Re: What does FR 2.2.2 fix?
Hi,

> clarification/agreement from Stefan or others?

Tried the newest GIT this morning and the proxy issues were gone. I haven't seen your "Internal sanity check failed" just yet (and am not looking forward to it :-/ ).

Stefan

> alan
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xC0DE6A358A39DC66
Re: ipad ssl error in free radius
Hi,

is the firmware on that iPad particularly old? Or maybe your OpenSSL on the server side? Things like mismatching cipher requirements or forced secure renegotiation might cause some of these issues.

Greetings,

Stefan Winter

On 19.09.13 06:27, val john wrote:
> hi guys
>
> we are getting the following error in our radius log when an ipad is trying to connect to our WIFI network. Our WIFI network is using EAP-TTLS + LDAP authentication. All other devices (linux, windows, mac os 10.8, Suse, android) are working fine apart from ipads ..
>
> Error
> ===
> Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify
> Tue Sep 17 13:36:25 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
> Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> Tue Sep 17 13:36:25 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
> Tue Sep 17 13:36:25 2013 : Auth: Login incorrect (TLS Alert read:warning:close notify): [u...@ihk.com mailto:u...@ihk.com] (from client ManagementAPs port 1 cli 00-88-65-42-50-88)
>
> Do you guys have any idea what causes this issue?
>
> Thank you
> John
Re: [ANN] Version 3.0.0-rc1
Hi,

> We are in feature freeze for 3.0. The configuration format and behaviour for 3.0 will be stable between now and the final release (as it was with release_3_0_0_rc0).
>
> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behavior changes you notice.
>
> To provide a single point to test against, the release_3_0_0_rc1 tag has been created.

When trying to make install with the custom way of avoiding raddb as suggested on the list earlier (i.e.

mv raddb raddb-noinst
mkdir raddb
touch raddb/all.mk
make install

) I now encounter a Makefile error:

radius-int-1-new:~/freeradius-server-release_3_0_0_rc1 # make install
make: *** No rule to make target `/usr/local/freeradius/config/raddb/mods-config', needed by `/usr/local/freeradius/config/raddb/mods-config/perl'.  Stop.

As you see, I'm not inside /usr/local/freeradius at all ... I'm in /root/freeradius-server-release_3_0_0_rc1/. The raddb folder is empty except the 0-byte all.mk. Why would it think it needs to do something for /usr/local/freeradius/config/raddb/mods-config/perl? This is an otherwise fresh rc1.

The directory above is the place where the config resides in; but it should leave that one alone, right? configure runs with the following options:

./configure --prefix=/usr/local/freeradius/3.0.0-tagged-rc1 \
  --with-raddbdir=/usr/local/freeradius/config/raddb \
  --with-openssl \
  --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include \
  --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

(and that's the reason it knows about /usr/local/freeradius/config/raddb at all)

I believe that way to make make install ignore raddb used to work with rc0 and numerous GIT snapshots.

Greetings,

Stefan Winter

> Behaviour changes since release_3_0_0_rc0:
>
> * Fixed many more compiler warnings.
> * LDAP schemas to load dynamic clients from LDAP
> * the control socket is now marked stable
> * Added RFC 6929 dictionary, along with a few others
> * Clean up proxy ID allocation / re-allocation
> * pairbasicfree() has been replaced by talloc_free()
> * Added %{debug_attr:LIST} to print out attributes in LIST
> * The PAP module can now configurably *not* normalize passwords
> * Remove support for %{#}, and add %{strlen:} expansion
>
> Bug fixes:
>
> * Corrected more documentation to match the new behavior and config
> * Corrected many minor typos and spelling mistakes in documentation and config files
> * If the installation directory exists, don't re-install files
> * add crlDistributionPoints to certificates for Windows phones.
> * Use documentation IP addresses everywhere (192.0.2/24)
> * Build fixes for clang related to the -rdynamic flag
> * Allow update sections to update outer.reply
> * Re-write module handler to work, the code is significantly cleaner, and priority overrides work correctly in all cases, #404, #424
> * CUI SQL fixes, #412
> * Don't die in RB tree re-allocation of proxy ID
> * Do a second pass over pre-compiled conditions, #421, #423
> * Add delete order to rbtree, #416. Also used by the proxy ID re-allocation code
> * Fixed TCP socket close handlers to be simpler and more robust
> * Allow ${..} expansion in `strings`
> * moved EAP destructors to talloc, which wasn't done in -rc0
> * Fix LDAP group comparisons, and other pair comparisons
> * NULL terminate strings copied between VALUE_PAIRs correctly
> * Fix !* when used with non-string attributes
> * Fix `` exec in update sections
> * Load libpython within rlm_python to ensure all required symbols are available
> * Don't SEGV printing IPv6 Interface ID
> * Don't SEGV evaluating dates in rlm_expiration
> * Fix ./configure --with-shared-libs=no
> * Fix crashes related to opaque request data and regular expressions
> * Fix heimdal krb5 build
>
> The tarball is available here:
> https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_rc1.tar.gz
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: [ANN] Version 3.0.0-rc1
Hi,

>> mv raddb raddb-noinst
>> mkdir raddb
>> touch raddb/all.mk
>> make install
>
> do 'mkdir raddb/mods-config'
>
> you've 'messed around' with the configuration directory which assumes that mods-config exists... i guess that could be fixed to make the directory first if it doesn't exist.

The idea is that make install is not supposed to touch my production config in any way. I don't want it to generously add directories without me knowing. It was easy to tell it to back off earlier (even easier in v2 - just mv source/raddb/ out of the way), but now for some reason the old v3-style mechanism doesn't work any more.

I guess I could create the mods-config/ dir in my production config dir and it would make the symptom go away. I still found it worth reporting that some messing-around with the config dir is going on/attempted even when the source dir is told not to do that.

I think I understand from the earlier post that the make install target of rlm_perl wants to do something in raddb/mods-config/ on its own; and bails out when it can't. It's not nice if one module makes assumptions about a part of the directory structure it doesn't control. Nothing stops me from deploying a raddb with the configs lying in raddb/modules-configuration-information/ and it would be very undue if the stock build process bails out on failure then during a subsequent installation.

Greetings,

Stefan
Re: [ANN] Version 3.0.0-rc1
Hi,

> Because that all.mk file for the rlm_perl module installs example perl scripts in mod-config, the same with rlm_python and rlm_ruby. I guess we'll have to come up with a proper fix.

Does the file need to be created by the rlm's make install? The example scripts could be put into source/raddb/mods-config, and installed from raddb's own part of make install. That way, if I move raddb out of the way, nothing bad will happen; both the current content of raddb and all the script examples will be ignored.

Greetings,

Stefan Winter
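The requirement in this thread, that make install must not add, remove or modify anything under the production raddb, made checkable. This is an added example (my own code, not FreeRADIUS project code): it snapshots the config tree before the install and reports afterwards what the install added, removed or modified, so a stray mods-config/ or a re-installed users file is caught immediately rather than found later in production. The script name raddb_guard.py and the snapshot file path are assumptions; the directory in the usage comment mirrors the --with-raddbdir value quoted above.

```python
"""Guard a production FreeRADIUS config directory across 'make install'.

Added example, not FreeRADIUS project code. Take a snapshot of the raddb
tree before 'make install', compare after it, and fail if anything changed.
Script name and paths are assumptions.
"""
import hashlib
import json
import os
import sys


def snapshot(raddb_dir):
    """Map every entry under raddb_dir to a SHA-256 of its content.

    Directories are recorded too (key ends in '/', empty digest) so that an
    installer that merely creates mods-config/ shows up as an addition.
    """
    result = {}
    for root, dirs, files in os.walk(raddb_dir):
        rel_root = os.path.relpath(root, raddb_dir)
        for name in dirs:
            result[os.path.normpath(os.path.join(rel_root, name)) + "/"] = ""
        for name in files:
            path = os.path.join(root, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[os.path.normpath(os.path.join(rel_root, name))] = digest.hexdigest()
    return result


def diff_snapshots(before, after):
    """Return sorted lists (added, removed, modified) of relative paths."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, modified


def main(argv):
    """raddb_guard.py save  RADDB_DIR SNAPSHOT_FILE   (run before 'make install')
       raddb_guard.py check RADDB_DIR SNAPSHOT_FILE   (run after it; exit 1 on any change)"""
    if len(argv) != 4 or argv[1] not in ("save", "check"):
        print(main.__doc__, file=sys.stderr)
        return 2
    cmd, raddb_dir, snap_file = argv[1:]
    if cmd == "save":
        with open(snap_file, "w") as fh:
            json.dump(snapshot(raddb_dir), fh, indent=1, sort_keys=True)
        return 0
    with open(snap_file) as fh:
        before = json.load(fh)
    changes = diff_snapshots(before, snapshot(raddb_dir))
    for label, paths in zip(("added", "removed", "modified"), changes):
        for path in paths:
            print(f"{label}: {path}")
    return 1 if any(changes) else 0


if __name__ == "__main__":
    # e.g.  raddb_guard.py save  /usr/local/freeradius/config/raddb /root/raddb.before
    #       make install
    #       raddb_guard.py check /usr/local/freeradius/config/raddb /root/raddb.before
    sys.exit(main(sys.argv))
```

Run save before and check after make install; a non-zero exit means the install wrote into the config tree, and the printed lines say exactly what to remove or restore. The check deliberately counts a new empty directory as a change, since that is the very thing rlm_perl's all.mk tried to create here.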
Re: Segmentation Fault on [pap] Normalizing SSHA1-Password from base64 encoding
Hi,

>> The fix still needs config changes with a bit of a hackish workaround - read the thread til the end to get all the goodness.
>
> I tested some of the hashes that were giving me trouble and they all worked with the current branch version. I also read all the thread,

Glad to hear that :-)

The remaining issue occurs only when the base64-encoded SSHA password starts with the two characters 0x or 0X. In that case, FreeRADIUS thinks "oh, a hex number, let's decode it" - while the input is not a number at all. Doesn't lead to crashes, but auths going wrong. And, IIRC, that kind of failed decoding heuristics only happens inside the SQL module, so if you pull your SSHA hashes from elsewhere, it may not apply at all.

> and some things were not so clear for me (sorry for the noobiness). Could you explain your final configuration state?

The problem is that SSHA1-Password's data type triggers the wannabe-decoding. The workaround was to define another attribute myself, with another data type, which stops this from happening; and later re-coding into the original attribute name explicitly in the config.

> I saw the unlang:
>
> update reply {
>     SSHA1-Password := 0x%{base64tohex: %{control:RESTENA-SSHA1-Password1}}
> }
>
> And the SQL syntax:
>
> SELECT id, username, 'RESTENA-SSHA1-Password', value, op FROM check_smtp_ssha1 WHERE username='%{SQL-User-Name}'
>
> Are these configurations obligatory? I'm using the standard radcheck table (id,username,attribute,op,value) and query that comes with freeradius. From what I understood, I need to create a VSA, assign my SSHA1-Password attribute to it and convert it to hex format using the unlang and xlat?

That's right, the RESTENA-* thing is a VSA. Not sure about the data type right now, not in the office. I think SSHA1-Password's failing one is octets and the VSA is string (or text?) instead. Ehm, the thread should tell you :-)

If you have control over your database, it's obviously better to change the attribute name inside the DB to your VSA's attribute name, and to leave the standard queries in sql.conf untouched. In my setup, I did not have that luxury, thus the override of attribute name to a hard-wired RESTENA-SSHA1-Password.

> Without this extra configuration, the messages from authorization are now:
>
> [pap] login attempt with password "senhasecreta"
> [pap] Using SSHA encryption.
> [pap] User authenticated successfully
> ++[pap] = ok
>
> So the Normalizing error and segmentation fault isn't happening anymore.

With only those specific 0x/0X characters triggering failure, you'd see approx. 1 out of 16.000 hashes being affected. Depending on your deployment size, you may simply not have seen it yet :-) The normal non-debug log would not produce any clue that something went wrong (aside from "auth failed"), as the error would be an SQL query error - even though the query is perfectly fine; it's the post-processing that goes wrong.

HTH,

Stefan
Re: Segmentation Fault on [pap] Normalizing SSHA1-Password from base64 encoding
Hi,

> http://lists.freeradius.org/pipermail/freeradius-devel/2013-May/008046.html
> http://lists.freeradius.org/pipermail/freeradius-users/2013-May/066440.html
>
> I also did everything that Stefan Winter did - gdb live server, valgrind, look at the source, compare with 3.0 - and got the same results. In the -devel thread Alan DeKok says there won't be any patches or development on the 2.2.x branch anymore, and I tested with 3.0 with success.
>
> So I ask: is there any way to backport the fix to the 2.2.x branch? I don't know C very well but if it's not so hard, I might try talking to people who know how to code and create an unofficial patch. I saw that the base64 is now using a brave new approach on 3.0.
>
> And also, if keeping this bug forever in the 2.2.x branch, what is, in your opinions, the best way to store the encrypted passwords? I'm using the SSHA-Passwords attribute, salted with the uuidgen command. And I was thinking, if I use a salt with only 16 characters instead of 32+, is there any chance for this bug to happen? It'll be easier for me to fix the salts instead of the code. I can't migrate to 3.0 right now because the system is in production state. (Please, don't say Cleartext-Passwords are the solution :P)

You should read the (entire!) thread on -devel titled "2.x.x (and earier?): yet another decoding SSHA issue" during which at some point the 2.x.x branch code got fixes for the bulk of the issue. This will be in 2.2.1; but you can safely grab current branch, it's running stable on my production systems for a long time now.

The fix still needs config changes with a bit of a hackish workaround - read the thread til the end to get all the goodness.

Greetings,

Stefan Winter

> The following hash generates the crash:
> 42A9cqWnI8QAyQLsy7+iZDNKkrwzYzZlMjFiMC00YWFlLTQyN2QtOTdlNC0zNjIyYTZmYjhjNDk=
>
> Thanks!
Re: [ANN] Version 3.0.0-rc0
Hi,

>> # mv raddb raddb-noinst
>> # mkdir raddb
>> # touch raddb/all.mk
>> # make install
>
> that's easy enough, thanks!

Except that it doesn't suffice :-/

INSTALL rlm_utf8.la
INSTALL rlm_always.la
INSTALL rlm_logintime.la
INSTALL rlm_attr_filter.la
INSTALL rlm_soh.la
make: *** No rule to make target `/usr/local/freeradius/config/raddb/mods-config', needed by `/usr/local/freeradius/config/raddb/mods-config/perl'.  Stop.

Do I need to mkdir and touch all subdirs as well?

Stefan
2.x.x and radtest: no IPv6?
Hi,

while using radtest, I got some strange results:

# ./radtest swinter testpwd [::1] 123 testing123
radclient: Failed to find IP address for host ::1: Success

# ./radtest swinter testpwd ipv6-localhost 123 testing123
radclient: Failed to find IP address for host ipv6-localhost: Success

ipv6-localhost is in my /etc/hosts. I'd expect both of these to work... no brackets also doesn't work, but that was just my last straw and doesn't have to work anyway.

Does radtest not support IPv6? I could have sworn it did IPv6 earlier, but not totally sure.

Greetings,

Stefan Winter
authentication by hostname
Hi,

sorry, I am completely new to Radius … I want to change a FreeRadius server to authenticate a few hosts by their hostnames. The hostnames would be stored in a config file. How could I do this?

This is the authentication request:

rad_recv: Access-Request packet from host 10.10.10.21 port 54285, id=145, length=347
	Framed-MTU = 1480
	NAS-IP-Address = 10.10.10.21
	NAS-Identifier = HP-2520-24-PoE
	User-Name = host/MYHOSTNAME
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = 1
	Called-Station-Id = 84-34-97-de-df-80
	Calling-Station-Id = 00-1f-29-98-8d-41
	Connect-Info = CONNECT Ethernet 100Mbps Full duplex
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = 201
	EAP-Message = 0x0201001401686f73742f544344452d3030303131
	Message-Authenticator = 0xe06791a76c819a3dc0f89c8baf2df141
	MS-RAS-Vendor = 11

Thanks for any help!

Take care,
Stefan
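As an added example (my own code, not FreeRADIUS code and not from the poster): the EAP-Message in the request above is an EAP Response/Identity, and the identity it carries is what a hostname check has to look at. The code decodes the posted value, strips the host/ prefix that Windows machine authentication puts in front of the computer name, and matches the name against a one-hostname-per-line allow-list. The allow-list format and all function names are assumptions. The posted EAP-Message decodes to host/TCDE-00011 while the posted User-Name reads host/MYHOSTNAME, so the check also insists that the two agree.

```python
"""Decode the EAP-Message of an Access-Request and gate machine identities
on a hostname allow-list.

Added example, not FreeRADIUS code. POSTED_EAP_MESSAGE is the value from the
posted request; the allow-list format (one hostname per line, '#' comments)
and the function names are assumptions.
"""
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# From the posted Access-Request (not constructed).
POSTED_EAP_MESSAGE = "0x0201001401686f73742f544344452d3030303131"


def parse_eap_identity(eap_message_hex):
    """Return the identity carried by an EAP Response/Identity packet.

    Layout (RFC 3748): code(1) id(1) length(2) type(1) type-data.
    Raises ValueError for anything else, including a length field that
    disagrees with the bytes actually received.
    """
    if eap_message_hex[:2] in ("0x", "0X"):
        eap_message_hex = eap_message_hex[2:]
    data = bytes.fromhex(eap_message_hex)
    if len(data) < 5:
        raise ValueError("EAP packet shorter than a Response/Identity header")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"not an EAP Response (code {code})")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes received")
    if data[4] != EAP_TYPE_IDENTITY:
        raise ValueError(f"not an Identity packet (type {data[4]})")
    return data[5:].decode("utf-8")


def hostname_from_identity(identity):
    """Strip the 'host/' prefix Windows supplicants use for machine authentication."""
    prefix = "host/"
    if not identity.startswith(prefix) or len(identity) == len(prefix):
        raise ValueError(f"not a machine identity: {identity!r}")
    return identity[len(prefix):].lower()


def load_allowed_hosts(text):
    """Parse allow-list file content: one hostname per line, '#' starts a comment."""
    hosts = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            hosts.add(entry.lower())
    return hosts


def is_allowed(eap_message_hex, user_name, allowed_hosts):
    """True only if the EAP identity equals User-Name and its hostname is listed.

    The NAS is expected to copy the EAP identity into User-Name; when the two
    differ they describe different peers, and the request is refused.
    """
    try:
        identity = parse_eap_identity(eap_message_hex)
        hostname = hostname_from_identity(identity)
    except ValueError:
        return False
    return identity == user_name and hostname in allowed_hosts
```

The Identity is sent in the clear and nothing in it is authenticated, so a list like this can only decide which machines may start an EAP method (EAP-TLS with machine certificates, or PEAP against machine accounts); it is no replacement for that method.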
Re: 2.x.x and radtest: no IPv6?
Hi,

>> Does radtest not support IPv6? I could have sworn it did IPv6 earlier, but not totally sure.
>
> ahem
>
> -4 Use IPv4 for the NAS address (default)
> -6 Use IPv6 for the NAS address

Uh. Sorry.

Still... maybe for a later version... if the input looks like an IP address, guessing the address family isn't all that hard. I see that such a -4 / -6 option is required for hostnames, but even then only if they return addresses for both families. ipv6-localhost only returns ::1. And ::1 successfully parses neither as an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous and could be auto-detected. That would add a little user-friendliness for users who didn't have enough sleep :-)

Stefan
Re: [ANN] Version 3.0.0-rc0
Hi,

I'd love to try. Looking at GITHUB's master branch, I see that the latest commit was 5 months ago, and the last tag is 3_0_0_beta1? There's also no other branch name that suggests recent versions. Anything wrong with github?

Stefan

On 16.07.2013 15:15, Alan DeKok wrote:
> Stefan Winter wrote:
>> (0) ERROR: %{#User-Password}
>> (0) ERROR:    ^ Unknown attribute
>> (0) ERROR: Evaluation of condition failed for some reason.
>> (0)else else {
>> (0) - entering else else {...}
>>
>> Earlier, this would yield the number of characters in the incoming request's User-Password attribute, and see if it's exactly 96 Bytes. I don't know why the # triggers an unknown attribute? Looks like a bug to me...
>
> That code was removed because it was horrid. I've pushed a fix, including fixes to documentation. Use %{strlen:...} instead.
>
> Alan DeKok.
Re: [ANN] Version 3.0.0-rc0
Hi,

> Anything wrong with github?

Oh, never mind that. git.freeradius.org has a link to:

http://github.com/alandekok/freeradius-server/tree/master

which is probably not the best place to link to. Sure, if you read the github notice on that page it'll tell you

"Alan DeKok's private copy of the FreeRADIUS Server code. Do NOT fork this. Use the link below instead. https://github.com/FreeRADIUS/freeradius-server"

And if you do that, you'll get the source. But wouldn't it be much more useful to send people to the correct URL immediately?

Stefan
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

Here's another thing that worked in 2.x, should continue to according to man 5 unlang, but doesn't:

(0) ? if ( User-Name == cyrus )
(0) expand: cyrus -> 'cyrus'
(0) ? if ( User-Name == cyrus ) -> FALSE
(0) ? elsif ( %{#User-Password} == 96 )
(0) expand: 96 -> '96'
(0) ERROR: %{#User-Password}
(0) ERROR:    ^ Unknown attribute
(0) ERROR: Evaluation of condition failed for some reason.
(0)else else {
(0) - entering else else {...}

Earlier, this would yield the number of characters in the incoming request's User-Password attribute, and see if it's exactly 96 Bytes. I don't know why the # triggers an unknown attribute? Looks like a bug to me...

Greetings,

Stefan Winter
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

Here's one thing during make install that used to work, but now ceased.

In 2.x.x, there was an easy mechanism to prevent make install from generously copying config files into the target config directory. This worked by doing a mv raddb raddb-somestring. make install would not find the raddb directory and ignore it during install. That was quite cool; I have a config dir which only contains files which are actually in use; like I don't have a "users" file. If raddb is in place during a make install, this would copy the default config files (a.k.a. random junk) into my production config.

Now, with 3.0.0 if I try the same trick, I get:

# mv raddb raddb-noinst
# make install
scripts/boiler.mk:552: raddb/all.mk: No such file or directory
make: *** No rule to make target `raddb/all.mk'.  Stop.

I understand that the urgency of preserving existing config dirs is lower; due to the server not creating new modules in modules/ any more; these days, it can mess with mods-available as it likes. But still, the hygiene I could apply to my config previously was nice. Any chance to get this back?

Greetings,

Stefan Winter
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

The errors for people upgrading from 2.x are a bit cryptic. Of course reading README.rst will solve it, but the initial complaints when just starting with -X are:

(I have user, group, and allow_core_dumps both on the top-level AND in the security subsection to have a config for 2.x and 3.x - this used to be okay, with the top-level entries simply ignored)

main {
 security {
 	user = radiusd
 	group = radiusd
 	allow_core_dumps = no
 }
/usr/local/freeradius/config/raddb/radiusd.conf[0]: Configuration item "user" is deprecated
/usr/local/freeradius/config/raddb/radiusd.conf[0]: Replace "user" with "group"
}

Here it complained about the top-level "user" - but suggesting to replace it with "group"?

After commenting out the user and group ones, I got to allow_core_dumps:

main {
 security {
 	user = radiusd
 	group = radiusd
 	allow_core_dumps = no
 }
/usr/local/freeradius/config/raddb/radiusd.conf[0]: Configuration item "allow_core_dumps" is deprecated
/usr/local/freeradius/config/raddb/radiusd.conf[0]: Replace "allow_core_dumps" with "(null)"
}

"Replace with null" makes it look like the config parameter doesn't exist any more; while it simply moved into security { }.

Stefan
Re: [ANN] Version 3.0.0-rc0
Hi,

On 15.07.2013 10:24, Alan DeKok wrote:
> # mv raddb raddb-noinst
> # mkdir raddb
> # touch raddb/all.mk
> # make install

that's easy enough, thanks!

Stefan
Re: [ANN] Version 3.0.0-rc0
Hi,

> If you are planning on deploying 3.0 and have an existing 2.x.x configuration you were planning to migrate when the 3.0 is released, now would be a good time to try that, and to report any issues or problematic behaviour changes you notice.

I must be missing something pretty obvious, so sorry if the below question is just noise...

I'll have to replace my sql_log instances with rlm_sql_null (*sniff*). So as I was in the process of re-writing the first instance config, I stumbled over the 2.x parameter:

sql_log sql-relay-acct-vpn {
	path = ${radacctdir}/sql-relay-common
	...
}

Which is useful for knowing where the text file with the queries ends up. And in 3.0.0-rc0 ... there is no such thing?!? Or I just don't get it. mods-available/sql speaks of setting "null" and "dialect" to "mysql" - and the dialect config doesn't have file names. The only filename I see in the sql config is sqltracefile. Maybe that's it, but with that parameter description, the semantics would be a rather horrible mismatch.

NB: README.rst doesn't mention the death of sql_log nor that sql (null) is its replacement.

Greetings,

Stefan Winter
Re: [ANN] Version 3.0.0-rc0
Hi,

> I'll double check the default configs to make sure they list it and update the documentation.
>
> Fixes pushed for behaviour, and to fixup the default config files.

Good news! Just wondering: the files being written to are properly locked (thread waits for the lock) - right? I have several instances of sql_log which all write to the same file, so converting them needs to keep that up.

Other than those issues, I now have a server which at least starts up with my half-converted config. A couple of legacy warnings and a non-suggested directory structure, but it works! I'll now start issuing actual requests for all my vservers.

Greetings,

Stefan Winter
Re: PEAP using different CA?
Hello,

>> To avoid the need of installing our CA certificate on every Windows machine, we'll buy the server certificate from a public CA.
>
> Having the CA cert installed only does half of the job; for EAP configuration purposes, the CA must be explicitly marked as trusted /for this EAP identity/. So you still need to tell users to set a checkbox beside that CA. The difference to importing the CA before that is not much more work; on Windows, it's a couple of clicks only.
>
> If this is a usability issue, I recommend you look at dissolvable setup clients like cloudpath, or investigate the various certificate/settings bundles that things like iPhones support.

And since he is from a university and likely his deployment is an eduroam one, you should also mention the dissolvable client setup tool eduroam CAT, https://cat.eduroam.org , which is free and tailored to eduroam. It will install private CAs just as fine and automated as it does commercial CAs.

Greetings,

Stefan Winter

> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: Failure authenticate using IPv6
Hi,

it's a very bad idea to use link-local addresses. You should use a global or ULA address instead. I don't *know* why this doesn't work, but it does with our global-scope addresses just fine, so I'm guessing it's the address type. Especially since link-local addresses are only valid with an interface scope. So fe80::215:17ff:fed0:d278 simply isn't an IPv6 address. fe80::215:17ff:fed0:d278%eth0 is the valid address. I don't know if the FreeRADIUS address parser is prepared to handle such interface-scoped addresses. There's not much use case for this.

Greetings,

Stefan Winter

Am 23.05.13 16:11, schrieb Michael Sherman:
>> what does this do...
>>
>> client fe80::215:17ff:fed0:d278 {
>>         secret = test
>>         shortname = test-net
>>         nastype = other
>> }
>>
>> ... ?
>>
>> alan
>
> Same :(
>
> radiusd: Loading Clients
>  client 127.0.0.1 {
>         require_message_authenticator = no
>         secret = testing123
>         shortname = localhost
>         nastype = other
>  }
>  client 10.10.0.0/16 {
>         require_message_authenticator = no
>         secret = bigsecret
>         shortname = test-net
>  }
>  client fe80::215:17ff:fed0:d278 {
>         require_message_authenticator = no
>         secret = bigsecret
>         shortname = test-net
>         nastype = other
>  }
> ...
> radiusd: Opening IP addresses and Ports
>  listen {
>         type = auth
>         ipv6addr = :: IPv6 address [::]
>         port = 0
>  }
>  listen {
>         type = acct
>         ipv6addr = :: IPv6 address [::]
>         port = 0
>  }
>  listen {
>         type = control
>  listen {
>         socket = /usr/local/var/run/radiusd/radiusd.sock
>  }
>  }
>  listen {
>         type = auth
>         ipaddr = 127.0.0.1
>         port = 18120
>  }
> ...
>  adding new socket proxy address * port 54225
> Listening on authentication address :: port 1812
> Listening on accounting address :: port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address :: port 1814
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
> Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
> Ready to process requests.
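An added example (editor's code, not from the thread and not part of FreeRADIUS) that makes the point above checkable: it classifies the addresses a clients.conf would carry, flagging link-local IPv6 entries that lack the interface scope they need, and picks the refused sources out of debug output of the kind quoted above. The client table is constructed; the log excerpt is the line from the thread.

```python
"""Lint RADIUS client addresses for link-local IPv6 without an interface scope."""
import ipaddress
import re

# Constructed client table in the shape of clients.conf entries (name -> address).
CLIENTS = {
    "localhost": "127.0.0.1",
    "test-net-v4": "10.10.0.0/16",
    "test-net-v6": "fe80::215:17ff:fed0:d278",        # link-local, no scope
    "test-net-v6-scoped": "fe80::215:17ff:fed0:d278%eth0",
    "ula-peer": "fd12:3456::10",                      # ULA, routable on site
    "global-peer": "2001:db8:1::10",                  # documentation prefix
}

# Shape of the "Ignoring request ..." line radiusd prints for an unknown source.
UNKNOWN_RE = re.compile(r"from unknown client (\S+) port \d+")

SAMPLE_LOG = (
    "Ready to process requests.\n"
    "Ignoring request to authentication address :: port 1812 from unknown client "
    "fe80::215:17ff:fed0:d278 port 48848\n"
)


def classify(address):
    """Return one of 'ok', 'link-local-unscoped', 'link-local-scoped', 'invalid'.

    A '%zone' suffix is split off first, because ipaddress.ip_network does not
    accept it on every Python version; fe80::/10 is only meaningful with one.
    """
    text, _, zone = address.partition("%")
    try:
        net = ipaddress.ip_network(text, strict=False)  # accepts host or prefix
    except ValueError:
        return "invalid"
    if net.version == 6 and net.network_address.is_link_local:
        return "link-local-scoped" if zone else "link-local-unscoped"
    return "ok"


def lint_clients(clients):
    """Map client name -> verdict for every entry that needs attention."""
    return {name: v for name, addr in clients.items() if (v := classify(addr)) != "ok"}


def refused_sources(log_text):
    """Source addresses the server ignored, with their classification."""
    return {src: classify(src) for src in UNKNOWN_RE.findall(log_text)}
```

Run `lint_clients(CLIENTS)` before reloading the server and `refused_sources()` over a `radiusd -X` capture; a link-local source in the second output is the case the reply above describes, and the fix is to give the NAS a global or ULA address rather than to fiddle with the client entry.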
Re: segfault error
Hi,

FYI, I just had the same issue and went into the code that leads to this. The issue is that with *salted* passwords, FreeRADIUS sometimes decides to base64-decode *twice*. The first round does the right thing; the second one *may* produce garbage (attempting to decode an already-decoded string). It only does so if the decoded value from the first round looks like it could be a base64-encoded string (e.g. contains an = sign very early) AND if your salts are long enough to trick FreeRADIUS into thinking that there's something to decode still.

Hoping to get this fixed for 2.2.1.

Stefan

On 02.05.2013 19:33, Chris Taylor wrote:
> I forgot to include my OS and kernel type.
>
> Linux on-radius01.eastlink.ca 2.6.18-308.16.1.el5
> CentOS release 5.9 (Final)
>
> -----Original Message-----
> From: Chris Taylor
> Sent: Thursday, May 02, 2013 1:31 PM
> To: 'FreeRadius users mailing list'
> Subject: RE: segfault error
>
> I think I have what you are looking for now. I have copied the whole dump from when I start using gdb.
>
> Chris
>
> [root@on-radius01 raddb]# gdb /usr/sbin/radiusd /tmp/core-radiusd-11-95-95-11609-1367435209
> GNU gdb (GDB) CentOS (7.0.1-45.el5.centos)
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu".
> For bug reporting instructions, please see:
> http://www.gnu.org/software/gdb/bugs/...
> Reading symbols from /usr/sbin/radiusd...done.
> [New Thread 11611]
> [New Thread 11614]
> [New Thread 11613]
> [New Thread 11612]
> [New Thread 11610]
> [New Thread 11609]
> Reading symbols from /usr/local/lib/libfreeradius-radius-2.2.0.so...done.
> Loaded symbols for /usr/local/lib/libfreeradius-radius-2.2.0.so
> Reading symbols from /lib64/libnsl.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libnsl.so.1
> Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libresolv.so.2
> Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
> [Thread debugging using libthread_db enabled]
> Loaded symbols for /lib64/libpthread.so.0
> Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libcrypt.so.1
> Reading symbols from /usr/local/lib/libltdl.so.3...done.
> Loaded symbols for /usr/local/lib/libltdl.so.3
> Reading symbols from /lib64/libssl.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libssl.so.6
> Reading symbols from /lib64/libcrypto.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libcrypto.so.6
> Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libdl.so.2
> Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libc.so.6
> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> Reading symbols from /usr/lib64/libgssapi_krb5.so.2...(no debugging symbols found)...done.
> Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
> Reading symbols from /usr/lib64/libkrb5.so.3...(no debugging symbols found)...done.
> Loaded symbols for /usr/lib64/libkrb5.so.3
> Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libcom_err.so.2
> Reading symbols from /usr/lib64/libk5crypto.so.3...(no debugging symbols found)...done.
> Loaded symbols for /usr/lib64/libk5crypto.so.3
> Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libz.so.1
> Reading symbols from /usr/lib64/libkrb5support.so.0...(no debugging symbols found)...done.
> Loaded symbols for /usr/lib64/libkrb5support.so.0
> Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libkeyutils.so.1
> Reading symbols from /lib64/libselinux.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libselinux.so.1
> Reading symbols from /lib64/libsepol.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libsepol.so.1
> Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libnss_files.so.2
> Reading symbols from /lib64/libnss_ldap.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libnss_ldap.so.2
> Reading symbols from /usr/local/lib/rlm_exec-2.2.0.so...done.
> Loaded symbols for /usr/local/lib/rlm_exec-2.2.0.so
> Reading symbols from /usr/local/lib/rlm_expr-2.2.0.so...done.
> Loaded symbols for /usr/local/lib/rlm_expr-2.2.0.so
> Reading symbols from /usr/local/lib/rlm_expiration-2.2.0.so...done.
> Loaded symbols for /usr/local/lib
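An added example (editor's code, not FreeRADIUS source) that models the failure mode Stefan describes: an {SSHA} value must be base64-decoded exactly once, and the decision "is this still encoded?" must never be made from a few characters of the already-decoded bytes. `make_ssha`/`verify_ssha` do it right; `naive_looks_encoded` is a strawman heuristic written after the description in the message (an assumption, not the server's actual code) and shows how a long salt that happens to start with `=` satisfies it; `strict_is_base64` is the check that cannot be fooled that way. Passwords and salts are constructed.

```python
"""Verify an OpenLDAP-style {SSHA} hash with exactly one base64 decode."""
import base64
import binascii
import hashlib
import hmac

PREFIX = "{SSHA}"
SHA1_LEN = 20


def make_ssha(password, salt):
    """Encode SHA-1(password || salt) || salt the way an LDAP directory stores it."""
    digest = hashlib.sha1(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored):
    """Decode once, then split on the fixed digest length; never inspect the bytes."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)   # the only decode
    if len(raw) < SHA1_LEN:
        raise ValueError("decoded value is shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(stored, password):
    """Constant-time comparison of the stored digest against a fresh one."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(digest, candidate)


def naive_looks_encoded(raw):
    """Strawman (assumption modelled on the message above, not FreeRADIUS code):
    an '=' early in the value plus enough total length is taken as 'still
    base64'. Binary digest bytes followed by a long salt that starts with '='
    satisfy it, and a second decode of the digest would follow."""
    return b"=" in raw[:24] and len(raw) >= 44


def strict_is_base64(raw):
    """Accept only if the *whole* value is in the base64 alphabet and decodes.
    A real SHA-1 digest almost always contains bytes outside the alphabet, so a
    decoded blob is rejected here and can never be decoded a second time."""
    if len(raw) % 4 != 0:
        return False
    try:
        base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True
```

The design point: length-based splitting plus strict whole-value validation is idempotent, so feeding an already-decoded value through it again is a no-op rather than a crash.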
Re: RADIUS shared secret over internet
Hi,

> RADSEC

These days, the more proper answer is: RFC6614

http://tools.ietf.org/html/rfc6614

:-)

Stefan
require_message_authenticator when sending
Hi,

I just noticed something unintuitive when trying to enforce the presence of Message-Authenticator on a server which has FreeRADIUS 2.2.0 as a proxying client.

In proxy.conf, home_server section, there is very strong wording that require_message_authenticator is good; and the default as spelt out in the config file is "= yes". My config simply omits the keyword entirely.

With all those nice words about how good it is I was somewhat expecting it to default to yes in the code as well and set require = yes on the clients.conf on the receiving end. If omitted, the code sets it to NULL though, which seems to be a "no".

Of course I'm fixing my config by making the yes explicit - but maybe adapting the defaults in realms.c might be a little more consistent behaviour.

Greetings,

Stefan Winter
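An added example (editor's code, not from the message and not FreeRADIUS source) showing what `require_message_authenticator` actually enforces: the Message-Authenticator attribute (RFC 2869, section 5.14) is HMAC-MD5, keyed with the shared secret, over the whole packet with the attribute's own 16 value octets zeroed. An Access-Request without it has no integrity protection at all, which is why a receiving server that does not require it will happily accept a forged or modified request from anyone who knows a client address. Secret, identifier and attributes are constructed.

```python
"""Compute and check RADIUS Message-Authenticator (RFC 2869 section 5.14)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
MA_LEN = 16


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (including the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-octet Authenticator, then the attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def find_message_authenticator(packet):
    """Return (offset of the 16 value octets, value) or None; rejects malformed TLVs."""
    pos = 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if l != MA_LEN + 2:
                raise ValueError("Message-Authenticator has wrong length")
            return pos + 2, packet[pos + 2:pos + l]
        pos += l
    return None


def compute_message_authenticator(packet, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    found = find_message_authenticator(packet)
    if found is None:
        raise ValueError("packet carries no Message-Authenticator")
    off, _ = found
    zeroed = packet[:off] + b"\x00" * MA_LEN + packet[off + MA_LEN:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def sign_access_request(ident, request_authenticator, attrs, secret):
    """Append a zero placeholder, compute the MAC, write it into place."""
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * MA_LEN)
    pkt = build_packet(ACCESS_REQUEST, ident, request_authenticator, attrs + [placeholder])
    mac = compute_message_authenticator(pkt, secret)
    off, _ = find_message_authenticator(pkt)
    return pkt[:off] + mac + pkt[off + MA_LEN:]


def check_access_request(packet, secret, require=True):
    """Server-side check; `require` mirrors require_message_authenticator on the client entry."""
    found = find_message_authenticator(packet)
    if found is None:
        return not require          # accepted only when the setting is off
    _, presented = found
    return hmac.compare_digest(presented, compute_message_authenticator(packet, secret))
```

With `require=False` the unsigned packet is accepted, which is the behaviour the message above found surprising for the omitted keyword; with the explicit `yes` only packets whose MAC verifies get through.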
Re: Release of Version 2.2.1
Hi,

> It's been a while since Version 2.2 was released, so it's time for the next release. I'd like to fix the reported memory leak issue, and then release it later next week.
>
> The changes are minor, and mostly cleanups and bug fixes. Please let me know if there are any issues.

According to current GIT in 2.x.x, my patch to prevent SIGTERM turning into SIGSEGV is not included yet. A proper shutdown is required on all systems using systemd, so I believe it would be very useful to get this into the mainstream release. For the mini, two-line patch which prevents this (admittedly not totally clean), please see my message to -devel on 12 Oct 2012, titled "SIGTERM - SIGSEGV".

Greetings,

Stefan Winter
Using return-output from external script as reply-message
Hello.

I want to use an external script (multiotp) for authentication in FreeRADIUS. I created a new module called multiotp that starts the external script...

exec multiotp {
        wait = yes
        input_pairs = request
        output_pairs = reply
        program = "/etc/freeradius/multiotp/multiotp.php -log -debug '%{User-Name}' '%{User-Password}'"
        shell_escape = yes
}

...and activated this module in the authentication-section of the default-configuration (and also in the inner-tunnel-configuration):

authenticate {
        [...]
        Auth-Type MultiOTP {
                update reply {
                        Reply-Message = "Hello, %{User-Name}"
                }
                multiotp
        }
        [...]
}

The external script gives me additional information (like "OK: Token accepted", "INFO: Authentication failed" etc.) after authentication. When I run freeradius in debug mode, I can see the output-message from the external script:

[...]
Exec-Program output: 0 OK: Token accepted
Exec-Program-Wait: plaintext: 0 OK: Token accepted
Exec-Program: returned: 0
++[multiotp] returns ok
Login OK: [test] (from client localhost port 0)
[...]

Is it possible to use this output-message as the reply-message?

Thanks.

Stefan

P.S. This is the complete output from freeradius -X:

/usr/sbin/freeradius -X
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 11 2012 at 17:06:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/multiotp
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites
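An added example (editor's code, not from the thread and not part of multiotp). With `wait = yes` and `output_pairs = reply`, rlm_exec parses the program's standard output as `Attribute = value` lines and adds them to the reply list, and the exit code decides between ok and fail; the `Exec-Program-Wait: plaintext:` line in the debug output above is rlm_exec reporting that it found no such pairs. So the checker's status line has to be printed as a Reply-Message pair. The wrapper below runs the real checker (whatever command line you pass it; the path in the usage note is an assumption) and rewrites the first output line accordingly. The status lines in the test are constructed after the ones quoted above.

```python
"""Emit an external checker's status line as attribute pairs for rlm_exec."""
import re
import subprocess
import sys

# "<exit code> <message>", the shape of the lines quoted in the debug output.
STATUS_RE = re.compile(r"^(\d+)\s+(.*\S)\s*$")


def parse_status(line):
    """Split '0 OK: Token accepted' into (0, 'OK: Token accepted')."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised status line: %r" % line)
    return int(m.group(1)), m.group(2)


def is_safe_value(text):
    """False if the text contains control characters. A newline in a message that
    echoes user-controlled input would otherwise become a second, attacker-chosen
    pair on the next line, e.g. a forged Tunnel-* or Class attribute."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)


def quote_value(text):
    """Double-quote a string value for the pair parser, escaping backslash and quote."""
    if not is_safe_value(text):
        raise ValueError("control character in attribute value")
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reply_pairs(status_line):
    """Return (exit code, output lines) for one checker status line."""
    code, message = parse_status(status_line)
    return code, ["Reply-Message = " + quote_value(message)]


def main(checker_argv):
    """Run the checker, translate its first stdout line, return the exit code."""
    proc = subprocess.run(checker_argv, capture_output=True, text=True)
    first = proc.stdout.splitlines()[0] if proc.stdout.strip() else ""
    try:
        code, lines = reply_pairs(first)
    except ValueError:
        # Never pass unparsed output through; fail closed with a fixed message.
        code, lines = 1, ['Reply-Message = "authentication backend error"']
    for line in lines:
        print(line)
    return code or proc.returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired in as, for instance, `program = "/usr/bin/python3 /etc/freeradius/multiotp/exec_wrapper.py /etc/freeradius/multiotp/multiotp.php -log -debug '%{User-Name}' '%{User-Password}'"` (paths assumed). Note that handing `%{User-Password}` over as a command-line argument, as the configuration above does, makes it visible in the process list to every local user for the lifetime of the checker; passing it on stdin via `input_pairs` avoids that.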
Re: 277 realms to maintain
Hi,

> There are now 277 entries similar to this:
>
> realm domain.com {
>         auth_pool = my_auth_failover
>         nostrip
> }
>
> Could I use an $INCLUDE statement here to maintain the list of realms in a separate file? That way it would be easier to automate the creation of the realms list.

Sure. Just do exactly that.

Stefan

> Is there a better way of doing this?
>
> Thank you,
> Bertalan
Re: EAP TLS client
Hi,

> I have configured freeradius to entertain EAP-TLS requests. And I am using the freeradius certificate (shipped with the software). I got stuck at the end; now I don't know how to send an EAP-TLS request to the server. I read man radeapclient, but it only supports md5. Could you please tell me how I could send a request to the server using the EAP-TLS authentication method.

Either by using a real EAP supplicant (Windows machine, Mac OS, ...) or for a command-line test use eapol_test, which is part of wpa_supplicant.

Stefan
move /etc/raddb/users file to mysql
Hello List,

I inherited an old freeradius 1.1.8 system which is configured to use a mysql DB. So far so good, but now I discovered that someone also created a /etc/raddb/users file with some DEFAULT information in it. The funny thing is that I also have some DEFAULT information in my DB in radgroupreply, which is where I think the data from the users file belongs. As far as I see in our config, the flat files have precedence over SQL.

I am not very deep into freeradius, so I have some questions which I hope someone can answer:

1) Does the data from the users file go into the radgroupreply table?
2) I have a DEFAULT groupname in the DB and in the flat file; will I have to rename the flat file DEFAULT groupname to something else to avoid problems?
3) op needs to be =~ and := for the first two settings and == for all the following?

For your reference here is the anonymized content of my users file:

DEFAULT User-Name =~ "@example\.net$", Auth-Type := Accept
        Context-Name == local,
        Tunnel-Domain == 1,
        Tunnel-Type == L2TP,
        Tunnel-Medium-Type == IP,
        Tunnel-Client-Endpoint == xxx.xxx.xxx.xxx,
        Tunnel-Server-Endpoint == yyy.xxx.xxx.xxx,
        Tunnel-Password == password,
        Tunnel-Assignment-Id == zzz.xxx.xxx.xxx,
        Tunnel-Function == 1,
        Tunnel-Local-Name == EXAMPLE.NET

Thanks for any help or hints!

regards
Stefan
Re: helps with User-Password
Hi,

> Sending Access-Request of id 167 to 195.220.94.130 port 1812
>         NAS-Port-Id = "AP41/1"
>         Calling-Station-Id = "74-2F-68-ED-12-1C"
>         Called-Station-Id = "00-0B-0E-A9-58-80:eduroam"
>         Service-Type = Framed-User
>         EAP-Message = 0x0201001a01756e69762d6c696c6c65332e6672406372752e6672
>         User-Name = "univ-lille3...@cru.fr"
>         NAS-Port = 61847
>
> This attribute must be displayed?

No: there is no User-Password. This is an EAP request. Credentials are sent inside the EAP-Message attribute, and strongly encrypted between the source (user device) and the home RADIUS server at cru.fr. As an intermediate party, this is all you will get.

Why are you interested in other users' passwords?

Greetings,

Stefan Winter

> Thanks
Re: Sending authentication-requests to multiple radius-servers
Hi Arran.

>>> You could also use rlm_replicate to duplicate the packet, but there's currently no way of checking the aliveness of a realm at runtime, so you'd end up sending duplicate requests to whatever the primary OTP server was. and that wouldn't help if you were actually wanting to authenticate the user instead of just performing some kind of synchronisation between the OTP servers.
>>
>> Because we don't have any multicast-infrastructure, I will try rlm_replicate.
>
> You can't setup a VLAN between the OTP servers and the RADIUS server? You don't need all the fancy IGMP/PIM stuff if you can get the devices in the same L2 domain.

No, not really. The 2nd server is about 250km away :-)

> Sure, you use the control attribute Proxy-To-Realm to specify multiple realms to replicate to, and then call the replicate module.
>
> update control {
>         Replicate-To-Realm := foo
>         Replicate-To-Realm += bar
> }
> replicate
>
> Thinking about it you may be able to setup something like:
>
> proxy.conf:
>
> home_server otp0 {
>         type = acct
>         ipaddr = foo
>         port = 1812
>         secret = bar
> }
> home_server otp1 {
>         type = acct
>         ipaddr = foo
>         port = 1812
>         secret = bar
> }
> home_server_pool otp0 {
>         home_server = otp1
>         home_server = otp0
> }
> home_server_pool otp1 {
>         home_server = otp0
>         home_server = otp1
> }
> realm otp0 {
>         auth_pool = otp0
> }
> realm otp1 {
>         auth_pool = otp1
> }
>
> sites-available/default:
>
> authorize {
>         update control {
>                 Proxy-To-Realm := otp0
>                 Replicate-To-Realm := otp1
>         }
>         replicate
> }
>
> IIRC home server state is tracked on a per homeserver basis (irrespective of pool), and proxy-to-realm and replicate-to-realm will only replicate to the first alive server in a given pool. So the above *may* do exactly what you want, with the caveat that the replicated packets won't be retransmitted if they're lost. Should work ok in v2.x.x

I will try. Thanks a lot.

Stefan
Re: Sending authentication-requests to multiple radius-servers
Hi Arran.

> You could also use rlm_replicate to duplicate the packet, but there's currently no way of checking the aliveness of a realm at runtime, so you'd end up sending duplicate requests to whatever the primary OTP server was. and that wouldn't help if you were actually wanting to authenticate the user instead of just performing some kind of synchronisation between the OTP servers.

Because we don't have any multicast-infrastructure, I will try rlm_replicate. Do you have some information on which files I have to modify?

Thanks for your help.

Stefan
Sending authentication-requests to multiple radius-servers
Hello.

I have a short question: Is it possible to send an authentication-request from a client to multiple servers simultaneously?

                                      +----------+
                                   /--| radius A |
  +--------+    +--------------+  /   +----------+
  | client |----| radius proxy |-X
  +--------+    +--------------+  \   +----------+
                                   \--| radius B |
                                      +----------+

We now authenticate with HMAC-based One Time Password Tokens (aka event-based tokens) from a Cisco ASA via radius to only one freeradius-server. But we want to establish a second authentication server for failover reasons. When using event based tokens, it's absolutely necessary that every server receives the same authentication request simultaneously from the client to trigger the next event on the server side.

Best Regards,
Stefan Kuegler
Re: Statistics on EAP methods widely used
Hi,

> I've been searching all morning for NRPS statistics but I have been unable to find any online. I know there are eduroam people in this list... could they help?

In eduroam, every identity provider makes the choice of EAP type all on their own. I.e. we do not have a central register of who uses which EAP type. Of course these things can be found out; if by no other means by sniffing the first bytes of EAP conversations on proxies to see which EAP type was negotiated.

But seriously: what's the point? There are a number of EAP methods which satisfy the IETF requirements for good EAP types in RFC4017. So long as you stay in the good set - pick whatever fits your local situation best; some have advantages in certain situations, others don't. There is no definitive answer which EAP type is best, so you'll have to sit down and find out your own needs yourself.

And if you just want statistics for statistics' sake... sorry, that kind of information is so hard to get hold of, I'm reasonably confident that it won't be done unless there's a real use case for it.

That said, we might get information of that kind as a by-product of a configuration assistant tool which identity providers may use to make their lives easier, and then maybe we could generate numbers from that. Don't hold your breath though.

Greetings,

Stefan Winter
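An added example (editor's code, not from either message) serving two replies above: the "helps with User-Password" answer, that a proxy sees no credentials because they travel inside EAP-Message, and this one, that the EAP type can nevertheless be read off the first bytes on a proxy. The parser decodes the EAP packet radiusd prints as a `0x...` value: the first round trip carries the outer identity in the clear, and from then on a tunnelled method only exposes its type number and a flags byte in front of opaque TLS records. The EAP-TTLS packets in the test are constructed; the Identity packet is the one quoted on this page.

```python
"""Decode the EAP packet carried in a RADIUS EAP-Message attribute."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
TLS_BASED = {13, 21, 25, 43}


def parse_eap(hexvalue):
    """Parse one EAP packet given as the 0x... string radiusd prints."""
    data = bytes.fromhex(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field does not match attribute length")
    packet = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                     # Success/Failure carry no type
        return packet
    if length < 5:
        raise ValueError("Request/Response without a type byte")
    eap_type, payload = data[4], data[5:]
    packet["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        # The only credential-like thing a proxy ever sees: the outer identity.
        packet["identity"] = payload.decode("utf-8", errors="replace")
    elif eap_type in TLS_BASED:
        flags = payload[0] if payload else 0
        packet["flags"] = {"length_included": bool(flags & 0x80),
                           "more_fragments": bool(flags & 0x40),
                           "start": bool(flags & 0x20)}
        # Everything after the flags byte is a TLS record: opaque to the proxy.
        packet["tls_payload_len"] = max(len(payload) - 1, 0)
    else:
        packet["payload_len"] = len(payload)
    return packet


def outer_realm(identity):
    """Realm a proxy routes on, taken from the outer identity only."""
    return identity.rpartition("@")[2] if "@" in identity else None
```

Counting `packet["type"]` over the first Response that is not an Identity or a Nak gives exactly the per-proxy EAP-type statistic the reply above describes, without ever touching the tunnel contents.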
Re: FW: customized format of log file
Hi,

> I'm deploying a WiFi proxy center with FreeRadius now, therefore I need detailed auth/acct log records for statistical purposes. As the default format of the detail log cannot satisfy my goal there, is there any way to define my own customized format of auth/acct log file? For example, for auth, I can write an "AA" value while receiving Access-Accept and "AJ" for Access-Reject into the log file. Another question: how to use tab as the delimiter of logging instead of the default ":"?
>
> In general, my question is: Can any of the modules process any content of packets *without replacing and updating the original attribute value* by regex or unlang before output of logging? Just for logging purposes. Or is it necessary to use Perl?

See modules/linelog.

Stefan
Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Hi,

until today, I have been running FreeRADIUS 2.2.0 successfully with a system-supplied openSSL. Today, I compiled with

--with-openssl --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

the path is in ld.so.conf, and ldd shows that linking against this new version works. However, when running PEAP on this version, I get a segmentation fault now:

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
        User-Name = "test.edur...@education.lu"
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
        Reply-Message = "What shall we do with the drunken sailor? What shall we do with the drunken sailor? What shall we do with the drunken sailor - early in the morning? Give him eduroam."
Segmentation fault

The repetition of that attribute is NOT an error; it's there to inflate the packet beyond 1500 bytes to trigger UDP fragmentation (this is our Nagios testing).

In 2.2.0 against the old openSSL version, everything works fine - Access-Accept.

Any hints?

Greetings,

Stefan Winter
Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Hi,

>> Today, I compiled with
>>
>> --with-openssl --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
>>
>> the path is in ld.so.conf, and ldd shows that linking against this new version works.
>
> Are you sure? The openssl SEGV problem is almost always because you have two versions of OpenSSL installed.
>
> What is likely happening is that the compile stage is picking up the system-supplied OpenSSL include files. The way to test this is to rename / move them, do the build, and then the install. If it now works, it was picking up OpenSSL X, and linking against OpenSSL Y.

Hm, okay... will do.

Stefan

> Alan DeKok.
Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c
Hi,

>>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
>>
>> Are you sure? The openssl SEGV problem is almost always because you have two versions of OpenSSL installed.
>>
>> What is likely happening is that the compile stage is picking up the system-supplied OpenSSL include files. The way to test this is to rename / move them, do the build, and then the install. If it now works, it was picking up OpenSSL X, and linking against OpenSSL Y.
>
> Hm, okay... will do.

That was it indeed. Had to change the include path above to

--with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include

because configure adds the openssl/ sub-path on its own. Now it works like a charm (as usual :-) ).

Thanks!

Stefan

>> Alan DeKok.
Re: Testing pre-2.2.0
Hi,

>> It's running only since a few minutes, so hard to make a long-term prediction, but at least there's no immediate problem in sight.
>
> Thanks. I'll try to get the release out this week. (finally)

As an extra heads-up: I've put it onto our primary some time last week, where it gets plenty of non-EAP requests and accounting stuff, too. Works like a charm.

Stefan
Re: sql_log and Accounting On/Off
Hi,

>> Anyway, adding an example would still be nice :-)
>
> Submit a patch, or edit the wiki? :D

Here goes a unified diff - took the statement from sql/mysql/dialup.conf.

Greetings,

Stefan Winter

--- sql_log.orig2012-08-10 11:05:49.690247808 +0200
+++ sql_log 2012-08-10 11:08:51.280864849 +0200
@@ -36,18 +36,42 @@ AcctSessionTime, AcctTerminateCause) VALUES \ ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ '%{Framed-IP-Address}', '%S', '0', '0', ''); + Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ AcctSessionTime, AcctTerminateCause) VALUES \ ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ '%{Acct-Terminate-Cause}'); + Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ AcctSessionTime, AcctTerminateCause) VALUES \ ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}',''); + Accounting-On = UPDATE ${acct_table} \ + SET \ + acctstoptime = '%S', \ + acctsessiontime= unix_timestamp('%S') - \ + unix_timestamp(acctstarttime), \ + acctterminatecause = '%{Acct-Terminate-Cause}', \ + acctstopdelay = %{%{Acct-Delay-Time}:-0} \ + WHERE acctstoptime IS NULL \ + AND nasipaddress = '%{NAS-IP-Address}' \ + AND acctstarttime = '%S' + + Accounting-Off = UPDATE ${acct_table} \ + SET \ + acctstoptime = '%S', \ + acctsessiontime= unix_timestamp('%S') - \ + unix_timestamp(acctstarttime), \ + acctterminatecause = '%{Acct-Terminate-Cause}', \ + acctstopdelay = %{%{Acct-Delay-Time}:-0} \ + WHERE acctstoptime IS NULL \ + AND nasipaddress = '%{NAS-IP-Address}' \ + AND acctstarttime = '%S' + Post-Auth = INSERT INTO ${postauth_table} \ (username, pass, reply, authdate) VALUES\ ('%{User-Name}', '%{User-Password:-Chap-Password}', \ -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 signature.asc Description: OpenPGP digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
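Review bot: the last condition of both new statements, `AND acctstarttime = '%S'`, only matches sessions whose start time equals the second in which the Accounting-On/Off packet is being processed, so the UPDATE closes practically no open sessions; the intended comparison for "every session that started before this NAS reboot" is `acctstarttime <= '%S'`, and if the `<` was simply lost on the way to the list the hunk is worth re-sending, otherwise it should be fixed before the example goes into modules/sql_log. Two smaller points in the same hunk: the Accounting-On and Accounting-Off bodies are byte-for-byte identical, so one could reference the other with a comment saying both Acct-Status-Type values map to the same query rather than duplicating nine lines; and the UPDATE writes `acctstopdelay`, a column that none of the Start/Stop/Alive INSERTs in this file reference, so the example only works against a table that already has it, which deserves a note next to the statement.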
sql_log and Accounting On/Off
Hello,

I'm currently migrating a number of direct accounting sql module calls to delayed writes using sql_log. I noticed that sql_log has statements for Start, Stop, Alive (and Post-Auth, about which I don't care at that point). The real SQL modules have accounting_on_off_query, too. I wonder how to send stuff to sql_log when an On/Off arrives... guessing that I'm simply overlooking something.

Greetings,

Stefan Winter
Re: sql_log and Accounting On/Off
Hi,

> I wonder how to send stuff to sql_log when an On/Off arrives... guessing that I'm simply overlooking something.

Looking at the code: could it be that I can just use Accounting-On and Accounting-Off as keys, because the code seems to reference the values of Acct-Status-Type? That would be cute; but it's hard to find - one has to go into the code. So if I'm right with that, could the documentation in modules/sql_log be updated for 2.2.0? At least adding it as an example like the others would be nice.

Greetings,

Stefan Winter
Re: sql_log and Accounting On/Off
Hi,

> That would be cute; but it's hard to find - one has to go into the code. So if I'm right with that, could the documentation in modules/sql_log be updated for 2.2.0? At least adding it as an example like the others would be nice.

Ah, man 5 rlm_sql_log. Right. Sorry for the noise.

Anyway, adding an example would still be nice :-)

Stefan
Problem with EAP Authentication working not every time
Hello!

we are using freeradius2 version 2.1.10 on a centos/rhel 5 server. We authenticate several ubnt clients on ubnt APs via EAP-PEAP/MSCHAPV2. This works very well, but sometimes the clients get an Access-Reject and I don't know why ;( I set the radius server to debug mode and got this output:

Waking up in 0.7 seconds.
Waking up in 2.2 seconds.
Waking up in 1.9 seconds.
WARNING: !!
WARNING: !! EAP session for state 0x69522edb6a233743 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
Waking up in 0.3 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 3.9 seconds.
Waking up in 1.9 seconds.
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
# Executing group from file /etc/raddb/sites-enabled/default
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Login incorrect: [m1588a00@EAP/via Auth-Type = EAP] (from client 10.55.0.0/16 port 0 cli 00-27-22-D2-CD-83)
# Executing group from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Waking up in 0.9 seconds.

The wiki talks about windows clients and decreasing the tunnel MTU. I'm not sure what they mean.

How can I get a more detailed debug msg on what is actually wrong?

thx for your help

Stefan
www.epb.at
Re: Radius Timeout instead of Access-Reject
Hi,

there's reject_delay in radiusd.conf. It is typically set to one second to prevent some attacks. You could set it to zero and then the reject may come through faster. Still, 300 ms is *really* low even for that - depending on the time your auth backend needs to even determine whether it was success or failure, it may take longer than that.

Stefan

On 07.08.2012 20:55, Antonio Modesto wrote:
> You're right, it worked. The default mikrotik timeout is 300ms, I've set it to 5000 ms and I've got the right answer. One more question, though I'll reconfigure all the timeouts on my NASes, why doesn't this problem happen with freeradius 1.X? Is that normal? Or is it something that's causing my freeradius 2.x to take longer to reply to the requests?
>
> 2012/8/7 Alan DeKok al...@deployingradius.com
>> Antonio Modesto wrote:
>>> Hi, I work at an ISP in Brazil, our main radius server is running freeradius 1.X. I'm configuring a new server with freeradius 2.X and doing some tests to see if I find any problem before putting it on production. So far I've found a little problem that doesn't stop me from putting it in production, but can confuse in case of a radius failure. When an authentication failure happens, on the nas it appears that the radius server is not responding, it shows a Radius timeout message, here is the output of the radius debug:
>>
>> The timeouts on the NAS are set WAY too low.
>>
>>> Delaying reject of request 4 for 1 seconds
>>> Going to the next request
>>> Waking up in 0.9 seconds.
>>> rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
>>> Waiting to send Access-Reject to client teste port 35710 - ID: 86
>>
>> i.e. the NAS didn't see a reply, and retransmitted.
>>
>>> Waking up in 0.6 seconds.
>>> rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
>>> Waiting to send Access-Reject to client teste port 35710 - ID: 86
>>
>> And retransmitted again 0.3 seconds later.
>>
>>> Waking up in 0.3 seconds.
>>> Sending delayed reject for request 4
>>> Sending Access-Reject of id 86 to 192.168.2.100 port 35710
>>
>> And then the server responded 0.3 seconds later.
>>
>> Fix the NAS so it doesn't have *ridiculous* timeouts. RADIUS timeouts are normally in the multi-second range. Having the NAS retransmit multiple times a second is stupid, wrong, and will create problems.
>>
>> Alan DeKok.
>
> --
> Atenciosamente,
> Antônio Modesto
> Gerente de TI
> Praça Getúlio Vargas, 77 – Sala 308 – Centro
> Santo Antônio do Monte – MG – CEP: 35560-000
> Tel: (37) 3281-2800
> Contato: isimp...@isimples.com.br
> http://www.isimples.com.br
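The two threads above end in the same visible outcome, an Access-Reject that the NAS reports as a RADIUS timeout or a failed EAP login, for two different reasons: a NAS timeout shorter than the server's reject_delay, and EAP conversations that die before they finish. The following is an added example, not code from FreeRADIUS or from anyone in the thread: a stdlib-only Python scan of radiusd -X output that picks out both symptoms. It keys on the exact line formats quoted above ("Delaying reject of request N for D seconds", "Waiting to send Access-Reject to client C port P - ID: I", "EAP session for state 0x... did not finish", "No EAP session matching the State variable"). The sample log is constructed from those quoted lines, and the 2-second threshold for "NAS timeout too low" is an assumption taken from Alan's remark that RADIUS timeouts are normally in the multi-second range.

```python
"""Scan FreeRADIUS 2.x debug output for two causes of 'the NAS saw no reply'.

Added example, not FreeRADIUS code.  Every 'Waiting to send Access-Reject'
line is printed when a NAS retransmits a request whose delayed reject is still
pending, so k such lines inside a reject_delay of D seconds mean the NAS
retransmit interval is at most D / k seconds.  The EAP patterns mark a
conversation the supplicant abandoned or resumed with a stale State.
"""
import re
from collections import defaultdict

DELAY_RE = re.compile(r"Delaying reject of request \d+ for (\d+) seconds")
WAIT_RE = re.compile(r"Waiting to send Access-Reject to client (\S+) port (\d+) - ID: (\d+)")
UNFINISHED_RE = re.compile(r"EAP session for state (0x[0-9a-fA-F]+) did not finish")
NO_SESSION_RE = re.compile(r"No EAP session matching the State variable")
INCORRECT_RE = re.compile(
    r"Login incorrect: \[([^\]]+)\] \(from client (\S+) port \d+ cli ([0-9A-Fa-f-]+)\)")

# Assumption (from Alan's remark above): anything below this is a mis-set NAS.
SANE_NAS_TIMEOUT_SECONDS = 2.0


def analyse(lines):
    """Return a dict summarising retransmit and EAP-state problems found in the log."""
    reject_delay = None
    retransmits = defaultdict(int)      # (client, port, id) -> retransmits seen while pending
    unfinished = set()                  # EAP State values that never completed
    no_session = 0                      # responses that matched no known EAP session
    rejected = []                       # (user, client, calling-station-id)
    for line in lines:
        m = DELAY_RE.search(line)
        if m:
            reject_delay = int(m.group(1))
            continue
        m = WAIT_RE.search(line)
        if m:
            retransmits[(m.group(1), int(m.group(2)), int(m.group(3)))] += 1
            continue
        m = UNFINISHED_RE.search(line)
        if m:
            unfinished.add(m.group(1).lower())
            continue
        if NO_SESSION_RE.search(line):
            no_session += 1
            continue
        m = INCORRECT_RE.search(line)
        if m:
            rejected.append((m.group(1), m.group(2), m.group(3)))

    nas_timeout_bound = None
    if reject_delay and retransmits:
        # The worst NAS retransmitted k times while the reply was held for D seconds.
        nas_timeout_bound = reject_delay / max(retransmits.values())

    return {
        "reject_delay": reject_delay,
        "retransmits": dict(retransmits),
        "nas_timeout_upper_bound": nas_timeout_bound,
        "nas_timeout_too_low": (nas_timeout_bound is not None
                                and nas_timeout_bound < SANE_NAS_TIMEOUT_SECONDS),
        "unfinished_eap_states": sorted(unfinished),
        "eap_state_mismatches": no_session,
        "rejected": rejected,
    }


# Constructed sample, assembled from the debug lines quoted in the two threads.
SAMPLE_LOG = """\
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
Waiting to send Access-Reject to client teste port 35710 - ID: 86
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
Waiting to send Access-Reject to client teste port 35710 - ID: 86
Waking up in 0.3 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 86 to 192.168.2.100 port 35710
WARNING: !! EAP session for state 0x69522edb6a233743 did not finish!
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Login incorrect: [m1588a00@EAP/via Auth-Type = EAP] (from client 10.55.0.0/16 port 0 cli 00-27-22-D2-CD-83)
""".splitlines()


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in analyse(source).items():
        print(f"{key}: {value}")
```

Run it on a saved radiusd -X transcript as `python3 scan.py radiusd.log`; with the built-in sample it reports two retransmits of id 86 inside a 1-second reject_delay, hence a NAS timeout of at most 0.5 s, and one abandoned EAP state followed by one State mismatch for the client 00-27-22-D2-CD-83.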
Re: Problem with EAP Authentication working not every time
(username, pass, reply, authdate) VALUES ( 'nagios', '', 'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 10 to 172.21.15.1 port 59848
        MS-MPPE-Recv-Key = 0x3a1be0edbc8566fc1b291ff8d09a4892ad61da4dc4a33927088e7c700d478e12
        MS-MPPE-Send-Key = 0x39a7512be1ea532b88619cf74533da41e180aeb57c6077287a98c82597f8cfa5
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = nagios
Finished request 780.
Going to the next request
Waking up in 0.1 seconds.

--
kind regards,
Stefan

www.epb.at - Your IT Partner in East Austria
Re: Problem with EAP Authentication working not every time
> http://wiki.freeradius.org/EAP-Clients#rad_eap_test says rad_eap_test also uses eapol_test from wpa_supplicant. Shouldn't it produce the same behavior?
>
> rad_eap_test is only a wrapper script around eapol_test because it produces much output.
>
> Those are all access-accept, aren't they? The second number (reading from http://wiki.eduroam.cz/rad_eap_test/README) should be latency, not an indication that something failed. CMIIW.

yes, sorry. I understood that wrongly.

ok, then it seems that the radius server is ok, but the clients are generating false eap packets. I will post debug from those later, but debugging there is limited ;(

--
kind regards,
Stefan

www.epb.at - Your IT Partner in East Austria
Re: Problem with EAP Authentication working not every time
> when you say clients, you just mean these rad_eap_test requests? I assume you are using NAGIOS... and that occasionally you are getting a WARNING for the RADIUS server? yes? it's a bug in rad_eap_test as far as I can see - I moved to a native eapol_test with my NAGIOS because of this bug. rad_eap_test is not maintained as far as I can see.

no, the real clients are Ubiquiti (www.ubnt.com) Nanostation M5 on Ubiquiti Rocket M5 AccessPoints. we encountered the problem that sometimes the rekeying from eap does not work and disconnects the client. the radius then logs an access-reject. now I am sure that the ubnt clients may be the problem. now I am thinking of the next debug steps

--
kind regards,
Stefan

www.epb.at - Your IT Partner in East Austria
Re: Problem with EAP Authentication working not every time
Output from the ubnt client:

Aug 7 07:15:18 wpa-supplicant: CTRL-EVENT-EAP-STARTED EAP authentication started
Aug 7 07:15:21 wpa-supplicant: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Aug 7 07:15:57 pppd[1714]: No response to 5 echo-requests
Aug 7 07:15:57 pppd[1714]: Serial link appears to be disconnected.
Aug 7 07:15:57 pppd[1714]: Connect time 719.4 minutes.
Aug 7 07:15:57 pppd[1714]: Sent 144586850 bytes, received 1342640159 bytes.
Aug 7 07:16:06 pppd[1714]: Connection terminated.
Aug 7 07:16:06 pppd[1714]: Modem hangup
Aug 7 07:16:22 pppd[1714]: Timeout waiting for PADO packets
Aug 7 07:16:22 pppd[1714]: Unable to complete PPPoE Discovery
Aug 7 07:16:30 dnsmasq[1716]: no servers found in /etc/resolv.conf, will retry
Aug 7 07:16:31 wpa-supplicant: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Aug 7 07:16:33 wpa-supplicant: Authentication with 00:27:22:4c:9c:1a timed out.
Aug 7 07:16:33 wireless: ath0 Sending disassoc to 00:27:22:4c:9c:1a. Reason: Station has left the basic service area and is disassociated (8).
Aug 7 07:16:33 wireless: ath0 New Access Point/Cell address:Not-Associated
Aug 7 07:16:33 wpa-supplicant: CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

--
kind regards,
Stefan

www.epb.at - Your IT Partner in East Austria
Re: Testing pre-2.2.0
Hi,

> We're (again) close to releasing 2.2.0. This time for real. In order to make the server more future-proof, I've made some changes to the TTLS parser. This will solve issues in the long term. But it needs more testing now. Please try the git v2.1.x branch with various supplicants, and TTLS. Please post here if it works / fails.

I've just installed it on one of our servers (today's GIT). Compiles and starts just fine; I've directed all our eduroam traffic at it (mix of PEAP and TTLS) and see lots of Access-Accepts. It's running only since a few minutes, so hard to make a long-term prediction, but at least there's no immediate problem in sight.

Greetings,

Stefan Winter
Re: Testing pre-2.2.0
Hi,

> It's running only since a few minutes, so hard to make a long-term prediction, but at least there's no immediate problem in sight.

Well... EAP-TLS seems not to work for me. My iPhone gets Rejects now.

primary server (2.1.12):

Wed Aug 8 12:57:46 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:27:45 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:30:18 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:31:04 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:42:39 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:42:43 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 14:43:41 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 14:43:45 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)

backup server (2.2.0-pre):

Wed Aug 8 15:35:44 2012 : Auth: Login incorrect: [certuser-2010-...@restena.lu/via Auth-Type = eap-staff] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)

I have neither touched the iPhone nor the server; primary and backup run the same configuration - synced via SVN. I can revert back to 2.1.12 on the backup to verify that that fixes it to be sure...

Stefan
Re: Testing pre-2.2.0
Hi,

> I have neither touched the iPhone nor the server; primary and backup run the same configuration - synced via SVN. I can revert back to 2.1.12 on the backup to verify that that fixes it to be sure...

Never mind; a file in sites-enabled was out of sync with the primary, and did something that never worked, also not with 2.1.12. Now working fine with 2.2.0-pre.

Stefan
Re: EAP-TLS WinXP, default_md MD5, default_eap_type
Hello,

the MD5 that is used in EAP-MD5 (configured in eap.conf) and the MD5 that is used as a message digest in certificate generation (configured in the .cnf files you mentioned) have *nothing* to do with each other. I.e. you can change one without side-effects on the other.

Since there is no EAP-SHA1, it does not make sense to add a sha1 { } section in eap.conf. The replacements for MD5 in EAP are things like TTLS, PEAP, TLS, and others. They are mentioned in eap.conf. If you want to get rid of EAP-MD5, configure one of those.

Greetings,

Stefan Winter

On 11.07.2012 21:17, Si St wrote:
> The following questions about changing default_md and default_eap_type are solely for the matter that I should have RADIUS work on some Linux machines and some Windows machines, all of them hopefully with TLS client certificates mainly. There are some diversities as to MD5 and post-SP1 WinXP: http://freeradius.org/doc/EAP-MD5.html
>
> QUOTE:
> Windows XP (before SP1)
> Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!! EAP-MD5 is only available for wired devices.
> Go to the Network Connections window. Right-click the connection corresponding to the adapter which is going to use EAP authentication. Go to the Authentication tab. If it doesn't appear (yes, it's weird sometimes) try to unplug and plug your adapter till it does (if PCMCIA...) Otherwise, download the software for the adapter configuration like e.g. ACU for the Cisco adapters and try to de- and reactivate the card. In the Authentication dialog, assure the box Use IEEE802.1X network authentication is checked. Set your EAP type there (EAP/MD5 Challenge). That's all. Now deactivate and reactivate your LAN-connection on this adapter and it should work.
> ENDQUOTE.
>
> This recommendation is put forth in the etc/raddb/certs/README:
>
> QUOTE:
> MD5 has known weaknesses and is discouraged in favor of SHA1 (see http://www.kb.cert.org/vuls/id/836068 for details). If your network equipment supports the SHA1 signature algorithm, we recommend that you change the ca.cnf, server.cnf, and client.cnf files to specify the use of SHA1 for the certificates. To do this, change the 'default_md' entry in those files from 'md5' to 'sha1'.
> ENDQUOTE.
>
> In the eap.conf this is put forth:
>
> QUOTE:
> # We do NOT recommend using EAP-MD5 authentication
> # for wireless connections. It is insecure, and does
> # not provide for dynamic WEP keys.
> # md5 {
> # }
> ENDQUOTE.
>
> QUESTIONS:
>
> - Should I stick only to the changes of default_md in ca.*, server.*, and client.cnf and leave the eap.conf unchanged, or should I add a module like sha1 { }, or change the md5 { } to sha1 { }, or should it be done differently? I count on the postulate in eap.conf that:
>
> QUOTE:
> # If the EAP-Type attribute is set by another module,
> # then that EAP type takes precedence over the
> # default type configured here.
> ENDQUOTE
>
> and therefore I do not need to change so much in eap.conf.
>
> - Should I by all means keep the WinXP user client to a PEAP solution because the nice doc in http://freeradius.org/doc/EAPTLS.pdf for Windows is outdated or won't work today?
>
> It could be that I complicate the matter here by mixing together parts that do not belong to each other, but I have to ask.
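The certs/README passage quoted above tells you to change default_md in ca.cnf, server.cnf and client.cnf; the check a practitioner wants afterwards is whether the certificates actually deployed to the EAP server and the supplicants were really signed that way, since the eap.conf md5 { } section says nothing about it. Below is an added example, not FreeRADIUS code and not the certs/ scripts: a stdlib-only Python reader of the outer DER structure of an X.509 certificate (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }) that decodes the signatureAlgorithm OID and flags md5WithRSAEncryption and sha1WithRSAEncryption. The two sample certificates at the bottom are constructed shells with a dummy tbsCertificate and signature; they exercise the parser and are not real certificates. On a real file, `openssl x509 -in server.pem -noout -text` prints the same "Signature Algorithm" line.

```python
"""Report the signature algorithm of an X.509 certificate, stdlib only.

Added example, not FreeRADIUS code.  Only the outer DER structure is parsed:
the tbsCertificate is skipped as an opaque blob and the AlgorithmIdentifier
that follows it is decoded.  The sample certificates built by
sample_certificate() are constructed stand-ins, not real certificates.
"""
import base64
import sys

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
ALGORITHMS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Digests that should not sign a certificate used for EAP-TLS, PEAP or TTLS.
WEAK = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Turn the base-128 OID body into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (dotted OID, algorithm name or None, is_weak) for a DER certificate."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(cert, 0)               # tbsCertificate, skipped entirely
    tag, alg_id, _ = _tlv(cert, pos)        # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_body, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_body)
    return oid, ALGORITHMS.get(oid), oid in WEAK


def pem_to_der(pem):
    """Strip the PEM armour of the first CERTIFICATE block and base64-decode it."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))


def _der(tag, body):
    """Minimal DER encoder for values shorter than 128 bytes (samples only)."""
    return bytes([tag, len(body)]) + body


def sample_certificate(oid_bytes):
    """Constructed certificate shell: dummy tbsCertificate, real AlgorithmIdentifier."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                   # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, oid_bytes) + b"\x05\x00")   # OID followed by NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 4)                 # BIT STRING with dummy bytes
    return _der(0x30, tbs + alg + sig)


MD5_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"      # 1.2.840.113549.1.1.4
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        der = pem_to_der(data.decode()) if data.startswith(b"-----") else data
    else:
        der = sample_certificate(MD5_RSA)
    oid, name, weak = signature_algorithm(der)
    print(f"{oid} ({name or 'unknown'}) {'WEAK' if weak else 'ok'}")
```

`python3 sigalg.py /etc/raddb/certs/server.pem` reads a PEM or DER file; with no argument it runs the MD5-signed sample and prints `1.2.840.113549.1.1.4 (md5WithRSAEncryption) WEAK`. The check is deliberately limited to the signature on the end-entity certificate; run it on ca.pem as well, since a SHA-1 CA signing a SHA-256 server certificate is still a SHA-1 chain.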
Stuck with exec script from radgroupreply sql table
Hello List,

I am stuck with executing a script from my radgroupreply sql table and hope someone can point me in the right direction, as I have been fiddling around with this for days and lost my way.

I want to set a dynamic Session-Timeout for certain groups. For testing purposes I created a TESTGROUP in the database table radgroupreply with an entry like this:

id   GroupName  Attribute        Value                           op
263  TESTGROUP  Session-Timeout  `%{exec:/var/skripte/test.sh}`  ==

my test.sh looks like this:

#!/bin/bash
logger done
echo 9

When I start radiusd in debug mode everything looks good, the user is found, the group is found, then the script is executed. But then there is no exec output... I am sure I am missing a crucial step! Hope someone can help. Here is the log output:

[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testradius' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'testradius' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'TESTGROUP' ORDER BY id
[sql] User found in group TESTGROUP
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'TESTGROUP' ORDER BY id
[sql] Executing /var/skripte/test.sh
[sql] result 0
[sql] expand: %{exec:/var/skripte/test.sh} ->
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
User-Password in the request is correct.
Login OK: [testradius] (from client LOCALHOST_TESTING port 1234)
# Executing section post-auth from file /etc/raddb//sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 21 to 192.168.171.174 port 54825
        Framed-IP-Address == 10.0.0.1
        Service-Type == Framed-User
        Framed-Protocol == PPP
        Framed-MTU == 1500
        Framed-Routing == None
        Session-Timeout == 0
        Context-Name == local
Finished request 2.

Thanks!

Stefan
Re: RES: Stuck with exec script from radgroupreply sql table
lscrlstld schrieb:
>> I want to set a dynamic Session-Timeout for certain groups. For testing purposes I created a TESTGROUP in the database table radgroupreply with an entry like this:
>>
>> id   GroupName  Attribute        Value                           op
>> 263  TESTGROUP  Session-Timeout  `%{exec:/var/skripte/test.sh}`  ==
>
> Try to use a mysql procedure to return this value in the stand query.

Hm thanks. I try to achieve that users in certain groups have another Session-Timeout than users from other groups. I am not THAT much into mysql, but is it possible to form this into a sane query? Implement IF clauses depending on whether a user is in TESTGROUP and then returning AV pairs? Aren't such control flow functions quite slow in mysql? But executing a script might not be a fast solution either :)

thx
regards
Re: Help needed to configure FreeRADIUS for eduroam
Hi,

> I am struggling to configure my FreeRADIUS server for eduroam (www.eduroam.org), as I understood that some subscribers have done the configuration successfully, I come here to get help. I have been running my FreeRADIUS server without problem for several years, identifying to an openLdap backend. I managed to configure a test WiFi access point to identify with 802.1x against that same radius/ldap server. But I have a problem to configure eduroam, so I would be glad if I could see a working example.

It would help if you told us *what* the problem is. Looking at what you write, you have a working FreeRADIUS, working openLDAP backend, and have configured it to do IEEE 802.1X on a WiFi access point. That is 99% of what eduroam needs. So, what's missing?

Greetings,

Stefan Winter
Re: Questions on the finer points of CUI
On 28.06.2012 09:07, Scott Armitage wrote:
> All,
>
> I was after some clarification about the implementation of CUI in freeRADIUS. My first point is the use of Client IP Address. I notice that client IP Address makes a regular appearance but I'm wondering whether it should. Looking at the cui.conf the post-auth insert adds the Client IP Address.
>
> postauth_query = INSERT IGNORE INTO ${cui_table} \
>   (clientipaddress, callingstationid, username, cui, lastaccounting) \
>   VALUES \
>   ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \
>   ON DUPLICATE KEY UPDATE lastaccounting='0000-00-00 00:00:00', cui='%{reply:Chargeable-User-Identity}';
>
> likewise the schema (in cui.sql) even has the Client IP Address as a primary key which to me seems wrong. In the world of eduroam my RADIUS server can proxy off to one of 3 National Proxies, each will have a different Client IP Address, therefore a single client could have 3 entries in the cui table depending upon which National proxy dealt with the request. I don't see the point of the Client IP Address being in there. If each home server is using a salt (together with the operator name) then even the same username and calling station id will return a different CUI for different home servers. Maybe someone could explain what I'm missing and why the Client IP Address is there?

The $cui_table is merely a helper table to bind returned CUI values from the home server during the *authentication* phase to a possible subsequent Accounting packet for that same session. It is logically maintained at the SP side of the transactions (i.e. towards Access Points and Controllers).

When doing auth, Calling-Station-Id and a User-Name are present in the request. The response contains the associated Chargeable-User-Identity, and may or may not contain a User-Name, and that User-Name may or may not be the same as the request had.

If the NAS doesn't bind auth-CUI to acct-CUI itself (which is true for most NASes), the SP-side RADIUS server needs to do guesswork to add the CUI attribute to the outgoing accounting request (for all such requests: starts, interims and stops). It can see the binding primarily by observing that the calling-station ID is the same. It can not use the User-Name in Accounting because some NASes use the value of an Access-Accept instead of the original value.

In principle, one could stop here. However, if a user moves from one NAS to another, he needs to reauthenticate and has the same Calling-Station-Id. This new authentication might get the same CUI or another (as you rightly note, the next request can go to a different home server, who might calculate his own CUI). In that case, there are two entries for the same Calling-Station-Id with different CUIs, and the server won't know which one to attach to the next outgoing Accounting-Request - BAD.

That's why the Client-IP-Address is a secondary key: since we're talking SP-side, the client is the Access-Point or Controller, and the tuple of (CSI;Client-IP) makes the CUI value unique: This device *on this client* at a particular point in time.

You might argue that the user could close the session and then re-auth on the *same* NAS. That's true, but it is not a problem: if that previous session was closed in order with an Accounting-Stop, the temporary entry in $cui_table gets deleted, and the new session gets the new one. If not, since the key of CSI and Client-IP is identical, the new session overwrites the CUI value of the previous one.

This should also explain your subsequent queries below.

Greetings,

Stefan Winter

> Staying with the Client IP Address, my next point surrounds the Accounting. The cui.conf shows that accounting updates the table using Client IP Address in the search:
>
> accounting_start_query = UPDATE ${cui_table} \
>   SET \
>   lastaccounting = CURRENT_TIMESTAMP \
>   WHERE clientipaddress = '%{Client-IP-Address}' \
>   AND callingstationid = '%{Calling-Station-Id}' \
>   AND username = '%{User-Name}' \
>   AND cui = '%{Chargeable-User-Identity}';
>
> How would this work? The NAS doesn't know what the Client IP Address is and doesn't send it in Accounting packets.
>
> Finally, why does the Accounting stop for cui remove the cui from the database:
>
> accounting_stop_query = DELETE FROM ${cui_table} WHERE \
>   clientipaddress = '%{Client-IP-Address}' \
>   AND callingstationid = '%{Calling-Station-Id}' \
>   AND username = '%{User-Name}' \
>   AND cui = '%{Chargeable-User-Identity}';
>
> Surely I'd want to keep this? If 2 weeks later I get a copyright infringement notice for a client, I'd want the CUI when contacting the home site of the user.
>
> Thanks
>
> Scott Armitage
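The binding logic Stefan describes above is easiest to see by replaying it. What follows is an added example, not FreeRADIUS code and not the cui.conf queries themselves: an in-memory SQLite model of the helper table that walks through the roaming case (same device, two NASes, two different home servers, two different CUIs) and the re-auth-on-the-same-NAS case, and shows what the accounting lookup returns with and without Client-IP-Address in the key. One fact the model relies on, which answers the "the NAS doesn't send it" question: Client-IP-Address is not an attribute the NAS sends, it is the internal attribute FreeRADIUS fills from the source address of the packet, so it is available for Accounting-Requests exactly as for Access-Requests. Assumed simplifications: the primary key is (clientipaddress, callingstationid) only, MySQL's INSERT IGNORE ... ON DUPLICATE KEY UPDATE is replaced by SQLite's INSERT OR REPLACE, and every address, MAC, user name and CUI value is made up.

```python
"""Model of the cui_table binding between Access-Accept and Accounting.

Added example, not FreeRADIUS code.  The functions mirror the four cui.conf
statements quoted in the thread (post-auth insert, accounting start update,
accounting stop delete, plus the lookup an SP does before proxying an
Accounting-Request that carries no CUI).  Key and data values are assumptions.
"""
import sqlite3


def open_cui_table():
    """Fresh in-memory helper table; the key is (NAS address, device MAC)."""
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE cui (
            clientipaddress  TEXT NOT NULL,   -- NAS the server received the packet from
            callingstationid TEXT NOT NULL,   -- the client device
            username         TEXT NOT NULL,
            cui              TEXT NOT NULL,   -- value the home server returned
            lastaccounting   TEXT,            -- NULL until the first accounting packet
            PRIMARY KEY (clientipaddress, callingstationid)
        )""")
    return db


def post_auth(db, client_ip, csi, username, cui):
    """Access-Accept passed through: bind this device on this NAS to the returned CUI.
    A re-authentication from the same NAS replaces the previous row."""
    db.execute("INSERT OR REPLACE INTO cui VALUES (?, ?, ?, ?, NULL)",
               (client_ip, csi, username, cui))


def cui_for_accounting(db, client_ip, csi):
    """CUI to attach to an outgoing Accounting-Request from this NAS for this device."""
    row = db.execute("SELECT cui FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
                     (client_ip, csi)).fetchone()
    return row[0] if row else None


def candidates_without_client_ip(db, csi):
    """What the lookup would see if Calling-Station-Id alone were the key."""
    return [r[0] for r in db.execute(
        "SELECT cui FROM cui WHERE callingstationid = ? ORDER BY clientipaddress", (csi,))]


def accounting_start(db, client_ip, csi):
    """Accounting-Start seen: note that the binding is now in use."""
    db.execute("UPDATE cui SET lastaccounting = CURRENT_TIMESTAMP "
               "WHERE clientipaddress = ? AND callingstationid = ?", (client_ip, csi))


def accounting_stop(db, client_ip, csi):
    """Accounting-Stop seen: the temporary binding is no longer needed."""
    db.execute("DELETE FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
               (client_ip, csi))


def roaming_scenario():
    """Device roams AP1 -> AP2 and the two authentications reach different home servers."""
    db = open_cui_table()
    mac = "3C-D0-F8-AC-C0-41"                       # constructed sample device
    post_auth(db, "10.0.0.1", mac, "anonymous@example.org", "cui-from-home-A")
    post_auth(db, "10.0.0.2", mac, "anonymous@example.org", "cui-from-home-B")
    out = {
        "ambiguous_by_csi_only": candidates_without_client_ip(db, mac),
        "acct_from_ap1": cui_for_accounting(db, "10.0.0.1", mac),
        "acct_from_ap2": cui_for_accounting(db, "10.0.0.2", mac),
    }
    accounting_start(db, "10.0.0.2", mac)
    accounting_stop(db, "10.0.0.1", mac)             # AP1 session closed in order
    out["after_stop_ap1"] = cui_for_accounting(db, "10.0.0.1", mac)
    # Re-auth on the same AP without a Stop in between: the row is overwritten.
    post_auth(db, "10.0.0.2", mac, "anonymous@example.org", "cui-from-home-C")
    out["after_reauth_ap2"] = cui_for_accounting(db, "10.0.0.2", mac)
    out["rows"] = db.execute("SELECT COUNT(*) FROM cui").fetchone()[0]
    return out


if __name__ == "__main__":
    for key, value in roaming_scenario().items():
        print(f"{key}: {value}")
```

The scenario makes the two points in the reply concrete: with Calling-Station-Id alone the accounting lookup sees two candidate CUIs and cannot choose, while (Client-IP-Address, Calling-Station-Id) resolves each NAS's accounting to the CUI its own authentication produced; and because the Stop deletes the row and a re-auth replaces it, the table only ever holds the current binding, so anything needed weeks later has to come from the accounting records the CUI is copied into, not from this table.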
Re: more EAP/TTLS trouble
Hi,

> The reasons you stated are why I think this is near impossible. Our passwords are stored with md5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy. As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company. That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there's other deficiencies.. How is it right to sell ultimate versions of an OS for $150-200 when they dont even support as many features as a free, open source system? I just got into work, so I'll be looking over the suggestions and making more attempts at this. Thanks again for all the help!

Here's one more: many folks in eduroam have gone through the exact same considerations, and some indeed need TTLS-PAP. If it is unavoidable, there is a GPLed version of SecureW2 which can deliver TTLS-PAP to older versions of Windows. I'm sure you can find it on the internet somewhere.

Stefan

> On Wed, May 30, 2012 at 8:15 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
>> On 30/05/12 13:44, Steve Hopps wrote:
>>> IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
>>
>> It's certainly a shame that Windows 7 doesn't support TTLS/PAP.
>>
>> PEAP/MSCHAP requires you have the plaintext password or NT hash, or access to an mschap oracle like ntlm_auth running on Samba as a member of the domain. If you don't have those, you can't do PEAP/MSCHAP, and your options are very limited.
>>
>> EAP-TLS, perhaps?
Re: unlang fails for some strange reason...
Hello,

noone with a hint?

Stefan

On 07.05.2012 11:13, Stefan Winter wrote:
> Hi,
>
> at a client's site, I have to do some chopping off parts of User-Name, pretty straightforward, but for some reason it doesn't work (2.1.12):
>
> In inner-tunnel, authenticate, MSCHAPv2 for PEAP:
>
> authenticate {
>     Auth-Type MS-CHAP {
>         if (%{Stripped-User-Name} =~ /().*/) {
>             update request {
>                 SAMAccountName := %{1}
>             }
>         } else {
>             update request {
>                 SAMAccountName := %{Stripped-User-Name}
>             }
>         }
>         mschap
>     }
> }
>
> So, if the Stripped-User-Name is longer than 20 chars, chop it off and store it in SAMAccountName, otherwise, just store the full Stripped-User-Name in SAMAccountName.
>
> SAMAccountName is defined in the dictionary as an internal attribute:
>
> ATTRIBUTE SAMAccountName 3003 string
>
> During run-time, the following strange thing happens...
>
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/)
> [mschapv2] expand: %{Stripped-User-Name} -> christian.test
> [mschapv2] ? Evaluating (%{Stripped-User-Name} =~ /().*/) -> FALSE
> [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/) -> FALSE
> [mschapv2] ++- entering else else {...}
> [mschapv2] expand: %{Stripped-User-Name} -> christian.test
> [mschapv2] +++[request] returns reject
> [mschapv2] ++- else else returns reject
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
>
> So... short User-Name, the else path is taken, Stripped-User-Name expands nicely... and then, the update request group returns reject?!? I tried to use update control instead, which fails too, and used a non-internal attribute for that name as well. It just won't work. Is that maybe one of the known quirks in 2.1.12? Would using the current stable branch work better?
>
> Greetings,
>
> Stefan Winter
Re: unlang fails for some strange reason...
Hi,

yet another subtlety I didn't know of... I'm checking with my client whether either moving it to authorize or putting the "ok" in front will do the trick. I'll let the list know of the outcome so that the collective list intelligence a.k.a. archive will have the answer for later.

Thanks,

Stefan

On 09.05.2012 09:56, Alan DeKok wrote:
> Stefan Winter wrote:
>> no one with a hint?
>
> Hmm... the default return code for things in the "authenticate" section is "reject". And the "update" sections just pass through the *previous* return code.
>
> You might try this as a hack:
>
>     Auth-Type MS-CHAP {
>         ok
>         if (..) {
>         }
>         else {
>         }
>         mschap
>     }
>
> The "ok" at the start will over-ride the default "reject"
>
> Alan DeKok.
Re: unlang fails for some strange reason...
Hi,

both methods worked: moving into authorize (but after calling the suffix module, which sets Stripped-User-Name), and also the "ok" hack in authenticate. We chose to move to authorize, as it's more easily understandable.

Thanks for the help!

Greetings,

Stefan Winter

On 09.05.2012 11:17, Stefan Winter wrote:
> Hi,
>
> yet another subtlety I didn't know of... I'm checking with my client whether either moving it to authorize or putting the "ok" in front will do the trick. I'll let the list know of the outcome so that the collective list intelligence a.k.a. archive will have the answer for later.
>
> Thanks,
>
> Stefan
>
> On 09.05.2012 09:56, Alan DeKok wrote:
>> Stefan Winter wrote:
>>> no one with a hint?
>>
>> Hmm... the default return code for things in the "authenticate" section is "reject". And the "update" sections just pass through the *previous* return code.
>>
>> You might try this as a hack:
>>
>>     Auth-Type MS-CHAP {
>>         ok
>>         if (..) {
>>         }
>>         else {
>>         }
>>         mschap
>>     }
>>
>> The "ok" at the start will over-ride the default "reject"
>>
>> Alan DeKok.
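Both fixes that this thread reports as working, written out as one config fragment; this is an added example, not configuration from any of the posts. The regex /^(.{20})/ is an assumption standing in for the original (which is not legible in the archive and is described only as "longer than 20 chars"), and the module calls around the rewrite are the minimal ones from a default inner-tunnel.

```unlang
# Added example, not from the thread. SAMAccountName is the internal
# attribute from the thread's dictionary line:
#     ATTRIBUTE SAMAccountName 3003 string
# The regex is an ASSUMED reconstruction of "keep the first 20 chars".

# Variant 1 (the one the thread chose): do the rewrite in "authorize",
# after the "suffix" module, because "suffix" is what sets
# Stripped-User-Name. "update" only passes the previous return code
# through, and in "authorize" that is not "reject", so the request is
# no longer rejected just by running the update.
authorize {
    preprocess
    suffix
    if (Stripped-User-Name =~ /^(.{20})/) {
        # longer than 20 chars: keep the first 20, i.e. capture %{1}
        update request {
            SAMAccountName := "%{1}"
        }
    }
    else {
        update request {
            SAMAccountName := "%{Stripped-User-Name}"
        }
    }
    mschap
    eap
}

# Variant 2 (Alan's hack): keep it in "authenticate", where the default
# return code IS "reject", but start the Auth-Type block with "ok" so
# that the "update" blocks pass "ok" through instead of the default
# "reject". Only the Auth-Type MS-CHAP sub-section is shown.
authenticate {
    Auth-Type MS-CHAP {
        ok
        if (Stripped-User-Name =~ /^(.{20})/) {
            update request {
                SAMAccountName := "%{1}"
            }
        }
        else {
            update request {
                SAMAccountName := "%{Stripped-User-Name}"
            }
        }
        mschap
    }
}
```

Run the server in debug mode (radiusd -X) and check that the "update" blocks now return "ok"/"noop" rather than "reject" in the [mschapv2] trace before relying on either variant.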
unlang fails for some strange reason...
Hi,

at a client's site, I have to do some chopping off of parts of User-Name, pretty straightforward, but for some reason it doesn't work (2.1.12):

In inner-tunnel, authenticate, MSCHAPv2 for PEAP:

    authenticate {
      Auth-Type MS-CHAP {
        if(%{Stripped-User-Name} =~ /().*/){
          update request {
            SAMAccountName := %{1}
          }
        } else {
          update request {
            SAMAccountName := %{Stripped-User-Name}
          }
        }
        mschap
      }
    }

So, if the Stripped-User-Name is longer than 20 chars, chop it off and store it in SAMAccountName, otherwise, just store the full Stripped-User-Name in SAMAccountName.

SAMAccountName is defined in the dictionary as an internal attribute:

    ATTRIBUTE SAMAccountName 3003 string

During run-time, the following strange thing happens...

    # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
    [mschapv2] +- entering group MS-CHAP {...}
    [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/)
    [mschapv2] expand: %{Stripped-User-Name} -> christian.test
    [mschapv2] ? Evaluating (%{Stripped-User-Name} =~ /().*/) -> FALSE
    [mschapv2] ++? if (%{Stripped-User-Name} =~ /().*/) -> FALSE
    [mschapv2] ++- entering else else {...}
    [mschapv2] expand: %{Stripped-User-Name} -> christian.test
    [mschapv2] +++[request] returns reject
    [mschapv2] ++- else else returns reject
    [eap] Freeing handler
    ++[eap] returns reject
    Failed to authenticate the user.

So... short User-Name, the else path is taken, Stripped-User-Name expands nicely... and then, the update request group returns reject?!?

I tried to use update control instead, which fails too, and used a non-internal attribute for that name as well. It just won't work.

Is that maybe one of the known quirks in 2.1.12? Would using the current stable branch work better?

Greetings,

Stefan Winter
SHA-256,384,512?
Hi,

I'm trying to figure out if FreeRADIUS supports SHA-2 (256, 384, 512 variants) or just SHA1. Some attributes have only "SSHA" in their name, without a "-1", so I thought they could do more than SHA-1. Looking at the source code of 2.1.12, it doesn't look like it though; SHA seems to be synonymous for SHA-1.

Can I get a quick confirmation that the SHA-2 family is not supported for password hashes? Anything coming up in that regard in 3.0?

Greetings,

Stefan Winter
Re: Question: which 3rd party CA for EAP
Hi,

> We are trying to setup eap for different mobile devices. We don't need certificates for each user, we want to authorize against the radius with username and password only. With self signed certificates it's working if the mobile device installs the root ca certificate. We tried several 3rd party certificates: StartSSL, united ssl, godaddy, test certificates from thawte. Apple and windows clients are claiming that the certificate is not trusted. Has anybody a working solution with 3rd party certificates and can tell us which certificate could be used and what needs to be configured in eap.conf?

You should be aware that the "trusted" status of a CA is completely independent in browsers vs. for EAP. Browsers have a (large|too large) set of CAs which they consider trusted. EAP supplicants typically trust NO CA unless explicitly configured to. In the Windows case, the supplicant will trust the 3rd party certs just fine as soon as you open the EAP properties and check the box of that CA.

So, very often you will require extra manual/scripted configuration whether you use a self-signed CA or not; merely the actual import of the certificate file can be omitted if the CA is shipped. I.e. you don't gain a lot, and spend more money when using a "trusted" CA, so in the vast majority of cases, it is the wiser way to use a self-signed CA.

Greetings,

Stefan Winter

> Kind Regards
> Uwe
Fwd: ldap-radius integration
Please don't write private mail to me with FreeRADIUS questions. Forwarding to freeradius-users.

-------- Original Message --------
Subject: ldap-radius integration
Date: Fri, 30 Mar 2012 12:35:53 -0700
From: exu...@gmail.com
To: stefan.win...@restena.lu

could you give me some reference material or the steps involved in integrating radius and ldap?

I am stuck with the error

    [ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
    [ldap] waiting for bind result ...
    [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf

can't understand how to proceed..!

PS: I'm using ubuntu 11.10
Re: Fwd: ldap-radius integration
> could you give me some reference material or the steps involved in integrating radius and ldap?
>
> I am stuck with the error
>
>     [ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
>     [ldap] waiting for bind result ...
>     [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
>
> can't understand how to proceed..!
>
> PS: I'm using ubuntu 11.10

You need to tell FreeRADIUS login credentials for your LDAP administrator account. According to the query, the username for that is "Manager" and the LDAP server is radius.example.com. I believe these are the default (shipped) values that come with FreeRADIUS. Replace them with the *real* login details of your LDAP admin account.

In general: *read* the debug output and *apply common sense*.

Greetings,

Stefan Winter

P.S.: your Operating System is irrelevant for this error.
generate a random value with unlang?
Hi,

in some weird business case, I would like to generate a one-time use token for later consumption in post-auth. So when the user is accepted, trigger an {sql:INSERT randomvalue INTO someplace}. The value should be new for every Access-Accept.

I wonder how to generate such a random value with unlang. Is there some {%rand} or anything like that?

Currently I do it embedded in the INSERT:

    INSERT ... SHA1(RAND())... INTO someplace

but our MySQL admins don't like me doing that. So I'd prefer to do this on FreeRADIUS and send a simple string to the DB.

Greetings,

Stefan Winter
Re: RadSec FR3.0 to Radiator: Received packet will be too large
Hi,

>> We're piloting RadSec as a federation server uplink. They use Radiator. When we first attempted to connect we'd get a "Received packet will be too large!" carp from main/tls.c. They checked on their end and say they have no fragment size option for RadSec TLS connections, only for EAP-TLS connections.

The above doesn't make much sense to me... there are size limits in RADIUS, but not regarding the TLS stream around them. The limits in question are:

- EAP-Message total length must be <= MTU between NAS and device (EAP cannot be fragmented on layer 2)
- RADIUS datagram total length <= 4096 Bytes (arbitrary RFC limit)

The RADIUS/TLS wrapper around those datagrams is not size-limited at all - it carries streams of n RADIUS datagrams. The TCP stack will take care of sending the data in chunks like with any other TCP based protocol.

My guess is that main/tls.c thinks it operates within an EAP context and tries to warn of too big data chunks, while there is actually nothing to warn about.

Greetings,

Stefan Winter

>> So we applied the below as a test and it works, but I was wondering as to the wisdom of it...
>
> interesting...a RADSEC packet can be much bigger than that too - 2048 gives some room for a big certificate - but not if it's double-chained with intermediate and it's got a nice security size instead of being a little 512bit RSA one.
>
> typically EAP-TLS can be fragmented on the server due to it going through to the end-clients ..and being UDP things get a little nasty...whereas with RADSEC there's no reason why a single TCP request couldn't be quite large and needing to be fragmented by the routers
>
> alan
Re: Source for freeradius-server-2.0.4
ftp://ftp.freeradius.org/pub/freeradius/old/

On 11.02.12 03:32, Charles H. Fisher wrote:
> I have a heavily patched version of freeradius-server-2.0.4 that I would like to migrate forward to the current version. This requires that I know what changes were made to the standard 2.0.4. I have not been able to find a copy of it on the internet, and the archives on this site do not have any of the older files any later than the end of the 1.x series. Do you know where I can find a copy of the freeradius-server-2.0.4 source tarball.
>
> Thanks
Re: self-signed root CA
Hi,

that's a discussion / holy war admins have been fighting over for *years* in the eduroam roaming consortium. I agree with all that was said in the thread, regarding security vs. convenience. Just to add one thing to the mix: if you allow "bring your own device" for your network, you'll have much less control over what hardware comes to visit you. For some supplicants it is very hard/impossible to add an own self-signed CA to the trust root. In these cases, being able to verify the issuing CA against the hard-wired trust store is arguably more secure than not being able to validate the cert at all with a self-signed CA. For Android 4.0 for example, pushing a new CA into the trust store is hard. Doing it in a non-interactive autoconfig way is to my knowledge impossible.

So, BYOD is a factor to consider.

Greetings,

Stefan Winter

> McNutt, Justin M. wrote:
>> So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing.
>
> Self-signed CA. *Always*.
>
>> And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?
>
> Yes.
>
>> I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA. The README explains briefly why, but my management wants more assurance than that, so here I am.
>
> Well, I wrote that README. It's correct.
>
> Here's a question for management. Do they want anyone on the planet to be able to set up a copy of their WiFi SSID, and grab user information? If yes, use a public CA. If no, use a self-signed CA.
>
> With web surfing, your web browser verifies that the site at facebook.com is holding an SSL certificate which says facebook.com. This prevents anyone else from using a facebook.com certificate, because no one else can control the facebook.com domain.
>
> For WiFi, there is no such control. If your company SSID is example.com, *anyone* can duplicate that SSID. The EAP supplicant doesn't check if the SSID matches the certificate. It can't check, for a whole host of reasons.
>
> So the situations are different. The result is that the security methods are different, too.
>
> Alan DeKok.
Re: Next release of the server?
Hi,

> 2.2.0 is explicitly compatible with 2.1.12. The only change is to fix something which was *broken* in 2.1.12.

Is there really much point in calling it 2.2.0 then? If people don't like a 13 patch-level number, it could also be called 2.1.14 :-)

Cranking up the minor version number just leads to many people asking the kind of "can I upgrade" questions we've just gone through.

Greetings,

Stefan Winter
Re: VLAN attribution in an eduroam setting - proxied users
Hello Rui,

> As for the VLAN attribution whether the user is a roaming user (i.e. goes to a proxy to be authenticated), I have done several tries, without success. Haven't managed to do it through the users file above; my last attempt was trying to set them up in the /etc/freeradius/attrs file with attr_filter.post-proxy, however it seems to interfere with the EAP/password negotiation. The setup is as follows, and I would like to ask for an alternative of where to insert the roaming VLAN.
>
>     post-proxy {
>         post_proxy_log
>         attr_filter.post-proxy    # here ---
>         Post-Proxy-Type Fail {
>             detail
>         }
>     }

The attr_filter module only controls what to strip out of the incoming reply, it can not be used to add new attributes. What you specified in the file:

    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := 216,

means: "Only leave these attributes in the reply packet if they have exactly these values, otherwise strip them out." That is obviously not what you want.

The solution is rather simple with unlang:

    post-proxy {
        post_proxy_log
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := 216
        }
        Post-Proxy-Type Fail {
            detail
        }
    }

(syntax is free-handed, you should try this on a testing server first)

Greetings,

Stefan Winter
Re: EAP/TLS authentication in 2050
Hi,

> why? really, why? what purpose does testing these dates have - you really think your current infrastructure, and technologies such as 802.1X are going to be around in the same format in even 20 years time?

To be honest, I'm thinking of a similar thing. Given how painful a CA rollover can be, I'm planning to rollover to a CA with validity somewhere beyond Stefan's retirement date, which is unfortunately later than 2037. Given that the extra effort to extend the lifetime of a CA is *zero* (just enter a different date in openssl.cnf) and the pain to eventually stumble over an expiring CA is non-zero - I prefer to do the zero work. Of course things might change, my CA keys might get too short, and I might be forced to roll over anyway - there is at least a *chance* that I can prevent a need to rollover, and so I'll do it.

3011 is stretching it though, admitted.

Stefan

> anyway...I'm guessing these are 32 bit server and client OS ? you may find, in that case, that your tests will work until you set the date beyond 2037 - 32bit OS have problems with dates after 2038
>
> so, try this with KNOWN parameters - eg 2020, within the 2038 timeframe and things should work.
>
> alan
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Hi,

>> You haven't done that. You're smart if you spend the time to understand what you're talking
>
> I know what I am talking about. When there is something I don't know, however - I ask, politely, and expect the same from others (that doesn't include you, apparently).

I think what Alan was trying to point out is that it is easy to find answers to your basic questions without asking this mailing list. The security of RADIUS is incredibly well-documented, and not specific to FreeRADIUS. So if your problem is that you don't know whether or not a RADIUS shared secret is sent in clear text or not - and jump to false conclusions based on your *belief* how it *might* work (even if you are wrong in your assumptions) then that is typically called "noise" on a mailing list. You might rather want to clarify that aspect yourself. I just typed "RADIUS shared secret" into Google, and found actual on-topic results - on page one. Microsoft Technet unfortunately, but better than nothing.

Now to get more down to the topic. You mention that security is paramount, which is correct. When you are using EAP-TLS or EAP-TTLS, security of your transmitted credentials comes by virtue of the TLS tunnel that is established within that EAP method. The transport-layer security of RADIUS adds nothing to the security of these credentials. In that case, it doesn't matter much - for security reasons - whether your Access Points talk RADIUS (IP+shared secret) or RADIUS/TLS.

What *is* revealed if you use only RADIUS, is some of the not-so-significant attributes in the Access-Request like the MAC address of the connecting client in Calling-Station-Id. That you might possibly see as a rather minimal privacy invasion if an eavesdropper listens on the packet; in that case, RADIUS/TLS would be a way of mitigating that.

Your thread contains lots of confusion, false assumptions and wrong conclusions. There is always a danger that that kind of half-knowledge spreads and leads to FUD.

So to be abundantly clear:

Transport security
------------------
* traditional: fixed bindings of IP address+shared secret; uses MD5 for hash calculation
* TLS security: either TLS-PSK (drop-in replacement for shared secret) or certificate based

Credential security
-------------------
* most EAP types roll their own, which makes transport security less relevant
* EAP-TLS, TTLS, PEAP, FAST are among those
* FreeRADIUS supports all of these EAP types just fine
* some weak EAP types don't provide that security on their own, and either
  - need to be tunneled within TTLS and friends
  - or -
  - need to be secured by transport security

I think this answers all the questions in your thread and counteracts all the conclusions you jumped onto mid-way.

If I may add: almost none of these questions were specific to *FreeRADIUS - the product* - they were about the RADIUS protocol. This mailing list is not the place to ask random questions about RADIUS. Read up on it on the internet, buy a book, or visit a course about RADIUS. The mailing list is about configuring FreeRADIUS.

Greetings,

Stefan Winter
Re: EAP-TLS CRL checking when multiple CAs used
Hi,

> Question is: When FreeRADIUS receives a user certificate, how does the daemon find the correct CRL list in the certs directory?

The CRL needs to be in the same directory as the CAs, and needs to be hashed with c_rehash just like the CA certs. CRLs automatically get the hash suffix .r0 instead of .0.

You will still need to restart FreeRADIUS after downloading a new CRL; re-reading them at runtime is not possible due to glorious openSSL.

Stefan

> Thank you
>
> Martin Čmelík
>
> 2011/11/14 Alan DeKok al...@deployingradius.com:
>> Martin Čmelík wrote:
>>> nobody knows how to set up freeradius to check new CRL lists?
>>
>> FreeRADIUS uses OpenSSL for CRLs (and everything SSL). OpenSSL does not support dynamically adding CRLs at run time.
>>
>> See the "ocsp" support in 2.1.12.
>>
>> Alan DeKok.
Re: FreeRADIUS Beginner's Guide
Hi,

> I'm a complete newbie to RADIUS, looking to make use of the features of my new smart switches and wireless access point to secure my home network, so the title certainly sounds right. Has anyone had a look at this book yet? If so, what are your thoughts?

I have finally found the time to give it a look, too. Here's my review:

Book Review: FreeRADIUS Beginner's Guide

The book „FreeRADIUS Beginner's Guide – Manage your network resources with FreeRADIUS“ by Dirk van der Walt has set itself a bold goal: to transform an ordinary Unix/Linux system administrator from a „Zero“ to a „Hero“ in the topic of Authentication, Authorisation and Accounting with FreeRADIUS. The book is in a very modest price range and available in traditional printed and also an eBook version right here:

http://www.packtpub.com/freeradius-master-authentication-authorization-accessing-your-network-resources/book?tag=rk/freeradiusbg-abr1/0911

From my own experience, getting in first contact with the RADIUS protocol in general and FreeRADIUS in particular can be a dreadful exercise: there are many complex concepts to grasp and huge configuration files to master; and plenty of opportunity to break things if you touch the configuration without knowing the do's and don'ts. The FreeRADIUS software package has ample documentation in the form of man pages and comments in configuration files. What was sorely missing – up until now – was documentation that would take an innocent reader by the hand and show him the wonders of RADIUS without too much confusion.

Dirk's book certainly achieves this goal, and more. It dives straight into the matter, touches the RADIUS specification only as much as is needed to understand the software that delivers it. The reader learns how easy it is to get to the „Hello, world!“ equivalent of RADIUS – the first successful authentication, an Access-Accept packet. From then on, the book builds on the milestones achieved by the reader and adds more and more features and complexity. Near the end of the book, the reader has all the required knowledge to run his own little hotspot, a federated „single-sign-on domain“ based on RADIUS or even be part of a large roaming consortium.

Being heavily involved in RADIUS myself, as the lead R&D engineer for the „eduroam“ roaming consortium in Europe, and as lecturer on the topic of Secure Network Admission at the University of Luxembourg, I was amazed how often I found myself thinking „Right, couldn't have said it better“ when the author explained some of the particularly hairy concepts – EAP with outer identity just being one example.

Of course, there are always those few little things everyone likes to do a bit differently; I'm very much a compile-from-source person and was slightly disappointed to read that the author rather encourages his readers to use distribution packages or build their own RPMs/DEBs. Then again, the target audience is starting from zero, and adding "compile your own" to the stack of things to learn is probably asking a bit much. Another question of taste is the client to use for testing the more complex authentication mechanisms – the book uses a GUI client, JRadiusSimulator, while I very much prefer „eapol_test“ from the wpa_supplicant software suite. It can be so nicely scripted and is as flexible as a Swiss army knife – perfect for Nagios monitoring. In my humble opinion, it would have deserved a significant mention.

Lastly, there is a nagging little oversight when it comes to the description of proxying on page 250: Proxying, when done in combination with mutually authenticating EAP methods and with anonymous outer identities, doesn't expose usernames nor credentials to the roaming partner. The book doesn't make that aspect overly clear. Then again, peeking at the title, this topic is way advanced and few people will get to a point in their RADIUS life where they would need it.

Summarising, I can highly recommend this book as a starter to get into FreeRADIUS. I'm sure the FreeRADIUS users' mailing list would see much less traffic on basic operational and conceptual questions if everyone were to read this book. If you need to get acquainted with FreeRADIUS, do yourself a favour and grab a copy.

Greetings,

Stefan Winter
systemd and FreeRADIUS
Hi,

seems like openSUSE is going the fancy way and throws good old INIT overboard with their next release. System initialisation and housekeeping is changing towards systemd instead.

So, in 20-something days I'll try to get my first FreeRADIUS running on that, and can't use my good old init scripts any more (I guess I could with some systemd-to-INIT legacy support, but I like eating fresh dogfood).

Is there already someone working on systemd description files for FreeRADIUS? If not, I'll (have to :-) ) give it a go myself...

Greetings,

Stefan Winter
RE: Dynamic Attributes Based on NAS Type !
Alan wrote:
> if (%{client:nas_type} == foo) {
>     // map policies for client foo
> }

What would you recommend to do, if your client is a proxy server? NAS-ID?

> An even simpler solution is to just return all of the VSAs to each NAS. As was said earlier, each NAS will ignore the ones it doesn't understand, and apply the ones it does.

Nice idea, as long as a NAS vendor does not introduce another or additional way (/attribute) to do things in newer NAS OS versions. In that case you would possibly get in trouble if you have both NAS OS versions in your network and feed them with mixed attributes. Starent did this in the past, where they had a bunch of QoS attributes in one version and a single attribute (177) to handle them all at once in newer versions.

Regards
Stefan
RE: Dynamic Attributes Based on NAS Type !
Alan wrote:
>> What would you recommend to do, if your client is a proxy server? NAS-ID?
>
> No. Don't send policies back. You don't control the NAS. So you have no business sending it NAS-specific policies.

I never talked about sending policies to the NAS. The question was, what would be the recommendation, if the RADIUS client is a RADIUS Proxy server (..in between the original NAS and my FR...). In that case, %{client:nas_type} won't work, because it would always be the same (... proxy server).

Would one use %{NAS-ID} instead of %{client:nas_type}?

Stefan
RE: Dynamic Attributes Based on NAS Type !
I give up... No time for distorting arguments.

Regards
Stefan

-----Original Message-----
From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Sunday, October 09, 2011 7:35 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic Attributes Based on NAS Type !

Stefan A. wrote:
> I never talked about sending policies to the NAS.

That *was* the subject of conversation. If you're not going to talk about that, start a new thread.

> The question was, what would be the recommendation, if the RADIUS client is a RADIUS Proxy server (..in between the original NAS and my FR...) In that case, %{client:nas_type} won't work, because it would always be the same (... proxy server)

Uh... the nas_type field is whatever you want. Put in nas_type = proxy for a proxy server. You can then key off of that, and send *no* NAS-specific attributes back.

> Would one use %{NAS-ID} instead of %{client:nas_type}?

No. The NAS-Identifier is created by the NAS, which may be 2-3 hops away from the proxy.

Alan DeKok.
RE: Dynamic Attributes Based on NAS Type !
Suman,

as you did not say anything about the exact attributes you will send to the NAS, here is how we do this: we are also using different NAS and have to reply with different VSAs for setting up the QoS. We use the existence of a specific VSA (specified per NAS type) in the request to select the VSAs to be used in responses. E.g.: if we find the Starent Networks VSA 'SN-Service-Type' in the request, we reply with 'SN-QOS-Profile' to set up QoS. This is safe, as we won't see any Starent VSAs in Cisco or Chillispot NASes. To make this flexible, we have set up our own VSA to configure users' QoS, which is then translated into the specific reply attributes for the NAS the user is currently using.

Regards
Stefan

From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org On Behalf Of Suman Dash
Sent: Saturday, October 08, 2011 4:40 PM
To: FreeRadius users mailing list
Subject: Dynamic Attributes Based on NAS Type !

Hi Everyone,

currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc. and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS. In my case I think static reply items are not possible per user or per group, so my question is what trick can be used to achieve the same. I had not tried anything as I have no clue on the same, so some highlights on the approach will be a good starting point for me.

Cheers
Suman
RE: Dynamic Attributes Based on NAS Type !
Norbert,

sorry, but you are taking a sledgehammer to crack the nut. If you read it, one of the ideas of having different virtual servers is separation of policies for different NASes; you are right. Suman was asking how to send several NASes into the same policy.

Regards
Stefan

From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org On Behalf Of Wegener, Norbert
Sent: Saturday, October 08, 2011 8:02 PM
To: FreeRadius users mailing list
Subject: AW: Dynamic Attributes Based on NAS Type !

The general idea is to set up a virtual server for each type of NAS and make sure that every NAS is loaded into the correct virtual server.

With best regards,
Norbert Wegener
Siemens IT Solutions and Services, AIS MS NC PSU SDC, Bruchstraße 5, 45883 Gelsenkirchen, Germany
Tel.: +49 (209) 94565716, Fax: +49 (201) 8165581284, mailto:norbert.wege...@atos.net
Atos IT Solutions and Services GmbH; Management: Winfried Holz, Christian Oecking, Rainer-Christian Koppitz; Chairman of the Supervisory Board: Charles Dehelly; Registered office: München, Germany; Commercial register: München, HRB 184933.

From: freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org On behalf of Suman Dash [sumand...@gmail.com]
Sent: Saturday, 8 October 2011 16:39
To: FreeRadius users mailing list
Subject: Dynamic Attributes Based on NAS Type !
Re: password in EAP request
Hi,

>> I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true?
>
> No...? There's http://www.willhackforsushi.com/FreeRADIUS_WPE.html, but it's not a complete solution in itself...

Uh, what a lame thing. It will only work on the assumption that the user does not check the server certificate, which is really bad practice. The rest is a setup of FreeRADIUS which is designed to be compatible with as many EAP types as possible, so as not to disturb the end user experience. It also can't figure out if the user entered his real credentials or had a typo/intentionally put in something different. The patch is a few sample clients, nothing more. A nice exercise, for sure, but calling this "Pwnage Edition" is somewhat exaggerated. As I read the headline, I expected more bang for the buck :-)

Greetings,

Stefan Winter
Re: Dialup Admin
Hi,

radiusd -X is of no use in debugging dialup admin. It's a PHP tool running on a web server, whereas FreeRADIUS' radiusd is a stand-alone process doing RADIUS. Their only interface is that FreeRADIUS writes into a DB, and dialup admin reads data from that same DB; the two sides of it use a common schema. You need to configure both sides regarding database hostname, username, password. Setting it in raddb/* is NOT doing any good. So, if your dialup admin throws an error - look at the web server's error log. It will help you much more.

Greetings,

Stefan Winter

On 19.09.2011 05:14, shawky skaff wrote:
> Hi,
>
> I am having issues viewing content on the dialup screen. I can see the html links; when I select one of them, say accounting, I just receive an error saying
>
> DEBUG(SQL,MYSQL DRIVER): Connect: User=root,Password=*
>
> I have allowed all sql options in the sites-enabled default file. Running radiusd -X gives me the following output:
>
> [root@radius conf]# radiusd -X
> FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
> Starting - reading configuration files ...
Re: Pre release of 2.1.12
> Hi,
>
> it's now running on our most busy server. Both -X and background-multithreaded do their usual job. I do not see any problems so far. That said, I was at that point with 2.1.11 as well, and it caught fire after 48+ hours only. So, there might still be surprises. I'll keep it running under surveillance for the rest of the week. By next Monday, I'll speak up again and let you know if my setup (still) works fine.

Keeps on running like Forest Gump.

Stefan

> Greetings,
>
> Stefan Winter
>
> On 29.08.2011 16:13, Alan DeKok wrote:
>> I've put some pre releases of 2.1.12 on the web site: http://git.freeradius.org/pre/
>>
>> Please let me know if there are any problems. If not, this can become 2.1.12.
>>
>> Alan DeKok.

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Re: Pre release of 2.1.12
Hi,

it's now running on our most busy server. Both -X and background-multithreaded do their usual job. I do not see any problems so far. That said, I was at that point with 2.1.11 as well, and it caught fire after 48+ hours only. So, there might still be surprises. I'll keep it running under surveillance for the rest of the week. By next Monday, I'll speak up again and let you know if my setup (still) works fine.

Greetings,

Stefan Winter

On 29.08.2011 16:13, Alan DeKok wrote:
> I've put some pre releases of 2.1.12 on the web site: http://git.freeradius.org/pre/
>
> Please let me know if there are any problems. If not, this can become 2.1.12.
>
> Alan DeKok.
Re: Fwd: Authentication failure issue
Hello,

while you marked lots of stuff in yellow, you missed the REALLY helpful part:

> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

How about doing exactly that...?

Stefan Winter

On 05.08.2011 06:14, fieldpeak wrote:
> Hello Friends,
>
> I met an issue regarding password/authentication with FreeRadius. Could anybody help with the issue? Thanks!
>
> User-Password = ?\210\365@\263\t\306\343\243iT?\311C\t\002
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
>
> The details in below mails.
>
> Regards,
> Charles
>
> ---------- Forwarded conversation ----------
> Subject: Authentication failure issue
> From: fieldpeak <fieldp...@gmail.com>
> Date: 2011/8/4
> To: freeradius-users@lists.freeradius.org
>
> Dear Friends,
>
> I'm trying to integrate Freeswitch with Freeradius. I met the issue below, can anyone help? Thanks in advance.
>
> Freeradius server log:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 52684, id=49, length=111
>         User-Name = 1001
>         User-Password = ?\210\365@\263\t\306\343\243iT?\311C\t\002
>         Called-Station-Id = 888
>         h323-conf-id = 749d2b5a-16ad-48e4-af58-24011949d1b5
>         Calling-Station-Id = 1001
>         NAS-Port = 0
>         NAS-IP-Address = 127.0.0.1
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
> [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
> [auth_log] expand: %t -> Wed Aug 3 12:06:33 2011
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = 1001, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> [sql] expand: %{User-Name} -> 1001
> [sql] sql_set_user escaped user --> '1001'
> rlm_sql (sql): Reserving sql socket id: 4
> [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1001' ORDER BY id
> [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1001' ORDER BY priority
> rlm_sql (sql): Released sql socket id: 4
> [sql] User 1001 not found
> ++[sql] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
> Failed to authenticate the user.
> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
> Using Post-Auth-Type Reject
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> 1001
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 8 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 8
> Sending Access-Reject of id 49 to 127.0.0.1 port 52684
> Waking up in 4.9 seconds.
> Cleaning up request 8 ID 49 with timestamp +7674
> Ready to process requests.
>
> WARNING! No known good password found for the user
>
> Regards,
> Charles
>
> ----------
> From: fieldpeak <fieldp...@gmail.com>
> Date: 2011/8/4
> To: freeradius-users@lists.freeradius.org
>
> Hello Gurus,
>
> I've double checked the shared secret on both server and NAS; they are the same. The problem still exists, it has troubled me for a few days, can anyone kindly help?
>
> nas: /usr/local/etc/radiusclient/servers
> localhost/localhost testing123
>
> server: /usr/local/etc/raddb/clients.conf
> secret= testing123
Re: Fwd: Authentication failure issue
Hi,

if the password is mangled that way, there is not much other reason than a misconfigured shared secret. I can't tell you which config file exactly does what on your system; that depends on the configure settings you used to install FreeRADIUS, and on where and how you installed the NAS stuff with radiusclient. You could post a *full* debug output of radiusd -X, *including* what's printed on server startup - it will print out which files it reads for its configuration.

Stefan

On 05.08.2011 10:21, fieldpeak wrote:
> Hi Stefan,
>
> Sorry for the confusion, actually I have checked both secrets on both NAS and server sides, it is the same. Below is the debug output; the confusing password Q?²Êà ëê¢p?¤F?+Õa is very suspicious, it should be '' that I configured in the database. Maybe I checked the wrong conf files for the secret; below are the files that I checked. Is it correct?
>
> NAS: usr/local/etc/radiusclient/servers
> localhost/localhost testing123
>
> Server: /usr/local/etc/raddb/clients.conf
> secret = testing123
>
> debug output:
>
> Found Auth-Type = PAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password Q?²Êà ëê¢p?¤F?+Õa
> [pap] Using clear text password
> [pap] Passwords don't match
> ++[pap] returns reject
> Failed to authenticate the user.
> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
> Using Post-Auth-Type Reject
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> 1001
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 38 for 1 seconds
>
> Regards,
> Charles
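The mangled User-Password in the debug output above is exactly what RFC 2865 password hiding produces when the NAS and the server use different shared secrets. As an added example (not from the thread and not the FreeRADIUS source), the block below reimplements the hiding scheme and the "unprintable characters" check the server's warning relies on; the password, the Request Authenticator and the wrong secret are constructed values, while testing123 is the secret named in the thread.

```python
import hashlib
import string

# RFC 2865 section 5.2: User-Password is hidden (not encrypted) by XORing
# 16-byte blocks with an MD5 keystream keyed on the shared secret and the
# 16-byte Request Authenticator of the Access-Request. A NAS and a server
# with different secrets derive different keystreams, so the server
# "recovers" pseudo-random bytes instead of the cleartext.

PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\t\n\r\x0b\x0c")


def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    """b_i = MD5(S + c_{i-1}); c_0 is the Request Authenticator."""
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS puts into the User-Password attribute."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes (RFC 2865)")
    # Pad with NUL bytes to a multiple of 16 bytes.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        stream = _keystream_block(secret, prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block  # next block is chained on the previous ciphertext
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server computes; correct only if its secret matches the NAS's."""
    if len(authenticator) != 16 or len(hidden) % 16:
        raise ValueError("malformed hidden password or authenticator")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        stream = _keystream_block(secret, prev)
        clear += bytes(c ^ k for c, k in zip(block, stream))
        prev = block
    return bytes(clear).rstrip(b"\x00")  # strip the NUL padding


def has_unprintable(password: bytes) -> bool:
    """The heuristic behind the 'Unprintable characters in the password' hint."""
    return any(b not in PRINTABLE for b in password)


def diagnose(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Classify a failed PAP login the way the server's warning does."""
    if has_unprintable(reveal_password(hidden, secret, authenticator)):
        return "secret-mismatch-suspected"
    return "printable-password"


if __name__ == "__main__":
    # Constructed sample values; testing123 is the secret named in the thread.
    authenticator = bytes(range(16))
    on_the_wire = hide_password(b"1001pass", b"testing123", authenticator)
    print(reveal_password(on_the_wire, b"testing123", authenticator))  # b'1001pass'
    garbage = reveal_password(on_the_wire, b"testing124", authenticator)
    print(garbage, diagnose(on_the_wire, b"testing124", authenticator))
```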
Re: Fwd: Authentication failure issue
Hi,

your FreeRADIUS Server reads the clients from this file:

> including configuration file /usr/local/etc/raddb/clients.conf

which is what you edited - good. Now you have to check where radiusclient reads its secret from. Can't help you with that.

Stefan

On 05.08.2011 11:09, fieldpeak wrote:
> Hi Stefan,
>
> Attached is the full log from FreeRadius start. I tried to identify it myself, however I'm a newcomer to FR. Can you please advise? Thanks a lot!
>
> Regards,
> Charles
num_answers_to_alive
Hi,

the configuration of 2.1.10 has the parameter num_answers_to_alive in proxy.conf. Looking at the source code, I found that instead, in realms.c, the config option num_pings_to_alive is used. num_answers is read from the config, but never referenced. If that's the case, then the config option in proxy.conf should be changed to be num_pings_to_alive, otherwise people will likely fail to tweak the value.

Speaking of tweaking the value, I also found

    if (home->num_pings_to_alive < 3) home->num_pings_to_alive = 3;
    if (home->num_pings_to_alive > 10) home->num_pings_to_alive = 10;

The documentation says that 3..10 are *useful* ranges, but doesn't mention that everything else is forbidden. In particular, I would like to use 1, not 3. The idea is: the server was dead before, but now it managed to send a reply back - so it must have been fixed. I would like to mark it alive immediately. Is that unreasonable?

Greetings,

Stefan Winter
Re: Send response to client
Hi,

On 27.06.2011 07:55, Christ Schlacta wrote:
> is it at all possible to send a message to a windows 7 or windows vista client that the client is guaranteed to see when authentication is rejected?
>
> more details:
> wireless WPA2-EAP-TLS

There is no such guarantee. RADIUS ends at the access point; from then on, everything must be fitted into an EAPoL exchange. I'm not aware of any supplicant that processes EAP-Notifications at the time of rejection, and also not aware that an Access Point would encapsulate a Reply-Message into such a notification. Even if there was a supplicant and AP to do that, you couldn't be sure that the end device is actually using that supplicant.

Greetings,

Stefan Winter

> on a Ubiquiti PicoStation 2 firmware 5.3.2 (I believe it includes some form of hostapd, but I'm not sure which version)
> Freeradius Version 2.1.9
> Clients running Windows 7 or Windows Vista with no special software installed.
>
> the procedure is OS, Wired Driver, ethernet cable, Windows Update once for drivers, Wireless certificate, connect to Wifi, (Note this point) finish updates. It's at the "Note this point" point that I want the clients to be able to receive a rejection response with some level of certainty. What users add to their system later is welcome to break it, if they're willing to deal with it.
Re: Failed creating handler
Hi,

> I'm running FreeRADIUS 2.1.11 on Gentoo compiled with specific patches (qafixes, versionless, pkglibdir) and a small patch of my own (byminute, adds an extra var in xlat.c, nothing big). I'm experiencing a weird crash of which I've found absolutely nothing online: "Failed creating handler". Source code says this one comes from src/main/event.c when calling fr_event_insert() but I can't figure out anything else.

My new 2.1.11 died after about 24h of happy RADIUSing - twice now. It's too busy to run -X, so I don't have a lot of logs. radius.log logs the last previous auth OK - and then the process is gone. Would this behaviour fit to this problem cause? Worth trying the usec fix in GIT?

Greetings,

Stefan Winter

> The server does decoupled accounting: one site has only one module in accounting, rlm_detail, and the other listens on the detail logs with only one module in accounting, rlm_python. cleanup_delay is 5, max_requests 10240, 16 threads, max_requests_per_server = 1500
>
> Any idea what could be the problem?
>
> tx,
> amne
Re: Version 2.1.11 has been released
Hi,

a similar issue with the config parser here... The following worked nicely in 2.1.10, but barks with "Unexpected text else" (and with the obvious change to elsif, "Unexpected text elsif").

    if ( "%{NAS-Identifier}" == "ejabberd" ) {
        update request {
            RESTENA-Service-Type = "Staff-Jabber"
        }
    } else if ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) {
        update request {
            RESTENA-Service-Type = "Staff-AAI"
        }
    } else
        update request {
            RESTENA-Service-Type = "Staff-%{client:staff_type}"
        }

But... what's wrong with that? How would I have to fix the syntax to be acceptable? Apologies for not spotting it earlier... I run 2.1.x on a test server, but the test server's config is only slightly more simple than the production one - it has no else in that authorize block.

Stefan Winter

On 20.06.2011 16:47, Alan Buxey wrote:
> Hi,
>
>> It's been a long time since 2.1.10. We're happy to release version 2.1.11, which has many useful new features, and a number of minor bugs fixed.
>
> yay! :-) virtual champagne cork released
>
> however, a nice quirky change in config parser means that any unlang style code with an 'if' condition check that ends with no space before curlies, eg
>
>     if (condition){
>
> rather than
>
>     if (condition) {
>
> causes the daemon to not start... quick one-line config changer on the command line is:
>
>     sed -i -e 's/){/) {/g' *
>
> this fixed at least 45 instances of such coding style in my virtual servers
>
> alan
Re: Version 2.1.11 has been released
Hello Alan, all,

thanks for that quick lesson :-) I stand corrected; and with the right ordering, things are now working as they should. I did wonder a few times why that attribute RESTENA-Service-Type wasn't properly populated in some cases :-) But no bad things happened, just things being logged into a different directory than expected.

Thanks again,

Stefan

On 21.06.2011 11:53, Alan DeKok wrote:
> Stefan Winter wrote:
>> a similar issue with the config parser here... The following worked nicely in 2.1.10, but barks with "Unexpected text else" (and with the obvious change to elsif, "Unexpected text elsif").
>>
>>     if ( "%{NAS-Identifier}" == "ejabberd" ) {
>>         update request {
>>             RESTENA-Service-Type = "Staff-Jabber"
>>         }
>>     } else
>
> Except that's wrong... it doesn't do what you want! The else is ignored.
>
>> But... what's wrong with that? How would I have to fix the syntax to be acceptable?
>
> $ man unlang
>
> :)
>
> Everything needs to go on its own line:
>
>     if (...) {
>         ...
>     }
>     elsif (...) {
>         ...
>     }
>
> Using "} elseif" won't work. The elsif will *always* be ignored.
>
> Alan DeKok.
Mysql Errors
Hi,

is there an option to turn just SQL errors and warnings on, to be written to disk?

We are running 300 to 1000 Auth requests per second (plus about 2-3000 Acct). In some rare cases, FR seems to ignore the reply attributes which are coming from the DB. In those cases, we give the user a clean reject. The Reply-Message reports 'no Ticket', which should be reported only if there is currently no Ticket available.

My opinion is that it's not FR ignoring attributes, but SQL simply not delivering them ... from time to time, possibly due to timeouts. I assume that FR would recognise it by reporting some timeouts or other errors/warnings, but to get them I need the debug mode, which is too hard to get written to disk at that transaction rate.

Our FR does MySQL redundant load balancing via 6 mysqld to a MySQL Cluster with memory tables only.

Thanks.

Stefan
Re: New FreeRADIUS wiki - Help appreciated!
Hi,

> The github Facebook logins will work, so it should be *much* easier for people to contribute to the Wiki.

Ah! Federated login! Any plans to add OpenID? I have this nice OpenID provider hanging around here...

Stefan
Re: New FreeRADIUS wiki - Help appreciated!
Hi,

> Sure... but we have to hard-code the URL, and register the app. That takes ~10 min, but it needs to be done.
>
> Alan DeKok.

OpenID is different from OAuth (or SAML): it is completely self-asserted. If you enable OpenID on your resource, the user is asked "Which URL can authenticate you?" - the user enters it, gets redirected there, and comes back with some token when done. So, my identity on OpenID is for example https://clueless.restena.lu/swinter - and that's the input I provide.

The concept is kind of cute, but some people are scared by the self-assertedness of identity.

Stefan
unlang Question about evaluating unavailable attributes to FALSE
Hi,

if I'm using an expression like

    if (control:VSA1 =~ /something/ || control:VSA2 =~ /something_else/) {...}

I do get the information "(Attribute control:VSA1 was not found)" in case the VSA is not in the control context. As the condition is '||', I would expect that FR tries the next option, but it does not. It sets the whole expression to FALSE.

If I exchange the options, it works for me, because VSA2 is always available.

    if (control:VSA2 =~ /something/ || control:VSA1 =~ /something_else/) {...}

If I preset VSA1, it works too, but will add slightly more load.

Is there a solution for the missing attribute to be ignored in '||' conditions, i.e. setting it discretely to FALSE, so that FR is able to evaluate the rest of the || expression? Would this be advisable?

Thank you.

Stefan
Bug in proxy code with IPv6?
Hello,

this is about 2.1.10.

In my proxy.conf, I have two clauses for a host (see [1] and [2] below), once with ipaddr for IPv4 and once with ipv6addr for IPv6. If I set the pool to use the IPv4 one (see [3]), packets get proxied just fine. If I replace it with IPv6, no packet leaves the server (i.e. tcpdump on the FR machine sees no packet leaving) [4]. With tcpdump not seeing anything, I'm pretty sure that something's wrong inside FR - i.e. not a firewall problem. Host firewall is off anyway.

In -X [5], the server *says* it's going to proxy the packet, but a simultaneous tcpdump just doesn't see it, and there's no auth happening. As soon as I change the proxy pool definition back to the v4 variant, things start working again.

That's a bit strange...

Greetings,

Stefan Winter

[1] IPv4 proxy definition:

    home_server radius-int-1-v4 {
        type = auth+acct
        ipaddr = 158.64.X.Y
        port = 1812
        secret = ...
        response_window = 20
        zombie_period = 40
        revive_interval = 60
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
    }

[2] IPv6 proxy definition:

    home_server radius-int-1-v6 {
        type = auth+acct
        ipv6addr = 2001:a18:X:Y::Z
        port = 1812
        secret = ..
        response_window = 20
        zombie_period = 40
        revive_interval = 60
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
    }

[3] working pool (the non-working one only replaces -v4 with -v6):

    home_server_pool RESTENA-internal {
        type = fail-over
        home_server = radius-int-1-v4
        home_server = ... more servers ...
    }

[4] access point tries to auth user, packet goes into FR server, but nothing leaves; in non-proxy operation, server works nicely, see Status-Server reply:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    14:45:50.592669 IP ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x24 length: 226
    14:45:54.644141 IP ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x44 length: 226
    14:45:55.590066 IP ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x24 length: 226
    14:45:56.985799 IP haldir.restena.lu.59546 > galadriel.restena.lu.radius: RADIUS, Status Server (12), id: 0x00 length: 38
    14:45:56.986208 IP galadriel.restena.lu.radius > haldir.restena.lu.59546: RADIUS, Access Accept (2), id: 0x00 length: 20

[5] -X:

    Ready to process requests.
    rad_recv: Access-Request packet from host 158.64.A.B port 3072, id=126, length=226
        User-Name = certuser-2010-...@restena.lu
        Service-Type = Framed-User
        NAS-IP-Address = 158.64.A.B
        NAS-Port = 3
        NAS-Port-Id = 3
        Called-Station-Id = 00-A0-57-16-91-27:eduroam-restena
        Calling-Station-Id = 64-B9-E8-A0-2E-A4
        Connect-Info = CONNECT 54 Mbps 802.11g
        NAS-Identifier = ap-2.rest
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1500
        EAP-Message = 0x020100210163657274757365722d323031302d3030314072657374656e612e6c75
        Message-Authenticator = 0x181d5b6f8959d9d079807ea00c77bcbc
    server eduroam {
    # Executing section authorize from file /usr/local/freeradius/config//raddb/sites-enabled/eduroam
    +- entering group authorize {...}
    ++[request] returns notfound
    [auth_log]  expand: /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail -> /var/log/radius/radacct/20110511/eduroam-lu-service/auth-detail
    [auth_log] /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail expands to /var/log/radius/radacct/20110511/eduroam-lu-service/auth-detail
    [auth_log]  expand: %t -> Wed May 11 14:57:05 2011
    ++[auth_log] returns ok
    [suffix] Looking up realm restena.lu for User-Name = certuser-2010-...@restena.lu
    [suffix] Found realm restena.lu
    [suffix] Adding Realm = restena.lu
    [suffix] Proxying request from user certuser-2010-001 to realm restena.lu
    [suffix] Preparing to proxy authentication request to realm restena.lu
    ++[suffix] returns updated
    } # server eduroam
    # Executing section pre-proxy from file /usr/local/freeradius/config//raddb/sites-enabled/eduroam
    +- entering group pre-proxy {...}
    ++- entering policy cui_pre-proxy {...}
    +++? if (Packet-Type == Access-Request)
    ? Evaluating (Packet-Type == Access-Request) -> TRUE
    +++? if (Packet-Type == Access-Request) -> TRUE
    +++- entering if (Packet-Type == Access-Request) {...}
        expand: modules.sql[cui].sp_operator_name -> modules.sql[cui].sp_operator_name
        expand: 1%{config:modules.sql[cui].sp_operator_name} -> 1restena.lu
    [proxy-request] returns noop
    +++- if (Packet-Type == Access-Request) returns noop
    ++- policy cui_pre-proxy returns noop
    [pre_proxy_log]  expand: /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/pre-proxy-detail -> /var/log/radius/radacct/20110511/eduroam-lu-service/pre-proxy-detail
    [pre_proxy_log] /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/pre-proxy-detail expands to /var/log/radius/radacct/20110511/eduroam-lu-service/pre-proxy-detail
    [pre_proxy_log]  expand: %t -> Wed
Re: Bug in proxy code with IPv6?
Hi,

>> That's a bit strange...
>
> Bug #143, fixed in the v2.1.x branch.
>
> Alan DeKok.

Cool! Looking forward to 2.1.11...

Stefan