Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 11:45:11PM +0100, Matthew Newton wrote:
> If that's all you're doing, forget about PEAP and just go for straight EAP-TLS. All PEAP really gives you on top is the SoH support, and may cause problems with other non-Windows clients. EAP-TLS should work on more devices.

I'm still hoping I'll be able to use the outer and inner TLS for privacy reasons and because right now the radius configuration is doing what I want and merging default and inner-tunnel servers would make the configuration even uglier than it already is:-)

> Some devices you'll be stuck with PEAP/MSCHAPv2 though (or TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't do EAP-TLS. You do realise that EAP-TLS is certificate based, not user/password? So you need a full certificate management system to go with it as well to issue certs to your users. You can't get user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still certificate (machine auth) only.

Yes, all our users have a certificate issued for our internal wifi so that's not a problem. I'm actually hoping to phase out passwords for network logons.

> My advice would be to stick with PEAP/EAP-MSCHAPv2 and use deployment tools to get the devices configured correctly.

We don't have control over the client devices. We just have to hope that the users know what to do and what their devices are doing. The main problem is that I'm currently not allowed to go on with a migration to 802.1x until the mschap problem is solved.

mk

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 01:28:08PM +0100, Matthew Newton wrote:
> On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
> > I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer TLS tunnel is established:
>
> On the assumption that your certificates are OK... Have you updated the fragment_size so that the outer is larger than the inner? I did a write-up on getting this to work (see http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha IIRC.

And that solved the problem:-) I had the fragment size the same in both configs, now it's working just like the EAP-TTLS/EAP-TLS. Thank you so much.

Martin
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
Matthew Newton m...@leicester.ac.uk wrote:
> On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> > well looking at man wpa_supplicant I can see EAP-PEAP/TLS
>
> I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what it's talking about.

Huh, and I thought MS-PEAP specified only soh and mschap as valid inners. Nice to see ms honouring their own specs ;o) Or maybe they updated it since I last read it.

--
Sent from my phone with, please excuse brevity and typos
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP

alan
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On 22/08/13 10:54, Alan Buxey wrote:
> TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP

PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no bare MSCHAP variant, because there's no spec for how to derive the MSCHAP challenge from the TLS master secret.

The EAP methods are all a pile of crap; it's truly disappointing how many hoops you have to jump through just because Microsoft gifted us a crappy EAP method, and everyone else slavishly implemented it.

Microsoft could solve a lot of problems right now by providing an API to execute EAP-PWD with the NT-hash variant of the secret against an AD controller. Instead, we're all flailing around with the very best of early 90s crypto protecting our wireless :o(
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
Phil Mayers wrote:
> PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no bare MSCHAP variant, because there's no spec for how to derive the MSCHAP challenge from the TLS master secret.

FWIW: PEAP is TLS + inner EAP. That's why there's no PAP / CHAP / MS-CHAP inside the tunnel. It *has* to be EAP.

> Microsoft could solve a lot of problems right now by providing an API to execute EAP-PWD with the NT-hash variant of the secret against an AD controller. Instead, we're all flailing around with the very best of early 90s crypto protecting our wireless :o(

Pretty much.

Alan DeKok.
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Thu, Aug 22, 2013 at 10:30:54AM +0100, Phil Mayers wrote:
> Matthew Newton m...@leicester.ac.uk wrote:
> > On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> > > well looking at man wpa_supplicant I can see EAP-PEAP/TLS
> >
> > I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what it's talking about.
>
> Huh, and I thought MS-PEAP specified only soh and mschap as valid inners. Nice to see ms honouring their own specs ;o) Or maybe they updated it since I last read it.

We've been doing it for ~18 months now. Works fine (when the fragment sizes have been set up correctly) so we get domain managed certs and soh. Just a shame you can't do user auth as well at the same time.

m.

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On 21/08/2013 12:17, Martin Kraus wrote:
> Hi. I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer

Is this really what you mean? TTLS outer and TLS inner, versus PEAP outer and TLS inner? Because the latter is unlikely to work; it's not a supported combo per the PEAP spec.

> TLS tunnel is established:
>
> WARNING: !!
> WARNING: !! EAP session for state 0x992158e5992955e0 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!
>
> and then later on
>
> rlm_eap: No EAP session matching the State variable.
> [inner-eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

Post a full debug, gathered with radiusd -X, of a failing attempt.
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
> I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer TLS tunnel is established:

On the assumption that your certificates are OK... Have you updated the fragment_size so that the outer is larger than the inner?

I did a write-up on getting this to work (see http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha IIRC.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
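A check for the fragment_size advice in this message and for the "same in both configs" case Martin reports in his reply, as an added example (not code from the posters or from FreeRADIUS): it parses FreeRADIUS-style config text and reports whether the outer tls fragment_size is larger than the inner one. The section names `eap` and `eap inner-eap`, the constructed sample snippets and their values, and the 1024 fallback for an unset value are assumptions.

```python
import re

# Assumption: value in effect when fragment_size is absent or commented out.
DEFAULT_FRAGMENT_SIZE = 1024


def fragment_sizes(conf_text):
    """Return {'section/.../tls': fragment_size} for each tls{} block."""
    sizes, stack = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        if line.endswith("{"):                     # e.g. "eap inner-eap {"
            stack.append(" ".join(line[:-1].split()))
        elif line == "}":                          # section closes
            if stack:
                stack.pop()
        else:                                      # one-line "md5 { }" lands here too
            m = re.fullmatch(r"fragment_size\s*=\s*(\d+)", line)
            if m and stack and stack[-1] == "tls":
                sizes["/".join(stack)] = int(m.group(1))
    return sizes


def check_tunnel(outer_conf, inner_conf,
                 outer_section="eap", inner_section="eap inner-eap"):
    """Return (ok, outer, inner); ok is True only when outer > inner."""
    outer = fragment_sizes(outer_conf).get(outer_section + "/tls",
                                           DEFAULT_FRAGMENT_SIZE)
    inner = fragment_sizes(inner_conf).get(inner_section + "/tls",
                                           DEFAULT_FRAGMENT_SIZE)
    return outer > inner, outer, inner


# Constructed sample: outer EAP module carrying PEAP with EAP-TLS inside.
OUTER_EAP = """
eap {
    default_eap_type = peap
    md5 { }
    tls {
        fragment_size = 1024
    }
    peap {
        default_eap_type = tls
        virtual_server = "inner-tunnel"
    }
}
"""

# Constructed sample: the failing state, same size as the outer.
INNER_SAME = """
eap inner-eap {
    default_eap_type = tls
    tls {
        fragment_size = 1024   # same as outer
    }
}
"""

# Constructed sample: inner smaller than outer (1000 is an arbitrary value).
INNER_SMALLER = """
eap inner-eap {
    default_eap_type = tls
    tls {
        fragment_size = 1000
    }
}
"""

# Constructed sample: setting left commented out, so the fallback applies.
INNER_UNSET = """
eap inner-eap {
    default_eap_type = tls
    tls {
        # fragment_size = 1024
    }
}
"""

if __name__ == "__main__":
    for name, inner in [("same", INNER_SAME), ("smaller", INNER_SMALLER),
                        ("unset", INNER_UNSET)]:
        ok, outer, size = check_tunnel(OUTER_EAP, inner)
        verdict = "ok" if ok else "inner must be smaller than outer"
        print(f"{name}: outer={outer} inner={size} -> {verdict}")
```
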
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 01:13:57PM +0100, Phil Mayers wrote:
> On 21/08/2013 12:17, Martin Kraus wrote:
> > Hi. I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
>
> Is this really what you mean? TTLS outer and TLS inner, versus PEAP outer and TLS inner? Because the latter is unlikely to work; it's not a supported combo per the PEAP spec.

well looking at man wpa_supplicant I can see EAP-PEAP/TLS so I assumed that this is an equivalent of EAP-TTLS/TLS.

also from my google searches it might be possible that windows supports PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get it to work because there is no EAP-TTLS/TLS support in windows.

There is a concern in our organization with security of PEAP/MSCHAPV2 over Eduroam because we don't really trust supplicants in windows, macs and various phones to do the right thing (windows phone doesn't check the radius certificate for example).

I'll paste the full debug tomorrow when I'm back at the office.

Martin
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> well looking at man wpa_supplicant I can see EAP-PEAP/TLS

I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what it's talking about.

> also from my google searches it might be possible that windows supports PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get

Yes

> There is a concern in our organization with security of PEAP/MSCHAPV2 over Eduroam because we don't really trust supplicants in windows, macs and various phones to do the right thing (windows phone doesn't check the radius certificate for example).

If that's all you're doing, forget about PEAP and just go for straight EAP-TLS. All PEAP really gives you on top is the SoH support, and may cause problems with other non-Windows clients. EAP-TLS should work on more devices.

Some devices you'll be stuck with PEAP/MSCHAPv2 though (or TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't do EAP-TLS.

You do realise that EAP-TLS is certificate based, not user/password? So you need a full certificate management system to go with it as well to issue certs to your users. You can't get user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still certificate (machine auth) only.

My advice would be to stick with PEAP/EAP-MSCHAPv2 and use deployment tools to get the devices configured correctly.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
RE: Debian build the freeradius package with unixodbc support
-Original Message-
From: freeradius-users-bounces+drivard=datavalet@lists.freeradius.org [mailto:freeradius-users-bounces+drivard=datavalet@lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: November-22-12 4:56 PM
To: FreeRadius users mailing list
Subject: Re: Debian build the freeradius package with unixodbc support

> On Fri, Nov 23, 2012 at 3:33 AM, Dominick Rivard driv...@datavalet.com wrote:
> > I also want to let you know that it has been replaced by libiodbc2-dev but
>
> No, it hasn't.
> http://packages.debian.org/wheezy/unixodbc-dev
> http://packages.ubuntu.com/raring/unixodbc-dev
>
> iodbc is another different package.

They might be two different packages but they conflict in apt:

    Apt-get upgrade message --
    The following packages will be REMOVED:
      unixodbc-dev
    The following NEW packages will be installed:
      libiodbc2-dev

> > then you have to create a symlink: ln -s /usr/lib/libodbc.so.1 /usr/lib/libodbc.so because it isn't created when installing the package.
>
> unixodbc-dev has libodbc.so: http://packages.debian.org/wheezy/amd64/unixodbc-dev/filelist
>
> > Now I have a freeradius and MSSQL backend working and being tested for a future production move.
>
> I'm just wondering, why didn't you just use iodbc? That seems to be the default in debian, and should work for mssql.

Probably the lack of documentation on how to get freeradius to work with iodbc or even unixodbc is part of it and because I found a post that was explaining a lot on how to get freeradius and mssql working together. http://it.reinhardt.edu/dave/radius-mssql-howto.html

But I give it a try this morning installing freeradius-iodbc. I configured my /etc/odbc.ini, /etc/freetds/freetds.conf and /etc/odbcinst.ini. These files configuration can be found here: http://serverfault.com/questions/448365/debian-build-the-freeradius-package-with-unixodbc-support/451350#451350

    rlm_sql (sql): Driver rlm_sql_iodbc (module rlm_sql_iodbc) loaded and linked
    rlm_sql (sql): Attempting to connect to db_user@MSSQLServer:/radius
    rlm_sql (sql): starting 0
    rlm_sql (sql): Attempting to connect rlm_sql_iodbc #0
    sql_create_socket: SQLConnectfailed: [iODBC][Driver Manager]Data source name not found and no default driver specified. Driver could not be loaded
    rlm_sql (sql): Failed to connect DB handle #0

I tried to add these environment variables, since trying to find the fix for that error seems to go through these variables, but still no luck at getting freeradius with mssql using iodbc.

    export ODBCINSTINI='/etc/odbcinst.ini'
    export ODBCINI='/etc/odbc.ini'

Regards.
Dominick

> --
> Fajar
RE: Debian build the freeradius package with unixodbc support
Hi,

I finally got everything compiling and work just fine. You can see the answer I provided to my own question on serverfault. http://serverfault.com/a/451350/99708

Thank you for the unixodbc-dev dependencies I was missing. I also want to let you know that it has been replaced by libiodbc2-dev but then you have to create a symlink:

    ln -s /usr/lib/libodbc.so.1 /usr/lib/libodbc.so

because it isn't created when installing the package.

Now I have a freeradius and MSSQL backend working and being tested for a future production move.

Best.
Dominick

-Original Message-
From: freeradius-users-bounces+drivard=datavalet@lists.freeradius.org [mailto:freeradius-users-bounces+drivard=datavalet@lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: November-13-12 9:58 PM
To: FreeRadius users mailing list
Subject: Re: Debian build the freeradius package with unixodbc support

On Wed, Nov 14, 2012 at 4:22 AM, Dominick Rivard driv...@datavalet.com wrote:
> Here is what I am trying to achieve, we want to install freeradius using a Microsoft SQL backend. I read on the internet that we need to achieve this goal using the unixodbc driver.

That's not the only way. unixodbc and iodbc are (mostly) driver-compatible.

> This is actually working. But I found out downloading the freeradius tarball that it can't use the rlm_sql_unixodbc driver, because in the debian/rules file they compile it using the flag: --without-rlm_sql_unixodbc Do you have any idea of what I am missing to compile it successfully?

Short version? Just run apt-get install freeradius-iodbc, and configure iodbc for mysql.

Long version: there are ways you can change the debian recipe to get it to build odbc module (i.e. one of the requirements is that you need to install unixodbc-dev first), but it's MUCH easier to just use whatever the distro provide and support. Debian and Ubuntu has 2.1.12 with backported security patches, and 2.2.0 is available from my ppa: https://launchpad.net/~freeradius/+archive/stable.

--
Fajar
Re: Debian build the freeradius package with unixodbc support
On Fri, Nov 23, 2012 at 3:33 AM, Dominick Rivard driv...@datavalet.com wrote:
> I also want to let you know that it has been replaced by libiodbc2-dev but

No, it hasn't.
http://packages.debian.org/wheezy/unixodbc-dev
http://packages.ubuntu.com/raring/unixodbc-dev

iodbc is another different package.

> then you have to create a symlink: ln -s /usr/lib/libodbc.so.1 /usr/lib/libodbc.so because it isn't created when installing the package.

unixodbc-dev has libodbc.so: http://packages.debian.org/wheezy/amd64/unixodbc-dev/filelist

> Now I have a freeradius and MSSQL backend working and being tested for a future production move.

I'm just wondering, why didn't you just use iodbc? That seems to be the default in debian, and should work for mssql.

--
Fajar
Re: Debian (Squeeze) FreeRadius package missing config files
On 21 Nov 2012, at 15:18, David Gethings dgethi...@juniper.net wrote:
> Hi All, It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?

You sure it's not just stuck them in /etc/freeradius?

-Arran
Re: Debian (Squeeze) FreeRadius package missing config files
On 21/11/12 15:18, David Gethings wrote:
> Hi All, It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?

https://github.com/philmayers/freeradius-server/tree/release_2_1_10/raddb

...or the release tarballs.

You want to upgrade that version, too - 2.1.10 has a security issue.
Re: Debian (Squeeze) FreeRadius package missing config files
That's where I have been looking. ;) I've been checking the deb lists files to see where all the config files should go and then searching there. While the directories are created the files are not. And I am doing this as root. ;)

It is a weird problem. Just want to know if I can get the default config files from some other location so I can get the radius server going again.

--
Cheers
Dg

On 21/11/2012 15:29, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 21 Nov 2012, at 15:18, David Gethings dgethi...@juniper.net wrote:
> > Hi All, It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?
>
> You sure it's not just stuck them in /etc/freeradius?
>
> -Arran
Re: Debian (Squeeze) FreeRadius package missing config files
On Wed, Nov 21, 2012 at 9:18 AM, David Gethings dgethi...@juniper.net wrote:
> Hi All, It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?

David, Would you run: apt-cache policy freeradius ?

The config files do get placed in /etc/freeradius, so there was an error somewhere along the line during your install.

    % dpkg-deb -c freeradius-common_2.1.10+dfsg-2+squeeze1_all.deb | grep etc
    drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/
    drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/freeradius/
    -rw-r--r-- root/root 27201 2012-09-11 12:07 ./etc/freeradius/radiusd.conf
    -rw-r--r-- root/root 877 2012-09-11 12:07 ./etc/freeradius/dictionary

    % dpkg-deb -c freeradius_2.1.10+dfsg-2+squeeze1_amd64.deb | grep etc
    drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/
    drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/freeradius/
    drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/freeradius/modules/
    -rw-r--r-- root/root 3357 2012-09-11 12:07 ./etc/freeradius/modules/otp
    -rw-r--r-- root/root 1255 2012-09-11 12:07 ./etc/freeradius/modules/attr_filter
    -rw-r--r-- root/root 269 2012-09-11 12:07 ./etc/freeradius/modules/dynamic_clients
    -rw-r--r-- root/root 509 2012-09-11 12:07 ./etc/freeradius/modules/cui
    -rw-r--r-- root/root 1232 2012-09-11 12:07 ./etc/freeradius/modules/smsotp
    -rw-r--r-- root/root 558 2012-09-11 12:07 ./etc/freeradius/modules/expr
    -rw-r--r-- root/root 5267 2012-09-11 12:07 ./etc/freeradius/modules/ldap
    -rw-r--r-- root/root 347 2012-09-11 12:07 ./etc/freeradius/modules/mac2vlan
    -rw-r--r-- root/root 571 2012-09-11 12:07 ./etc/freeradius/modules/pap
    -rw-r--r-- root/root 1968 2012-09-11 12:07 ./etc/freeradius/modules/passwd
    -rw-r--r-- root/root 1587 2012-09-11 12:07 ./etc/freeradius/modules/perl
    -rw-r--r-- root/root 3289 2012-09-11 12:07 ./etc/freeradius/modules/echo
    -rw-r--r-- root/root 601 2012-09-11 12:07 ./etc/freeradius/modules/sqlcounter_expire_on_login
    -rw-r--r-- root/root 139 2012-09-11 12:07 ./etc/freeradius/modules/chap
    -rw-r--r-- root/root 2104 2012-09-11 12:07 ./etc/freeradius/modules/mschap
    -rw-r--r-- root/root 379 2012-09-11 12:07 ./etc/freeradius/modules/ntlm_auth
    -rw-r--r-- root/root 1661 2012-09-11 12:07 ./etc/freeradius/modules/preprocess
    -rw-r--r-- root/root 680 2012-09-11 12:07 ./etc/freeradius/modules/mac2ip
    -rw-r--r-- root/root 2162 2012-09-11 12:07 ./etc/freeradius/modules/sql_log
    -rw-r--r-- root/root 4465 2012-09-11 12:07 ./etc/freeradius/modules/inner-eap
    -rw-r--r-- root/root 1510 2012-09-11 12:07 ./etc/freeradius/modules/radutmp
    -rw-r--r-- root/root 559 2012-09-11 12:07 ./etc/freeradius/modules/policy
    -rw-r--r-- root/root 642 2012-09-11 12:07 ./etc/freeradius/modules/pam
    -rw-r--r-- root/root 2903 2012-09-11 12:07 ./etc/freeradius/modules/counter
    -rw-r--r-- root/root 2502 2012-09-11 12:07 ./etc/freeradius/modules/linelog
    -rw-r--r-- root/root 543 2012-09-11 12:07 ./etc/freeradius/modules/unix
    -rw-r--r-- root/root 847 2012-09-11 12:07 ./etc/freeradius/modules/realm
    -rw-r--r-- root/root 1088 2012-09-11 12:07 ./etc/freeradius/modules/logintime
    -rw-r--r-- root/root 1336 2012-09-11 12:07 ./etc/freeradius/modules/attr_rewrite
    -rw-r--r-- root/root 2134 2012-09-11 12:07 ./etc/freeradius/modules/detail
    -rw-r--r-- root/root 273 2012-09-11 12:07 ./etc/freeradius/modules/digest
    -rw-r--r-- root/root 1724 2012-09-11 12:07 ./etc/freeradius/modules/detail.log
    -rw-r--r-- root/root 442 2012-09-11 12:07 ./etc/freeradius/modules/sradutmp
    -rw-r--r-- root/root 1522 2012-09-11 12:07 ./etc/freeradius/modules/files
    -rw-r--r-- root/root 816 2012-09-11 12:07 ./etc/freeradius/modules/etc_group
    -rw-r--r-- root/root 924 2012-09-11 12:07 ./etc/freeradius/modules/detail.example.com
    -rw-r--r-- root/root 354 2012-09-11 12:07 ./etc/freeradius/modules/smbpasswd
    -rw-r--r-- root/root 548 2012-09-11 12:07 ./etc/freeradius/modules/expiration
    -rw-r--r-- root/root 1376 2012-09-11 12:07 ./etc/freeradius/modules/checkval
    -rw-r--r-- root/root 3526 2012-09-11 12:07 ./etc/freeradius/modules/wimax
    -rw-r--r-- root/root 2200 2012-09-11 12:07 ./etc/freeradius/modules/ippool
    -rw-r--r-- root/root 420 2012-09-11 12:07 ./etc/freeradius/modules/always
    -rw-r--r-- root/root 766 2012-09-11 12:07 ./etc/freeradius/modules/exec
    -rw-r--r-- root/root 153 2012-09-11 12:07 ./etc/freeradius/modules/krb5
    -rw-r--r-- root/root 287 2012-09-11 12:07 ./etc/freeradius/modules/opendirectory
    -rw-r--r-- root/root 457 2012-09-11 12:07 ./etc/freeradius/modules/acct_unique
    -rw-r--r-- root/root 1604 2012-09-11 12:07 ./etc/freeradius/huntgroups
    -rw-r--r-- root/root 3042 2012-09-11
Re: Debian (Squeeze) FreeRadius package missing config files
Thanks Matt, Phil,

I've been able to load the default config files. Now I just need to configure the capabilities I need. :)

--
Cheers
Dg

On 21/11/2012 15:57, Matt Zagrabelny mzagr...@d.umn.edu wrote:
> On Wed, Nov 21, 2012 at 9:18 AM, David Gethings dgethi...@juniper.net wrote:
> > Hi All, It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?
>
> David, Would you run: apt-cache policy freeradius ?
>
> The config files do get placed in /etc/freeradius, so there was an error somewhere along the line during your install.
Re: Debian build the freeradius package with unixodbc support
On Wed, Nov 14, 2012 at 4:22 AM, Dominick Rivard driv...@datavalet.com wrote:
> Here is what I am trying to achieve, we want to install freeradius using a Microsoft SQL backend. I read on the internet that we need to achieve this goal using the unixodbc driver.

That's not the only way. unixodbc and iodbc are (mostly) driver-compatible.

> This is actually working. But I found out downloading the freeradius tarball that it can't use the rlm_sql_unixodbc driver, because in the debian/rules file they compile it using the flag: --without-rlm_sql_unixodbc Do you have any idea of what I am missing to compile it successfully?

Short version? Just run apt-get install freeradius-iodbc, and configure iodbc for mysql.

Long version: there are ways you can change the debian recipe to get it to build odbc module (i.e. one of the requirements is that you need to install unixodbc-dev first), but it's MUCH easier to just use whatever the distro provide and support. Debian and Ubuntu has 2.1.12 with backported security patches, and 2.2.0 is available from my ppa: https://launchpad.net/~freeradius/+archive/stable.

--
Fajar
Re: Debian 6.0.6 amd64 freeradius + xl2tpd + strongswan ipsec
Dmitry Korzhevin wrote:
> Can you please advice good howto/guide to configure l2tp with radius server?

Read the documentation for the l2tp server to see which attributes it needs. Then, configure that.

Alan DeKok.
Re: Debian packaging
Dear all,

I have an issue with the new (development/git) version of the TLV parsing (nested TLVs for WiMAX): is there a clean way to end a container TLV?

Here is my issue: I have to insert several WiMAX-Packet-Flow-Descriptor TLVs (each containing a WiMAX-Packet-Flow-Id and a WiMAX-Service-Profile-Id). However, I cannot simply write the following (e.g. in update reply):

    WiMAX-Packet-Flow-Id = 0
    WiMAX-Service-Profile-Id = 1
    WiMAX-Packet-Flow-Id = 1
    WiMAX-Service-Profile-Id = 2
    WiMAX-Packet-Flow-Id = 2
    WiMAX-Service-Profile-Id = 3
    WiMAX-Packet-Flow-Id = 3
    WiMAX-Service-Profile-Id = 4

If I do this, all I get is a single WiMAX-Packet-Flow-Id containing 8 sub-TLVs, while I want 4 WiMAX-Packet-Flow-Id (each containing 2 TLVs). The quick hack I found is to write

    WiMAX-Packet-Flow-Id = 0
    WiMAX-Service-Profile-Id = 1
    WiMAX-IP-Technology = 0x06
    WiMAX-Packet-Flow-Id = 1
    WiMAX-Service-Profile-Id = 2
    WiMAX-IP-Technology = 0x06
    WiMAX-Packet-Flow-Id = 2
    WiMAX-Service-Profile-Id = 3
    WiMAX-IP-Technology = 0x06
    WiMAX-Packet-Flow-Id = 3
    WiMAX-Service-Profile-Id = 4
    WiMAX-IP-Technology = 0x06

Here, the WiMAX-IP-Technology = 0x06 (but it could be anything else) acts as a separator, forcing FreeRadius to write a new WiMAX-Packet-Flow-Id container. But this is not clean IMO. Is there a better way to do this?

Best regards,

--
Adrien Demarez

On 3 March 2011 at 08:23, Alan DeKok wrote:
> Adrien Demarez wrote:
> > The debian/ folder is still based on the 2.1.8 version, and dpkg-buildpackage does not compile/run for a number of reasons:
> > - some patches do not apply anymore. e.g. I had to regenerate radiusd-to-freeradius.diff. I also had to deactivate (no time to fix it now) the dialupadmin-help.diff.
> > - eap.conf, sql.conf and sqlippool.conf have moved to raddb/modules/, thus I have to delete the original references to those files in install and postinst conf files
> > - this has another side effect: in the previous configuration, sql.conf was commented by default. Now, it is executed by default since it is in the modules/ folder, which means that default freeradius installation is broken/not working if I don't install freeradius-mysql in the same time (because there is a $INCLUDE directive in modules/sql referencing sql/${database}, which is only installed if I install freeradius-mysql). Same for sqlippool, which has a default reference to sql/postgresql (by the way, it would be desirable to have something homogeneous between default sql and sqlippool files: either both on them with postgresql, or both of them with mysql, but not the current mixed scheme!). For the moment, I just propose to comment the $INCLUDE directives in modules/sql*, but maybe there is a cleaner way to do it? Is there a way to specify something like $INCLUDE everything except sql* in radiusd.conf?
> > - since raddb/eap.conf does not exist anymore, the freeradius.postinst must be changed regarding the generation of the certs/ folder. If the certs/ folder remains empty, freeradius installation is broken since modules/eap references nonexisting files!
> > - the code behind --with-edir does not compile, thus I had to disable the --with-edir flag in rules
> >
> > I send you the diff file on the debian/ folder I use. I am compiling on a fresh Debian Squeeze (i386).
>
> Applied, thanks. I left the --with-edir option in, as the edir code got fixed recently.
>
> Alan DeKok.
Re: Debian packaging
Adrien Demarez wrote:

Please start a new thread for new topics, rather than using an old thread. And don't CC me on messages to the list. In case you hadn't noticed, I *do* read the list. Receiving multiple messages is annoying.

> Here, the WiMAX-IP-Technology = 0x06 (but it could be anything else) acts as a separator, forcing FreeRadius to write a new WiMAX-Packet-Flow-Id container. But this is not clean IMO. Is there a better way to do this?

Not right now.

Alan DeKok.
Re: Debian, EAP, and the OpenSSL and GPL incompatibility
Just noticed:

commit 48674ba26a39620448723f5852aa30a899d515ac
Author: Alan T. DeKok al...@freeradius.org
Date: Mon Dec 21 12:07:08 2009 +0100

    Add OpenSSL license exception

commit 5ed6809aad46a999db022d9a0be417178b93dff6
Author: Alan T. DeKok al...@freeradius.org
Date: Mon Dec 21 10:49:50 2009 +0100

    Synced with upstream debian

Thanks!

Bjørn
Re: Debian, EAP, and the OpenSSL and GPL incompatibility
Bjørn Mork wrote:
> Just noticed:
> ...
>     Add OpenSSL license exception
>
> commit 5ed6809aad46a999db022d9a0be417178b93dff6
> Author: Alan T. DeKok al...@freeradius.org
> Date: Mon Dec 21 10:49:50 2009 +0100
>
>     Synced with upstream debian
>
> Thanks!

More to come. :)

Alan DeKok.
Re: Debian, EAP, and the OpenSSL and GPL incompatibility
Bjørn Mork wrote:
> Alan DeKok posted this very promising report of the re-licensing work he had been doing in January: http://lists.cistron.nl/pipermail/freeradius-devel/2009-January/012726.html

I've contacted a number of people. No one has objected.

> If I understand Alan's post correctly, the license issue was unintentional in the first place. If that is correct, then it is too bad that it keeps a number of users from using the code (yes, there is nothing preventing them from building FreeRADIUS themselves, but most users won't do that)

An alternative would be to distribute freeradius + openssl binaries from freeradius.org. Or, to re-arrange the code so that any OpenSSL dependence is re-arranged to avoid the license issue.

Alan DeKok
Re: Debian lenny with freeradius 2.1.4/2.1.5 sql module fail.
Similar problem here...

$INCLUDE sql.conf was commented in modules section. Removing # was the solution. By default, this was OK in older versions.

On Mon, Apr 13, 2009 at 7:42 AM, piston pisto...@yahoo.com wrote:
> IBM x3550 server install Debian lenny. Download freeradius from ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.4.tar.gz, compile and install.
>
> Question:
> 1. freeradius -v showing freeradius 2.1.5, was this correct?
> 2. trying to use mysql as database, uncomment sql in site-available/default, running debug mode got such error
>    /etc/freeradius/sites-enabled/default[152]: Failed to find module sql.
>    /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
> 3. On the same server download, compile install freeradius 2.1.3 with mysql, no problem.
>
> What could be the problem on the version 2.1.4/2.1.5?
>
> Thank you
Re: Debian lenny with freeradius 2.1.4/2.1.5 sql module fail.
Thanks. Got it resolved. By the way, is this version of freeradius 2.1.4 or 2.1.5? A bit confused here.

From: Marinko Tarlac mangi...@gmail.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, April 13, 2009 3:20:08 PM
Subject: Re: Debian lenny with freeradius 2.1.4/2.1.5 sql module fail.

> Similar problem here...
>
> $INCLUDE sql.conf was commented in modules section. Removing # was the solution. By default, this was OK in older versions.
>
> On Mon, Apr 13, 2009 at 7:42 AM, piston pisto...@yahoo.com wrote:
>> IBM x3550 server install Debian lenny. Download freeradius from ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.4.tar.gz, compile and install.
>>
>> Question:
>> 1. freeradius -v showing freeradius 2.1.5, was this correct?
>> 2. trying to use mysql as database, uncomment sql in site-available/default, running debug mode got such error
>>    /etc/freeradius/sites-enabled/default[152]: Failed to find module sql.
>>    /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
>> 3. On the same server download, compile install freeradius 2.1.3 with mysql, no problem.
>>
>> What could be the problem on the version 2.1.4/2.1.5?
>>
>> Thank you
Re: Debian Packages
rgreiner wrote:
> I've just downloaded the new 2.0.3, and when I tried to generate the debian packages, I got the following error:
>
> Lab:~/freeradius-server-2.0.3# dpkg-buildpackage -b -uc
> parsechangelog/debian: error: found start of entry where expected more change data or trailer, at file debian/changelog line 18
> dpkg-buildpackage: unable to determine source package is

This was pointed out on the list when 2.0.3 was released. The fix is a one-line change to debian/changelog, which is already in CVS.

Alan DeKok.
Re: Debian Packages
Oh, ok. Tks.

Roberto

Alan DeKok wrote:
> rgreiner wrote:
>> I've just downloaded the new 2.0.3, and when I tried to generate the debian packages, I got the following error:
>>
>> Lab:~/freeradius-server-2.0.3# dpkg-buildpackage -b -uc
>> parsechangelog/debian: error: found start of entry where expected more change data or trailer, at file debian/changelog line 18
>> dpkg-buildpackage: unable to determine source package is
>
> This was pointed out on the list when 2.0.3 was released. The fix is a one-line change to debian/changelog, which is already in CVS.
>
> Alan DeKok.

--
Marcos Roberto Greiner

Optimists think that we live in the best of all worlds.
Pessimists fear that this is true.
Murphy
Re: Debian
Quoting Tas Dionisakos [EMAIL PROTECTED]:
> Hello All,
> I just compiled radius and tried to create the deb packages using the method mentioned on the freeradius wiki. When the process finishes the deb packages are version 1.1.3, is there a way of correcting this as apt gets confused?

just edit debian/changelog, put a new version description at the beginning of the file, such as (from freeradius ... to the line containing the email address and date):

start of debian/changelog

freeradius (1.1.5-0) unstable; urgency=low

  * Added more dictionaries
  * Dictionary files now MUST NOT be globally writable.
  * Configuration files now MUST NOT be globally readable, or globally writable.
  * Be more aggressive about freeing memory on clean exit. This helps track down run-time leaks.
  * Updated rlm_python to something usable
  * Added experimental sql HPW IPPools.

 -- Nicolas Baradakis [EMAIL PROTECTED]  Mon, 09 Mar 2007 20:06:04 +0100

end of example

this is only an example, the actual text is not so important, just the version number in brackets, and of course add _your_ email address!

regards
markus

--
Markus Krause, Mogli-Soft
Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
E-Mail: [EMAIL PROTECTED] | Tel.: 089 - 89 40 85 99
[EMAIL PROTECTED] | Fax.: 089 - 89 40 85 98
Skype: markus.krause | iChat: [EMAIL PROTECTED]
Re: Debian TLS support
Scott Hughes wrote:
> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
> radiusd.conf[9]: eap: Module instantiation failed

Get a source tarball from www.freeradius.org and manually build a Debian package as explained in the FAQ.

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ

--
Nicolas Baradakis
Re: Debian TLS support
On Thu, Jun 22, 2006 at 03:36:52PM -0500, Scott Hughes wrote:
> Is there a HOWTO for example on how a person can do what I am trying to do?

Have you tried downloading the source and running dpkg-buildpackage?

--
Ben Thompson
Re: Debian TLS support
Hi,

> When I install Freeradius (after installing OpenSSL) I get this message when starting Freeradius:

you need to make sure you have openssl-devel package also installed. JUST having openssl is not enough (that only supplies the user tools and libraries)

alan
Re: Debian + Exec-Program = Zombie process
George Chelidze wrote:
> versions. Can I make some tests to narrow down the problem, or some other actions.
>
> Best Regards,
> George

I suppose you could add some debug code to where you believe the calls to waitpid should be/are.

The way I read it, without threads it should be in src/main/radiusd.c:631 in cvs 20060124

Joe
Re: Debian + Exec-Program = Zombie process
Alan DeKok wrote:
> George Chelidze [EMAIL PROTECTED] wrote:
>> Zombies add up even when I recompile without --without-threads option.
>
> That sounds like a serious problem. Looking at the source, I don't see why, though.
>
>> If I understood things correctly, if I compile radius without threads support reap_children() won't be called and zombies will add up?
>
> No. See radiusd.c, look for waitpid(). That code reaps the zombies when there are no threads.

I have checked the source, waitpid() is really there but I don't understand why zombies add up when 1.0.1 is compiled without threads. I found a solution (compiled 1.0.1 with --with-threads option) and it works for me, but I'd like to help freeradius team (if I can) to find the reason why it's broken (at least in my environment) in newer versions. Can I make some tests to narrow down the problem, or some other actions.

Best Regards,
George
Re: Debian + Exec-Program = Zombie process
George Chelidze [EMAIL PROTECTED] writes:
> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>
>  3890 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
>  3893 ?        Z      0:00  \_ [test.pl] <defunct>
>
> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?

Is it replaced by a new zombie the next time you send an accounting packet, or do the zombies add up?

The way I read rad_fork(), it will call reap_children() every time it is called. But there's not necessarily anything calling reap_children() in between. This means that zombies will only live forever on servers without traffic.

You should probably read the comment in front of reap_children() in src/main/threads.c. I believe it explains why this design was chosen.

Bjørn
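The reap-on-next-fork behaviour described in the message above, as a stand-alone C model added here; it is not FreeRADIUS source. `reap_children` borrows the name used in the thread, but its body, `fork_helper`, `wait_until_zombie` and `demo` are hypothetical and written for this example.

```c
/* Added illustration: a model of "reap finished children on the next fork".
 * Not FreeRADIUS source; fork_helper(), wait_until_zombie() and demo() are
 * hypothetical helpers written for this example. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* waitid() and WNOWAIT */
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Non-blocking sweep: collect every child that has already exited.
 * Returns how many zombies were reaped. */
int reap_children(void)
{
    int reaped = 0;
    int status;

    for (;;) {
        pid_t pid = waitpid(-1, &status, WNOHANG);
        if (pid > 0) {
            reaped++;
            continue;
        }
        if (pid < 0 && errno == EINTR)
            continue;
        break; /* 0: children still running; -1 with ECHILD: none left */
    }
    return reaped;
}

/* Sweep first, then fork a child that exits at once (it stands in for the
 * external program). *swept receives the number of zombies the sweep
 * collected. Returns the child's pid, or -1 if fork() failed. */
pid_t fork_helper(int exit_code, int *swept)
{
    pid_t pid;

    /* With SIGCHLD ignored the kernel discards exit statuses itself;
     * this model wants the default behaviour, where the parent must wait. */
    signal(SIGCHLD, SIG_DFL);

    if (swept)
        *swept = reap_children();
    else
        (void)reap_children();

    pid = fork();
    if (pid == 0)
        _exit(exit_code);
    return pid;
}

/* Block until pid has exited, but leave it unreaped: WNOWAIT keeps the
 * child in the zombie ("Z", defunct) state that ps shows. Returns 0 on
 * success, -1 on error. */
int wait_until_zombie(pid_t pid)
{
    siginfo_t info;
    int rc;

    do {
        rc = waitid(P_PID, (id_t)pid, &info, WEXITED | WNOWAIT);
    } while (rc < 0 && errno == EINTR);
    return rc;
}

/* Two "requests" followed by an idle period. Returns the number of zombies
 * still waiting when the idle sweep finally runs, or -1 on error. */
int demo(void)
{
    int swept = 0;
    pid_t a, b;

    a = fork_helper(0, &swept);          /* first request: nothing to reap  */
    if (a < 0 || wait_until_zombie(a) != 0)
        return -1;

    b = fork_helper(0, &swept);          /* second request reaps the first  */
    if (b < 0 || swept != 1 || wait_until_zombie(b) != 0)
        return -1;

    /* No further traffic: b stays defunct until somebody sweeps again. */
    return reap_children();
}

int main(void)
{
    int left = demo();
    printf("zombies left for the idle sweep: %d\n", left);
    return left == 1 ? 0 : 1;
}
```

In this model the last child stays defunct for as long as no new fork or explicit sweep happens, which matches the single lingering `[test.pl]` entry in the first `ps` listing; zombies that keep adding up under traffic mean the sweep is not being reached at all.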
Re: Debian + Exec-Program = Zombie process
Bjørn Mork wrote:
> George Chelidze [EMAIL PROTECTED] writes:
>> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>>
>>  3890 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
>>  3893 ?        Z      0:00  \_ [test.pl] <defunct>
>>
>> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?
>
> Is it replaced by a new zombie the next time you send an accounting packet, or do the zombies add up?

Zombies add up even when I recompile without --without-threads option.

> The way I read rad_fork(), it will call reap_children() every time it is called. But there's not necessarily anything calling reap_children() in between. This means that zombies will only live forever on servers without traffic.
>
> You should probably read the comment in front of reap_children() in src/main/threads.c. I believe it explains why this design was chosen.

If I understood things correctly, if I compile radius without threads support reap_children() won't be called and zombies will add up? I am not against compiling it with threads support, but unfortunately I get something like this:

18439 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
18440 ?        S      0:00  \_ /usr/local/freeradius/sbin/radiusd
18441 ?        S      0:00      \_ /usr/local/freeradius/sbin/radiusd
18460 ?        Z      0:00      |   \_ [test.pl] <defunct>
18492 ?        Z      0:00      |   \_ [test.pl] <defunct>
18442 ?        S      0:00      \_ /usr/local/freeradius/sbin/radiusd
18480 ?        Z      0:00      |   \_ [test.pl] <defunct>
18443 ?        S      0:00      \_ /usr/local/freeradius/sbin/radiusd
18483 ?        Z      0:00      |   \_ [test.pl] <defunct>
18444 ?        S      0:00      \_ /usr/local/freeradius/sbin/radiusd
18486 ?        Z      0:00      |   \_ [test.pl] <defunct>
18445 ?        S      0:00      \_ /usr/local/freeradius/sbin/radiusd
18489 ?        Z      0:00          \_ [test.pl] <defunct>

> Bjørn

Thanks a lot for your reply
Re: Debian + Exec-Program = Zombie process
> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>
>  3890 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
>  3893 ?        Z      0:00  \_ [test.pl] <defunct>
>
> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?

Did you try version 1.0.1 indeed? I had this problem several months ago with versions 1.0.4 and 1.0.5, but in case of 1.0.1 it works. As I know version 1.0.1 hasn't this problem. My server configuration is similar to yours: Debian 3.1 (Sarge)
Re: Debian + Exec-Program = Zombie process
Rashad Rustamoff wrote:
>> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>>
>>  3890 ?        Ss     0:00 /usr/local/freeradius/sbin/radiusd
>>  3893 ?        Z      0:00  \_ [test.pl] <defunct>
>>
>> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?
>
> Did you try version 1.0.1 indeed? I had this problem several months ago with versions 1.0.4 and 1.0.5, but in case of 1.0.1 it works. As I know version 1.0.1 hasn't this problem. My server configuration is similar to yours: Debian 3.1 (Sarge)

Rashad,

Seems 1.0.1 really works when compiled with --with-threads=yes (default). However it doesn't with --with-threads=no flag. 1.0.5 doesn't in both cases, neither does 1.1.0. At least I found a working version - 1.0.1 which is not broken. Thanks.

Best Regards to all who helped to eliminate this problem and whole freeradius team.

George
Re: Debian + Exec-Program = Zombie process
George Chelidze [EMAIL PROTECTED] wrote:
> Zombies add up even when I recompile without --without-threads option.

That sounds like a serious problem. Looking at the source, I don't see why, though.

> If I understood things correctly, if I compile radius without threads support reap_children() won't be called and zombies will add up?

No. See radiusd.c, look for waitpid(). That code reaps the zombies when there are no threads.

Alan DeKok.
Re: Debian 802.1x LDAP
Cian Phillips wrote:
> If you have any tips or good links for up to date information on how to set freeradius up to talk to a Cisco WAP I could use the help. <grin>

I have a howto on LDAP and FreeRADIUS at

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

I have successfully used it for WPA with Linksys and Foundry Networks APs. Should work with Cisco.

Vladimir
Re: Debian 802.1x LDAP
FreeRadius users mailing list freeradius-users@lists.freeradius.org on August 16, 2005 at 18:18 -0800 wrote:
> Thanks Kris! Everything appeared to compile, install and run without any errors. If you have any tips or good links for up to date information on how to set freeradius up to talk to a Cisco WAP I could use the help. <grin>

No problem. Sorry, I don't have any Cisco experience -- it's a bit beyond our budget at this point. Now, the D-Link and Linksys $50-special AP's, that's a different story! :-)

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: Debian 802.1x LDAP
Quoting Cian Phillips [EMAIL PROTECTED]:
> Greetings. I'm trying to get a Debian (stable) box set up to authenticate users for our Cisco Wireless Control Software via LDAP. I have tried the Debian package and can get LDAP running easily. When I try to get the eap/tls stuff working it gives me an error about missing libraries.
>
> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
>
> I have googled this and found some messages that suggest compiling from source and using the --shared-disabled flag at compile time but I've tried building from source and can't even get LDAP working.. each time I un-comment the ldap line from the radiusd.conf file and try to start using radiusd -x I get a segfault.

for version v1.0.2: just add --with-rlm_eap_tls in debian/rules

hth
markus

> Ideally I would like to stick with Debian as that is what my other production servers are but would be willing to use something else if it makes easier work of this process. If anyone has gotten Debian + 802.1x + LDAP working or even just 802.1x + LDAP I could really use some pointers if even just to tell me it is or isn't possible. Thanks in advance.
>
> Cian Phillips
>
> Cian Phillips
> Director Network Systems
> California College of the Arts
> Phone: (510) 594-3745 Cell: (510) 719-0091 Fax: (510) 594-3758
> email: [EMAIL PROTECTED]

--
Markus Krause                   email: [EMAIL PROTECTED]
Computing Center                Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics   Fax.: 089 - 89 40 85 98
Re: Debian 802.1x LDAP
FreeRadius users mailing list freeradius-users@lists.freeradius.org on August 15, 2005 at 23:40 -0800 wrote:
> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
>
> I have googled this and found some messages that suggest compiling from source and using the --shared-disabled flag at compile time but I've tried building from source and can't even get LDAP working.. each time I un-comment the ldap line from the radiusd.conf file and try to start using radiusd -x I get a segfault.

Hi Cian,

Make sure you have done this:

apt-get install libssl-dev
apt-get install libldap2
apt-get install libldap2-dev
apt-get install libmysqlclient14
apt-get install libmysqlclient14-dev
apt-get install slapd
apt-get install ldap-utils
apt-get install db4.2-util

after those packages are all installed, try compiling again. If that doesn't work, let me know and I can help you further -- this is where I solved my problem. :-)

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: Debian 802.1x LDAP
On Aug 16, 2005, at 12:51 PM, Kris Benson wrote:
> FreeRadius users mailing list freeradius- [EMAIL PROTECTED] on August 15, 2005 at 23:40 -0800 wrote:
>> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
>>
>> I have googled this and found some messages that suggest compiling from source and using the --shared-disabled flag at compile time but I've tried building from source and can't even get LDAP working.. each time I un-comment the ldap line from the radiusd.conf file and try to start using radiusd -x I get a segfault.
>
> Hi Cian,
>
> Make sure you have done this:
>
> apt-get install libssl-dev
> apt-get install libldap2
> apt-get install libldap2-dev
> apt-get install libmysqlclient14
> apt-get install libmysqlclient14-dev
> apt-get install slapd
> apt-get install ldap-utils
> apt-get install db4.2-util
>
> after those packages are all installed, try compiling again. If that doesn't work, let me know and I can help you further -- this is where I solved my problem. :-)

Thanks Kris! Everything appeared to compile, install and run without any errors. If you have any tips or good links for up to date information on how to set freeradius up to talk to a Cisco WAP I could use the help. <grin>

Thanks again.
Cian
Re: Debian and 'module eap returns noop for request'
Kris Benson [EMAIL PROTECTED] wrote:
>>> I have self-compiled the EAP module on Debian due to the binary distribution restrictions, and the error I'm getting is: module eap returns noop for request [number]
>>
>> And what does the *rest* of the debug output say?
>
> Hi Alan,
>
> I was thinking I'd save you the trouble of wading through all that... but since you asked. :-) here's the debug output:
>
> [deletia]

Just did some further testing. MacOS 10.4.2 won't connect either, giving the same debug information as the Windows client already mentioned. So it's not the hotfix issue!

BTW: Microsoft has e-mailed me the hotfix -- if anybody needs it, please let me know!

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: Debian and 'module eap returns noop for request'
Kris Benson [EMAIL PROTECTED] wrote:
> I was thinking I'd save you the trouble of wading through all that... but since you asked. :-)

Ok...

> modcall: entering group authorize for request 2
> modcall[authorize]: module preprocess returns ok for request 2
> modcall[authorize]: module eap returns noop for request 2

If it returns noop, then it SHOULD print out a message explaining why. At least, 1.0.4 does this. If you're running an older version of the server, I don't know.

Alan DeKok.
Re: Debian and 'module eap returns noop for request'
Kris Benson [EMAIL PROTECTED] wrote:
> I have self-compiled the EAP module on Debian due to the binary distribution restrictions, and the error I'm getting is: module eap returns noop for request [number]

And what does the *rest* of the debug output say?

Alan DeKok.
Re: Debian and 'module eap returns noop for request'
Kris Benson [EMAIL PROTECTED] wrote:
>> I have self-compiled the EAP module on Debian due to the binary distribution restrictions, and the error I'm getting is: module eap returns noop for request [number]
>
> And what does the *rest* of the debug output say?

Hi Alan,

I was thinking I'd save you the trouble of wading through all that... but since you asked. :-) here's the debug output:

### Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/eap.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/freeradius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/freeradius/freeradius.pid
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = before
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = leap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/freeradius/certs/cert-srv.pem
tls: certificate_file = /etc/freeradius/certs/cert-srv.pem
tls: CA_file = /etc/freeradius/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /etc/freeradius/certs/dh
tls: random_file = /etc/freeradius/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = yes
peap: use_tunneled_reply = yes
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/freeradius/huntgroups
preprocess: hints = /etc/freeradius/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = /etc/freeradius/users
files: acctusersfile = /etc/freeradius/acct_users
files: preproxy_usersfile = /etc/freeradius/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/freeradius/radwtmp
unix: usegroup = no
Re: Debian .deb Installation Version 1.0.2 Ca.all dosn' exist
On Tue, Jun 21, 2005 at 03:21:17PM +0200, Michael Langer wrote:
> Hi, you have done it at weekend? Today I try apt-upgrade and nothing has changed. The current Version is 1.0.2 in sarge, isn't it?

Sorry, I didn't do the update until Monday, and my sponsor picked a problem with it, so I've just resent the update, corrected. It will hopefully appear in Debian unstable in a day or two, and migrate to testing about a fortnight from now, give or take.

However, Debian Sarge will not gain the package automatically. Your best bet is to either grab the source from the archive and build it locally, or wait until I become a Debian Developer, and backports.org moves up to Sarge, as I intend to maintain a FreeRADIUS backport there for Sarge. (My own RADIUS server runs Debian Sarge so you're in good company. ^_^)

The package I uploaded _may_ install directly on Sarge, but I can't promise such. However, when I do get time to build 1.0.4 for sarge for my own box, I'll post packages somewhere and let the list know, until I start using backports.org.

--
Paul TBBle Hampson, on an alternate email client.
Re: Debian .deb Installation Version 1.0.2 Ca.all dosn' exist
On Tue, Jun 14, 2005 at 03:09:20PM +0200, Michael Langer wrote:
> Hi @all,
> I read some HowTo's for installing FreeRadius/PEAP and they have used the CA.all script to create the certificates. But I can't find this script after installing FreeRadius deb version 1.0.2 on my PC. I have to install other packets? Openssl is already installed. (After installing Freeradius)

Oh. Wow. You're the first person to notice that I completely missed the scripts/ directory in the FreeRADIUS package. _

If you're working from the version in the Debian archive, I'll make an upload of 1.0.3 to address this by the weekend. If you're working from the release on the website, you'll have to grab the release_1_0 tree from CVS once I fix this. For CVS head, this should be caught when I rearrange the debian/ directory there to use dpatch, real soon now. ^_^

I'll prolly put 'em in /usr/share/doc/freeradius/examples/, unless you want to jump up with a better idea? .../scripts/ comes to mind too. I might do that instead.

--
Paul TBBle Hampson, on an alternate email client.
Re: Debian .deb Installation Version 1.0.2 Ca.all dosn' exist
Michael Langer wrote:
> I read some HowTo's for installing FreeRadius/PEAP and they have used the CA.all script to create the certificates. But I can't find this script after installing FreeRadius deb version 1.0.2 on my PC. I have to install other packets? Openssl is already installed. (After installing Freeradius)

It's not an issue of the Debian packet. It's just that script/Makefile doesn't install CA.all.

--
Nicolas Baradakis
Re: Debian .deb Installation Version 1.0.2 Ca.all dosn' exist
[EMAIL PROTECTED] (Paul Hampson) wrote:
> If you're working from the version in the Debian archive, I'll make an upload of 1.0.3 to address this by the weekend. If you're working from the release on the website, you'll have to grab the release_1_0 tree from CVS once I fix this.

Could you also get 1.0.4 ready? It should be released soon, and I've been busy...

> I'll prolly put 'em in /usr/share/doc/freeradius/examples/, unless you want to jump up with a better idea?

examples/scripts
examples/conf

etc.

Alan DeKok.
Re: Debian testing = no PEAP/TLS/TTLS support? (Lincoln Smith)
Hi Lincoln, How did you solve this problem? rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory radiusd.conf[9]: eap: Module instantiation failed. It seems I have the same problem. There was a buglisting for this problem, but I don't know how to solve it, so I was hoping you could help me out. Thx, Pascal. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Debian testing = no PEAP/TLS/TTLS support?
On Sat, Jan 15, 2005 at 06:47:38AM +0100, Sven Juergensen wrote: the start/stop script of the debian freeradius package is faulty as well. let me know if you need a modified script and i'll mail it to you. Alternatively, file a bug report and then everyone can benefit from a fix to whatever's wrong with the init script. -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Debian testing = no PEAP/TLS/TTLS support?
On Sat, Jan 15, 2005 at 11:30:03AM +0100, pascal wrote: Hi, rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory It seems I have the same problem. On a Debian Sarge system. I know there is a bugreport for this problem, but I hoped it would be fixed with a newer version. It was recently discussed on the Debian-Legal mailing list, and I have a list of packages to check for OpenSSL-linkability. If they all pass, and the licenses of the various chunks of FreeRADIUS can be changed (which is a harder problem) we can then add an exception to the GPL to allow linking against OpenSSL. Alternatively, someone who has their head wrapped around SSL can convert the various OpenSSL-users in FreeRADIUS to optionally use gnuTLS instead, controlled by the configure.in system. I plan on doing this, but I'm a bit of a TLS Barbie. ^_^ However, that change will only affect FreeRADIUS 1.1.0 or later, since I don't want to be trying to mangle _two_ sets of autoconf scripts. In the meantime, locally compiled FreeRADIUS packages with a build-depends on libssl-dev instead of a build-conflicts will contain the appropriate libraries without any other code changes. If you version it as current Debian version.0.0.1, then it'll be safe from apt replacing it from the archive, and if you put it on hold, then apt-get upgrade won't touch it. I try not to upload too frequently, and so you can take your time to consider if you need to rebuild any new Debian revisions or just leave the current version held. Alternatively, you can build from the release_1_0 branch in CVS, which will give you what will hopefully soon be 1.0.2, and I try and keep the debian/ directory upstream the same as the one in Debian's archive, so the packages should mesh fine.
-- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Debian testing = no PEAP/TLS/TTLS support?
Err as usual found the solution shortly after posting... Lincoln Smith wrote: Hi there Module: Loaded eap rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory radiusd.conf[9]: eap: Module instantiation failed. Is it the case that PEAP/TLS/TTLS support has been removed from the freeradius package in debian testing? The libraries appear to be gone and all I've managed to turn up on the web is a small entry in the changelog alluding to (licence?) conflicts with openssl. Is this situation likely to reverse anytime soon? Cheers -- Lincoln Smith [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Debian testing = no PEAP/TLS/TTLS support?
the start/stop script of the debian freeradius package is faulty as well. let me know if you need a modified script and i'll mail it to you. cheers, sven Lincoln Smith wrote: Err as usual found the solution shortly after posting... Lincoln Smith wrote: Hi there Module: Loaded eap rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory radiusd.conf[9]: eap: Module instantiation failed. Is it the case that PEAP/TLS/TTLS support has been removed from the freeradius package in debian testing? The libraries appear to be gone and all I've managed to turn up on the web is a small entry in the changelog alluding to (licence?) conflicts with openssl. Is this situation likely to reverse anytime soon? Cheers - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian compile issues in conjunction with eap
Paul Hampson wrote: Check you've got libssl-dev installed. It is quite possibly silently not building rlm_eap_tls due to lack of OpenSSL or wrongly-version openSSL, the same thing that'd cause rlm_x99_token to not build. that did it, thanks a bunch paul and alan. all the best and merry xmas, sven - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian compile issues in conjunction with eap
On Fri, Dec 17, 2004 at 03:47:31AM +0100, Sven Juergensen wrote: and again, http://bugs.freeradius.org/show_bug.cgi?id=98 configuring with --disable-shared make halts at the message of my first email, something with the rlm_x99_token. some strace output: [..] [..] /usr/local/lib/rlm_eap_tls.la, like the strace output suggests, isn't there. Check you've got libssl-dev installed. It is quite possibly silently not building rlm_eap_tls due to lack of OpenSSL or wrongly-version openSSL, the same thing that'd cause rlm_x99_token to not build. rlm_eap_gtc, if it depends on rlm_eap_tls, should skip itself the same way rlm_eap_ttls does (or I think it does) if it won't be built... Then you'd get the more useful error the rlm_eap_gtc wasn't built. ^_^ -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian compile issues in conjunction with eap
Sven Juergensen [EMAIL PROTECTED] wrote:
#0 0x400600df in lt_dlsym (handle=0x8152ac8, symbol=0xbfffe8f0 "rlm_eap_tls") at ltdl.c:3330
3330 lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)
(gdb) bt

It's another libtool stupidity. Delete the previous installation, and build statically.

configuring with --disable-shared make halts at the message of my first email, something with the rlm_x99_token.

something? Delete the rlm_x99_token directory, and the static build should work.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian compile issues in conjunction with eap
Sven Juergensen [EMAIL PROTECTED] wrote: after some research i found out that someone fixed this with the --without-rlm_x99_token That should be fixed, but the maintainer of the module hasn't been actively involved in the project for a while. it compiles but gives me a segfault once radiusd -X is invoked: [...] gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc Segmentation fault which doesn't really surprise me, since i believe it's because of the --without-rlm_x99_token parameter. No. The modules are completely independent, and don't affect each other. My suggestion would be to use gdb (see doc/bugs), or configure compile the server statically. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian compile issues in conjunction with eap
thanks alan, here goes the backtrace then: clt173:/install/freeradius-1.0.1# gdb /usr/local/sbin/radiusd core GNU gdb 6.1-debian Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type show copying to see the conditions. There is absolutely no warranty for GDB. Type show warranty for details. This GDB was configured as i386-linux...Using host libthread_db library /lib/libthread_db.so.1. Core was generated by `/usr/local/sbin/radiusd -X'. Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libcrypt.so.1...done. Loaded symbols for /lib/libcrypt.so.1 Reading symbols from /usr/local/lib/libradius-1.0.1.so...done. Loaded symbols for /usr/local/lib/libradius-1.0.1.so Reading symbols from /usr/local/lib/libltdl.so.3...done. Loaded symbols for /usr/local/lib/libltdl.so.3 Reading symbols from /lib/libdl.so.2...done. Loaded symbols for /lib/libdl.so.2 Reading symbols from /lib/libnsl.so.1...done. Loaded symbols for /lib/libnsl.so.1 Reading symbols from /lib/libresolv.so.2...done. Loaded symbols for /lib/libresolv.so.2 Reading symbols from /lib/libpthread.so.0...done. [Thread debugging using libthread_db enabled] Loaded symbols for /lib/libpthread.so.0 Reading symbols from /lib/libc.so.6...done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld-linux.so.2...done. Loaded symbols for /lib/ld-linux.so.2 Reading symbols from /lib/libnss_files.so.2...done. Loaded symbols for /lib/libnss_files.so.2 Reading symbols from /usr/local/lib/rlm_exec-1.0.1.so...done. Loaded symbols for /usr/local/lib/rlm_exec-1.0.1.so Reading symbols from /usr/local/lib/rlm_expr-1.0.1.so...done. Loaded symbols for /usr/local/lib/rlm_expr-1.0.1.so Reading symbols from /usr/local/lib/rlm_pap-1.0.1.so...done. Loaded symbols for /usr/local/lib/rlm_pap-1.0.1.so Reading symbols from /usr/local/lib/rlm_chap-1.0.1.so...done. 
Loaded symbols for /usr/local/lib/rlm_chap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_mschap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_mschap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_unix-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_unix-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap_md5-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_md5-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap_leap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_leap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap_gtc-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_gtc-1.0.1.so
#0 0x400600df in lt_dlsym (handle=0x8152ac8, symbol=0xbfffe8f0 "rlm_eap_tls") at ltdl.c:3330
3330 lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)
(gdb) bt
#0 0x400600df in lt_dlsym (handle=0x8152ac8, symbol=0xbfffe8f0 "rlm_eap_tls") at ltdl.c:3330
#1 0x402325d7 in eaptype_load (type=0xb, eap_type=11, cs=0xb) at eap.c:114
#2 0x40231b2a in eap_instantiate (cs=0x80a80b0, instance=0xb) at rlm_eap.c:134
#3 0x08055a83 in find_module_instance (instname=0x80ac0d8 "eap") at modules.c:358
#4 0x08056f6d in do_compile_modsingle (component=0, ci=0x80ac0b8, filename=0x8062720 "radiusd.conf", grouptype=0, modname=0xbfffeb68) at modcall.c:814
#5 0x080570f2 in compile_modsingle (component=0, ci=0xb, filename=0xb <Address 0xb out of bounds>, modname=0xb) at modcall.c:829
#6 0x08055f8d in load_component_section (cs=0x80abec0, comp=0, filename=0x8062720 "radiusd.conf") at modules.c:584
#7 0x08056364 in setup_modules () at modules.c:874
#8 0x0804cf1d in main (argc=2, argv=0xbd84) at radiusd.c:965
(gdb)

any idea?
cheers, sven Alan DeKok wrote: Sven Juergensen [EMAIL PROTECTED] wrote: after some research i found out that someone fixed this with the --without-rlm_x99_token That should be fixed, but the maintainer of the module hasn't been actively involved in the project for a while. it compiles but gives me a segfault once radiusd -X is invoked: [...] gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc Segmentation fault which doesn't really surprise me, since i believe it's because of the --without-rlm_x99_token parameter. No. The modules are completely independent, and don't affect each other. My suggestion would be to use gdb (see doc/bugs), or configure compile the server statically. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian compile issues in conjunction with eap
and again, http://bugs.freeradius.org/show_bug.cgi?id=98

configuring with --disable-shared make halts at the message of my first email, something with the rlm_x99_token.

some strace output:

[..]
write(1, gtc: challenge = \Password: \\n, 31 gtc: challenge = Password: ) = 31
time(NULL) = 1103255116
write(1, gtc: auth_type = \PAP\\n, 24 gtc: auth_type = PAP ) = 24
time(NULL) = 1103255116
write(1, rlm_eap: Loaded and initialized ..., 41rlm_eap: Loaded and initialized type gtc ) = 41
open(/usr/local/lib/rlm_eap_tls.la, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/lib/rlm_eap_tls.la, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/lib/rlm_eap_tls.la, O_RDONLY) = -1 ENOENT (No such file or directory)
open(rlm_eap_tls.la, O_RDONLY)= -1 ENOENT (No such file or directory)
access(/usr/local/lib/rlm_eap_tls.so, R_OK) = -1 ENOENT (No such file or directory)
access(/lib/rlm_eap_tls.so, R_OK) = -1 ENOENT (No such file or directory)
access(/usr/lib/rlm_eap_tls.so, R_OK) = -1 ENOENT (No such file or directory)
open(/usr/local/lib/rlm_eap_tls.so, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/etc/ld.so.cache, O_RDONLY) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=8877, ...}) = 0
old_mmap(NULL, 8877, PROT_READ, MAP_PRIVATE, 6, 0) = 0x40241000
close(6)= 0
access(/etc/ld.so.nohwcap, F_OK) = -1 ENOENT (No such file or directory)
open(/lib/tls/rlm_eap_tls.so, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/lib/rlm_eap_tls.so, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/lib/i686/cmov/rlm_eap_tls.so, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/lib/i686/rlm_eap_tls.so, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/lib/rlm_eap_tls.so, O_RDONLY) = -1 ENOENT (No such file or directory)
munmap(0x40241000, 8877)= 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++

i'm hardly able to code or make sense of this, are there any suggestions to what might be going wrong here?
missing libraries? /usr/local/lib/rlm_eap_tls.la, like the strace output suggests, isn't there. thanks again, sven - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
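The diagnosis made in this thread (every probe for rlm_eap_tls fails with ENOENT just before the crash, so the module was never built or installed), as an added example that is not part of the original posts. It assumes strace's usual quoted-path output; the sample trace is constructed, and `probe_report` and `explain` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample in strace's standard format (quoted paths); it mirrors the
# pattern in the post above but is not copied from it.
SAMPLE_STRACE = r'''
open("/usr/local/lib/rlm_eap_gtc.la", O_RDONLY) = 5
open("/usr/local/lib/rlm_eap_gtc-1.0.1.so", O_RDONLY) = 6
open("/usr/local/lib/rlm_eap_tls.la", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/usr/local/lib/rlm_eap_tls.so", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 6
open("/usr/lib/rlm_eap_tls.so", O_RDONLY) = -1 ENOENT (No such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
'''

# One file-probing syscall: optional pid prefix (strace -f), call name,
# first quoted argument, return value, optional errno name.
CALL = re.compile(
    r'^(?:\d+\s+)?(?P<call>open|openat|access|stat|stat64)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"[^)]*\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+))?'
)

# FreeRADIUS module file names: rlm_<name>[-<version>].la or .so
MODULE = re.compile(r'(?:^|/)(?P<name>rlm_[a-z0-9_]+?)(?:-[\d.]+)?\.(?:la|so)$')


def probe_report(strace_text):
    """Group module file probes by module name.

    Returns (found, missing, crashed):
      found   - modules for which at least one probe succeeded
      missing - {module: {"paths": [...], "errnos": [...]}} where every probe failed
      crashed - True if the trace records a SIGSEGV
    """
    probes = defaultdict(list)
    crashed = False
    for raw in strace_text.splitlines():
        line = raw.strip()
        if "SIGSEGV" in line:
            crashed = True
            continue
        call = CALL.match(line)
        if not call:
            continue
        mod = MODULE.search(call.group("path"))
        if not mod:
            continue  # e.g. /etc/ld.so.cache: not a module file
        ok = int(call.group("ret")) >= 0
        probes[mod.group("name")].append((call.group("path"), ok, call.group("errno")))

    found, missing = [], {}
    for name, hits in sorted(probes.items()):
        if any(ok for _, ok, _ in hits):
            found.append(name)
        else:
            missing[name] = {
                "paths": [p for p, _, _ in hits],
                "errnos": sorted({e for _, _, e in hits if e}),
            }
    return found, missing, crashed


def explain(missing):
    """Turn the errno pattern into a next step for each missing module."""
    notes = []
    for name, info in missing.items():
        if info["errnos"] == ["ENOENT"]:
            # The thread's case: the file exists nowhere on the search path,
            # so check whether the build skipped it (e.g. libssl-dev absent).
            notes.append(f"{name}: not present in any searched directory; "
                         "check that the module was actually built")
        else:
            notes.append(f"{name}: a file may exist but could not be opened "
                         f"({', '.join(info['errnos'])}); check permissions")
    return notes


if __name__ == "__main__":
    found, missing, crashed = probe_report(SAMPLE_STRACE)
    print("loaded:", found)
    for note in explain(missing):
        print(note)
    print("crashed after failed lookup:", crashed)
```
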
Re: debian with freeradius and securid PAM Module
[EMAIL PROTECTED] wrote: i want to use securid with freeradius on my debian. I have chosen and installed the pam_securid.so Module from RSA and set up pam and freeradius. PAM may have memory leaks. If at all possible, I would suggest using a command-line tool from SecurID to do the authentication. if i make a radtest every time i get the following errors in syslog: Nov 17 14:31:49 abrakadabra freeradius: PAM unable to dlopen(/lib/security/pam_securid.so) It's probably not in the default library path. See /etc/ld.so.conf, or edit radiusd.conf, and add ':/lib/security' to the end of the 'libdir' directive. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Debian .rules file for building postgres support?
On Mon, Oct 25, 2004 at 01:31:06PM +1000, Tech wrote: Does anybody have a modified .rules file for building a 1.0.1 .deb with Postgres support? Thanks in advance. You'll find one in the freeradius 1.0.1 release on the FreeRADIUS website. -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian packages for woody and sarge
Thanks for the suggestion. Now i progressed a little bit compiling freeradius on Woody. The problem I am having now is about mysql. What library must be in place. This is what i have:

pebble:~# dpkg -l | grep mysql
ii libdbd-mysql-p 1.2216-2 mySQL database interface for Perl
ii libmysqlclient 3.23.49-8.7 mysql database client library
ii libmysqlclient 3.23.49-8.7 mysql database development files
ii mysql-client 3.23.49-8.7 mysql database client binaries
ii mysql-common 3.23.49-8.7 mysql database common files (e.g. /etc/mysql
ii mysql-server 3.23.49-8.7 mysql database server binaries

--- Paul Hampson [EMAIL PROTECTED] wrote: On Sun, Sep 19, 2004 at 08:24:13AM -0700, Aime wrote: OK. I did what you suggested but now I have problem with OpenSSL. It cannot find Openssl. But it is there, I know. I just compiled Openssl on the machine. Do you also have the OpenSSL package? I'd suggest not building a local copy, but using the 0.9.7 packaged in Woody. That'll keep you in security fixes too. ^_^ How can I use dpkg-buildpackage -uc -us -b -rfakeroot but forcing configure to use parameter --with-openssl-includes=/usr/local/openssl/include ? You add that configure option to debian/rules. Don't forget the trailing backslash for the previous line. ^_^ -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian packages for woody and sarge
On Mon, Sep 20, 2004 at 05:30:10AM -0700, Aime wrote: Thanks for the suggestion. Now i progressed a little bit compiling freeradius on Woody. The problem I am having now is about mysql . What library must be in place . libmysqlclient-dev I think... The one below looks right,.. What's the error? This is what i have : ii libmysqlclient 3.23.49-8.7mysql database development files -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian packages for woody and sarge
OK. I did what you suggested but now I have problem with OpenSSL. It cannot find Openssl. But it is there, I know. I just compiled Openssl on the machine. How can I use dpkg-buildpackage -uc -us -b -rfakeroot but forcing configure to use parameter --with-openssl-includes=/usr/local/openssl/include ? --- Paul Hampson [EMAIL PROTECTED] wrote: On Sat, Sep 18, 2004 at 05:40:02AM -0700, Aime wrote: Hello Marcus, Please can you layout here the steps you did to get freeradius compiled on Woody. I tried what you said in your mail (by commenting dh_installpam --name=radiusd ), but still get dependency problems about libsasl2-dev and debhelper. After removing the dh_installpam line, you can take the versioning off the debhelper dependency. And for woody, change libsasl2-dev to libsasl-dev. Then dpkg-buildpackage -us -uc -b -rfakeroot should work. I'd also recommend adding a new debian/changelog entry, so you can tell your package from anyone else's. ^_^ -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian packages for woody and sarge
On Sun, Sep 19, 2004 at 08:24:13AM -0700, Aime wrote: OK. I did what you suggested but now I have problem with OpenSSL. It cannot find Openssl. But it is there, I know. I just compiled Openssl on the machine. Do you also have the OpenSSL package? I'd suggest not building a local copy, but using the 0.9.7 packaged in Woody. That'll keep you in security fixes too. ^_^ How can I use dpkg-buildpackage -uc -us -b -rfakeroot but forcing configure to use parameter --with-openssl-includes=/usr/local/openssl/include ? You add that configure option to debian/rules. Don't forget the trailing backslash for the previous line. ^_^ -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian packages for woody and sarge
Hello Marcus, Please can you layout here the steps you did to get freeradius compiled on Woody. I tried what you said in your mail (by commenting dh_installpam --name=radiusd ), but still get dependency problems about libsasl2-dev and debhelper. Did you do : ./configure make make install OR did you use : dpkg-buildpackage -uc -us -b -rfakeroot to build the package --- Markus Krause [EMAIL PROTECTED] wrote: Hi all, finally I got the debian packages for both woody and sarge built (thanks to paul hampson and michael markstaller for their hints!). for woody i had to comment out the line dh_installpam --name=radiusd in file debian/rules to have the packages built. i do not know if this breaks anything. the packages can be installed, but i did not test if they work correctly (the packages have been built on an old stand-alone machine without network). any feedback about the packages is warmly appreciated! btw: the packages are ready for download at http://www.stud.uni-muenchen.de/~markus.krause/freeradius have fun! markus -- Markus Krause email: [EMAIL PROTECTED] at Max-Planck-Institute of Biochemistry / Martinsried: Computing Center Tel.: 089 - 89 40 85 99 Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98 at Ludwig-Maximilians-University / Munich: Department of Physical Chemistry I Tel.: 089 - 2180 - 77 537 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian packages for woody and sarge
On Sat, Sep 18, 2004 at 05:40:02AM -0700, Aime wrote: Hello Marcus, Please can you layout here the steps you did to get freeradius compiled on Woody. I tried what you said in your mail (by commenting dh_installpam --name=radiusd ), but still get dependency problems about libsasl2-dev and debhelper. After removing the dh_installpam line, you can take the versioning off the debhelper dependency. And for woody, change libsasl2-dev to libsasl-dev. Then dpkg-buildpackage -us -uc -b -rfakeroot should work. I'd also recommend adding a new debian/changelog entry, so you can tell your package from anyone else's. ^_^ -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian package for version
On Thu, Aug 19, 2004 at 10:29:28PM -0700, Petersen, Kirsten - NET wrote: Are there any plans to have a debian package for version 1.0.0 soon? There's an unofficial one someone built, the URL was on the mailing list earlier, and the official (DFSG-free) one is currently with my sponsor. However, my sponsor is part of the Debian release team, so I suspect he's too busy just now to check the package over. _ You _could_ grab the version I submitted from: http://www.tbble.net/freeradius/1.0.0-official/ if you like. It's signed by me, and the final version in the Debian archive will be signed by Steve Langasek, but barring anything stupid I've done, it should be identical to what appears in the archive. If you want to build it yourself, grab the tarball, extract it, and dpkg-buildpackage -us -uc -b -rfakeroot and then wait. Shiny new (non-DFSG-free _) packages will appear. -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian packages for download
i commented out the line and removed the dependency entry for debhelper in debian/control, now i got the following error after running dpkg-buildpackage:

-8-
[snip]
Making dynamic in rlm_sql_mysql...
make[11]: Entering directory `/root/src/freeradius-1.0.0/src/modules/rlm_sql/drivers/rlm_sql_mysql'
/usr/bin/libtool --mode=compile gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../.. -I../../../../include -I'/usr/include/mysql' -c sql_mysql.c
rm -f .libs/sql_mysql.lo
gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../.. -I../../../../include -I/usr/include/mysql -c sql_mysql.c -fPIC -DPIC -o .libs/sql_mysql.lo
gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../.. -I../../../../include -I/usr/include/mysql -c sql_mysql.c -o sql_mysql.o >/dev/null 2>&1
mv -f .libs/sql_mysql.lo sql_mysql.lo
/usr/bin/libtool --mode=link gcc -release 1.0.0 \
-module -export-dynamic -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../.. -I../../../../include \
-I'/usr/include/mysql' -o rlm_sql_mysql.la -rpath /usr/lib/freeradius sql_mysql.lo -L'/usr/lib' -lmysqlclient -lz -lcrypt -lnsl -lm
rm -fr .libs/rlm_sql_mysql.la .libs/rlm_sql_mysql.* .libs/rlm_sql_mysql-1.0.0.*
gcc -shared sql_mysql.lo -L/usr/lib /usr/lib/libmysqlclient.so -lz -lcrypt -lnsl -lm -Wl,-soname -Wl,rlm_sql_mysql-1.0.0.so -o .libs/rlm_sql_mysql-1.0.0.so
/usr/bin/ld: cannot find -lz
collect2: ld returned 1 exit status
make[11]: *** [rlm_sql_mysql.la] Error 1
-8-

which lib is missing there? btw: i tried to update debhelper, but that led me to many other update demands, even libc should be updated. if i did that would that not prevent the package to run on a normal debian woody system?
markus Quoting Paul Hampson [EMAIL PROTECTED]: On Tue, Aug 17, 2004 at 09:24:58AM +0200, Michael Markstaller wrote: I have some freeradius (0.9.3 to 1.0.0-pre3) using MySQL running fine on woody (but without running ldap eap, AFAIK there're unmet dependencies). just build the package from the source (one line needs to be commented out, I posted this on 2004-05-11) --- cut --- debian/rules - line 137 dh_installpam --name=radiusd - this prevents building on woody as dh_installpam doesn't know the --name parameter --- cut --- You'll also need to remove the version from the debhelper dependency or force-depends dpkg-buildpackage, since the versioned dependency is there to make this line work. _Or_ you can install a newer debhelper version onto your Woody box. ^_^ -- Paul TBBle Hampson, on an alternate email client. -- Markus Krause email: [EMAIL PROTECTED] Computing Center Tel.: 089 - 89 40 85 99 Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debian packages for download
On Fri, Aug 20, 2004 at 09:32:06AM +0200, Markus Krause wrote: i commented out the line and removed the dependency entry for debhelper in debian/control, now i got the following error after running dpkg-buildpackage: -8- [snip] [snip] /usr/bin/ld: cannot find -lz which lib is missing there? zlib1g-dev libmysqlclient-dev ought to have pulled that in... But it doesn't in woody. It's fixed in sid and sarge though... You'll have to add that to Build-Depends for FreeRADIUS, I guess. btw: i tried to update debhelper, but that led me to many other update demands, even libc should be updated. if i did that would that not prevent the package to run on a normal debian woody system? OK, don't do that then... I must have misremembered how easy it is to update to debhelper... Sorry. _ -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Debian backport of FreeRADIUS-1.0.0-pre1 to woody
On Wed, Jun 02, 2004 at 10:51:33AM +0100, Graeme Hinchliffe wrote: As the subject suggests. Anyone done a backport of this yet to woody? I haven't yet. There were some people doing 0.9 backports, dunno if they'll pick up the prereleases though. I don't intend to do a backport until we release 1.0.0 final, and prolly won't bother if someone else steps up to the plate. :-) -- Paul TBBle Hampson, on an alternate email client. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html