Re: Capturing Access-Reject data in the radpostauth table
Aaron Paetznick wrote:
> I'm sorry, your explanation wasn't clear to me. How can I expose
> Module-Failure-Message to or reference Module-Failure-Message within
> rlm_sql?
>
> This, also, didn't work for me:
>
> post-auth {
>   ...
>   Post-Auth-Type REJECT {
>     update reply {
>       Reply-Message += "You got: %{Module-Failure-Message}"
>     }

  OK... if the Module-Failure-Message doesn't exist, it won't work.

  But the log message *uses* it:

Login incorrect (rlm_pap: CLEAR TEXT password check failed)

  The text between the () *is* the Module-Failure-Message attribute.
See src/main/auth.c.

  So we know it exists, the previous log message you posted shows it.
And the server core doesn't delete it, so it *should* always exist
after the PAP module creates it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
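The parenthesised text in "Login incorrect (...)" is the same reason string the thread is trying to land in radpostauth. As an added example (not part of the thread and not FreeRADIUS code), the Python below parses constructed radius.log lines of that shape, pulls the module failure message out, and loads each result into a radpostauth-style SQLite table with the extra message and nasipaddress columns Aaron described, so reject reasons can be counted per message. The log line layout, the sample lines, the table definition and the function names are all assumptions made for the example; the log only names the client, so that is what goes into nasipaddress here, where rlm_sql would use %{NAS-IP-Address}.

```python
"""Added example (not FreeRADIUS code): pull the module failure reason out of
FreeRADIUS 2.x "Login incorrect (...)" log lines and load the results into a
radpostauth-style SQLite table that has 'message' and 'nasipaddress' columns."""
import re
import sqlite3
from datetime import datetime

# Constructed sample lines in the shape FreeRADIUS 2.x writes to radius.log
# when "auth = yes" is set in radiusd.conf.  The text in parentheses after
# "Login incorrect" is what the server carries as Module-Failure-Message.
SAMPLE_LOG = """\
Wed Apr 28 14:57:00 2010 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [aaron] (from client nas1 port 0)
Wed Apr 28 14:57:01 2010 : Auth: Login OK: [aaron] (from client nas1 port 0)
Wed Apr 28 14:57:02 2010 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [bob] (from client nas1 port 0)
Wed Apr 28 14:57:03 2010 : Auth: Invalid user: [carol] (from client nas2 port 5 cli 00-11-22-33-44-55)
Wed Apr 28 14:57:04 2010 : Info: WARNING: Child is hung for request 383.
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"(?P<result>Login OK|Login incorrect|Invalid user)"
    r"(?: \((?P<reason>[^)]*)\))?: "        # optional Module-Failure-Message
    r"\[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)


def parse_auth_line(line):
    """Return a dict for an Auth: line, or None for any other log line."""
    m = AUTH_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    # With password logging on, the bracket holds "user/password"; keep only
    # the user part (assumes usernames do not contain '/').
    rec["user"] = rec["user"].split("/", 1)[0]
    rec["reply"] = "Access-Accept" if rec["result"] == "Login OK" else "Access-Reject"
    return rec


def build_postauth_db(lines, path=":memory:"):
    """Create the extended radpostauth table and load every Auth: line into it."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS radpostauth ("
        " id INTEGER PRIMARY KEY, username TEXT NOT NULL, reply TEXT NOT NULL,"
        " authdate TEXT NOT NULL, message TEXT, nasipaddress TEXT)"
    )
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        # The log only names the client ("from client ..."), so that goes into
        # nasipaddress here; rlm_sql would use %{NAS-IP-Address} instead.
        conn.execute(
            "INSERT INTO radpostauth (username, reply, authdate, message, nasipaddress)"
            " VALUES (?, ?, ?, ?, ?)",
            (rec["user"], rec["reply"], rec["ts"].isoformat(sep=" "),
             rec["reason"], rec["client"]),
        )
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM radpostauth").fetchone()[0]


def reject_reasons(conn):
    """Reject counts per module failure message, most frequent first."""
    return conn.execute(
        "SELECT COALESCE(message, '(no module message)') AS reason, COUNT(*) AS n"
        " FROM radpostauth WHERE reply = 'Access-Reject'"
        " GROUP BY reason ORDER BY n DESC, reason"
    ).fetchall()


if __name__ == "__main__":
    db = build_postauth_db(SAMPLE_LOG.splitlines())
    for reason, n in reject_reasons(db):
        print(f"{n:4d}  {reason}")
```

Rows with a NULL message are rejects that never reached a module that sets Module-Failure-Message (the "Invalid user" line in the sample), which is the same gap Alan describes for the attribute itself: it is only there when a module put it there.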
Re: Is this Install Guide Complete?
Huckle Berry wrote:
> I have a server that is running a relatively clean install of Ubuntu
> 9.10 Server. Due to the known licensing issue restrictions I cannot
> simply use the debian freeradius package.

  This was fixed in 2.1.8.

> I would like to know if the
> following outline would install freeradius with support for SSL on my
> server. Comments from those who actually run freeradius on Ubuntu 9.10
> server would be appreciated.

http://wiki.freeradius.org/Build

  Has instructions for building on debian && ubuntu. I've updated the
Wiki to reflect this.

> These have been the instructions that I have garnered from the Internet
> at large, yet I doubt they are complete. Is there anything the
> freeradius community would like to add?

  Please check out the wiki: type "ubuntu", and the second or third page
is "build", with text about building debian packages.

  Alan DeKok.
Is this Install Guide Complete?
I have a server that is running a relatively clean install of Ubuntu 9.10
Server. Due to the known licensing issue restrictions I cannot simply use
the debian freeradius package. I would like to know if the following
outline would install freeradius with support for SSL on my server.
Comments from those who actually run freeradius on Ubuntu 9.10 server
would be appreciated.

$ cd ~
$ apt-get source freeradius
$ cd ./freeradius-2.1.0+dfsg

[change ./debian/rules as follows:
 change
   --without-rlm_eap_tls \
   --without-rlm_eap_ttls \
   --without-rlm_eap_peap \
 to
   --with-rlm_eap_tls \
   --with-rlm_eap_ttls \
   --with-rlm_eap_peap \
 change
   --without-openssl \
 to
   --with-openssl \
]

[change ./debian/control
 add 'libssl-dev' to the end of the line that starts 'Build-Depends:'
]

$ fakeroot dpkg-buildpackage -b -uc
$ sudo dpkg -i ../freeradius_2.1.0-0_i386.deb

These have been the instructions that I have garnered from the Internet
at large, yet I doubt they are complete. Is there anything the freeradius
community would like to add?
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Correct. Just use JRadiusSimulator to make MS-CHAP and it works fine.

Thanks

-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Wednesday, 28 April 2010 20:59
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Pedro Alves wrote:
> This is the test with AD user:
>
> AP#test aaa group radius userad userpass new-code
> Trying to authenticate with Servergroup radius
> User rejected
>
> rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52
>         User-Password = "userpass"
>         User-Name = "userad"
>         NAS-IP-Address = xx.xx.xx.xx

  So... you're not doing MS-CHAP. Why is this message useful?

  Again... the Active Directory howto you were pointed to *documents*
this. Go read it and follow the steps. If you don't follow the
documentation, you probably won't be able to solve the problem.

  Alan DeKok.
Re: Error logs on freeradius 2.1.8
Alan DeKok wrote:
> Oninz Unix wrote:
>
>> I know some of the threads are almost similar to my problem, but let
>> me send some logs from my freeradius logs.
>>
>> Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 383.
>> Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 382.
>> Tue Apr 27 17:59:45 2010 : Info: WARNING: Child is hung for request 379.
>> Tue Apr 27 17:59:46 2010 : Info: WARNING: Child is hung for request 383.
>> Tue Apr 27 17:59:48 2010 : Info: WARNING: Child is hung for request 377.
>
> ...
>
>> Error: WARNING: Unresponsive child for request 384, in module
>> sql2_redundant component accounting
>
> ...
>
>> I hope you could help me where to start to debug and solve the problem.
>
>
>   You have a firewall between the RADIUS server and database. The
> firewall is dropping the RADIUS -> database TCP connections.
>
>   I have *no* idea why anyone thinks this is a good idea. The firewall
> (if any) should be configured to allow ANY TCP (RADIUS -> DB : port).
> But many people create rules allowing only "established" TCP
> connections, and then the firewall helpfully loses track of which
> sessions are established.
>
>   Stop breaking your network.

Somewhat off topic, but relevant.

This is a generic problem with firewalls, and there appears to be no
solution which the security paranoid will accept. If you think this is
bad, try working with a mob who insist on dropping all ICMP traffic
(including frag required) at some or all firewalls.

Firewalls are normally configured to drop any established connection
from the tables where no traffic is sent for a configurable time. This
is to stop the tables growing uncontrollably.

If you are in this unfortunate position your only solution is to enable
TCP keepalive on all connections, and reduce the TCP keepalive timer to
below the firewall's connection drop timer.

-- 
REALITY.SYS not found: Universe halted.
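The keepalive advice above is the whole fix: the kernel sends a probe on the idle session before the firewall's idle timer expires the flow. As an added example (not from the thread and not FreeRADIUS or MySQL client code), the Python below sets the three keepalive timers on a socket, reads back what the kernel applied, and checks the chosen values against an assumed firewall idle timeout. The option names are the Linux ones (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT); the 120 second firewall timeout and the function names are constructed for the example.

```python
"""Added example (not FreeRADIUS code): keep an idle TCP session alive so a
stateful firewall between the RADIUS server and its database does not expire
the flow.  Linux option names; other platforms may lack some of them."""
import socket


def enable_keepalive(sock, idle=60, interval=10, count=3):
    """Turn on keepalive probes on `sock` and return the values read back.

    idle     seconds of silence before the first probe
    interval seconds between probes when no answer arrives
    count    unanswered probes before the kernel declares the peer dead
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    # Per-socket timers are Linux-specific (macOS only has TCP_KEEPALIVE for
    # the idle time); apply whichever constants this platform exposes.
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def probes_beat_firewall(idle, interval, firewall_idle_timeout):
    """True if the first probe, and one retry in case that probe is lost,
    both go out before the firewall's idle timer expires the flow."""
    return idle + interval < firewall_idle_timeout


def make_keepalive_socket(idle=60, interval=10, count=3):
    """Create an (unconnected) TCP socket with keepalive already configured,
    the way a DB client would before connect()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    return sock, enable_keepalive(sock, idle, interval, count)


if __name__ == "__main__":
    sock, applied = make_keepalive_socket(idle=30, interval=5, count=4)
    print(applied)
    # Constructed figure for illustration: a firewall that drops idle flows
    # after 120 s.  Check the real timeout on the device in front of the DB.
    print("ok" if probes_beat_firewall(30, 5, 120) else "keepalive too slow")
    sock.close()
```

A daemon whose database client library only sets SO_KEEPALIVE (or does not set it at all, which is something to check for the library in use) falls back to the system-wide Linux defaults in net.ipv4.tcp_keepalive_time, net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_probes; the default idle time of 7200 seconds is far longer than most firewall idle timeouts, so those sysctls are where the timer is lowered when the application cannot be changed.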
Re: Capturing Access-Reject data in the radpostauth table
I'm sorry, your explanation wasn't clear to me. How can I expose
Module-Failure-Message to or reference Module-Failure-Message within
rlm_sql?

This, also, didn't work for me:

post-auth {
  ...
  Post-Auth-Type REJECT {
    update reply {
      Reply-Message += "You got: %{Module-Failure-Message}"
    }
    attr_filter.access_reject
    sql
  }
  ...
}

--Aaron

On 4/28/2010 4:11 PM, Alan DeKok wrote:
>   If it exists, yes. It's added by the PAP module for authentication
> rejects. For authentication success... there's no failure message.
>
>> This is not true, at least in my case. See above. Maybe I need to take
>> extra steps to expose that attribute in another part of the config, or
>> maybe I need to reference it with some sort of prefix, I don't know.
>> That's why I'm asking.
>
>   I did explain that...
Re: Problem building on Debian 5.0.4 / 2.6.24-etchnhalf.1-686
Alan

Thanks! That did the trick. It was actually libreadline5 etc but you got
me in the right direction.

I tried to add this to the wiki but could not find a way to get a
login...

Much appreciated your speedy response anyhow.

Cheers

Tim

On 28/04/2010 09:50, Alan DeKok wrote:
> Tim Robinson wrote:
>> Hi all
>>
>> I am having problems building FR 2.1.8 on Debian 5.0.4
>>
>
>> radmin.c:437: warning: implicit declaration of function 'using_history'
>
> $ apt-get install libreadline libreadline-dev
>
>   Alan DeKok.

-- 
With Best Regards

Tim Robinson, Director
TxRx Communications Ltd
+44 1256 810630
Registered in England 6260998
Re: Capturing Access-Reject data in the radpostauth table
Aaron Paetznick wrote:
> On 4/28/2010 3:23 PM, Alan DeKok wrote:
>>
>>   Uh... did you update your schema to have a "message" column?
>
> Yes, I have extended my radpostauth table with columns to hold the
> message and the nasipaddress. It is working perfectly if I use
> '%{reply:Reply-Message}', but it is always empty if I use
> '%{Module-Failure-Message}' in the same INSERT. This is why I'm
> confirming if I should have access to '%{Module-Failure-Message}' within
> rlm_sql.

  If it exists, yes. It's added by the PAP module for authentication
rejects. For authentication success... there's no failure message.

> This is not true, at least in my case. See above. Maybe I need to take
> extra steps to expose that attribute in another part of the config, or
> maybe I need to reference it with some sort of prefix, I don't know.
> That's why I'm asking.

  I did explain that...

  Alan DeKok.
Re: Capturing Access-Reject data in the radpostauth table
On 4/28/2010 3:23 PM, Alan DeKok wrote:
>   Uh... did you update your schema to have a "message" column?

Yes, I have extended my radpostauth table with columns to hold the
message and the nasipaddress. It is working perfectly if I use
'%{reply:Reply-Message}', but it is always empty if I use
'%{Module-Failure-Message}' in the same INSERT. This is why I'm
confirming if I should have access to '%{Module-Failure-Message}' within
rlm_sql.

>   Module-Failure-Message is an attribute... just like anything else. If
> you can figure out how to store attributes into SQL, you can store
> Module-Failure-Message in SQL.

This is not true, at least in my case. See above. Maybe I need to take
extra steps to expose that attribute in another part of the config, or
maybe I need to reference it with some sort of prefix, I don't know.
That's why I'm asking.

--Aaron
Re: Capturing Access-Reject data in the radpostauth table
Aaron Paetznick wrote:
> Huh. Here's my complete SQL query:
>
> postauth_query = "INSERT INTO ${postauth_table} \
>   (username, pass, reply, authdate, message, nasipaddress) \
>   VALUES ( \
>   '%{User-Name}', \
>   '%{%{User-Password}:-%{Chap-Password}}', \
>   '%{reply:Packet-Type}', '%S', \
>   '%{Module-Failure-Message}', \

  Uh... did you update your schema to have a "message" column?

>   '%{NAS-IP-Address}')"
>
> I did not add this yet:
>
> post-auth {
>   ...
>   update reply {
>     Reply-Message += "You got: %{Module-Failure-Message}"
>   }
>   ...
> }

  I said that was for testing. Did you try it for testing?

  It's an example of using the attribute... you *will* need to make sure
you use it in the appropriate manner for what you want. See "man unlang"
for documentation on what the above example does. Hint: it doesn't have
anything to do with SQL.

> Do I need that entry in the post-auth block? %{Module-Failure-Message}
> doesn't seem to be available by default in rlm_sql.

  I have no idea what this means.

  Module-Failure-Message is an attribute... just like anything else. If
you can figure out how to store attributes into SQL, you can store
Module-Failure-Message in SQL.

  Alan DeKok.
Re: Capturing Access-Reject data in the radpostauth table
Huh. Here's my complete SQL query:

postauth_query = "INSERT INTO ${postauth_table} \
  (username, pass, reply, authdate, message, nasipaddress) \
  VALUES ( \
  '%{User-Name}', \
  '%{%{User-Password}:-%{Chap-Password}}', \
  '%{reply:Packet-Type}', '%S', \
  '%{Module-Failure-Message}', \
  '%{NAS-IP-Address}')"

I did not add this yet:

post-auth {
  ...
  update reply {
    Reply-Message += "You got: %{Module-Failure-Message}"
  }
  ...
}

Do I need that entry in the post-auth block? %{Module-Failure-Message}
doesn't seem to be available by default in rlm_sql.

--Aaron

On 4/28/2010 2:57 PM, Alan DeKok wrote:
> Aaron Paetznick wrote:
>> %{Module-Failure-Message} seems to be empty for me. Is there a
>> scope/prefix I should try?
>
>   Hmm... it *should* be there along with the packet attributes.
>
>   Alan DeKok.
Re: Proxy EAP - TLS Nesting.
brisston...@free.fr wrote:
> I have to proxy all authentication requests to virtual servers (not just PEAP).
> We have different kinds of internal users (student, staff, guest, ...). Each of
> them is managed by one virtual server associated to one realm, example: for the
> student:

  So... are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?

> I can only specify one IP address and one port in NAS configuration (wired dot1x
> and wireless network) and I will use the proxy port (1812).
>
> Maybe there is another method to do that... But I think that using a proxy is the
> best way.

  You've described your configuration at a *very* high level. I still
have no idea what you're trying to do, or what is actually happening in
your system.

  Perhaps explaining things in detail would help, or showing the output
of debug mode as suggested in the FAQ, README, INSTALL, "man" page, web
page, configuration files, and daily on this list.

  Alan DeKok.
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Pedro Alves wrote:
> This is the test with AD user:
>
> AP#test aaa group radius userad userpass new-code
> Trying to authenticate with Servergroup radius
> User rejected
>
> rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52
>         User-Password = "userpass"
>         User-Name = "userad"
>         NAS-IP-Address = xx.xx.xx.xx

  So... you're not doing MS-CHAP. Why is this message useful?

  Again... the Active Directory howto you were pointed to *documents*
this. Go read it and follow the steps. If you don't follow the
documentation, you probably won't be able to solve the problem.

  Alan DeKok.
Re: Capturing Access-Reject data in the radpostauth table
Aaron Paetznick wrote:
> %{Module-Failure-Message} seems to be empty for me. Is there a
> scope/prefix I should try?

  Hmm... it *should* be there along with the packet attributes.

  Alan DeKok.
Re: Writing Accounting Detail log to DataBase
Nasser Heidari wrote:
> Dear All,
> I want to know how can I insert accounting detail log to Mysql database.

  Read raddb/sql.conf

  Look for "sql" in raddb/sites-enabled

  See the Wiki for SQL.

  This is documented in many, many, places.

  Alan DeKok.
Writing Accounting Detail log to DataBase
Dear All,

I want to know how I can insert the accounting detail log into a Mysql
database.

Thanks.
Re: Capturing Access-Reject data in the radpostauth table
%{Module-Failure-Message} seems to be empty for me. Is there a
scope/prefix I should try?

--Aaron

On 4/28/2010 9:37 AM, Alan DeKok wrote:
> Aaron Paetznick wrote:
>> I'd consider capturing the whole thing, but I'd be happy with just the
>> "rlm_pap: CLEAR TEXT password check failed" part. Do I have access to
>> that level of info from within rlm_sql?
>
>   Look at Module-Failure-Message. It's populated by the PAP module with
> the various reasons for reject.
>
>   e.g., for testing:
>
> post-auth {
>   ...
>   update reply {
>     Reply-Message += "You got: %{Module-Failure-Message}"
>   }
>   ...
> }
>
>   Alan DeKok.
Re: Proxy Accounting Records only to another MySQL Server
I think I answered my own question. It's all in proxy.conf

This looks like exactly what I need to scale out my freeradius servers
and leverage my MySQL -> Master -> Master backend.

From: eric.hernan...@allegiantair.com
To: freeradius-users@lists.freeradius.org
Date: 04/28/2010 09:38 AM
Subject: Proxy Accounting Records only to another MySQL Server
Sent by: freeradius-users-bounces+eric.hernandez=allegiantair@lists.freeradius.org

Accounting methods

The following accounting logging methods are supported by the server

  Local 'detail' files
  Local 'wtmp' and 'utmp' files
  Proxy to another RADIUS server
  Replicate to one or more RADIUS servers
  SQL (Oracle, MySQL, PostgreSQL, Sybase, IODBC, etc)

from http://freeradius.org/features.html

Hi All,

Is it possible to have a freeradius box that uses a local copy of mysql
for everything except accounting? The accounting records would be written
via a proxy to another MySQL box.

If so, where do I configure it?

Thanks,

-Eric-
Proxy Accounting Records only to another MySQL Server
Accounting methods

The following accounting logging methods are supported by the server

  Local 'detail' files
  Local 'wtmp' and 'utmp' files
  Proxy to another RADIUS server
  Replicate to one or more RADIUS servers
  SQL (Oracle, MySQL, PostgreSQL, Sybase, IODBC, etc)

from http://freeradius.org/features.html

Hi All,

Is it possible to have a freeradius box that uses a local copy of mysql
for everything except accounting? The accounting records would be written
via a proxy to another MySQL box.

If so, where do I configure it?

Thanks,

-Eric-
Re: rlm_python and dynload problem
Alan DeKok wrote:
> Aurélien Geron wrote:
>> Basically, if I understand correctly, his idea is to have the python fellows
>> declare the proper dependencies in every *.so file, so that the
>> libpython2.5.so.1 file gets loaded automatically when the "math" module (or
>> any other dynamic module) gets loaded. Maybe that's the ideal solution, I
>> really don't know. But it seems to me that we should try to fix freeRADIUS
>> so that it works around this bug before python dependencies are fixed (it
>> may take a while or even never happen). So I think the only
>> short-medium-term solution is to use LINKFORSHARED linker options.
>>
>> Thanks for reading this huge message. I hope we can beat this bug.
>
>   OK. I'll see about putting that fix into 2.1.9.
>
>   Alan DeKok.

That's great, thanks a lot Alan. If I can be of any help (for example,
for testing), please let me know.

Aurélien Geron
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Hello Again.

This is the test with local user:

AP#test aaa group radius userlocal localpass new-code
Trying to authenticate with Servergroup radius
User successfully authenticated

rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=174, length=53
        User-Password = " localpass "
        User-Name = " userlocal "
        NAS-IP-Address = xx.xx.xx.xx
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "local01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry local01 at line 79
[files]         expand: Ola, %{User-Name} -> Ola, local01
++[files] returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 174 to 10.1.3.17 port 1645
        Reply-Message = "Ola, local01"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 174 with timestamp +416
Ready to process requests.

This is the test with AD user:

AP#test aaa group radius userad userpass new-code
Trying to authenticate with Servergroup radius
User rejected

rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52
        User-Password = "userpass"
        User-Name = "userad"
        NAS-IP-Address = xx.xx.xx.xx
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> radius
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 175 to 10.1.3.17 port 1645
Waking up in 4.9 seconds.
Cleaning up request 6 ID 175 with timestamp +531
Ready to process requests.

-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Wednesday, 28 April 2010 16:40
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Pedro Alves wrote:
> Users defined in the users "files" work fine, but users on AD don't.
>
> In freeradius using the test below, I can access users on AD.

  Have you followed the "Active Directory" howto on
http://deployingradius.com?

> r...@mhvrad01:/usr/local/etc/raddb# radiusd -X
...
> Ready to process requests.

  ... and the server doesn't receive any packets. We can't help you
debug an issue if you don't show us what's happening.

  Alan DeKok.
Re: Proxy EAP - TLS Nesting.
Hi, thanks for your reply.

I have to proxy all authentication requests to virtual servers (not just PEAP).
We have different kinds of internal users (student, staff, guest, ...). Each of
them is managed by one virtual server associated to one realm, example: for the
student:

realm student.university.fr {
        virtual_server = student
}

server student {
}

I can only specify one IP address and one port in NAS configuration (wired dot1x
and wireless network) and I will use the proxy port (1812).

Maybe there is another method to do that... But I think that using a proxy is the
best way.

Quoting Alan DeKok:
> brisston...@free.fr wrote:
>> I have some troubles to proxy PEAP requests to (internal) virtual server:
>> I have one proxy server (with realms defined in proxy.conf file) that forwards the
>> request internally to a virtual server defined in the sites-enabled directory.
>
>   Why is there a need to proxy the PEAP packets?
>
>> For basic authentication requests (PAP, CHAP, MSCHAP, ...), authentication is
>> successful, but with PEAP it doesn't work (it works with EAP-TTLS). I have this
>> error message: "Multiple levels of TLS nesting is invalid".
>
>   Deleting all of the other messages doesn't help.
>
>   Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?
>
>   Alan DeKok.
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Pedro Alves wrote:
> Users defined in the users "files" work fine, but users on AD don't.
>
> In freeradius using the test below, I can access users on AD.

  Have you followed the "Active Directory" howto on
http://deployingradius.com?

> r...@mhvrad01:/usr/local/etc/raddb# radiusd -X
...
> Ready to process requests.

  ... and the server doesn't receive any packets. We can't help you
debug an issue if you don't show us what's happening.

  Alan DeKok.
RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
> Why is ntlm_auth not working for MS-CHAP?

It would be easier to answer your question if you included the debug
output for a rejected request as opposed to just the startup messages.
Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
After editing the mschap module file by uncommenting the line containing
ntlm_auth =, I used a Cisco AP as a client of freeradius to test with
"test aaa group radius user userpass new-code".

Users defined in the users "files" work fine, but users on AD don't.

In freeradius using the test below, I can access users on AD.

r...@m:~# ntlm_auth --request-nt-key --domain=XXX --username=
password:
NT_STATUS_OK: Success (0x0)

Why is ntlm_auth not working for MS-CHAP?

thanks

r...@mhvrad01:/usr/local/etc/raddb# radiusd -X
FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Apr 28 2010 at 12:00:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
        allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
        prefix = "/usr/local"
        localstatedir = "/usr/local/var"
        logdir = "/usr/local/var/log/radius"
        libdir = "/usr/local/lib"
        radacctdir = "/usr/local/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 102
Re: Capturing Access-Reject data in the radpostauth table
Aaron Paetznick wrote:
> I'd consider capturing the whole thing, but I'd be happy with just the
> "rlm_pap: CLEAR TEXT password check failed" part. Do I have access to
> that level of info from within rlm_sql?

  Look at Module-Failure-Message. It's populated by the PAP module with
the various reasons for reject.

  e.g., for testing:

post-auth {
  ...
  update reply {
    Reply-Message += "You got: %{Module-Failure-Message}"
  }
  ...
}

  Alan DeKok.
Re: rlm_python and dynload problem
Aurélien Geron wrote:
> Basically, if I understand correctly, his idea is to have the python fellows
> declare the proper dependencies in every *.so file, so that the
> libpython2.5.so.1 file gets loaded automatically when the "math" module (or
> any other dynamic module) gets loaded. Maybe that's the ideal solution, I
> really don't know. But it seems to me that we should try to fix freeRADIUS
> so that it works around this bug before python dependencies are fixed (it
> may take a while or even never happen). So I think the only
> short-medium-term solution is to use LINKFORSHARED linker options.
>
> Thanks for reading this huge message. I hope we can beat this bug.

  OK. I'll see about putting that fix into 2.1.9.

  Alan DeKok.
Re: Error logs on freeradius 2.1.8
Oninz Unix wrote:
> I know some of the threads are almost similar to my problem, but let
> me send some logs from my freeradius logs.
>
> Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 383.
> Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 382.
> Tue Apr 27 17:59:45 2010 : Info: WARNING: Child is hung for request 379.
> Tue Apr 27 17:59:46 2010 : Info: WARNING: Child is hung for request 383.
> Tue Apr 27 17:59:48 2010 : Info: WARNING: Child is hung for request 377.

...

> Error: WARNING: Unresponsive child for request 384, in module
> sql2_redundant component accounting

...

> I hope you could help me where to start to debug and solve the problem.

  You have a firewall between the RADIUS server and database. The
firewall is dropping the RADIUS -> database TCP connections.

  I have *no* idea why anyone thinks this is a good idea. The firewall
(if any) should be configured to allow ANY TCP (RADIUS -> DB : port).
But many people create rules allowing only "established" TCP
connections, and then the firewall helpfully loses track of which
sessions are established.

  Stop breaking your network.

  Alan DeKok.
Re: Problem building on Debian 5.0.4 / 2.6.24-etchnhalf.1-686
On Wed, Apr 28, 2010 at 09:43:50AM +0100, Tim Robinson wrote:
> I am having problems building FR 2.1.8 on Debian 5.0.4
> $ tar zxf freeradius-server-2.X.Y.tar.gz
> Any ideas please? I have googled for days on this

In all your googling you managed to miss the simple fact that you don't actually have to do any of this because it's been done already? :o

http://packages.debian.org/lenny-backports/freeradius
http://wiki.debian.org/Backports

--
2. That which causes joy or happiness.
Re: Proxy EAP - TLS Nesting.
brisston...@free.fr wrote:
> I have some troubles to proxy PEAP requests to (internal) virtual server :
> I have one proxy server (with realms defined in proxy.conf file) that forwards the
> request internally to a virtual server defined in site-enabled directory.

Why is there a need to proxy the PEAP packets?

> For basic authentication request (PAP, CHAP, MSCHAP, ...), authentication is
> successful, but with PEAP it doesn't work (works with EAP-TTLS). I have this
> error message : "Multiple levels of TLS nesting is invalid".

Deleting all of the other messages doesn't help. Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?

Alan DeKok.
Re: error message connection to MySQL. (Error Message :rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0)
You very helpfully deleted all the interesting information from the debug log (please always post the full log). But you can do this yourself. Take a look at the sql initialization section and see what it's saying about initializing the sql driver; in this case it should be rlm_sql_mysql. That should answer most of your questions.

As to whether rlm_sql_mysql is in a different RPM, I can't help you as I don't know Debian packaging, but it's easy to tell if one of the RPMs you did install installed it: just look in the freeradius library directory (which is defined at the top of the main freeradius config file, probably /etc/raddb/radiusd.conf).

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: R: R: R: NAS-Identifier and radgroupcheck table
> Hmm... that will cause all of the users to be rejected. Delete it.

Yes

> > I follow this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and,
> > *DEFAULT Auth-Type := Reject
>
> That's not necessary. It should be deleted from the page.

Thanks

--
Ana Gallardo Gómez
Error logs on freeradius 2.1.8
Hi,

I know some of the threads are almost similar to my problem, but let me send some logs from my freeradius logs.

Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 382.
Tue Apr 27 17:59:45 2010 : Info: WARNING: Child is hung for request 379.
Tue Apr 27 17:59:46 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:48 2010 : Info: WARNING: Child is hung for request 377.

Then

Error: Discarding duplicate request from client auths2 port 61015 - ID: 221 due to unfinished request 385

Then

Error: WARNING: Unresponsive child for request 384, in module sql2_redundant component accounting

Then

Error: rlm_sql_oracle: execute query failed in sql_query: ORA-03113: end-of-file on communication channel
Error: rlm_sql_oracle: OCI_SERVER_NOT_CONNECTED

I hope you could help me where to start to debug and solve the problem.

Allen B. Umlas
Dan Schaffer is not in the office
I will be out of the office starting 04/28/2010 and will not return until 05/03/2010.

I will respond to your message when I return.
Re: Problem building on Debian 5.0.4 / 2.6.24-etchnhalf.1-686
Tim Robinson wrote:
> Hi all
>
> I am having problems building FR 2.1.8 on Debian 5.0.4
>
> radmin.c:437: warning: implicit declaration of function 'using_history'

$ apt-get install libreadline libreadline-dev

Alan DeKok.
Problem building on Debian 5.0.4 / 2.6.24-etchnhalf.1-686
Hi all

I am having problems building FR 2.1.8 on Debian 5.0.4

I have followed the process:

Building Debian packages

$ tar zxf freeradius-server-2.X.Y.tar.gz
$ cd freeradius-server-2.X.Y
$ fakeroot dpkg-buildpackage -b -uc
...

All looks well until

gcc -o .libs/radclient .libs/radclient.o /home/tim/freeradius-server-2.1.8/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -Wl,--rpath -Wl,/usr/lib/freeradius
creating radclient
/usr/bin/libtool --mode=compile gcc -g -O2 -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/home/tim/freeradius-server-2.1.8/src -DHOSTINFO=\"i486-pc-linux-gnu\" -DRADIUSD_VERSION=\"2.1.8\" -DOPENSSL_NO_KRB5 -c radmin.c
gcc -g -O2 -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/home/tim/freeradius-server-2.1.8/src -DHOSTINFO=\"i486-pc-linux-gnu\" -DRADIUSD_VERSION=\"2.1.8\" -DOPENSSL_NO_KRB5 -c radmin.c -fPIC -DPIC -o .libs/radmin.o
radmin.c:55: warning: function declaration isn't a prototype
radmin.c: In function 'main':
radmin.c:437: warning: implicit declaration of function 'using_history'
radmin.c:437: warning: nested extern declaration of 'using_history'
radmin.c:438: warning: implicit declaration of function 'rl_bind_key'
radmin.c:438: warning: nested extern declaration of 'rl_bind_key'
radmin.c:438: error: 'rl_insert' undeclared (first use in this function)
radmin.c:438: error: (Each undeclared identifier is reported only once
radmin.c:438: error: for each function it appears in.)
radmin.c:530: warning: implicit declaration of function 'add_history'
radmin.c:530: warning: nested extern declaration of 'add_history'
make[5]: *** [radmin.lo] Error 1
make[5]: Leaving directory `/home/tim/freeradius-server-2.1.8/src/main'
make[4]: *** [common] Error 2
make[4]: Leaving directory `/home/tim/freeradius-server-2.1.8/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/home/tim/freeradius-server-2.1.8/src'
make[2]: *** [common] Error 2
make[2]: Leaving directory `/home/tim/freeradius-server-2.1.8'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/tim/freeradius-server-2.1.8'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: failure: debian/rules build gave error exit status 2

wendolene:/home/tim/freeradius-server-2.1.8# uname -a
Linux wendolene 2.6.24-etchnhalf.1-686 #1 SMP Thu Feb 25 05:42:02 UTC 2010 i686 GNU/Linux
wendolene:/home/tim/freeradius-server-2.1.8# less /etc/deb
debconf.conf  debian_version
wendolene:/home/tim/freeradius-server-2.1.8# less /etc/debian_version
wendolene:/home/tim/freeradius-server-2.1.8#

Any ideas please? I have googled for days on this

Cheers
Rgds
Tim

--
With Best Regards
Tim Robinson, Director
TxRx Communications Ltd
+44 1256 810630
http://www.txrxcomms.co.uk
Registered in England 6260998
Re: Segmentation fault
Kristoffer Milligan wrote:
> Thanks for the prompt reply on my previous inquiry regarding the
> compiling error. Worked perfectly with a new checkout.
>
> A new problem has arrived though. I am trying to do some authentication
> on the WiMAX platform.
...
> Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_process returned 3
> Segmentation fault
>
> Any ideas why radiusd is segfaulting?

It works for me. I suggest:

$ make distclean
$ ./configure
$ make

again. The internal code has changed quite a bit. Maybe you're running into a situation where it's using two different versions of the code at the same time.

If that still SEGVs, see doc/bugs

Alan DeKok.
Segmentation fault
Hello again list,

Thanks for the prompt reply on my previous inquiry regarding the compiling error. Worked perfectly with a new checkout.

A new problem has arrived though. I am trying to do some authentication on the WiMAX platform.

radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Apr 27 2010 at 08:06:03

Everything seems to be working fine. Client sends access request. Server sends challenge. This happens back and forth as it should, the user is identified and the final challenges are meant to be exchanged:

Wed Apr 28 09:04:01 2010 : Info: (6) [ttls] Got tunneled Access-Accept
Wed Apr 28 09:04:01 2010 : Info: (6) [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.

Followed by

Sending Access-Challenge of id 39 to 192.168.106.11 port 1812
        EAP-Message = 0x0107005f1580005517030100503aaea6b28c1d5d90e71ec96d69f5846508965193166f92b750af976df6b0363867e15725dfc8a2370622601bc3e9487f6aa9843bf2e469cc773c7e9815c52e15755de3a962215e0674d1368fbab98f24
        Message-Authenticator = 0x
        State = 0x912a18ab942d0dffd8d9c931385c748e
Wed Apr 28 09:04:01 2010 : Info: (6) Finished request 6.
Wed Apr 28 09:04:01 2010 : Debug: Going to the next request
Wed Apr 28 09:04:01 2010 : Debug: Waking up in 3.9 seconds.

rad_recv: Access-Request packet from host 192.168.106.11 port 1812, id=40, length=194
        User-Name = "{am=1}15a251baf3194e3ca5681323e8284...@domain.tld"
        EAP-Message = 0x020700061500
        Message-Authenticator = 0xfbce37cd2ed55658b94dbf0312e430fb
        NAS-Identifier = "AAALAB"
        NAS-IP-Address = 192.168.106.11
        Calling-Station-Id = "00-12-CF-C7-4D-A8"
        WiMAX-BS-Id = 0x002f01010101
        NAS-Port-Type = 27
        Framed-MTU = 2000
        Service-Type = Framed-User
        WiMAX-GMT-Timezone-offset = 0
        State = 0x912a18ab942d0dffd8d9c931385c748e
Wed Apr 28 09:04:01 2010 : Info: (7) +- entering group authorize {...}
Wed Apr 28 09:04:01 2010 : Info: (7) ++[preprocess] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) ++[wimax] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) ++[chap] returns noop
Wed Apr 28 09:04:01 2010 : Info: (7) ++[mschap] returns noop
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Looking up realm domain.tld for User-Name = "{am=1}15a251baf3194e3ca5681323e8284...@domain.tld"
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Found realm "domain.tld"
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Adding Stripped-User-Name = "{am=1}15a251baf3194e3ca5681323e82848a0"
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Adding Realm = "nextnet.no"
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Authentication realm is LOCAL.
Wed Apr 28 09:04:01 2010 : Info: (7) ++[suffix] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] EAP packet type response id 7 length 6
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] Continuing tunnel setup.
Wed Apr 28 09:04:01 2010 : Info: (7) ++[eap] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) Found Auth-Type = EAP
Wed Apr 28 09:04:01 2010 : Info: (7) +- entering group authenticate {...}
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] Request found, released from the list
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] EAP/ttls
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] processing type ttls
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] Authenticate
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] processing EAP-TLS
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] Received TLS ACK
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] ACK handshake is finished
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_verify returned 3
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_process returned 3
Segmentation fault

Any ideas why radiusd is segfaulting?
error message connection to MySQL. (Error Message :rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0)
Hi,

I try to authenticate freeradius 2.1.8 using mysql5.0.26. Information of my system:

1. OS is SuSE Linux SLES10 SP2.

2. I have installed the following RPMs for FreeRadius 2.1.8:

#rpm -qa |grep freeradius
freeradius-server-utils-2.1.8-1.1
freeradius-client-libs-1.1.6-4.1
freeradius-server-2.1.8-1.1
freeradius-client-devel-1.1.6-4.1
freeradius-server-devel-2.1.8-1.1
freeradius-client-1.1.6-4.1
freeradius-server-debuginfo-2.1.8-1.1
freeradius-server-libs-2.1.8-1.1

3. Installed the following MySQL RPMs:

# rpm -qa |grep mysql
apache2-mod_auth_mysql-3.0.0-14.2
mysql-5.0.26-12.18
mysql-shared-5.0.26-12.18
perl-DBD-mysql-3.0002-15.2
php5-mysql-5.2.5-9.5
mysql-client-5.0.26-12.18

I have successfully installed the RPMs for freeradius, and a test for authentication using the file "users" is successful. When I tried to authenticate via MySQL, it failed. There is no connection record to MySQL in the log file of MySQL.

Searching the WWW, I found out there is an RPM named freeradius-mysql* for Red Hat FC. There is no such RPM for SuSE on the download website of freeradius.org. Is a corresponding RPM required for SLES10SP2? Where to download? Or is such functionality already included in one of my installed RPMs?

Terminal 1 message:

# radtest user1 test1 localhost 1812 RAD7429secret
Sending Access-Request of id 250 to 127.0.0.1 port 1812
        User-Name = "user1"
        User-Password = "test1"
        NAS-IP-Address = 158.182.158.61
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=250, length=20

Terminal 2 message:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32768, id=250, length=57
        User-Name = "user1"
        User-Password = "test1"
        NAS-IP-Address = 158.182.158.61
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20100428
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20100428
[auth_log]      expand: %t -> Wed Apr 28 20:38:07 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[sql]   expand: %{User-Name} -> user1
[sql] sql_set_user escaped user --> 'user1'
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 250 to 127.0.0.1 port 32768
Waking up in 4.9 seconds.
Cleaning up request 0 ID 250 with timestamp +10
Ready to process requests.

---
Cheers,
Joe
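The hung-child log in the "Error logs on freeradius 2.1.8" thread and the "There are no DB handles to use!" debug output in this thread are the two rlm_sql failure signatures that the replies diagnose by reading the log. The script below is an added example, not FreeRADIUS code and not written by anyone on the list: it pulls both signatures out of a log and turns them into the same diagnosis the replies give, namely which module the unresponsive children are stuck in, and whether rlm_sql never got a driver (the thing John Dennis says to look for in the sql initialization section) or loaded one but cannot reach the database. The SAMPLE_* texts are constructed for the example; the hung-child, unconnected-handle and ORA-/OCI_SERVER_NOT_CONNECTED lines mirror those quoted in the two threads, while the "Driver ... loaded and linked", "Attempting to connect", "Couldn't connect socket" and "Failed to connect DB handle" lines are my assumption about what rlm_sql 2.x prints under radiusd -X, not text taken from the page.

```python
"""Triage FreeRADIUS 2.x log output for two rlm_sql failure signatures.

Added example, not FreeRADIUS code. SAMPLE_* texts are constructed: the
hung-child, handle and ORA-/OCI lines mirror the thread; the "Driver ...
loaded and linked" and "Couldn't connect socket" lines are assumptions
about rlm_sql 2.x debug output.
"""
import re
from collections import Counter

HUNG_RE = re.compile(r"WARNING: Child is hung for request (\d+)\.")
UNRESP_RE = re.compile(r"WARNING: Unresponsive child for request (\d+), "
                       r"in module (\S+) component (\w+)")
DRIVER_RE = re.compile(r"rlm_sql \((\w+)\): Driver (rlm_sql_\w+) \(module \S+\) loaded")
UNCONN_RE = re.compile(r"rlm_sql \((\w+)\): Ignoring unconnected handle (\d+)")
NOHANDLE_RE = re.compile(r"rlm_sql \((\w+)\): There are no DB handles to use! "
                         r"skipped (\d+), tried to connect (\d+)")
DB_ERR_RE = re.compile(r"(rlm_sql_\w+): (.*?(?:ORA-\d+|OCI_SERVER_NOT_CONNECTED|"
                       r"Couldn't connect|Lost connection).*)")


def triage(log_text):
    """Parse one log and return raw observations plus plain-English findings."""
    hung, blocking, drivers = set(), Counter(), {}
    unconnected, exhausted, db_errors = {}, {}, []
    for line in log_text.splitlines():
        if m := HUNG_RE.search(line):
            hung.add(int(m.group(1)))
        elif m := UNRESP_RE.search(line):
            hung.add(int(m.group(1)))
            blocking[(m.group(2), m.group(3))] += 1   # (module, component)
        elif m := DRIVER_RE.search(line):
            drivers[m.group(1)] = m.group(2)          # rlm_sql instance -> driver
        elif m := UNCONN_RE.search(line):
            unconnected.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := NOHANDLE_RE.search(line):
            exhausted[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := DB_ERR_RE.search(line):
            db_errors.append((m.group(1), m.group(2)))

    findings = []
    for (module, component), n in blocking.most_common():
        findings.append(
            f"{n} unresponsive child(ren) stuck in module {module} ({component}), "
            f"{len(hung)} request(s) hung: the module is blocking on its backend, "
            f"typically a RADIUS->DB TCP session a stateful firewall silently dropped.")
    for inst, (skipped, tried) in exhausted.items():
        if inst not in drivers:
            findings.append(
                f"rlm_sql ({inst}): {skipped} handle(s) unusable, {tried} connect "
                f"attempt(s), no driver-loaded line: the driver never initialised. "
                f"Read the sql section of 'radiusd -X' and check rlm_sql_<db>.so is in libdir.")
        else:
            findings.append(
                f"rlm_sql ({inst}): driver {drivers[inst]} loaded but {skipped} "
                f"handle(s) unconnected: check DB reachability and credentials.")
    findings += [f"{drv} backend error: {msg}" for drv, msg in db_errors]
    return {"hung_requests": hung, "blocking": dict(blocking), "drivers": drivers,
            "unconnected": unconnected, "exhausted": exhausted,
            "db_errors": db_errors, "findings": findings}


# Constructed samples (see module docstring).
SAMPLE_HUNG = """\
Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 382.
Tue Apr 27 17:59:45 2010 : Info: WARNING: Child is hung for request 379.
Tue Apr 27 17:59:46 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:48 2010 : Error: WARNING: Unresponsive child for request 384, in module sql2_redundant component accounting
Tue Apr 27 17:59:49 2010 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-03113: end-of-file on communication channel
Tue Apr 27 17:59:49 2010 : Error: rlm_sql_oracle: OCI_SERVER_NOT_CONNECTED
"""
SAMPLE_NO_DRIVER = """\
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
"""
SAMPLE_DB_DOWN = """\
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radius
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 1, tried to connect 0
"""

if __name__ == "__main__":
    for name, text in (("hung", SAMPLE_HUNG), ("no_driver", SAMPLE_NO_DRIVER),
                       ("db_down", SAMPLE_DB_DOWN)):
        print(f"== {name} ==", *triage(text)["findings"], sep="\n")
```

Feed it the full radiusd -X output, not a trimmed excerpt: the distinction between "no driver ever loaded" and "driver loaded, database unreachable" lives entirely in the initialization lines that precede the first request, which is exactly the part both posters cut out.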