 2
gmake[1]: *** [src] Error 2
make: *** [all] Error 2
IIRC running libtoolize cleared this up. I'm not sure
I had some more time to play with this; it seems to be related to retiring
old threads, not actual problem on the home server. Some new observations
below.
Alan DeKok wrote on Aug 28, 2012:
Brian Julin wrote:
I'm currently hunting a problem that causes a recent checkout of FR3.0
to abort
Menard, Yannick writes:
Example: I am able to permit only certain user based on their active directory
group to connect to my certain wireless SSID.
Also I use ACS to configure Downloadable IP ACLs for the VPN access
Does freeradius have similar option?
Yes and yes, but it will be more
Brian Candler writes:
Or is there another way I can concatenate strings, which doesn't involve
expanding them into another string?
The workaround I've used for this is to feed the value through a regexp
match to get it into %{1}, which does not seem to be subject to unescaping.
try:
if
Brian Candler wrote
try:
if (%{reply:Reply-Message} =~ /(.*)/) {
update reply {
Reply-Message = stuff %{1}
}
}
Nice idea, but it appears to suffer the same expansion problem.
As you have written it gives this error:
Bare %{...} is invalid in condition
Phil Mayers wrote:
Yes. However, buying separate certs might not be a good idea as it will
complicate the client setup - they'll all have to come from the same CA
and share the same CN (or you'll have to rely on wildcard CN matching on
the clients).
Has that actually been tested to work
Paulo wrote:
Is there any way that freeradius act as WPA-PSK??
What i am trying to deploy is a wi-fi network with only one password
that is changed every week.
Right now I have a open wireless signal distributed over 20 wi-fi
routers. This signal is used by all the clients of the hotel,
James JJ Hooper wrote:
WPA2-Enterprise with PEAP authentication is automatically recognized
by most new clients these days. The clients will prompt for a username
and a password. If you generate an ntcrypt (by shelling out of FR to
a utility to do so) for an inbound username/password
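The "ntcrypt" mentioned above is the NT hash: MD4 over the UTF-16LE encoding of the password, stored unsalted as 32 hex digits, which is what ntlm_auth and a passwd-style file compare against (and what MS-CHAPv2 inside PEAP is built on). The following is an added example, not code from the thread or from FreeRADIUS, that computes and checks such a hash in pure Python (MD4 is implemented inline because hashlib's md4 is frequently absent on OpenSSL 3 builds). The user name, the passwd-style line format and the file contents are constructed for the example.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 per RFC 1320 (little-endian, 3 rounds of 16 steps each)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2_k = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_k = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = A, B, C, D
        for i in range(16):                       # round 1
            a = _rol((a + f(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            a = _rol((a + g(b, c, d) + X[r2_k[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            a = _rol((a + h(b, c, d) + X[r3_k[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash as stored in a passwd-style file: MD4(UTF-16LE(password)), upper-case hex, no salt."""
    return md4(password.encode("utf-16-le")).hex().upper()


def check_password(candidate: str, stored_hex: str) -> bool:
    """Constant-time comparison of the candidate's hash against the stored hash."""
    return hmac.compare_digest(nt_hash(candidate), stored_hex.strip().upper())


# Constructed passwd-style file ("user:NT-hash"); the hash is that of the string "password".
PASSWD_LINES = [
    "alice:8846F7EAEE8FB117AD06BDD830B7586C",
]


def lookup(user: str, lines=PASSWD_LINES):
    for line in lines:
        name, _, stored = line.partition(":")
        if name == user:
            return stored
    return None


def authenticate(user: str, candidate: str, lines=PASSWD_LINES) -> bool:
    stored = lookup(user, lines)
    return stored is not None and check_password(candidate, stored)


if __name__ == "__main__":
    print(nt_hash("password"))                  # the hash stored for alice above
    print(authenticate("alice", "password"), authenticate("alice", "Password"))
```

Two caveats a practitioner will want: the NT hash is unsalted and fast, so a file of them is crackable offline with commodity hardware, and because MS-CHAPv2 uses the hash itself as the key to the challenge/response, possession of the file is as good as the passwords for that method; protect it like a plaintext password store. The weekly-rotating single password the original poster wanted is exactly the case where this matters, since one hash then covers every user.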
Slightly OT, but I'd like to encourage folks here who have a google account to
star up issue #37178 on code.google.com to see if we cannot get Android developers
to make future versions of the OS behave sanely WRT which AAA server certificates they
will accept.
I also left a long screed there
Alan DeKok wrote:
I'd suggest putting up a web page explaining how you can steal android
credentials via a malicious AP. If you can get it to do TTLS + PAP for
a random certificate, that's good for a CERT issue. And they'll pay
attention to that.
The FreeRADIUS-WPE patches have been out
Muhammad Nuzaihan wrote:
What are the roadmap for this? Are there any initial work being done or
proof-of-concept work on this? By looking at implementations of TLS (in
combination of openssl/gnutls) on other protocols might be similar to
this but i may be wrong (i have yet to read on the
Nick Lowe wrote:
So, a compliant NAS that is able to treat the User-Name AVP as being
authoritative would get to see the real, inner identity and in a
normalised form.
As an aside to the mechanics of this, if you do this, test your NAS under
simulated user load. We found that our Cisco WLC
Nick Lowe wrote:
I would have thought that it is perfectly reasonable to return the
identity back in the case you have roaming federations as long as it
was an agreed requirement beforehand.
I am of the opinion that this -should- be mandated as part of Eduroam,
for example.
I'd have to
Roberto Carna wrote:
Sent: Monday, May 20, 2013 3:43 PM
To: FreeRadius users mailing list
Subject: Radius vs Tacacs+
Dear, my chief ask me to choose between Tacacs+ and Radius for switches
and Linux SSH user authentication.
This depends primarily on your cryptographic needs, and
I started working on DDDS support a while back and the code is to the
point where I can swallow my pride enough to let other people see it.
It is far from completely debugged/tested, and it is just the analogue to
rlm_realm for DDDS -- it does nothing but create some attributes and
will be moot
Arran Cudbard-Bell wrote:
Soon. We've gone into official feature freeze. Still finding bugs though,
it'd be helpful if people could test.
Just to make sure it was understood during the foreach fixup patch I sent
on github, I mentioned that indexed attribute accesses were broken.
None of
It seems to be last call for refactoring some of the user-visible
config items that are easier to change when bumping a major
rev number. The syntax for regexp-based realms has always
struck me as a bit hinky:
realm ~regexp\\.edu {
}
Would it require too much tokenization witchdoctoring to
I finally got around to trying some RC code (the release_branch_3.0.0 on
github) on our production configurations, after a bit of massaging got them
looking like they were working, but not so much the one that re-proxies the
inner tunnel contents to an internal server after unwrapping EAP-PEAP:
a.l.m.bu...@lboro.ac.uk [a.l.m.bu...@lboro.ac.uk] wrote:
how did you configure the server...from scratch or copy pasting bits over
from a 2.x ?
It's a mongrel, not an alteration of fresh 3.0. It was working on a pre-talloc
3.0 development branch.
does this 'eap' module use its own
Alan DeKok wrote:
Brian Julin wrote:
I tried to replicate on a test server with lightly modified 3.0 stock
configs. The error only happens when everything is running through the same
server/eap instances, so good instincts there. Replicating it is easy: just
uncomment the peap
Alan DeKok wrote:
Well... I tried it, and I didn't see any errors.
Can you check that you're really running a *stock* binary, and a
*stock* configuration?
Attached is a recipe for how I replicated it (and another doublefree) on a
clean system.
1) started on a fresh system that had
Roberto Carna wrote:
I can authenticate with Windows, Linux and Android devices, but I
can't authenticate with Apple devices (iphone and ipad) at all.
Is it an intrinsic problem of Freeradius ???
No, Apple devices auth off FreeRADIUS just fine.
More likely it is a problem with certs/CAs,
.
Thanks again
2013/8/14 Brian Julin bju...@clarku.edu:
Roberto Carna wrote:
I can authenticate with Windows, Linux and Android devices, but I
can't authenticate with Apple devices (iphone and ipad) at all.
Is it an intrinsic problem of Freeradius ???
No, Apple devices auth off
Arran wrote:
and wow did they get rid of the 802.1X profile configuration GUI interface in
OSX 10.8? That sucks.
If you think that sucks, wait till you see the horrible things you have to do
to generate a .mobileconfig without access to an OSX server license.
--
Brian S. Julin
Dave Aldwinckle
On 2013-08-28 11:13 AM, Brian Julin bju...@clarku.edu wrote:
Arran wrote:
and wow did they get rid of the 802.1X profile configuration GUI
interface in
OSX 10.8? That sucks.
If you think that sucks, wait till you see the horrible things you have
to do
sticky. The first time warez to perform an MITM on WPA2-Enterprise is packaged
in a way that any old script kiddie can use, there will be pain.)
--
Brian Julin
Network Administrator
Clark University
Mathieu wrote:
At least from that side there is hope for improvements with Android 4.3
onwards there
are API calls for enterprise wireless configuration.
Maybe someone steps up by making an application that can manage
profiles or something like this.
That is promising, but I hope this
Congratulations Alan, Arran for pushing this out of the nest,
all the while being so attentive on the mailing list, along with Phil
and the other Alan :-)
You guys are truly obsessed. I get exhausted just reading your commit logs.
:-)
Neal wrote:
When I click on it I get a 404 error..
Upgrading instructions are available here:
https://github.com/FreeRADIUS/freeradius-server/blob/release_branch_3.0.0/raddb/README.rst
That link would have changed when the release was officially renamed
from release_branch_3.0.0 to
Phil wrote:
I could wrap ntlm_auth in a script that times it and logs the info, but
I'm slightly wary of that - it might perturb the timings.
Any obvious/easy thing I'm missing?
You might be able to run FR under gdb (or attach/resume a running FR),
and set breakpoints with commands that