Re: Expiration Module Not Returning the Error Message
On Tue, Sep 6, 2011 at 11:41 AM, Det Det wrote:
> Hi,
> The expiration module works but it is not returning the error message.
> Every time I include the Expiration attribute and set the date accordingly, the
> user is denied login. The reason is because the account expired and NOT
> because there is "no known good password found" as shown below. How do I tell
> RADIUS to stop processing anything after the expiration check? I suspect it
> proceeds with the rest of the checks and so the error message has been
> overwritten by other modules' error messages.
>
>
> +++[sql2] returns ok
> ++- redundant-load-balance group redundant_load_balance_sql returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> ++[pap] returns noop

Works for me. From modules/expiration: "It should be included in the *end* of the authorize section in order to handle user Expiration" (or just uncomment the expiration line in sites-available/default).

The debug log should show something like this:

[expiration] Checking Expiration time: '2011 Sep 6 03:00:00'
[expiration] Account has expired
[expiration] expand: Password Has Expired -> Password Has Expired
++[expiration] returns userlock
Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]): [testuser] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 242 to 127.0.0.1 port 52990
        Reply-Message += "Password Has Expired\r\n"

If it doesn't, then either:
- you're using an old FR version with some bugs regarding expiration in it, in which case you should upgrade, or
- you didn't list expiration in the authorize section, or
- you didn't have an Expiration attribute for your user (in users file/sql/whatever)

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: different acctuniqueids with common keys?
On 6 Sep 2011, at 06:04, James J J Hooper wrote:
> On 06/09/2011 00:36, Rob Turner wrote:
>
>> Default in modules/acct_unique:
>>
>> acct_unique {
>>     key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>> }
>>
>> The man page for rlm_acct_unique shows:
>>
>> acct_unique {
>>     key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port"
>> }
>>
>> Anyone know when this was changed?
>
> Apparently, a long time ago:
> https://github.com/alandekok/freeradius-server/commits/master/raddb/modules/acct_unique

See policy.conf on the master branch for an acctuniqueid scheme which sucks less... This will be the default for new 3.x configs as the policy overloads the module.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Expiration Module Not Returning the Error Message
Hi,

The expiration module works but it is not returning the error message. Every time I include the Expiration attribute and set the date accordingly, the user is denied login. The reason is because the account expired and NOT because there is "no known good password found" as shown below. How do I tell RADIUS to stop processing anything after the expiration check? I suspect it proceeds with the rest of the checks and so the error message has been overwritten by other modules' error messages.

+++[sql2] returns ok
++- redundant-load-balance group redundant_load_balance_sql returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop

thanks,
det
Re: different acctuniqueids with common keys?
On 06/09/2011 00:36, Rob Turner wrote:
> Default in modules/acct_unique:
>
> acct_unique {
>     key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> }
>
> The man page for rlm_acct_unique shows:
>
> acct_unique {
>     key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port"
> }
>
> Anyone know when this was changed?

Apparently, a long time ago:
https://github.com/alandekok/freeradius-server/commits/master/raddb/modules/acct_unique

-James
Re: different acctuniqueids with common keys?
This is an issue for us as well. It seems in our case, the NAS retransmits the start packet 60 seconds later and this has an impact on the acctuniqueid as shown in the example below:

Tue Aug 30 13:32:49 2011
        Event-Timestamp = "Aug 30 2011 13:32:48 EDT"
        User-Name = "u...@example.com"
        NAS-IP-Address = 69.72.31.155
        NAS-Identifier = "mtar-apx01.1dial.com"
        Ascend-Owner-IP-Addr = 0.0.0.0
        NAS-Port = 4652
        Ascend-NAS-Port-Format = 4
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Class = 0x4241534943495350
        Acct-Status-Type = Start
        Acct-Delay-Time = 0
        Acct-Session-Id = "592238627"
        Acct-Authentic = RADIUS
        Ascend-Auth-Delay = 1580
        Ascend-Data-Rate = 21600
        Ascend-Xmit-Rate = 4
        Ascend-Modem-PortNo = 92
        Ascend-Modem-SlotNo = 14
        Ascend-Modem-ShelfNo = 1
        Calling-Station-Id = "..."
        Ascend-Calling-Id-Type-Of-Num = Unknown
        Ascend-Calling-Id-Number-Plan = Unknown
        Ascend-Calling-Id-Presentatn = Allowed
        Ascend-Calling-Id-Screening = 40
        Called-Station-Id = "..."
        Ascend-Data-Svc = Switched-Voice-Bearer
        Framed-Protocol = PPP
        Framed-IP-Address = 208.103.135.234
        Proxy-State = 0x3138
        Proxy-State = 0x313435
        Proxy-State = 0x323034
        Realm = "example.com"
        Acct-Unique-Session-Id = "547e6cd62913bca0"
        Timestamp = 1314725569

Tue Aug 30 13:33:49 2011
        Event-Timestamp = "Aug 30 2011 13:32:48 EDT"
        User-Name = "u...@example.com"
        NAS-IP-Address = 69.72.31.155
        NAS-Identifier = "mtar-apx01.1dial.com"
        Ascend-Owner-IP-Addr = 0.0.0.0
        NAS-Port = 4652
        Ascend-NAS-Port-Format = 4
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Class = 0x4241534943495350
        Acct-Status-Type = Start
        Acct-Delay-Time = 60
        Acct-Session-Id = "592238627"
        Acct-Authentic = RADIUS
        Ascend-Auth-Delay = 1580
        Ascend-Data-Rate = 21600
        Ascend-Xmit-Rate = 4
        Ascend-Modem-PortNo = 92
        Ascend-Modem-SlotNo = 14
        Ascend-Modem-ShelfNo = 1
        Calling-Station-Id = "..."
        Ascend-Calling-Id-Type-Of-Num = Unknown
        Ascend-Calling-Id-Number-Plan = Unknown
        Ascend-Calling-Id-Presentatn = Allowed
        Ascend-Calling-Id-Screening = 40
        Called-Station-Id = "..."
        Ascend-Data-Svc = Switched-Voice-Bearer
        Framed-Protocol = PPP
        Framed-IP-Address = 208.103.135.234
        Proxy-State = 0x3230
        Proxy-State = 0x3832
        Proxy-State = 0x3934
        Realm = "example.com"
        Acct-Unique-Session-Id = "0041ee21d0b1c6b1"
        Timestamp = 1314725629

As with many companies using load balancing, it may not be good to use Client-IP-Address to key on, as this changed 60 seconds later.

Default in modules/acct_unique:

acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}

The man page for rlm_acct_unique shows:

acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port"
}

Anyone know when this was changed?

- Original Message -
From: "Arran Cudbard-Bell"
To: "FreeRadius users mailing list"
Sent: Saturday, June 18, 2011 7:50:49 AM
Subject: Re: different acctuniqueids with common keys?

On Jun 18, 2011, at 1:26 PM, and...@sybaweb.com wrote:
> On Sat, 18 Jun 2011 07:39:53 +0200, Arran Cudbard-Bell wrote:
>> As Alan says it's the NAS not including a consistent set of
>> Attribute and or values.
>
> The key attributes per the config (acct_unique { key = "User-Name,
> Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> }) *are* consistent in the radacct table yet the value of acctuniqueid is
> not. I suppose the missing values could have been populated later.

Um yes. Especially if you're using interim updates.

-Arran

Arran Cudbard-Bell
RM-RF Limited - Security consultation and contracting
VoIP: +1 916-436-1352
Cell: +44 7854041841
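As an added illustration of Rob's point (example code written for this page, not rlm_acct_unique itself): the two retransmitted Start records above are hashed once with the default key and once with the man-page key, to show which key attribute makes the ids diverge. The Client-IP-Address values and the exact hash layout are assumptions; the thread shows neither.

```python
import hashlib

# Constructed Start packets modelled on the two detail records quoted above:
# one session, the second record being the NAS retransmit 60 s later that
# arrived through a different proxy. Client-IP-Address is set by the server
# from the sending client; the values here are made up (the thread shows none).
START_1 = {
    "User-Name": "user@example.com",
    "Acct-Session-Id": "592238627",
    "NAS-IP-Address": "69.72.31.155",
    "NAS-Port": "4652",
    "Acct-Delay-Time": "0",
    "Client-IP-Address": "192.0.2.10",     # constructed: first proxy
}
START_2 = dict(START_1, **{
    "Acct-Delay-Time": "60",
    "Client-IP-Address": "192.0.2.11",     # constructed: second proxy
})

DEFAULT_KEY = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
MANPAGE_KEY = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port"


def parse_key(key):
    """Split an acct_unique 'key' string into its attribute names."""
    return [a.strip() for a in key.split(",") if a.strip()]


def unique_id(packet, key):
    """Illustrative Acct-Unique-Session-Id: MD5 over 'Attr = value,' pairs in
    key order, truncated to the 16 hex digits seen in the thread. Attributes
    missing from the packet are skipped. This follows the idea of
    rlm_acct_unique, not its exact byte layout, so the digests differ from
    the ids in the detail records above."""
    material = "".join(f"{a} = {packet[a]}," for a in parse_key(key) if a in packet)
    return hashlib.md5(material.encode()).hexdigest()[:16]


def unstable_key_attributes(packets, key):
    """Key attributes whose values differ across packets of one session.
    An empty list means the key yields a single Acct-Unique-Session-Id."""
    return [a for a in parse_key(key)
            if len({p.get(a) for p in packets}) > 1]


def ids_consistent(packets, key):
    """True when every packet of the session hashes to the same id."""
    return len({unique_id(p, key) for p in packets}) == 1
```

Adding Acct-Delay-Time to a key would break the id the same way, since it also differs between the two records.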
Re: Pre release of 2.1.12
Alan DeKok writes:
> Alan Buxey wrote:
>> hmm, command.c and auth.c appear to have been updated but
>> still see no joy with 'radmin' as munin user (who is in radiusd group)
>>
>> Mon Sep 5 15:55:04 2011 : Error: Unauthorized connection to
>> /var/run/radiusd/radiusd.sock from gid 101
>
> My guess is that the "get peer id" function is returning only *one*
> group. Munin is first part of the "munin" group, but secondly part of
> the "radmin" group. So... the socket asks "which group is connecting",
> and gets told "munin".

I assume that's because the function uses the sockopt

    SO_PEERCRED
        Return the credentials of the foreign process connected to this
        socket. This is only possible for connected AF_UNIX stream sockets
        and AF_UNIX stream and datagram socket pairs created using
        socketpair(2); see unix(7). The returned credentials are those that
        were in effect at the time of the call to connect(2) or
        socketpair(2). Argument is a ucred structure. This socket option is
        read-only.

So how about just running 'sg radiusd radmin'? Would that work? And be an acceptable workaround?

Bjørn
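To show the gap Bjørn and Alan describe, here is an added Python example (not FreeRADIUS code): it decodes SO_PEERCRED from a Unix socket, which yields only the peer's primary gid, and then consults the group database so that a peer whose radiusd membership is a supplementary group is still authorised. The function names and the SELF_CRED tuple are constructed for this example.

```python
import grp
import os
import pwd
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid; three native ints.
UCRED_FMT = "3i"

# Constructed credential tuple for this process, as a peer would appear.
SELF_CRED = (os.getpid(), os.getuid(), os.getgid())


def peer_credentials(sock):
    """Decode SO_PEERCRED from a connected AF_UNIX socket as (pid, uid, gid).
    The kernel reports only the peer's *primary* gid here; supplementary
    group memberships are not part of struct ucred at all."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FMT))
    return struct.unpack(UCRED_FMT, raw)


def gids_for_uid(uid, primary_gid):
    """Every gid the peer belongs to: the primary gid from the socket plus
    the supplementary groups that list the user in the group database."""
    gids = {primary_gid}
    try:
        name = pwd.getpwuid(uid).pw_name
    except KeyError:        # uid without a passwd entry: primary gid only
        return gids
    for entry in grp.getgrall():
        if name in entry.gr_mem:
            gids.add(entry.gr_gid)
    return gids


def primary_gid_only(cred, allowed_gid):
    """The narrow check the thread describes: the socket's gid must match.
    A 'munin' user whose radiusd membership is secondary fails this."""
    return cred[2] == allowed_gid


def authorize_peer(cred, allowed_gid):
    """Control-socket check that honours supplementary groups: the allowed
    gid may be the primary gid or any group the peer's uid is a member of."""
    _pid, uid, gid = cred
    return allowed_gid in gids_for_uid(uid, gid)


def local_peer_credentials():
    """Create a socketpair and read our own credentials back from it.
    Returns None where SO_PEERCRED does not exist (non-Linux platforms)."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_credentials(b)
    finally:
        a.close()
        b.close()
```

The 'sg radiusd radmin' workaround makes radiusd the primary gid for the radmin process, which is why it satisfies the narrow check without any server change.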
Conditional Dynamic VLAN
Hello Guys,

I need the following in a wireless environment, using 802.1X authentication based on LDAP: I need to do dynamic VLAN assignment. I need to consult an LDAP attribute and, from this attribute, determine which VLAN to send to my wireless controller. I need something like this:

...
if ( habitantWirelessActive == FALSE ) {
    update reply {
        Tunnel-Type := "VLAN"
        Tunnel-Medium-Type := "IEEE-802"
        Tunnel-Private-Group-Id := 100
    }
} else {
    update reply {
        Tunnel-Type := "VLAN"
        Tunnel-Medium-Type := "IEEE-802"
        Tunnel-Private-Group-Id := 30
    }
}
...

habitantWirelessActive is the LDAP attribute; each user has this attribute as a Boolean set to TRUE or FALSE. How can I make this check? Another question is about where I make this verification: is the correct location the post-auth section?

Thank you for your attention.

João

--
João Paulo de Lima Barbosa
Re: Pre release of 2.1.12
Alan Buxey wrote:
> hmm, it used to work - i guess the fix to fix the brokenness also broke
> this setup.

I think the change is related to checking the peer ID on the new connection, rather than the old one. See commit f0e7064e58f712853c429dcb27e53861f1a9cde1

Alan DeKok.
Re: Pre release of 2.1.12
Jim Madden wrote:
> FWIW, found this in ./freeradius-server-2.1.12/src/main/auth.c

Whoops. Fixed that, thanks.

Alan DeKok.
Re: Pre release of 2.1.12
FWIW, found this in ./freeradius-server-2.1.12/src/main/auth.c

502c502
< #ifdef WITH_POXT_PROXY_AUTHORIZE
---
> #ifdef WITH_POST_PROXY_AUTHORIZE

On Aug 29, 2011, at 7:13 AM, Alan DeKok wrote:
> I've put some pre releases of 2.1.12 on the web site:
>
> http://git.freeradius.org/pre/
>
> Please let me know if there are any problems. If not, this can become
> 2.1.12.
>
> Alan DeKok.
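Review bot: the guard at auth.c line 502 reads WITH_POXT_PROXY_AUTHORIZE, so unless something else defines that misspelt macro the code under this #ifdef is compiled out entirely; the correction to WITH_POST_PROXY_AUTHORIZE therefore changes what gets built rather than being cosmetic, and it is worth grepping the tree for the same misspelling in other files before the release is cut.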
Re: Pre release of 2.1.12
Hi,

> My guess is that the "get peer id" function is returning only *one*
> group. Munin is first part of the "munin" group, but secondly part of
> the "radmin" group. So... the socket asks "which group is connecting",
> and gets told "munin".
>
> I'm not sure there's a clean solution to that.

hmm, it used to work - i guess the fix to fix the brokenness also broke this setup.

alan
Re: Pre release of 2.1.12
Alan Buxey wrote:
> hmm, command.c and auth.c appear to have been updated but
> still see no joy with 'radmin' as munin user (who is in radiusd group)
>
> Mon Sep 5 15:55:04 2011 : Error: Unauthorized connection to
> /var/run/radiusd/radiusd.sock from gid 101

My guess is that the "get peer id" function is returning only *one* group. Munin is first part of the "munin" group, but secondly part of the "radmin" group. So... the socket asks "which group is connecting", and gets told "munin".

I'm not sure there's a clean solution to that.

Alan DeKok.
Re: Pre release of 2.1.12
Alan Buxey wrote:
> maybe change that string to a global that can be pulled in from
> an include? - this could then be used in other places where old
> copyright statements lurk

Maybe. It's not a high priority.

Alan DeKok.
Re: Pre release of 2.1.12
hi,

probably want to change this line in radmin.c too

    printf("Copyright (C) 2008 The FreeRADIUS server project and contributors.\n");

maybe change that string to a global that can be pulled in from an include? - this could then be used in other places where old copyright statements lurk

alan
Re: Pre release of 2.1.12
Hi,

>> :-) must've gone to a private repo! :-)
>
> ... and now a public repo, if you'd care to pull and try again.

hmm, command.c and auth.c appear to have been updated but still see no joy with 'radmin' as munin user (who is in radiusd group)

Mon Sep 5 15:55:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101

radiusd: FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep 5 2011 at 15:53:18

alan
Re: Pre release of 2.1.12
On 5 Sep 2011, at 15:06, Alan Buxey wrote:
> Hi,
>
>>> hmm, latest GIT version checked out and compiled...still seems to
>>> do the same:
>>>
>>
>> Checked the freeradius.org repo and the github repo and there's been no
>> relevant commits...
>>
>> *poke* Alan D, git push...
>
> :-) must've gone to a private repo! :-)

... and now a public repo, if you'd care to pull and try again.

>
>
> PS thanks to this thread I've tweaked some of my settings too - and i love
> that RANDOM idea. i'm wondering if there's any mileage in doing the same thing for
> Session-Time auth replies? for when a drove of people fire up their laptops/phones etc at
> start of lecture hours or when labs get booted up at same time with WoL ?
>

WoL stuff certainly. Also when you get a Switch/AP reboot and a bunch of devices come online at the same time, so you don't hammer the server with a bunch of simultaneous re-auths.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Re: Pre release of 2.1.12
Hi,

>> hmm, latest GIT version checked out and compiled...still seems to
>> do the same:
>>
>
> Checked the freeradius.org repo and the github repo and there's been no
> relevant commits...
>
> *poke* Alan D, git push...

:-) must've gone to a private repo! :-)

PS thanks to this thread I've tweaked some of my settings too - and i love that RANDOM idea. i'm wondering if there's any mileage in doing the same thing for Session-Time auth replies? for when a drove of people fire up their laptops/phones etc at start of lecture hours or when labs get booted up at same time with WoL ?

alan
Re: Pre release of 2.1.12
On 5 Sep 2011, at 14:42, Alan Buxey wrote:
> Hi,
>
>>> munin has been added to the radiusd group which is defined in the
>>> control virtual server - and this used to work all okay
>>> with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
>>> borked the access to radiusd.sock for other groups.
>>
>> I've committed a fix to the v2.1.x branch of git which should address
>> this.
>
> hmm, latest GIT version checked out and compiled...still seems to
> do the same:
>

Checked the freeradius.org repo and the github repo and there's been no relevant commits...

*poke* Alan D, git push...

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Re: Mac OSX FreeRadius EAP Authentication making progress - But still not there
I'd recommend you start poking at this to see why ntlm_auth is failing. Are you having Samba problems, is your machine part of whatever domain it's trying to authenticate against? I noticed there's no Domain in the User-Name field, whereas when I'm looking at Domain authentications, I usually see \ coming from the users. I'm not certain how that'll affect Samba's behavior, but it's worth double checking so that you're confident about it.

- Jacob

On 5 Sep 2011, at 00:26, DavidS wrote:
> [2011/09/04 21:07:10, 0, pid=1176] /SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146)
> could not obtain winbind domain name!
> Exec-Program output: Reading winbind reply failed! (0xc001)
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
Re: Pre release of 2.1.12
Hi,

>> munin has been added to the radiusd group which is defined in the
>> control virtual server - and this used to work all okay
>> with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
>> borked the access to radiusd.sock for other groups.
>
> I've committed a fix to the v2.1.x branch of git which should address
> this.

hmm, latest GIT version checked out and compiled...still seems to do the same:

Mon Sep 5 13:39:33 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101

radiusd: FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep 5 2011 at 13:32:28

alan
Re: run more than one radius on single machine
On 05/09/11 10:06, Fajar A. Nugraha wrote:
> On Mon, Sep 5, 2011 at 3:44 PM, waq wrote:
>> Dear,
>>
>> It's my requirement to run more than one radius on a single machine
>
> Why? Using virtual servers is usually easier. They can listen to
> different IP/port, and have different configuration. See
> sites-available/inner-tunnel for an example of using a "listen" section
> inside a virtual server.

There are some reasons. Fault isolation for one - although FreeRADIUS is pretty reliable, no software is perfect and if you have radius services of differing levels of criticality (e.g. "vpn access == important", "802.1x access to local LAN == critical") you might want to prevent one segfault from affecting another. We do this.

>> can anybody help me how to achieve this
>
> If you REALLY want to run multiple instances of radiusd, then start by
> having a separate configuration directory (e.g. /etc/raddb, /etc/raddb2,
> and so on) for each instance and call radiusd with the "-d"

That is one option. Another option is to use /etc/raddb/instance.conf as the config file, and start "radiusd -n instance". This is what we do, and it makes the config management easier if you share a lot of common code.

> parameter. And you'd also need to change some settings in radiusd.conf
> (e.g. raddbdir, run_dir, or possibly just "name"). And you need to make
> sure all of them bind to different IP/port/socket.
>
> Last time I tried this it worked, but the startup script didn't work as
> expected (e.g. it killed both radiusd instances and only started one).
> Didn't have time to look more into it since I didn't need it anymore.

We wrote an instance-aware init script for this. It wasn't hard.
Re: run more than one radius on single machine
On Mon, Sep 5, 2011 at 3:44 PM, waq wrote:
> Dear,
>
> It's my requirement to run more than one radius on a single machine

Why? Using virtual servers is usually easier. They can listen to different IP/port, and have different configuration. See sites-available/inner-tunnel for an example of using a "listen" section inside a virtual server.

> can anybody help me how to achieve this

If you REALLY want to run multiple instances of radiusd, then start by having a separate configuration directory (e.g. /etc/raddb, /etc/raddb2, and so on) for each instance and call radiusd with the "-d" parameter. And you'd also need to change some settings in radiusd.conf (e.g. raddbdir, run_dir, or possibly just "name"). And you need to make sure all of them bind to different IP/port/socket.

Last time I tried this it worked, but the startup script didn't work as expected (e.g. it killed both radiusd instances and only started one). Didn't have time to look more into it since I didn't need it anymore.

--
Fajar
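As an added example for the multiple-instance setup Fajar and the reply above describe (this is not FreeRADIUS code), a small checker that parses the "name", "run_dir" and "listen" settings of each instance's configuration and reports the collisions those posts warn about. The configuration fragments are constructed for the example and deliberately contain a shared name and a clashing port; the parser handles only flat fragments, not $INCLUDE or nested sections.

```python
import re

# Constructed radiusd.conf fragments for two instances on one host; paths and
# values are made up for this example and are not FreeRADIUS defaults.
INSTANCE_A = """
name = radiusd
run_dir = ${localstatedir}/run/radiusd
listen {
    ipaddr = *
    port = 1812
}
listen {
    ipaddr = *
    port = 1813
}
"""
INSTANCE_B = """
name = radiusd                  # "name" left at the default: shared with A
run_dir = ${localstatedir}/run/radiusd2
listen {
    ipaddr = 127.0.0.1
    port = 1812                 # clashes with A's wildcard bind on 1812
}
listen {
    ipaddr = *
    port = 18130
}
"""
SETTING = re.compile(r"^(\w+)\s*=\s*(\S+)")

def parse_conf(text):
    """Top-level 'key = value' settings plus listen {} blocks of a flat fragment."""
    settings, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip trailing comments
        if line.startswith("listen") and line.endswith("{"):
            current = {}
        elif line == "}" and current is not None:
            listeners.append(current)
            current = None
        else:
            m = SETTING.match(line)                # blank lines simply do not match
            if m:
                (settings if current is None else current)[m.group(1)] = m.group(2)
    return settings, listeners

def binds_clash(a, b):
    """Same port and either side binds '*' or both bind the same address
    (conservative: assumes the kernel refuses the second bind)."""
    if a.get("port") != b.get("port"):
        return False
    addrs = (a.get("ipaddr"), b.get("ipaddr"))
    return "*" in addrs or addrs[0] == addrs[1]

def find_conflicts(instances):
    """Compare every pair of instances (label -> conf text) and describe
    shared 'name'/'run_dir' values and listeners that bind the same port."""
    parsed = sorted((label, parse_conf(text)) for label, text in instances.items())
    problems = []
    for i, (x, (sx, lx)) in enumerate(parsed):
        for y, (sy, ly) in parsed[i + 1:]:
            for key in ("name", "run_dir"):
                if key in sx and sx[key] == sy.get(key):
                    problems.append(f"{x} and {y} share {key} = {sx[key]}")
            for a in lx:
                for b in ly:
                    if binds_clash(a, b):
                        problems.append(f"{x} and {y} both bind port {a['port']}")
    return problems
```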
Re: Pre release of 2.1.12
Been running a week now, and the prerelease still looks good here as well.

Bjørn
run more than one radius on single machine
Dear,

It's my requirement to run more than one radius on a single machine. Can anybody help me how to achieve this?

I am using CentOS 5.5 64bit, Oracle 10.2.0, Freeradius 2.1.10
Re: Pre release of 2.1.12
Hi,

> it's now running on our most busy server. Both -X and
> background-multithreaded do their usual job. I do not see any problems
> so far.
>
> That said, I was at that point with 2.1.11 as well, and it caught fire
> after 48+ hours only. So, there might still be surprises. I'll keep it
> running under surveillance for the rest of the week. By next Monday,
> I'll speak up again and let you know if my setup (still) works fine.

Keeps on running like Forrest Gump.

Stefan

>
> Greetings,
>
> Stefan Winter
>
> On 29.08.2011 16:13, Alan DeKok wrote:
>> I've put some pre releases of 2.1.12 on the web site:
>>
>> http://git.freeradius.org/pre/
>>
>> Please let me know if there are any problems. If not, this can become
>> 2.1.12.
>>
>> Alan DeKok.

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473