Re: Encode multiple sub-attributes in single vsa?

2012-10-10 Thread Far Runner
On Tue, Oct 9, 2012 at 6:36 PM, Alan DeKok al...@deployingradius.com wrote:

   Build it from source, with ./configure --enable-developer

It worked, thanks!

F.R
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Expired Active Directory Passwords Wireless Authentication

2012-10-10 Thread Alan Buxey
No.

You cannot do a successful auth against an incorrect password as you haven't 
got agreement from both ends and therefore no keying material required for 
WPA-RADIUS...therefore no key for the wireless association. Password change can 
only be performed INSIDE the PEAP negotiation. As has already been said, the latest 
version already supports this...some clients do too.

alan
--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


Re: your mail

2012-10-10 Thread Alan Buxey
Return rlm_module_updated

alan

Re: Auth All and Logging

2012-10-10 Thread Alan Buxey
Possible, but unlikely to get what you want if you are using EAP methods and 
wireless.

alan



Re: store encrypted passwords

2012-10-10 Thread Ithoq Projosasmita
You should use the crypt function in MySQL when you update the Crypt-Password value,
i.e.: update radcheck set value=crypt('password') where
ATTRIBUTE='crypt-password' and USERNAME='foo';

Or maybe you mean that it stays plaintext in the debug output of a running FreeRADIUS? It
should be like that because of PAP auth; to make sure auth is using the
crypted password, just remove the Cleartext-Password record for the appropriate
user. I have used crypt passwords with Ubuntu FreeRADIUS and it works well.

CMIIW, and sorry for my bad English

Regards
Bandel
On Oct 9, 2012 9:10 PM, jon jon free9...@gmail.com wrote:

 I was mixed up on what table I am talking about; it's the radcheck
 table. I was using navicat to set the attribute to Crypt-Password and
 refreshing the database. The password stayed in plain text.

 On Mon, Oct 8, 2012 at 4:29 PM, Matthias Nagel
 matthias.h.na...@gmail.com wrote:
  Hello,
 
  first, please use the correct way of quoting for mailing list. This is
 to say, write your comments below the original text that it refers to. That
 way readers who pick up a thread later can follow more easily. But now back
 to topic.
 
  Am Montag 08 Oktober 2012, 16:17:52 schrieb jon jon:
  On Mon, Oct 8, 2012 at 4:02 PM, Matthias Nagel
  matthias.h.na...@gmail.com wrote:
  Hello,
 
  I have set up FreeRADIUS Version 2.1.10 on an Ubuntu server 12.04,
  Mysql Server version: 5.5.24. Everything is up and running but the
  users passwords are stored in plain text in raddacct. I tried changing
  the attribute to Crypt-Password but it doesn't change anything.
 
  What do you mean by doesn't change anything? If you have changed the
 attribute name to Crypt-Password and you also modified the attribute's
 value accordingly, what do you expect? If it still works, then be happy.
 
  doesn't change anything = password is still showing as plain text. What
 do you mean by "modified the attribute's value accordingly"?
 
  You wrote that you changed clear text passwords to crypt-passwords. This
 means to me you updated your database, hence your database does not show
 clear text passwords anymore. What exactly did you do, when you changed
 from clear text to crypt-passwords?
 
  I assumed you did something like this:
 
  UPDATE radcheck set attribute = 'Crypt-Password', value =
 SOME_FANCY_CONVERT_FUNCTION( value ) WHERE some_senseful_condition_here;
 
  Anyway, I now notice that you were speaking of radacct. This table is
 not to show any password at all.
 
 
 
  Do I
  need to make a change to a config file also? Not sure what type of
  encryption would be best one that works MD5?
 
  For compatibility of password encryption schemes and protocols, see
 here:
  http://deployingradius.com/documents/protocols/compatibility.html
 
  Thanks,
 
  Matthias
 
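An audit for the pitfall this thread circles around: renaming a radcheck row's attribute to Crypt-Password without hashing the value, or leaving a Cleartext-Password row next to the hash so the wrong one ends up being used. This is an added example, not code from the thread or from FreeRADIUS; the radcheck rows below are constructed, and the `$1$`/`$6$` values are placeholders that only have the right shape, not real hashes.

```python
import re
from collections import defaultdict

# crypt(3) value shapes rlm_pap can verify: traditional 13-character DES, or the
# glibc $1$ (MD5), $5$ (SHA-256) and $6$ (SHA-512) forms with an optional rounds=
# field. Anything else stored under Crypt-Password will never match a login.
CRYPT_RE = re.compile(
    r"^(?:[./0-9A-Za-z]{13}"
    r"|\$[156]\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{22,86})$"
)

# The password check items considered here (a subset of what rlm_pap understands).
KNOWN_GOOD = {"cleartext-password", "crypt-password", "md5-password",
              "sha-password", "nt-password", "lm-password", "user-password"}


def looks_like_crypt(value):
    """True if value has a crypt(3) shape, False for plaintext and the like.
    Caveat: a 13-character alphanumeric plaintext is indistinguishable from
    a DES crypt value by shape alone."""
    return CRYPT_RE.match(value) is not None


def audit_radcheck(rows):
    """rows: (username, attribute, op, value) tuples as dumped from radcheck.
    Returns {username: [finding, ...]} for users whose password rows will not
    behave the way the admin expects. Attribute names are compared
    case-insensitively, as FreeRADIUS does."""
    per_user = defaultdict(dict)
    for username, attribute, op, value in rows:
        per_user[username][attribute.lower()] = (op, value)

    findings = {}
    for username, attrs in per_user.items():
        problems = []
        has_clear = "cleartext-password" in attrs
        has_crypt = "crypt-password" in attrs
        if has_clear and has_crypt:
            problems.append("both Cleartext-Password and Crypt-Password rows present; "
                            "remove the Cleartext-Password row so the hash is what is checked")
        if has_crypt and not looks_like_crypt(attrs["crypt-password"][1]):
            problems.append("Crypt-Password value is not a crypt(3) hash; the attribute "
                            "was renamed but the value was never hashed")
        if not KNOWN_GOOD & attrs.keys():
            problems.append("no password check item in radcheck; rlm_pap has no "
                            "known-good password unless one comes from elsewhere")
        if problems:
            findings[username] = problems
    return findings


# Constructed rows. Hash-shaped values are placeholders, not real hashes.
SAMPLE_ROWS = [
    ("alice", "Cleartext-Password", ":=", "correct horse"),
    ("bob",   "Cleartext-Password", ":=", "hunter2"),
    ("bob",   "Crypt-Password",     ":=", "$1$saltsalt$" + "A" * 22),
    ("carol", "Crypt-Password",     ":=", "hunter2"),          # renamed, never hashed
    ("dave",  "Crypt-Password",     ":=", "$6$rounds=5000$0123456789abcdef$" + "B" * 86),
    ("erin",  "Simultaneous-Use",   ":=", "1"),                # no password item at all
]

if __name__ == "__main__":
    for user, problems in sorted(audit_radcheck(SAMPLE_ROWS).items()):
        for p in problems:
            print(f"{user}: {p}")
```

Feed it a dump of radcheck (any `SELECT username, attribute, op, value FROM radcheck`) and it reports bob (two competing rows), carol (plaintext under Crypt-Password) and erin (nothing to check against), while alice and dave pass.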

Re: Expired Active Directory Passwords Wireless Authentication

2012-10-10 Thread Phil Mayers

On 10/10/2012 12:31 AM, Jason Agress wrote:

Hi all,

We're currently using Microsoft IAS for RADIUS on our Cisco managed
wireless network. We do wireless logon on our clients, which requires
the user to first authenticate to RADIUS to initiate the wireless
connection, then authenticate against Active Directory to complete the
login process.

The problem we run into is when a user's password expires and RADIUS
authentication is unsuccessful; since the wireless connection cannot be
made, AD cannot be contacted to authenticate the user and, ideally,
prompt to change the password.

I've read lots about this problem with FreeRADIUS and have seen some
implied solutions, but nothing concrete. So here's my question: With
FreeRADIUS, is there a way to allow successful RADIUS authentication
with an expired password?


You can't do that, no. Successful auth against AD requires AD to 
cooperate, and it won't do that if the password has expired - but see 
right at the very end.


As Alan says, you can instead do MSCHAP password changes with the 
master branch of FreeRADIUS and a client that supports it. But TBH I'm 
surprised this isn't working with IAS.


What software are you running on the clients? Any non-standard supplicants?


Re: Expired Active Directory Passwords Wireless Authentication

2012-10-10 Thread Phil Mayers

On 10/10/2012 03:21 AM, Jason Agress wrote:

Will that allow successful RADIUS authentication - and, therefore
wireless access - before the password change is initiated? Because our
clients are Macs that won't prompt for password change until after they
are connected to the wireless and authenticating against AD.


Ah. Then no, mschap password changes won't help. FreeRADIUS just calls 
out to AD to auth users. If AD refuses to auth because the password is 
expired, the only thing you can do is a password change, which requires 
client support.


Since you're using Macs, you do have one option - change your EAP method 
to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth 
types you can force an accept on. Other auth types use 
challenge/response methods that require both sides to prove to each other 
that they know the credentials.


To implement this, you'd:

 1. Install FreeRADIUS
 2. Get EAP working with a local user
 3. Get EAP working with AD users via Samba

Everything up to this point is documented - see the wiki or 
deployingradius.com. Once you've got that far, you need to set up two things:


 * TTLS
 * A script to auth PAP against AD, wrapping ntlm_auth

The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails, 
check for expired and force a success.


Anyway - if you're willing to move from PEAP to TTLS, get the basics 
working then if you need advice, ask here again - people will be glad to 
help. It's relatively straightforward, but all the pieces might not be 
documented in obvious places.



Re: Encode multiple sub-attributes in single vsa?

2012-10-10 Thread Phil Mayers

On 10/10/2012 04:56 AM, Fajar A. Nugraha wrote:


Interestingly enough, debian packages enable that option while redhat
doesn't. What are the performance implications of enabling it? Is it
something huge, or only several-percent-penalty and
careful-you-can-shoot-yourself-in-the-foot kind of thing?


I'm not sure there are any performance implications per se. If I read 
the ./configure script correctly, what it primarily does is enable 
debugging symbols (-g) and a whole bunch of C warnings. However, 
debugging symbols are conditionally enabled if the compiler supports 
them further up anyway, so really it's just the warnings AFAICT.



Re: Re-transmits arriving via a different proxy / EAP duplicate detection

2012-10-10 Thread Phil Mayers

On 09/10/12 19:17, alan buxey wrote:

Hi,


As I iterate through our logging config, I'm gaining increasing
visibility of all kinds of peculiar stuff. This one I spotted today
- we are seeing remote RADIUS servers (eduroam visited sites)
sending retransmits via different intermediate proxies.


I've seen this a couple of times in the past - and recently too. The recent
one was fixed by ensuring that the RADIUS server was listening only


The pattern we see is quite odd. I suspect the core issue is being 
exacerbated by misbehaving clients or visited-site radius servers. The 
reason I suspect this is that, if it were genuine packet loss, you'd 
expect to see retransmits at all stages of the EAP session. But we 
almost exclusively see retransmits in response to a reject (very common) 
or an accept (rarely).


In particular, there seem to be some sites where retransmits come in if 
we send a reject. I don't know if this is a particular supplicant or a 
particular radius server.


Or maybe I'm mis-reading the evidence. But it does seem odd... I'm 
wondering whether to open a JRS support ticket or not (any suggestions ;o)



Re: Re-transmits arriving via a different proxy / EAP duplicate detection

2012-10-10 Thread Alan DeKok
Phil Mayers wrote:
 First, the FreeRADIUS duplicate detect / retransmit logic doesn't apply
 because the source IP, shared secret, Proxy-State and
 Message-Authenticator are all different, even though all other
 attributes are identical. This is correct behaviour AFAICT from the RFCs.
 
 Second, because the retransmits aren't eaten by the duplicate detection,
 they arrive as real packets in the server core, but are rejected because
 the State attribute is no longer valid - this is because FR mutates
 State on every round-trip, mixing in the EAP type/id/exchange number.

  There is a solution.  But it involves new code.

 Does anyone have any thoughts on the matter? Absent RADIUS-over-TCP,
 this seems like a really tricky one...

  Nah.  Create a new state tracking module.

a) runs before sending reply, and caches State - request/reply

b) runs on receiving packet, and looks for duplicate state

   if found, and request looks similar, send duplicate reply


  That would bypass all of the EAP code, and add another layer of
duplicate detection after the packets are duplicate code.

  There should really also be a state tracking API in the server core.
Certain modules (i.e. securid) roll their own, and it's not overly
efficient.

  Alan DeKok.
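A toy version of the State-keyed cache Alan sketches in (a) and (b), as an added example that is neither FreeRADIUS code nor anything the thread implements: the tracker remembers the State of each request it answered together with a fingerprint of the request minus the per-hop attributes, and answers a retransmit that arrives through a different proxy from that cache instead of letting it reach the EAP code with a State that has already been consumed. The packets, proxy addresses and the ToyEapCore stand-in are constructed.

```python
import time

# Attributes that legitimately differ when the same request is re-sent through
# another proxy. The source IP and shared secret differ as well, which is why the
# normal duplicate detection (keyed on source and packet identifier) never fires.
VOLATILE = frozenset({"Proxy-State", "Message-Authenticator"})


def fingerprint(request):
    """Stable view of a request: every attribute except the per-hop ones."""
    return tuple(sorted((k, v) for k, v in request["attrs"].items()
                        if k not in VOLATILE))


class StateTracker:
    """Step (a): remember State -> (fingerprint, reply) just before a reply is sent.
    Step (b): on a new packet, answer from the cache when the State was already
    consumed and the rest of the request looks the same."""

    def __init__(self, ttl=30.0, clock=time.monotonic):
        self.ttl = ttl        # seconds; a cached reply is only useful briefly
        self.clock = clock    # injectable so expiry can be tested
        self._entries = {}

    def remember(self, state, request, reply):
        self._entries[state] = (fingerprint(request), reply, self.clock() + self.ttl)

    def lookup(self, state, request):
        entry = self._entries.get(state)
        if entry is None:
            return None
        fp, reply, expires = entry
        if self.clock() > expires:
            del self._entries[state]
            return None
        return reply if fp == fingerprint(request) else None


class ToyEapCore:
    """Stand-in for the EAP code: every round trip consumes the State it was
    given and issues a fresh one, so a retransmit carrying the old State would
    otherwise be rejected as stale, which is the behaviour the thread describes."""

    def __init__(self):
        self.valid_states = {"S0"}
        self.calls = 0

    def process(self, request):
        self.calls += 1
        state = request["attrs"].get("State")
        if state not in self.valid_states:
            return {"code": "Access-Reject", "reason": "stale State"}
        self.valid_states.remove(state)
        new_state = f"S{self.calls}"
        self.valid_states.add(new_state)
        return {"code": "Access-Challenge", "State": new_state}


def handle(tracker, core, request):
    """Server entry point: consult the State cache first, then fall through to EAP."""
    state = request["attrs"].get("State")
    if state is not None:
        cached = tracker.lookup(state, request)
        if cached is not None:
            return cached
    reply = core.process(request)
    if state is not None:
        tracker.remember(state, request, reply)
    return reply


def demo():
    """Constructed packets: one EAP round arriving via proxy A, then the same round
    retransmitted via proxy B with a different source, Proxy-State and
    Message-Authenticator. Returns (first reply, retransmit reply, EAP calls)."""
    tracker, core = StateTracker(), ToyEapCore()
    common = {"User-Name": "user@example.org", "EAP-Message": "eap-round-1", "State": "S0"}
    via_a = {"src": "198.51.100.1", "attrs": {**common, "Proxy-State": "A", "Message-Authenticator": "mac-a"}}
    via_b = {"src": "203.0.113.9", "attrs": {**common, "Proxy-State": "B", "Message-Authenticator": "mac-b"}}
    first = handle(tracker, core, via_a)
    retransmit = handle(tracker, core, via_b)
    return first, retransmit, core.calls


if __name__ == "__main__":
    first, retransmit, calls = demo()
    print("first:", first, "retransmit:", retransmit, "EAP invocations:", calls)
```

The retransmit gets the identical Access-Challenge and the EAP core runs once; a request that reuses the State but differs in the non-volatile attributes is not treated as a duplicate and goes to the core, which rejects it as stale.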


rlm_exec

2012-10-10 Thread Thomas Raabo - Zitcom A/S
Could you implement 

(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
Enter username: directory\Administrator
Enter password:
server response type = Access-Challenge (11)
Enter otp: 97350
server response type = Access-Accept (2)

This sort of thing with rlm_exec?


Med venlig hilsen | Best regards
Thomas Raabo
Senior Network Engineer CCIE #33466





Re: Expired Active Directory Passwords Wireless Authentication

2012-10-10 Thread Jason Agress
Thanks, that makes sense. Just out of curiosity, which types of clients
typically support the MSCHAP password change? Does Windows?

Alan Buxey a.l.m.bu...@lboro.ac.uk writes:
No.

You cannot do a successful auth against an incorrect password as you
haven't got agreement from both ends and therefore no keying material
required for WPA-RADIUS...therefore no key for the wireless association.
Password change can only be performed INSIDE the PEAP negotiation. As has
already been said, the latest version already supports this...some clients do
too.

alan

Re: Expired Active Directory Passwords Wireless Authentication

2012-10-10 Thread Jason Agress
This is very promising! Thank you!

Is there any significant downside to using EAP-TTLS/PAP over PEAP?

FreeRadius users mailing list freeradius-users@lists.freeradius.org
writes:
On 10/10/2012 03:21 AM, Jason Agress wrote:
 Will that allow successful RADIUS authentication - and, therefore
 wireless access - before the password change is initiated? Because our
 clients are Macs that won't prompt for password change until after they
 are connected to the wireless and authenticating against AD.

Ah. Then no, mschap password changes won't help. FreeRADIUS just calls 
out to AD to auth users. If AD refuses to auth because the password is 
expired, the only thing you can do is a password change, which requires 
client support.

Since you're using Macs, you do have one option - change your EAP method 
to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth 
types you can force an accept on. Other auth types use 
challenge/response methods that require both sides to prove to each other 
that they know the credentials.

To implement this, you'd:

  1. Install FreeRADIUS
  2. Get EAP working with a local user
  3. Get EAP working with AD users via Samba

Everything up to this point is documented - see the wiki or 
deployingradius.com. Once you've got that far, you need to set up two
things:

  * TTLS
  * A script to auth PAP against AD, wrapping ntlm_auth

The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails, 
check for expired and force a success.

Anyway - if you're willing to move from PEAP to TTLS, get the basics 
working then if you need advice, ask here again - people will be glad to 
help. It's relatively straightforward, but all the pieces might not be 
documented in obvious places.

Re: Expired Active Directory Passwords Wireless Authentication

2012-10-10 Thread alan buxey
Hi,
Thanks, that makes sense. Just out of curiosity, which types of clients
typically support the MSCHAP password change? Does Windows?

Windows does - I've used it, for 'incorrect try again' and for 'change password'.

alan


Re: Expired Active Directory Passwords Wireless Authentication

2012-10-10 Thread alan buxey
Hi,

Is there any significant downside to using EAP-TTLS/PAP over PEAP?

A few things. One is that you really need to trust the CA/RADIUS server -
as your credentials are all passed in the clear inside the TLS tunnel - so
if you are talking to a dodgy server you then send them everything.

Secondly... many clients don't support it natively... so you need to install
an extra supplicant to do it.

Not an issue if you are only trying to ensure that Mac users can change password
when things are wonky and Windows users use PEAP (which has the
'change/incorrect' support) - but how do you stop Mac users using PEAP and still
getting themselves stuck?

alan


Re: .rpmnew files during RPM upgrade

2012-10-10 Thread John Dennis

On 10/09/2012 08:57 PM, Fajar A. Nugraha wrote:

On Wed, Oct 10, 2012 at 5:39 AM, John Dennis jden...@redhat.com wrote:

On 09/11/2012 07:42 AM, Alan DeKok wrote:


Jonathan Gazeley wrote:


It seems to me that the broken behaviour is not with RPM but with
FreeRADIUS. Can the regular expression that includes config files and
modules be tweaked to exclude *.rpmnew files?



As always, patches are welcome.



O.K. I did just that. The freeradius-2.2.0 RPM's I've been pushing now
includes a patch to ignore config filenames that should be excluded from
being loaded. I'll send the patch to the developers list via a github pull
request. The list is hardcoded, at the moment it excludes:

Any basename beginning with a dot (.)
Any basename beginning with a hash (i.e. pound sign, octothorp) (#)
Any basename ending with a tilde (~)
Any basename ending with the substring .rpmsave
Any basename ending with the substring .rpmnew
Any basename ending with the substring .bak


Can you please add .dpkg-new, .dpkg-dist, and .dpkg-old as well?


Sure, no problem, done.


--
John Dennis jden...@redhat.com



RE: Query help

2012-10-10 Thread Jonathan Bastin
I have been looking at this further and I am having trouble finding the answer. 
Is anyone able to point me in the right direction.

-Original Message-
From: Jonathan Bastin [mailto:jonathan.bas...@peerpointinternet.co.uk]
Sent: 09 October 2012 14:56
To: 'FreeRadius users mailing list'
Subject: RE: Query help

This is the full dump I get

rad_recv: Access-Request packet from host 193.000.221.00 port 1645, id=213, 
length=141
Framed-Protocol = PPP
User-Name = 02085000...@peerpointinternet.co.uk
CHAP-Password = 0x045f3e13da52acf8b9e784c0c125ed102f
Connect-Info = 11066368/1094656
NAS-Port-Type = Virtual
NAS-Port = 832
NAS-Port-Id = Uniq-Sess-ID832
Service-Type = Framed-User
NAS-IP-Address = 193.000.221.00
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql]   expand: %{User-Name} -> 02085000...@peerpointinternet.co.uk
[sql] sql_set_user escaped user --> '02085000...@peerpointinternet.co.uk'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = '02085000...@peerpointinternet.co.uk'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = '02085000...@peerpointinternet.co.uk'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = 
'02085000...@peerpointinternet.co.uk'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op   
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id -> SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = 'Serg_100GB'   ORDER BY id
[sql] User found in group Serg_100GB
[sql]   expand: SELECT id, groupname, attribute,   value, op   
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id -> SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = 'Serg_100GB'   ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++? if (%{sql: SELECT radgroupcheck.value FROM radusergroup Inner Join
++radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname
++WHERE radusergroup.username = '%{User-Name}' AND
++radgroupcheck.attribute = 'CS-Total-Octets-Monthly';}= %{sql:
++SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct WHERE
++UserName='%{User-Name}' AND AcctStartTime >
++(DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY));})
sql_xlat
expand: %{User-Name} -> 02085000...@peerpointinternet.co.uk
sql_set_user escaped user --> '02085000...@peerpointinternet.co.uk'
expand:  SELECT radgroupcheck.value FROM radusergroup Inner Join 
radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE 
radusergroup.username = '%{User-Name}' AND radgroupcheck.attribute = 
'CS-Total-Octets-Monthly'; ->  SELECT radgroupcheck.value FROM radusergroup 
Inner Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname 
WHERE radusergroup.username = '02085000...@peerpointinternet.co.uk' AND 
radgroupcheck.attribute = 'CS-Total-Octets-Monthly'; rlm_sql (sql): Reserving 
sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3
expand: %{sql: SELECT radgroupcheck.value FROM radusergroup Inner Join 
radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE 
radusergroup.username = '%{User-Name}' AND radgroupcheck.attribute = 
'CS-Total-Octets-Monthly';} -> 10737500 sql_xlat
expand: %{User-Name} -> 02085000...@peerpointinternet.co.uk
sql_set_user escaped user --> '02085000...@peerpointinternet.co.uk'
expand:  SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct 
WHERE UserName='%{User-Name}' AND AcctStartTime > (DATE_SUB(CURDATE(),INTERVAL 
DAYOFMONTH(CURDATE())DAY)); ->  SELECT SUM( AcctInputOctets + AcctOutputOctets) 
FROM radacct WHERE UserName='02085000...@peerpointinternet.co.uk' AND 
AcctStartTime > (DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY)); 
rlm_sql (sql): Reserving sql socket id: 2 sql_xlat finished rlm_sql (sql): 
Released sql socket id: 2
expand: 

Re: Query help

2012-10-10 Thread Phil Mayers

On 10/10/12 14:23, Jonathan Bastin wrote:

I have been looking at this further and I am having trouble finding the answer. 
Is anyone able to point me in the right direction.


You might find it a bit easier to debug if you perform the two SQL 
queries (for the quota, and the current limit) separately, then compare 
the values. For example:


update control {
  Tmp-Integer-0 := "%{sql:select quota_limit ...}"
  Tmp-Integer-1 := "%{sql:select sum(...) from radacct where ...}"
}
if (control:Tmp-Integer-0 < %{control:Tmp-Integer-1}) {
  reject
}

This will at least make it more obvious what is going on. To be frank, I 
can't really understand what's going on in that debug.



No Realm in table radacct

2012-10-10 Thread xylakant
Hello together,

I have set up a RADIUS system like eduroam with 3 servers. I use 
daloradius for user and accounting management.

Authentication and accounting works with realm, but the field realm is 
empty in table radacct.

Furthermore, I want to know how I use / configure Hot Spots in 
daloradius. I can't find any description about that. It's really hard to 
learn freeradius without a good wiki or something else.

There are two locations A @sb-dfki.de and B @kl-dfki.de with their radius 
server. And a global Server only for Radius proxyforwarding. I've got my 
client and an access point 172.16.18.82 on location A.

I think my configuration is OK. If not, please tell me.

You can see my debug logs with a login by mar...@kl-dfki.de

Location A http://pastebin.com/A1HNtSeu  

Location B http://pastebin.com/Q2DWbTes 

Thank you!

Xylakant

RE: Query help

2012-10-10 Thread Jonathan Bastin
Thank you so much for the pointer. I am with you I couldn't understand the
last debug. Here is the new one.


rad_recv: Access-Request packet from host 193.000.221.000 port 1645, id=19,
length=141
Framed-Protocol = PPP
User-Name = 0208...@peerpointinternet.co.uk
CHAP-Password = 0x048bf9799185d69af262db5d5c0e4c9ba2
Connect-Info = 11066368/1094656
NAS-Port-Type = Virtual
NAS-Port = 903
NAS-Port-Id = Uniq-Sess-ID903
Service-Type = Framed-User
NAS-IP-Address = 193.000.221.000
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql]   expand: %{User-Name} -> 0208...@peerpointinternet.co.uk
[sql] sql_set_user escaped user --> '0208...@peerpointinternet.co.uk'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radcheck
WHERE username = '0208...@peerpointinternet.co.uk'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radreply
WHERE username = '0208...@peerpointinternet.co.uk'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username =
'0208...@peerpointinternet.co.uk'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = 'Serg_100GB'   ORDER
BY id
[sql] User found in group Serg_100GB
[sql]   expand: SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = 'Serg_100GB'   ORDER
BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
sql_xlat
expand: %{User-Name} -> 0208...@peerpointinternet.co.uk
sql_set_user escaped user --> '0208...@peerpointinternet.co.uk'
expand:  SELECT radgroupcheck.value FROM radusergroup Inner Join
radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE
radusergroup.username = '%{User-Name}' AND radgroupcheck.attribute =
'CS-Total-Octets-Monthly'; ->  SELECT radgroupcheck.value FROM radusergroup
Inner Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname
WHERE radusergroup.username = '0208...@peerpointinternet.co.uk' AND
radgroupcheck.attribute = 'CS-Total-Octets-Monthly';
rlm_sql (sql): Reserving sql socket id: 1
sql_xlat finished
rlm_sql (sql): Released sql socket id: 1
expand: %{sql: SELECT radgroupcheck.value FROM radusergroup Inner
Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE
radusergroup.username = '%{User-Name}' AND radgroupcheck.attribute =
'CS-Total-Octets-Monthly';} -> 10737500
sql_xlat
expand: %{User-Name} -> 0208...@peerpointinternet.co.uk
sql_set_user escaped user --> '0208...@peerpointinternet.co.uk'
expand: SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct
WHERE UserName='%{User-Name}' AND AcctStartTime >
(DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY)); -> SELECT SUM(
AcctInputOctets + AcctOutputOctets) FROM radacct WHERE
UserName='0208...@peerpointinternet.co.uk' AND AcctStartTime >
(DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY));
rlm_sql (sql): Reserving sql socket id: 0
sql_xlat finished
rlm_sql (sql): Released sql socket id: 0
expand: %{sql:SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM
radacct WHERE UserName='%{User-Name}' AND AcctStartTime >
(DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY));} -> 64695817844
++[control] returns ok
++? if (control:Tmp-Integer-0 < %{control:Tmp-Integer-1})
expand: %{control:Tmp-Integer-1} -> 271308404
? Evaluating (control:Tmp-Integer-0 < %{control:Tmp-Integer-1}) -> TRUE
++? if (control:Tmp-Integer-0 < %{control:Tmp-Integer-1}) -> TRUE
++- entering if (control:Tmp-Integer-0 < %{control:Tmp-Integer-1}) {...}
+++[reject] returns reject
++- if (control:Tmp-Integer-0 < %{control:Tmp-Integer-1}) returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[sql]   expand: %{User-Name} -> 

Re: No Realm in table radacct

2012-10-10 Thread Alan DeKok
xylak...@vorsicht-bissig.de wrote:
 Authentication and accounting works with realm, but the field realm is
 empty in table radacct.

  Does the accounting packet have a username with a realm?  The debug
log says no.

  Please *read* the debug log.  It has a lot of information and can be
hard to understand.  But it shouldn't be hard to look for an accounting
packet, and then look for realm.  If there are no references to
realm... that explains why the realm isn't in the radacct table.

 You can see my Debuglogs with a Login by mar...@kl-dfki.de

  No.  Read the debug log.

  Alan DeKok.


Re: Query help

2012-10-10 Thread Alan DeKok
Jonathan Bastin wrote:
 To me it looks like the value is wrapping. Is this due to that even the
 interpreter in the site config file is 32-bit only. 

  Yes.  All numbers in RADIUS are 32-bit.

  I think v3 will extend the internal code in the server to use 64-bit
numbers.

  Alan DeKok.


RE: Query help

2012-10-10 Thread Jonathan Bastin
Damn. Is anyone able to assist me to convert this to Perl, as I am only a novice
programmer at best? I am willing to make a donation to whoever helps, or to a
different location, on confirmation of the code working.

-Original Message-
From:
freeradius-users-bounces+jonathan.bastin=peerpointinternet.co.uk@lists.freer
adius.org
[mailto:freeradius-users-bounces+jonathan.bastin=peerpointinternet.co.uk@lis
ts.freeradius.org] On Behalf Of Alan DeKok
Sent: 10 October 2012 15:36
To: FreeRadius users mailing list
Subject: Re: Query help

Jonathan Bastin wrote:
 To me it looks like the value is wrapping. Is this due to that even
 the interpreter in the site config file is 32-bit only.

  Yes.  All numbers in RADIUS are 32-bit.

  I think v3 will extend the internal code in the server to use 64-bit
numbers.

  Alan DeKok.


Re: No Realm in table radacct

2012-10-10 Thread xylakant
Yes, I know. I always read the debug. But I don't know how to change it!
My biggest problem is that I can't find any good descriptions about 
freeradius config.

Everything I learn is by reading other stuff from forums and blogs. The wiki of 
freeradius is bad.
I've got an old book, RADIUS from O'Reilly, but it is about freeradius v1. 

So could you help me?

Thank you


 
  Original message 
 Date: Wed, 10 Oct 2012 10:32:02 -0400
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: No Realm in table radacct
 
 xylak...@vorsicht-bissig.de wrote:
  Authentication and accounting works with realm, but the field realm is
  empty in table radacct.
 
   Does the accounting packet have a username with a realm?  The debug
 log says no.
 
   Please *read* the debug log.  It has a lot of information and can be
 hard to understand.  But it shouldn't be hard to look for an accounting
 packet, and then look for realm.  If there are no references to
 realm... that explains why the realm isn't in the radacct table.
 
  You can see my Debuglogs with a Login by mar...@kl-dfki.de
 
   No.  Read the debug log.
 
   Alan DeKok.
 


Re: Query help

2012-10-10 Thread Phil Mayers

On 10/10/12 15:25, Jonathan Bastin wrote:


To me it looks like the value is wrapping. Is this because the
interpreter in the site config file is 32-bit only? If this is the case I
presume my only resort is perl. If this is the case, could someone help me
convert this?


You could divide by some large factor inside the SQL database, which is 
likely using 64-bit or arbitrary precision internally.


e.g.

select sum() / 100

select quota / 100

...to convert to megabytes, and then compare like that.
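Worked illustration of the wrapping Alan DeKok and Phil Mayers describe above, as an added example that is not part of the thread: a Perl script that builds a small radacct table in an in-memory SQLite database (a 64-bit perl and an installed DBD::SQLite are assumed; the rows, the user "jon" and the 5000 MB quota are constructed), sums the octets the way the database does it in 64 bits, truncates that total to 32 bits the way a RADIUS integer attribute would, and then does the division inside the SQL so the comparison still fits. The 1048576 divisor is this example's choice of megabyte.

```perl
#!/usr/bin/perl
# Added example, not from the thread: a radacct octet total that wraps in a
# 32-bit RADIUS integer, and the "divide inside SQL" fix Phil describes.
# Assumes a 64-bit perl and that DBD::SQLite is installed; the table, the
# user "jon", the sessions and the quota are all constructed here.
use strict;
use warnings;
use DBI;

my $MB       = 1_048_576;   # octets per megabyte (this example's choice)
my $quota_mb = 5_000;       # constructed per-user quota, in MB

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed subset of radacct: three closed sessions for one user,
# 5_400_000_000 octets in total, which is more than 2**32.
$dbh->do(q{CREATE TABLE radacct (username TEXT,
                                 acctinputoctets INTEGER,
                                 acctoutputoctets INTEGER)});
my $ins = $dbh->prepare('INSERT INTO radacct VALUES (?, ?, ?)');
$ins->execute('jon', 1_500_000_000, 1_200_000_000);
$ins->execute('jon', 1_100_000_000,   900_000_000);
$ins->execute('jon',   400_000_000,   300_000_000);

# 1. The total as the database computes it (SQLite integers are 64-bit).
my ($octets) = $dbh->selectrow_array(
    'SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE username = ?',
    undef, 'jon');

# 2. What is left of that total once it is stored in a 32-bit attribute:
#    the high bits are dropped, which is the wrapping seen in the thread.
my $wrapped = (0 + $octets) & 0xFFFFFFFF;

# 3. Scale down in SQL instead, so the value handed to the server fits.
#    $MB is a constant of this script, not user input, so interpolating
#    it into the query is safe; user-controlled values stay bound with ?.
my ($used_mb) = $dbh->selectrow_array(
    "SELECT SUM(acctinputoctets + acctoutputoctets) / $MB FROM radacct WHERE username = ?",
    undef, 'jon');

printf "64-bit total in SQL : %d octets\n", $octets;
printf "after 32-bit wrap   : %d octets -> %s\n", $wrapped,
       $wrapped > $quota_mb * $MB ? 'over quota' : 'under quota (wrong)';
printf "MB computed in SQL  : %d MB -> %s\n", $used_mb,
       $used_mb > $quota_mb ? 'over quota' : 'under quota';
```

The first comparison is the one the site config effectively makes when the raw octet sum is expanded into a 32-bit attribute; the third is the comparison Phil suggests, with both sides already in megabytes so that neither exceeds the 32-bit range.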


Re: your mail

2012-10-10 Thread Andrew Precht
I am too much a newbie to understand what you are suggesting.
Should I replace: return RLM_MODULE_OK with: return RLM_MODULE_UPDATED
in the perl script?

On Tue, Oct 9, 2012 at 11:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 Return rlm_module_updated

 alan
 --
 This smartphone uses free WiFi around the world with eduroam, now that's
 what I call smart.



Re: No Realm in table radacct

2012-10-10 Thread Alan DeKok
xylak...@vorsicht-bissig.de wrote:
  Yes, I know. I always read the debug. But I don't know how to change it!

  The User-Name comes from the user.  Log in using a realm, and
FreeRADIUS will use it.

 My biggest problem is, that I can't find any good descriptions about
 freeradius config.

  I guess the thousands of lines of documentation in the config files
don't help.

 Everything I learn by reading other stuff from forum and blogs. The wiki
 of freeradius is bad.

  It is written by volunteers.

 I've got an old book, Radius from O'Reilly, but this is about freeradius v1.

  And its content is largely copied from the FreeRADIUS documentation.

 So could you help me?

  With *what*?

  Ask good questions.  What do you want to do?  Magically invent a realm
where none exists?

  Alan DeKok.


Re: No Realm in table radacct

2012-10-10 Thread xylakant
The user mar...@kl-dfki.de is saved in the MySQL database as user markus on 
Server B.
So I activate module suffix to check for the realm and then it checks this 
user in the database.
This works, but the server only answers that it knows markus, not 
mar...@kl-dfki.de.

What should I do to configure my RADIUS server to receive the realm of 
markus? 

THX

Re: your mail

2012-10-10 Thread Phil Mayers

On 09/10/12 23:32, Andrew Precht wrote:


to: module = /etc/raddb/sjpl.pl

Also, in the perl file I have uncommented the line: func_authenticate
= authenticate

Next, in /etc/raddb/sites-enabled/default I added perl to the
authenticate {} section.


Your problem is that the script is just wrong.

You're running in the authorize section:


Access-Request packet from host 192.168.251.93 port 50827, id=0,
length=54
 User-Name = 21197904090320
 User-Password = 1533
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
rlm_perl: Added pair User-Name = 21197904090320
rlm_perl: Added pair User-Password = 1533
++[perl] returns ok


...but you're not arranging for yourself to be run in the authenticate 
section:



++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 21197904090320, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:


...i.e. Auth-Type is unset, so authenticate never runs.

There are many ways to solve this. Here's one:

authorize {
  ...
  perl
  if (ok) {
update control {
  Auth-Type = perl
}
  }
  ...
}
authenticate {
  ...
  Auth-Type perl {
perl
  }
  ...
}

Alternatively you could make your perl script set the Auth-Type item 
in the control list. And so on.


The point is you need to set an Auth-Type, and make your perl script 
handle it.

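The shape Phil describes, as an added example that is neither the poster's sjpl.pl nor FreeRADIUS's own example.pl: an rlm_perl script whose authorize() sets Auth-Type in the control list (the same effect as the `update control` block in Phil's unlang) and returns RLM_MODULE_UPDATED, and whose authenticate() then checks the password. The %RAD_REQUEST, %RAD_REPLY and %RAD_CHECK hashes and the return-code values are rlm_perl's conventions; the user/PIN table, the file name sjpl-example.pl and the --selftest switch are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example (not the poster's sjpl.pl): the minimal shape of an rlm_perl
# script that sets Auth-Type in authorize and handles it in authenticate.
# Pair it with "Auth-Type perl { perl }" in the authenticate section of the
# site config; the assignment to $RAD_CHECK{'Auth-Type'} below replaces the
# "update control { Auth-Type = perl }" block from the unlang variant.
use strict;
use warnings;

# rlm_perl fills these before each call and copies them back afterwards.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes, with the values FreeRADIUS's example.pl uses.
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_HANDLED  => 3,
    RLM_MODULE_INVALID  => 4,
    RLM_MODULE_USERLOCK => 5,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

# Constructed stand-in for whatever backend the real script consults.
my %PIN_FOR = ('21197904090320' => '1533');

# Called from the authorize section: decide whether we own this request.
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP
        unless defined $user && defined $RAD_REQUEST{'User-Password'};
    return RLM_MODULE_NOTFOUND unless exists $PIN_FOR{$user};

    # Without an Auth-Type in the control list the server logs
    # "No authenticate method (Auth-Type) found" and authenticate never runs.
    $RAD_CHECK{'Auth-Type'} = 'perl';
    return RLM_MODULE_UPDATED;      # pairs were modified
}

# Called from "Auth-Type perl { perl }" in the authenticate section.
sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pw   = $RAD_REQUEST{'User-Password'};
    my $want = defined $user ? $PIN_FOR{$user} : undef;

    return RLM_MODULE_REJECT
        unless defined $want && defined $pw && $pw eq $want;

    $RAD_REPLY{'Reply-Message'} = "Welcome $user";
    return RLM_MODULE_OK;
}

# Drive both hooks by hand, outside radiusd, the way the server would:
# authorize first, then authenticate only if control:Auth-Type got set.
sub simulate {
    my ($user, $pw) = @_;
    %RAD_REQUEST = ('User-Name' => $user, 'User-Password' => $pw);
    %RAD_REPLY   = ();
    %RAD_CHECK   = ();
    authorize();
    return 'no Auth-Type set, authenticate skipped'
        unless defined $RAD_CHECK{'Auth-Type'};
    return authenticate() == RLM_MODULE_OK ? 'Access-Accept' : 'Access-Reject';
}

# "perl sjpl-example.pl --selftest" runs the simulation; the flag is this
# example's own convention and rlm_perl never passes it, so loading the
# file inside radiusd does not trigger it.
if (@ARGV && $ARGV[0] eq '--selftest') {
    for my $case (['21197904090320', '1533'],
                  ['21197904090320', '0000'],
                  ['nobody',         '1533']) {
        printf "%-16s %-6s -> %s\n", @$case, simulate(@$case);
    }
}
```

To load it in radiusd, point `module =` in modules/perl at the file and leave func_authorize and func_authenticate at their defaults (authorize and authenticate); the third self-test case shows what happens when authorize declines the request and never sets Auth-Type, which is the state Andrew's first debug output was in.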


Re: No Realm in table radacct

2012-10-10 Thread Alan Buxey
A quick guess, your mysql user-name is set to be stripped-user-name? Check 
sql.conf and dialup.conf

alan


Re: your mail

2012-10-10 Thread Phil Mayers

On 10/10/12 18:30, Andrew Precht wrote:


Found Auth-Type = perl
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group perl {...}
rlm_perl: perl_embed:: module = /etc/raddb/sjpl.pl , func =
authenticate exit status= Undefined subroutine main::get called at
/etc/raddb/sjpl.pl line 92.


Pretty clear - you've got a bug in the perl script. Fix it. You need a 
func_authenticate in your perl script, and it needs to *work*. Fix the 
code on line 92 of the script.



Re: MAC authorization with rlm_sql not working

2012-10-10 Thread Alan DeKok
Stefano Zanmarchi wrote:
 Hi,
 our Freeradius is working fine with PEAP (NT hash passwords stored in 
 OpenLDAP).
 We'd like to add MAC authorization using MySQL: only people with MAC
 contained in
 radcheck should have access (provided they also type in the right password!).

  So you need to check passwords, and allow only known MACs.

 Radcheck has only one entry:
 +----+----------------------------+--------------------+----+-------------------+
 | id | username                   | attribute          | op | value             |
 +----+----------------------------+--------------------+----+-------------------+
 |  1 | uto.u...@studenti.unipd.it | Calling-Station-Id | == | 98-4B-4A-F5-BF-40 |
 +----+----------------------------+--------------------+----+-------------------+

  See the rlm_sql documentation.  This entry says:

for user uto.u...@studenti.unipd.it, check that Calling-Station-Id is
98-4B-4A-F5-BF-40.

  It doesn't *do* anything with that information.

 The problem is that uto.u...@studenti.unipd.it gets an Access-Accept packet,
 regardless of his Calling-Station-Id.

  Yes.  Because you're probably also checking passwords, and allowing
good passwords with bad MACs.

 Don't know if it's related but strangely (to me) when 
 uto.u...@studenti.unipd.it
 has Calling-Station-Id 98-4B-4A-F5-BF-40 (the one in radcheck) radiusd 
 performs
 this sql query:
SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'uto.u...@studenti.unipd.it' ORDER BY id
 and the radiusd -X output shows [sql] User found in radcheck table
 Same user, different Calling-Station-Id (73-1C-5C-B4-E0-55, not the
 one in radcheck),
 shows [sql] User uto.u...@studenti.unipd.it not found.

  Exactly.  The user and MAC entry is found when it matches.  It's not
found when it doesn't match.

 I enclose these files:

  Please don't.

  You can fix the issue by doing:

authorize {
...
sql
if (notfound) {
reject
}
...
}

  Alan DeKok.


freeradius force authentication reject for some users?

2012-10-10 Thread Eero Volotinen
Hi List,

I am using RADIUS-based OTP Yubikey authentication like this:

http://www.linuxforu.com/2011/08/setip-two-factor-authentication-using-openotp/

Is there a nice way to reject some users? I just want to reject RADIUS
authentication for user foo. This user has an account on OTP, but I want to
reject all authentication attempts on RADIUS.

Is there an option to force-reject authentication for users foo2, foo3 on
freeradius?

thanks,

--
Eero


Re: your mail

2012-10-10 Thread Andrew Precht
OK. I think I've got the script fixed.
But, I'm now getting: Denied access by RADIUS
Here is my debug:

Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = radiusd
prefix = /usr
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/radius
run_dir = /var/run/radiusd
libdir = /usr/lib64/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
  coa {
irt = 2
mrt = 16

Re: your mail

2012-10-10 Thread Jeff Smith
Andrew,

It appears that the problem is in your perl script:

 ++[perl] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject 

You need to fix your script.  You can run it by hand with perl -d to
see how it behaves, or insert print statements in it, etc., until it
works the way it should.

Jeff
