Replicator - PostgreSQL for DB backend
Hi Peter,

We use a modified (well hacked) version of PostgreSQL Replicator and have experienced no significant problem. These were our primary DBMS replication requirements:

1. We needed a solution to operate securely within our distributed data environment: 100 physical locations, and 10,000 virtual datamarts.
2. We needed a replication topology that was scalable and reliable with no single-point-of-failure, as present in most DBMS Replication topologies. (Another reason why MySQL was not attractive, as at the time only master-slave replication was supported)
3. We required the ability to do asynchronous queries.
4. We required the metadata catalog and file replica catalog to be distributed yet appear virtually centralized.
5. Since we were creating a virtual metadata catalog and a unique autonomous security monitoring and incident handling system, access to all of the source code was required.

After looking at a few others... DBBALANCER http://dbbalancer.sourceforge.net/ we picked PostgreSQL Replicator http://pgreplicator.sourceforge.net/ and made a few customized changes to the source to accommodate our unique security monitoring and incident handling system.

I am now in the early stages of planning a complete design of our own PostgreSQL DBMS replicating technology featuring our autonomous security monitoring and incident handling method. I am not sure if the project will be public or private.

On 14 Jul 2003 at 16:44, Peter Nixon wrote:

> On Mon, 14 Jul 2003 04:24 pm, Bernie, CTA wrote:
> > On 14 Jul 2003 at 10:30, Peter Nixon wrote:
> > > Hi List
> > >
> > > I would like to take a quick straw poll.
> > >
> > > a) If you use a Database backend for FreeRadius which one do you use?
> >
> > We are a BSDi / Open BSD environment
> >
> > Accounting - Redundant Postgres DB == to other DBMS such as MySQL, Oracle it's:
> > 1. No license fee
> > 2. Less Security Vulnerabilities
> > 3. Easier to replicate
> > 4. Lends to a Decentralized / Virtually Centralized DBMS topology, which is better for security applications
> > 5. Better Transaction Processing Performance
> > 6. Less overhead
> > 7. Control of source
> > 8. Scales well
> > 9. Faster
>
> Yep. No arguments from me on these :-)
>
> For general purpose DB work Postgres pretty much walks all over the competition when you take all these factors into account. I can only imagine needing to pay for a commercial DB if I was handling Terabytes of data. (Postgres happily handles many gigabytes of data per table for me currently)
>
> Do you mind telling me what replication system you use (Postgres has several) and how you find it? Are there any gotchas/problems? (I currently run my DBs standalone as I simply don't have the reliability issues with postgres that used to force me to replicate/cluster my MySQL boxes..)
>
> TIA

--
- Bernie
Chief Technology Architect
Chief Security Officer
[EMAIL PROTECTED]
Euclidean Systems, Inc.
***
// There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking.
// Honest thought, the real business capital.
// Observe Think Plan Think Do Think
***

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Replicator - PostgreSQL for DB backend
On 16 Jul 2003 at 8:54, Sean wrote:

> On Wed, 16 Jul 2003, Bernie, CTA wrote:
> > We use a modified (well hacked) version of PostgreSQL Replicator and have experienced no significant problem.
>
> big scissors
>
> Just out of curiosity, I am wondering why postgres looked like a better solution than an ldap based solution. LDAP is supposed to be scalable and replicable, and designed for mostly read-only data which to me is what you were looking for.
>
> Don't get me wrong, I can also see where replicable postgres stuff would be nice and I would be interested in it for another project (that quite possibly will never get off the ground), but the first read through your requirements seemed like it was screaming ldap =)

Well, for starters we could not tolerate the security vulnerabilities found in certain LDAP implementations, which if exploited could result in denial-of-service attacks and unauthorized privileged access. Furthermore, I believe that the overhead involved implementing and maintaining an LDAP solution cannot be justified when considering security, performance and economics.

- Bernie
Re: User Survey - Which DB backend do you use?
On 14 Jul 2003 at 10:30, Peter Nixon wrote:

> Hi List
>
> I would like to take a quick straw poll.
>
> a) If you use a Database backend for FreeRadius which one do you use?

We are a BSDi / Open BSD environment

Accounting - Redundant Postgres DB == to other DBMS such as MySQL, Oracle it's:
1. No license fee
2. Less Security Vulnerabilities
3. Easier to replicate
4. Lends to a Decentralized / Virtually Centralized DBMS topology, which is better for security applications
5. Better Transaction Processing Performance
6. Less overhead
7. Control of source
8. Scales well
9. Faster

Auth/Authr - Multiple flat files crypted pass (by Realm) with custom admin system (1000 and 5000 users per Realm / Group)
Reason: Compared to DBMS it's:
1. Faster
2. Easier to Maintain
3. More Reliable
4. More Secure
5. Independent Fault Tolerant
6. More flexibility for customization.

> b) If you do not use a DB backend for FreeRadius, but do have a DB on your server or in your rack, what DB is it?

see A

> c) If you do not use a DB backend for FreeRadius, but do have a DB on your server or in your rack, why don't you use it as a backend to FreeRadius?

see A

> Please reply to this thread on the mailing list or to me directly (I am one of the developers) if you wish to keep the info private. I will post a summary in a few days.
>
> Thanks in Advance
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc

- Bernie
Re: freeRadius AP on same physical machine. Possible?
On 31 Mar 2003, at 0:00, Nikhil Chauhan wrote:

> Hello:
>
> Is it possible that freeRadius and AP functionality (on a WLAN NIC card) be on the same physical machine... Comments appreciated.

It is possible to have both Radius and an AP on the same physical machine, at least for those running a flavor of BSD. We have built one, incorporating two Network Interfaces, to research and test our wireless security technology. However, I advise that doing this for any production design would not be wise, as there is no easy way to keep the AP daemon and users in jail (insulated / isolated). A User or Trojan code could gain access to the system's resources through conceivably exploitable vulnerabilities in the AP application/interface, and thus attack or bypass freeradius's authentication/authorization structure.

IMO - From a security point of view, best practice is to keep the Radius Authentication/Authorization and Accounting on separate and dedicated machines.

- Bernie
Re: strange behaviour during PAP authentication
take two...

On 31 Mar 2003, at 21:10, Jochen Kaiser wrote:

> Dear List,
>
> I am experiencing a strange behaviour during pap authentication. I tried this with freeradius 0.7 and 0.8.1, both running under freebsd 4.7.
>
> My steps:
>
> 0. preparation of radiusd.conf
>    under modules section:
>        pap {
>            encryption_scheme = crypt
>        }
>    under authentication section:
>        authtype PAP {
>            pap
>        }
>
> 1. create an account in users file:
>        perl -e 'print crypt(passwort,aa) '
>        aaFO1iP18KyBk
>
>    [Here the relevant part of the 'users' file:]
>    [...]
>    cryjk   Auth-Type := pap, User-Password == aaFO1iP18KyBk
>            Idle-Timeout := 3000
>    [...]

try:

    [user]  Auth-Type := PAP, Crypt-Password == [crypted password]

- Bernie
Re: strange behaviour during PAP authentication
On 31 Mar 2003, at 21:46, Jochen Kaiser wrote:

> THX for your hint, at least the try ;-)
>
> [users]
> cryjk   Auth-Type := pap, Crypt-Password == aaFO1iP18KyBk
>         Idle-Timeout := 3000

Also, you can not generate the crypt password with

    perl -e 'print crypt(passwort,aa) '

Use:

    cryptpasswd --des passwort

and get...

    f4TGeVz4/0dxs

- Bernie
Re: R: R: R: R: system architecture
On 25 Nov 2002, at 12:04, Maurizio Martinoli wrote:

> From: Maurizio Martinoli [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: R: R: R: R: system architecture
> Date sent: Mon, 25 Nov 2002 12:04:23 +0100
>
> I am only talking about the authentication, I am not talking about the transferred data, don't worry. If the AP works just as a HUB what kind of machine should I have between the AP and the RADIUS?

At min... If the AP is local to the Radius Server, i.e., on the same LAN, then a HUB or Switch. If remote, then a Router or wireless gateway to some infrastructure (RF/T1 etc), to physical location of Radius. More complex topologies will include a FW between the AP and Radius

bernie
[EMAIL PROTECTED]

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Simon White
> Sent: Monday 25 November 2002 11.59
> To: [EMAIL PROTECTED]
> Subject: Re: R: R: R: system architecture
>
> 25-Nov-02 at 11:51, Maurizio Martinoli ([EMAIL PROTECTED]) wrote :
> > well if my AP does not support RADIUS then there should be a middle machine that takes the packets from the AP, encapsulates them in RADIUS format and sends them to the RADIUS server. What I don't understand is what kind of software this machine should have. Could you tell me?
>
> Eh? You're missing the point of authentication I think. You are surely not going to authenticate EVERY packet via Radius are you? You usually use authentication to determine whether someone even gets an IP to be able to use the network in the first place, you can't send every packet through some kind of approval server...!
>
> --
> |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
> |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: NAS with dynamic IP
On 8 Nov 2002, at 12:59, Joost wrote:

> From: Joost [EMAIL PROTECTED]
> Subject: NAS with dynamic IP
> To: [EMAIL PROTECTED]
> Date sent: Fri, 08 Nov 2002 12:59:39 +0100
>
> Hi,
>
> Is it possible to allow NASes (clients) with a dynamic IP address? How do I have to config the clients.conf file (or something else) to do so?
>
> Thanks!
>
> BR

Use a secure NAT box with RFC1918 IP space in front of your Clients. Otherwise, why would you not want RADIUS to freely decide who it is authorized to talk to?

bernie
[EMAIL PROTECTED]

> Joost

This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. This communication may contain material protected by the attorney-client privilege. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error, please immediately notify the sender by email.
Re: Simultaneous-User Questions
On 5 Nov 2002, at 14:44, WA Support wrote:

> From: WA Support [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Simultaneous-User Questions
> Date sent: Tue, 05 Nov 2002 14:44:19 -0700
>
> What I want to do is check for username and called-station-id. The NAS reports this back to freeradius, since it is recorded in the detail file. It should be very simple to rework the source for freeradius, i.e., radiusd.c, and check for both the username and the called-station-id, right?

If all you want to do is to check username and called-station-id, then why not use some regex logic:

    proxy to here...
    # Can we talk?
    tester  Auth-Type := Reject, Called-Station != number
    # Good, then let me in?
    tester  Auth-Type := XYZ, Password == letmein, Simultaneous-Use := 1
            Fall-Through = Yes
    DEFAULT ... etc

bernie
[EMAIL PROTECTED]

> But, from the perl world, checkrad.pl is used to check for simultaneous use, according to the docs that came with freeradius. However, I can not see that anything calls checkrad.pl. Does anyone know what does call checkrad.pl?
>
> Thanks,
> Murrah Boswell
>
> Alan DeKok wrote:
> > WA Support [EMAIL PROTECTED] wrote:
> > > What I am trying to do is support the case where I have a user at IPS1 with the same username as a user at IPS2.
> >
> > For general information about this situation, see: doc/duplicate-users
> >
> > > From what I can read, freeradius just queries the CVX (in this case) for the username and if it sees a session with that username, it will not allow another one, correct?
> >
> > Yes.
> >
> > > How can I make freeradius check for the username AND the Called-Number?
> >
> > No, it checks whether a specific user has logged into a specific port.
> >
> > The issue appears to be that you want to keep track of users locally by information OTHER than their username, but to check for Simultaneous-Use on the NAS by username and NAS port.
> >
> > I'm not sure how to do this right now.
> >
> > Alan DeKok.
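The users-file fragments in this thread and in the PAP thread above behave differently for a reason that is easy to miss: a check item such as User-Password == <hash> compares the cleartext the NAS sent against the hash string and so never matches, Crypt-Password is instead handed on to the PAP stage, and a Reject entry only shields later entries when it does not fall through. The following Python model of the rlm_files walk is an added example, not FreeRADIUS code or anything from the thread; the Called-Station-Id attribute name, the DEFAULT entry and the rule that a comparison against an attribute missing from the request fails are assumptions.

```python
import re

# Constructed users-file sample (not the thread's files verbatim): entries one
# and two mirror the Crypt-Password question, the rest the Called-Station reject
# idea; Called-Station-Id is assumed for the "Called-Station" shorthand.
USERS_FILE = """\
cryjk   Auth-Type := PAP, User-Password == aaFO1iP18KyBk
cryjk2  Auth-Type := PAP, Crypt-Password == aaFO1iP18KyBk
        Idle-Timeout := 3000
tester  Auth-Type := Reject, Called-Station-Id != 5551212
tester  Auth-Type := PAP, Crypt-Password == f4TGeVz4/0dxs, Simultaneous-Use := 1
        Fall-Through = Yes
DEFAULT Service-Type == Framed-User
        Framed-MTU = 1500
"""

ITEM_RE = re.compile(r"^\s*([\w-]+)\s*(:=|==|!=|=)\s*(\S+)\s*$")
# Not compared literally with the request: the PAP stage checks these hashes later.
PASSWORD_CHECKS = {"Crypt-Password"}

def parse_items(text):
    """'A := 1, B == x' -> [('A', ':=', '1'), ('B', '==', 'x')]."""
    return [m.groups() for m in map(ITEM_RE.match, text.split(",")) if m]

def parse_users(text):
    """Return [(name, check_items, reply_items)]; an indented line adds reply
    items (Fall-Through among them) to the entry above it."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append((name, parse_items(rest), []))
    return entries

def match_request(entries, request):
    """Walk entries like rlm_files: '=='/'!=' items are compared with the request,
    ':=' items become control attributes, and the walk stops at the first match
    unless its reply says Fall-Through. Assumed: a missing request attribute fails."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        pending, ok = {}, True
        for attr, op, val in checks:
            if op == ":=" or attr in PASSWORD_CHECKS:
                pending[attr] = val          # control item, e.g. Auth-Type
            elif op == "==":
                ok = ok and request.get(attr) == val
            elif op == "!=":
                ok = ok and attr in request and request[attr] != val
        if ok:
            control.update(pending)
            reply.update({a: v for a, _, v in replies if a != "Fall-Through"})
            if ("Fall-Through", "=", "Yes") not in replies:
                break
    return control, reply
```

A request from a NAS that omits Called-Station-Id skips the != entry under the stated assumption and reaches the allow entry, which is the case to test before relying on this construction.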
Re: sighup kills radiusd
On 24 Oct 2002, at 23:37, Aragon Gouveia wrote:

> From: Aragon Gouveia [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: sighup kills radiusd
> Date sent: Thu, 24 Oct 2002 23:37:18 +0200
>
> | By CTA [EMAIL PROTECTED]
> | [ 2002-10-24 22:42 +0200 ]
> > Looks like you have a problem with GDB/KDE (3.0?) on FreeBSD-4.5 ?, etc, or memory leak in one of your libs. Get the latest FBSD and KDE source and re-build.
>
> Am running 4.7-RELEASE (no KDE). You reckon rebuilding from latest RELENG_4 tree will solve it?

Good start, as 4.7 had a broken lib. Also, be sure to have 128m RAM, and that radiusd is not loaded by inetd. Use HUP pid to kill and/or kick the daemon. Lastly, don't run as a root process, e.g., make user/group radius. Once you tweak BSD you will find that FreeRad on BSD outruns Linux 2 : 1.

good luck...

bernie
[EMAIL PROTECTED]

> Regards,
> Aragon
Re: sighup kills radiusd
On 24 Oct 2002, at 14:12, Chris Parker wrote:

> To: [EMAIL PROTECTED]
> From: Chris Parker [EMAIL PROTECTED]
> Subject: Re: sighup kills radiusd
> Date sent: Thu, 24 Oct 2002 14:12:37 -0500
>
> At 08:41 PM 10/24/2002 +0200, Aragon Gouveia wrote:
> > | By Chris Brotsos [EMAIL PROTECTED]
> > | [ 2002-10-24 17:49 +0200 ]
> > > You will actually want to run the server via gdb.
> > >
> > > gdb /path/to/radiusd/radiusd
> > > gdb set args -x -x
> > > gdb run
> >
> > Neat. Here's the output:
> >
> >     GNU gdb 4.18 (FreeBSD)
> >     Copyright 1998 Free Software Foundation, Inc.
> >     GDB is free software, covered by the GNU General Public License, and you are
> >     welcome to change it and/or distribute copies of it under certain conditions.
> >     Type "show copying" to see the conditions.
> >     There is absolutely no warranty for GDB.  Type "show warranty" for details.
> >     This GDB was configured as "i386-unknown-freebsd"...(no debugging symbols found)...
> >     (gdb) set args -x -x
> >     (gdb) run
> >     Starting program: /usr/local/sbin/radiusd -x -x
> >     [ snip ]
> >     Program received signal SIGHUP, Hangup.
> >     0x281139bc in _thread_sys_poll () from /usr/lib/libc_r.so.4
> >     (gdb) bt
> >     #0  0x281139bc in _thread_sys_poll () from /usr/lib/libc_r.so.4
> >     #1  0x28112db8 in _thread_kern_sched_state_unlock () from /usr/lib/libc_r.so.4
> >     #2  0x281126cf in _thread_kern_scheduler () from /usr/lib/libc_r.so.4
> >     #3  0x0 in ?? ()
> >     (gdb)
> >
> > Any ideas? :)
>
> Looks like a system problem to me. Sorry. :( Are you up on the latest system patches? I don't run FBSD so I can't give you much more help here.

Looks like you have a problem with GDB/KDE (3.0?) on FreeBSD-4.5 ?, etc, or memory leak in one of your libs. Get the latest FBSD and KDE source and re-build.

bernie
[EMAIL PROTECTED]

> -Chris
> --
> Chris Parker, Director, Engineering
> StarNet Inc. - WX *is* Wireless!
> http://www.starnetwx.net
> (847) 963-0116
> Wholesale Internet Services - http://www.megapop.net