Re: 0.9.3 has been released

2003-11-21 Thread Oliver Graf
On Thu, Nov 20, 2003 at 03:51:13PM -0500, Alan DeKok wrote:
   Bug reports are nice.  Lack of notification is stupid.
 
   With that said, 0.9.3 has been released.  It's in the normal places:

I submitted a security report and a new package ebuild to the gentoo
( http://gentoo.org/ ) community.

Oliver.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Logging is no longer working

2003-11-21 Thread Mikael M. Hansen
Hi all

I have just upgraded from 0.9.1 to 0.9.3. And I can still authenticate
(from a Cisco VPN 3000 to freeRADIUS). But I can no longer receive
authentication messages in the log files (as seen below):

Fri Nov 21 07:33:23 2003 : Auth: rlm_unix: [auser]: invalid password
Fri Nov 21 07:33:23 2003 : Auth: Login incorrect: [auser] (from client vpn port 2854)
Fri Nov 21 07:33:30 2003 : Auth: Login OK: [user1] (from client vpn port 2854)
Fri Nov 21 08:13:46 2003 : Auth: Login OK: [user2] (from client vpn port 2884)

The configuration files (radiusd.conf, clients.conf and naslist) are the
same as the old ones. I cannot find any info that anything should have
changed with regards to logging. I have log_auth = yes in radiusd.conf
and I have also tried including -y on the commandline for radiusd.

Does anyone have any ideas?


MVH / Best regards

Mikael M. Hansen

IT-administrator
Computer Science Dept.  email: [EMAIL PROTECTED]
Aalborg University  phone: +45 9635 8905
Fredrik Bajers Vej 7E   room: E2-121
DK-9220 Aalborg, Denmark



Re: 0.9.3 has been released

2003-11-21 Thread 3APA3A
Dear Alan DeKok,


--Thursday, November 20, 2003, 11:51:13 PM, you wrote to [EMAIL PROTECTED]:


AD   As it turns out, however, the problem isn't as bad as it could have
AD been.  The bug he reported can cause the server to crash, but is
AD difficult to exploit.  Any attack code MUST be in the form of a valid
AD RADIUS packet, which significantly limits the possible exploits.

AD   However, there was another bug which the reporter did NOT discover,
AD which causes the server to de-reference a NULL pointer, and thus
AD crash, whenever an Access-Request packet containing a Tunnel-Password
AD attribute is received.

Neither bug is exploitable for code execution (the first one because the
target buffer is on the heap, not on the stack, and it's impossible to
overwrite a local variable inside memcpy, as in the case of the
apache-nosejob exploit, so memcpy will always segfault and never return).

It's fully identical to bug (2) described in
http://www.security.nnov.ru/search/document.asp?docid=2578
Either I missed this bug during the audit 1.5 years ago or it was
introduced later. At the time of the audit the tunneling support code was
present in the sources in a non-working state.


-- 
~/ZARAZA




Re[2]: 0.9.3 has been released

2003-11-21 Thread 3APA3A
Dear 3APA3A,


--Friday, November 21, 2003, 12:46:01 PM, you wrote to [EMAIL PROTECTED]:

3 http://www.security.nnov.ru/search/document.asp?docid=2578
3 Either I missed this bug during the audit 1.5 years ago or it was
3 introduced later.

Ammm... 3 years ago :) time goes fast :))
Probably it's time to do security audit again...

revision 1.63
date: 2001/11/29 09:45:00;  author: 3APA3A;  state: Exp;  lines: +51 -7  
! Vendor-Specific attribute check added to rad_receive to avoid memory   
  corruption in case of invalid attribute length inside Vendor-Specific  
  attribute  
! dict_vendorcode() call removed from rad_decode(). We do not need it any
  more.  

-- 
~/ZARAZA


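The length checks the two messages above are about, as an added Python example. This is illustrative code written for this page, not FreeRADIUS's rad_receive or rad_decode: it walks a packet's attribute list and the sub-attribute list inside each Vendor-Specific attribute, and refuses any length octet that is below 2 or runs past the enclosing buffer, which is exactly the condition under which an unchecked memcpy reads or writes beyond the heap buffer 3APA3A describes. The sample packets, the use of Cisco's vendor id 9 and the sub-attribute contents are constructed for the demo.

```python
"""RADIUS attribute length validation.

Added illustrative example, not FreeRADIUS code. It shows the class of
check the 2001 CVS log entry above describes for rad_receive: the length
octet of every attribute, and of every sub-attribute inside a
Vendor-Specific (type 26) attribute, is attacker-controlled and must be
checked against the bytes actually present before anything is copied.
The constants and sample packets below are constructed for the demo.
"""
import struct

VENDOR_SPECIFIC = 26
HEADER_LEN = 20            # code(1) + identifier(1) + length(2) + authenticator(16)


class MalformedPacket(ValueError):
    """Raised where an unchecked C implementation would read past its buffer."""


def walk_tlvs(buf, what):
    """Yield (type, value) for each type/length/value triple in buf.

    RFC 2865: the length counts the type and length octets, so it is never
    below 2, and it may never run past the end of the enclosing buffer.
    """
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise MalformedPacket(f"{what}: truncated header at offset {off}")
        atype, alen = buf[off], buf[off + 1]
        if alen < 2:
            raise MalformedPacket(f"{what}: attribute {atype} has length {alen} < 2")
        if off + alen > len(buf):
            raise MalformedPacket(
                f"{what}: attribute {atype} claims {alen} bytes, only {len(buf) - off} remain")
        yield atype, buf[off + 2:off + alen]
        off += alen


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, value), ...]).

    The outer length was already checked against the packet, but the inner
    sub-attribute lengths are a second, independent set of untrusted
    numbers. Skipping this inner check is the bug the CVS entry fixes.
    """
    if len(value) < 4:
        raise MalformedPacket("Vendor-Specific: shorter than the 4-byte vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, list(walk_tlvs(value[4:], f"vendor {vendor_id}"))


def check_packet(pkt):
    """Validate a whole packet; return (code, identifier, attrs, vsas)."""
    if len(pkt) < HEADER_LEN:
        raise MalformedPacket("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    # Octets past `length` are padding and ignored; a length beyond the
    # datagram is an error (RFC 2865 section 3).
    if length < HEADER_LEN or length > len(pkt):
        raise MalformedPacket(f"header says {length} bytes, datagram has {len(pkt)}")
    attrs = list(walk_tlvs(pkt[HEADER_LEN:length], "packet"))
    vsas = [parse_vsa(v) for t, v in attrs if t == VENDOR_SPECIFIC]
    return code, ident, attrs, vsas


def is_well_formed(pkt):
    try:
        check_packet(pkt)
        return True
    except MalformedPacket:
        return False


# --- constructed sample packets (not captured traffic) ----------------------

def build_tlvs(pairs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)


def build_packet(code, ident, attrs):
    body = build_tlvs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + b"\x00" * 16 + body


def build_vsa(vendor_id, subs):
    return struct.pack("!I", vendor_id) + build_tlvs(subs)


CISCO_AVPAIR = build_vsa(9, [(1, b"shell:priv-lvl=15")])   # vendor 9, sub-type 1 (assumed demo content)
GOOD = build_packet(1, 7, [(1, b"alice"), (VENDOR_SPECIFIC, CISCO_AVPAIR)])

# Same Access-Request, but the inner sub-attribute length is bumped to 0xFF
# while the outer attribute (and the datagram) stay the right size.
_evil_vsa = bytearray(CISCO_AVPAIR)
_evil_vsa[5] = 0xFF                      # offset 4 = sub-type, offset 5 = sub-length
EVIL_VSA = build_packet(1, 8, [(1, b"alice"), (VENDOR_SPECIFIC, bytes(_evil_vsa))])

TRUNCATED = GOOD[:-3]                    # header length field now exceeds the datagram
ZERO_LEN = GOOD[:2] + b"\x00\x16" + GOOD[4:20] + b"\x01\x00"   # one attribute with length 0

SAMPLES = {"good": GOOD, "evil_vsa": EVIL_VSA, "truncated": TRUNCATED, "zero_len": ZERO_LEN}


def classify_samples():
    """Map each sample name to whether a careful receiver accepts it."""
    return {name: is_well_formed(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print(f"{name:10s} {'accepted' if ok else 'dropped'}")
```

The outer check alone passes EVIL_VSA, because its outer attribute length and the header length are both honest; only the walk over the vendor sub-attributes catches the 0xFF. Both loops are needed, which is what the "Vendor-Specific attribute check added to rad_receive" entry is about.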


Re: 0.9.3 has been released

2003-11-21 Thread Nick Davis
On Thursday 20 November 2003 20:07, Paul Hampson wrote:
 As a bonus, the rlm_ippool pod2man call got fixed for perl  5.6, and
 rlm_eap has been silenced in the case where it is called upon a non-EAP
 packet.

 There are packages for Debian at
 http://www.tbble.com/freeradius/
 They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
 muck with the new source archive; and (b) we're  this close to getting
 into Debian/unstable so I don't want to muck with things too much until
 that's done.

 Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
 are the same as the 0.9.3 tarball above, but with major Debian packaging
 improvements (big thanks to Steve Langasek for his guidance here) which
 will hopefully go into 1.0.0 and 0.9.4's tarballs.

 --

Paul,

 I see that these deb packages have the same dependency issues we discussed in 
December with libiodbc2 and libltdl3. The Depends says:
 freeradius: Depends: libiodbc2 (= 3.51.1-3) but 3.51.1-1 is installed
  Depends: libltdl3 (= 1.5-3) but 1.5-2 is installed
 freeradius-mysql: Depends: zlib1g (= 1:1.2.1) but 1:1.1.4-16 is installed

I am running Sarge, and I tried to search through unstable. Where do those 
versions of those libraries come from? Several of the debian web servers have 
been compromised and are down for inspection, so I am not able to search for 
the necessary versions of these libraries.

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

I am going to get the cvs and build my own deb packages without these 
dependencies and without the extra modules like before, but I just wanted to 
see what your current thoughts are on this issue.

Thanks for your work!

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: 0.9.3 has been released

2003-11-21 Thread Nick Davis
On Thursday 20 November 2003 20:07, Paul Hampson wrote:
 As a bonus, the rlm_ippool pod2man call got fixed for perl  5.6, and
 rlm_eap has been silenced in the case where it is called upon a non-EAP
 packet.

 There are packages for Debian at
 http://www.tbble.com/freeradius/
 They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
 muck with the new source archive; and (b) we're  this close to getting
 into Debian/unstable so I don't want to muck with things too much until
 that's done.

 Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
 are the same as the 0.9.3 tarball above, but with major Debian packaging
 improvements (big thanks to Steve Langasek for his guidance here) which
 will hopefully go into 1.0.0 and 0.9.4's tarballs.

 --

Paul,
 Ignore the previous msg, I put Dec instead of Sept in the first line.

 I see that these deb packages have the same dependency issues we discussed in 
September with libiodbc2 and libltdl3. The Depends says:
 freeradius: Depends: libiodbc2 (= 3.51.1-3) but 3.51.1-1 is installed
  Depends: libltdl3 (= 1.5-3) but 1.5-2 is installed
 freeradius-mysql: Depends: zlib1g (= 1:1.2.1) but 1:1.1.4-16 is installed

I am running Sarge, and I tried to search through unstable. Where do those 
versions of those libraries come from? Several of the debian web servers have 
been compromised and are down for inspection, so I am not able to search for 
the necessary versions of these libraries.

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

I am going to get the cvs and build my own deb packages without these 
dependencies and without the extra modules like before, but I just wanted to 
see what your current thoughts are on this issue.

Thanks for your work!

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Can't get freeradius-0.9.3 compiled on Redhat 9

2003-11-21 Thread Sebastiaan Mangoentinojo
Hi,

I spent the better half of the day trying to compile Freeradius on Redhat 9
(I'm going to use it for test purposes), but I'm stuck at the moment.

I get the following ./configure warnings: 

configure: warning: silently not building rlm_eap_tls.
configure: warning: FAILURE: rlm_eap_tls requires:  (openssl/ssl.h).
configure: warning: the comm_err library isn't found!
configure: warning: silently not building rlm_krb5.
configure: warning: FAILURE: rlm_krb5 requires:  krb5.
configure: warning: silently not building rlm_ldap.
configure: warning: FAILURE: rlm_ldap requires:  liblber.
configure: warning: silently not building rlm_pam.
configure: warning: FAILURE: rlm_pam requires:  libpam.
configure: warning: iodbc headers not found.  Use
--with-iodbc-include-dir=path.
configure: warning: sql submodule 'iodbc' disabled
configure: warning: silently not building rlm_sql_postgresql.
configure: warning: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.
configure: warning: oracle headers not found.  Use
--with-oracle-home-dir=path.
configure: warning: sql submodule 'oracle' disabled
configure: warning: unixODBC headers not found.  Use
--with-unixodbc-include-dir=path.
configure: warning: sql submodule 'unixodbc' disabled
configure: warning: silently not building rlm_x99_token.
configure: warning: FAILURE: rlm_x99_token requires:  des_cbc_encrypt.

ssl.h is in /usr/include/openssl on my system. I tried to use ./configure
with --with-openssl-inc=/usr/include and /usr/include/openssl etc. but with
no luck. OpenSSL on my system is RPM-based. I can't easily remove it
because it has a whole lot of dependencies with other RPMs I need (I know
RPMs suck sometimes). Any tips?

Cheers,

Seb







huntgroups

2003-11-21 Thread Anson Rinesmith
Maybe I am using huntgroups wrong, but I would like huntgroup0 to use
ports 1-8, huntgroup1 to use ports 9-16 and huntgroup2 to use ports 17-24.

I am using mysql, and would like to keep using this as much as possible.

I added
username  Huntgroup-Name == test1
to my radcheck table, where username has its own entry for Password in
that same table.

I added
test1  NAS-IP-Address == 192.168.69.24, NAS-Port-ID == 1-7

All I get is a rejected pair when trying to log in.

Should this all be in the DB somewhere? Any help?



Anson Rinesmith
Internet Operations Manager
Big River Telephone Company
800-455-1608 x106
573-382-0555
www.bigrivertelephone.com

Real People. Real Service. Real Simple.

Authenticating users without a password..

2003-11-21 Thread Stephen Fulton



Hi all,

I forgot my RADIUS book, otherwise I'd look it up. I've Google'd without
success. When I add a user without a password, I get this error message:

Auth: Login incorrect: [a-test/no User-Password attribute] (from client 10.100.5.10 port 0)

If I have the Password AV pair there, but without a password in the Value
field, it still fails. When a password is put in the Value field, it works.

Thoughts?

-- Stephen.


Re: Authenticating users without a password..

2003-11-21 Thread Chris Parker
At 10:01 AM 11/21/2003, Stephen Fulton wrote:
Hi all,

I forgot my RADIUS book, otherwise I'd look it up.  I've Google'd without 
success.  When I add a user without a password, I get this error message:

Auth: Login incorrect: [a-test/no User-Password attribute] (from client 
10.100.5.10 port 0)

If I have the Password AV pair there, but without a password in the Value 
field, it still fails.  When a password is put in the Value field, it works.

Thoughts?

Auth-Type := Accept?

-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net


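Chris's Auth-Type := Accept answer, written out as a users-file entry. This is an added illustration, not text from the thread; the account name and the NAS address are taken from Stephen's log line, and the Reply-Message is assumed. A bare Auth-Type := Accept accepts every Access-Request that names this user, whatever User-Password does or does not contain, so the entry pins it to the one NAS that should be asking:

```text
# users file: accept a-test with no password check, but only from one NAS
a-test  Auth-Type := Accept, NAS-IP-Address == 10.100.5.10
        Reply-Message = "No password required for this account"
```

Check items on the first line (the NAS-IP-Address match) must all hold before the entry applies; anything after the comma-separated first line is sent back in the Access-Accept. Without the NAS-IP-Address item, any client listed in clients.conf could obtain an Accept for a-test with an empty or missing password.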


Re: Printable ascii characters

2003-11-21 Thread Alan DeKok
Lance Davis [EMAIL PROTECTED] wrote:
 sql_escape_func() in rlm_sql.c doesn't think that '#' is an ascii printable 
 character, so replaces it with '=23' , which then fails to match the 
 username :(
 
 Is there any reason for this, and also for the other ascii printable 
 characters that are valid in usernames but wouldn't pass the test :-

  See long discussions in the list archives.

  That string could probably be made configurable...

  Alan DeKok.

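The escaping Lance describes, and that Alan says could be made configurable, as an added Python example; this is not rlm_sql's sql_escape_func. It keeps a whitelist of safe characters and rewrites every other byte as '=' plus two hex digits, so a stored username containing '#' is searched for as '=23' and never matches, while a quote in an attacker-supplied User-Name never reaches the SQL string literal. The safe set below is an assumption (the page only says '#' is outside the real one), as are the table rows and the query text.

```python
"""Whitelist escaping of SQL query values.

Added illustrative example of the behaviour the thread describes, not
rlm_sql's own code: anything outside a "safe" character set is replaced by
'=' and two hex digits, so a User-Name containing '#' is queried as
'...=23...' and never matches a row whose stored username holds a literal
'#'. The safe set, the table rows and the query shape are all assumptions.
"""
import string

# The page says '#' is outside the default set but does not print the set
# itself; this one is an assumption. '=' must never be in it, or the
# =HH escapes would be ambiguous on the way back.
DEFAULT_SAFE = string.ascii_letters + string.digits + "@_-."


def sql_escape(value, safe=DEFAULT_SAFE):
    """Keep characters in `safe`; hex-escape every other byte as =HH."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if byte < 0x80 and ch in safe else "=%02X" % byte)
    return "".join(out)


# Constructed stand-in for a radcheck table: username -> password.
RADCHECK = {"alice": "s3cret", "bob#1": "hunter2", "o'brien": "pw"}


def lookup(username, safe=DEFAULT_SAFE):
    """Build the query the module would send and run it against RADCHECK.

    The escaped string is interpolated into SQL text, as the module did,
    and a dict lookup stands in for the database matching the literal value.
    Returns (query_text, password_or_None).
    """
    escaped = sql_escape(username, safe)
    query = f"SELECT password FROM radcheck WHERE username = '{escaped}'"
    return query, RADCHECK.get(escaped)


def demo():
    """Show the miss on '#', the fix of widening the set, and why '\'' stays out."""
    widened = DEFAULT_SAFE + "#"
    return {
        "alice_default": lookup("alice")[1],
        "bob_default": lookup("bob#1")[1],            # '#' -> '=23', no match
        "bob_widened": lookup("bob#1", widened)[1],   # '#' allowed, matches
        "obrien_default": lookup("o'brien")[1],       # quote -> '=27', no match
        # The quote is never let through, whichever set is used, so the
        # classic payload cannot close the string literal.
        "injection_query": lookup("' OR '1'='1", widened)[0],
        "injection_hit": lookup("' OR '1'='1", widened)[1],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result!r}")
```

The trade-off the thread is circling: widening the safe set (or making it configurable) fixes the '#' lookups, but every character added is one the database now receives unescaped, so the quote and the other SQL metacharacters have to stay out however the set is tuned.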


Re: 0.9.3 has been released

2003-11-21 Thread Alan DeKok
Oliver Graf [EMAIL PROTECTED] wrote:
With that said, 0.9.3 has been released.  It's in the normal places:
 
 I submitted a security report and a new package ebuild to the gentoo
 ( http://gentoo.org/ ) community.

  Thanks.  This just re-iterates my belief that RADIUS servers should be
on private networks, far away from any possible source of malicious
packets.

  Alan DeKok.



Foundry command authorization help

2003-11-21 Thread Kaczmarek, Thaddeus

I am having some issues with command authorization. Foundry has a
Foundry-Command-String attribute and I suspect I am just a chucklehead :-)


Syntax should be 


Foundry-Command-String = configure terminal,
Foundry-Command-String = int ethernet 20,
Foundry-Command-String = speed-duplex *,


or
Foundry-Command-String = configure terminal, int ethernet 20,
speed-duplex *,


I have tried both but am suspecting that Foundry does not support what I
think they do :-)


They have authorization levels 0,4 and 5. But in the cli you can only
enter one. I am used to Cisco where you can have multiple ones hence my
despair.



If anyone has been here before any tips would be greatly appreciated.


Ted



DISCLAIMER
e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me and permanently delete the original and any copy of any e-mail and any printout thereof.

E-mail transmission cannot be guaranteed to be secure or error-free. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission.

REGARDING PRIVACY AND CONFIDENTIALITY
Crown Financial Group may, at its discretion, monitor and review the content of all e-mail communications.





092 Crashes with unknown tokens

2003-11-21 Thread Greg G
I'm working on migrating from a Livingston 2.1.0 radius server to 
FreeRadius 0.9.2, and I'm running into some odd stuff.  The most notable 
of this stuff is that if there's a key in the users file that FR doesn't 
recognize, it crashes!  That's bad.  I haven't yet chased this down, as 
I wanted to ask if this was already a known issue.

Thanks.

-Greg G





092 radping calls radwho incorrectly?

2003-11-21 Thread Greg G
It looks like radping is calling radwho with both a -o and a -e option.  
radwho doesn't take either of these options, and consequently doesn't run.

Hmmm.  Here's the other odd thing.  I can't see where that radping 
script is being created.  Do I maybe have something from a different 
radius distro?

-Greg G





Re: 092 Crashes with unknown tokens

2003-11-21 Thread Alan DeKok
Greg G [EMAIL PROTECTED] wrote:
 I'm working on migrating from a Livingston 2.1.0 radius server to 
 FreeRadius 0.9.2, and I'm running into some odd stuff.  The most notable 
 of this stuff is that if there's a key in the users file that FR doesn't 
 recognize, it crashes!

  Key?  What are keys?

 I haven't yet chased this down, as I wanted to ask if this was
 already a known issue.

  Nope.  See 'doc/bugs' for more details.

  Alan DeKok.



Re: Can't get freeradius-0.9.3 compiled on Redhat 9

2003-11-21 Thread Kaczmarek, Thaddeus

Want me to email you the rpms I built?
Ted
On Fri, 2003-11-21 at 10:21, Sebastiaan Mangoentinojo wrote:
 Hi,
 
 I spent the better half of the day trying to compile Freeradius on Redhat 9
 (I'm going to use it for test purposes), but I'm stuck at the moment.
 
 I get the following ./configure warnings:
 
 [...]
 
 ssl.h is in /usr/include/openssl on my system. I tried to use ./configure
 with --with-openssl-inc=/usr/include and /usr/include/openssl etc. but with
 no luck. OpenSSL on my system is RPM-based. I can't easily remove it
 because it has a whole lot of dependencies with other RPMs I need (I know
 RPMs suck sometimes). Any tips?
 
 Cheers,
 
 Seb

Re: Can't get freeradius-0.9.3 compiled on Redhat 9

2003-11-21 Thread [EMAIL PROTECTED]
Could you post the rpm file as well as the steps you used to create the
rpm? I have been playing around with trying to build an rpm and have not
had much success.

dave


  - Original Message -
  From: Kaczmarek, Thaddeus
  To: [EMAIL PROTECTED]
  Sent: Friday, November 21, 2003 10:40 AM
  Subject: Re: Can't get freeradius-0.9.3 compiled on Redhat 9

  Want me to email you the rpms I built?
  Ted


RE: Can't get freeradius-0.9.3 compiled on Redhat 9

2003-11-21 Thread Sebastiaan Mangoentinojo
Yea that would be nice! :)

  -----Original Message-----
  From: Kaczmarek, Thaddeus [mailto:[EMAIL PROTECTED]]
  Sent: Friday, 21 November 2003 17:40
  To: [EMAIL PROTECTED]
  Subject: Re: Can't get freeradius-0.9.3 compiled on Redhat 9

  Want me to email you the rpms I built?
  Ted


Re: Can't get freeradius-0.9.3 compiled on Redhat 9

2003-11-21 Thread Kaczmarek, Thaddeus

download freeradius-0.9.3.tar.gz
tar xvfz freeradius-0.9.3.tar.gz
cp freeradius-0.9.3.tar.gz /usr/src/redhat/SOURCES
rpmbuild -ba freeradius-0.9.3/redhat/freeradius.spec


If that doesn't work you probably don't have some development library
installed.


rpm -q --whatprovides /usr/include/openssl/des_old.h
should return
openssl-devel-0.9.7a-20


yum update openssl-devel
up2date openssl-devel



I will email you the rpms if this does not work for you.


Ted


On Fri, 2003-11-21 at 11:54, [EMAIL PROTECTED] wrote:
 Could you post the rpm file as well as the steps
 you used to create the rpm? I have been playing around
 with trying to build an rpm and have not had much success.
 
 dave
 


Re: 0.9.3 has been released

2003-11-21 Thread Bill Campbell
On Fri, Nov 21, 2003, Alan DeKok wrote:
Oliver Graf [EMAIL PROTECTED] wrote:
With that said, 0.9.3 has been released.  It's in the normal places:
 
 I submitted a security report and a new package ebuild to the gentoo
 ( http://gentoo.org/ ) community.

  Thanks.  This just re-iterates my belief that RADIUS servers should be
on private networks, far away from any possible source of malicious
packets.

Either that, or packet filters that restrict the hosts that can
access the radius servers.

On a related security note, the src/lib/radius.c program has several
references to msg_auth_vector and calc_auth_vector starting around line
1108 with several memcpy and memcmp operations, some of which use
sizeof(calc_auth_vector) for the length, others with AUTH_VECTOR_LEN.
Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I
doubt these lengths would be the same.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Systems, Inc.
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The meek shall inherit the Earth, the rest of us will go to the stars...''
-Dr. Isaac Asimov

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


link to my debian packages based on 0.9.3

2003-11-21 Thread Nick Davis
All,
 I posted new versions of my slimmed down debian packages:
http://mrtizmo.com/freeradius/index.html

The big thing I did was to remove the need for iodbc, since it has a lot of 
nasty dependencies.

The page explains what all I removed and how I did so. Please feel free to use 
what you can.

Enjoy!

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: Foundry command authorization help

2003-11-21 Thread Dave Mussulman
 From: Kaczmarek, Thaddeus [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Foundry command authorization help
 Date: Fri, 21 Nov 2003 11:21:00 -0500
 Reply-To: [EMAIL PROTECTED]
 
 I am having some issues with command authorization. Foundry has a
 Foundry-Command-String attribute and suspect I am just a chucklehead :-)
 
 Syntax should be 
 
 Foundry-Command-String = configure terminal,
 Foundry-Command-String = int ethernet 20,
 Foundry-Command-String = speed-duplex *,
 
 or
 Foundry-Command-String = configure terminal, int ethernet 20,
 speed-duplex *,
 
 I have tried both but am suspecting that Foundry does not support what I
 think they do :-)
 
 They have authorization levels 0,4 and 5. But in the cli you can only
 enter one. I am used to Cisco where you can have multiple ones hence my
 despair.

First, the Foundry dictionary file that comes with FreeRADIUS doesn't
have those attributes, so you'll need to edit it.  What you need to add
is pretty straightforward in Foundry's docs.  (I'll submit my dictionary
file to the project when I'm sure it's got everything; I just added some
stuff for their management software yesterday.)

Second, you'll need to give the user the appropriate privilege level,
and use the command-exception-flag VSA to tell it to only allow those
commands.  And then, list all the commands comma-separated in the
foundry-command-string attribute.  What's below works for me:

maint   Crypt-Password == junk
foundry-privilege-level = 0,
foundry-command-string = copy running-config *; enable,
foundry-command-exception-flag = 0

This is with a FastIron 1500 running 07.6.03hT51.

Good luck,
Dave



Re: Foundry command authorization help

2003-11-21 Thread Chris Parker
At 11:23 AM 11/21/2003, Dave Mussulman wrote:
 First, the Foundry dictionary file that comes with FreeRADIUS doesn't
 have those attributes, so you'll need to edit it.  What you need to add
 is pretty straightforward in Foundry's docs.  (I'll submit my dictionary
 file to the project when I'm sure it's got everything; I just added some
 stuff for their management software yesterday.)

Patch please?  Or list of the AV's?  If no one reports it, it won't get
included in later versions either.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Foundry command authorization help

2003-11-21 Thread Kaczmarek, Thaddeus
They came with both versions I have tried, 0.91 and 0.93.
They were in /usr/share/freeradius folder.


Ted
On Fri, 2003-11-21 at 12:43, Chris Parker wrote:
 At 11:23 AM 11/21/2003, Dave Mussulman wrote:
 
 First, the Foundry dictionary file that comes with FreeRADIUS doesn't
 have those attributes, so you'll need to edit it. What you need to add
 is pretty straightforward in Foundry's docs. (I'll submit my dictionary
 file to the project when I'm sure it's got everything; I just added some
 stuff for their management software yesterday.)
 
 Patch please? Or list of the AV's? If no one reports it, it won't get
 included in later versions either.
 
 -Chris
 --
 \\\|||/// \ StarNet Inc. \ Chris Parker
 \ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
 | @ @ | \ http://www.starnetwx.net \ (847) 963-0116
 oOo---(_)---oOo--\--
 \ Wholesale Internet Services - http://www.megapop.net
 





Re: rlm_radutmp: Logout entry for NAS has wrong ID

2003-11-21 Thread Brad Stockdale
Hello all,

   Anyone know what causes this log entry:

	rlm_radutmp: Logout entry for NAS hostname port 0 has wrong ID

   Specifically the NAS in question is a Cisco 3640 router that is 
aggregating my ADSL traffic. Users are using PAP authentication. It's 
always worked fine, except for the wrong ID message when someone logs 
out... I also have PM3's that are authenticating off of this same server 
and they work flawlessly...

   Do Cisco boxes change ID's throughout the life of the session or something?

Thanks,
Brad


Re: 0.9.3 has been released

2003-11-21 Thread Chris Parker
At 11:18 AM 11/21/2003, Bill Campbell wrote:
 On Fri, Nov 21, 2003, Alan DeKok wrote:
  Oliver Graf [EMAIL PROTECTED] wrote:
    With that said, 0.9.3 has been released.  It's in the normal places:
   
   I submitted a security report and a new package ebuild to the gentoo
   ( http://gentoo.org/ ) community.
  
    Thanks.  This just re-iterates my belief that RADIUS servers should
  be on private networks, far away from any possible source of malicious
  packets.
 
 Either that, or packet filters that restrict the hosts that can
 access the radius servers.

Wouldn't work in this case, since packets are UDP: a packet with a spoofed
source of a valid client will pass the filter.  :\  All you'd need to
DOS a radius server is a valid client IP.  The RADIUS protocol makes
it very hard to enforce additional restrictions, as the packet format
is all in cleartext ( excepting certain Password attributes ) with
no validation or signing.

The Message-Authenticator value would serve this purpose, however
it is not required, and as such doesn't help in this case, either,
and won't until or unless it is made mandatory.  That would then
break old clients/servers that don't support Message-Authenticator.

http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

The light at the end of the tunnel is that it *was* made mandatory
for any packet with EAP-Message attributes.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: 092 Crashes with unknown tokens

2003-11-21 Thread Greg G
Alan DeKok wrote:
 Greg G [EMAIL PROTECTED] wrote:
  I'm working on migrating from a Livingston 2.1.0 radius server to 
  FreeRadius 0.9.2, and I'm running into some odd stuff.  The most notable 
  of this stuff is that if there's a key in the users file that FR doesn't 
  recognize, it crashes!
 
   Key?  What are keys?

Sorry, I didn't explain myself well. Here's a sample entry from my
users file. I'm calling the thing to the left of the = sign a key.
This entry will crash FR 092, when it gets to the "My-Key = My-Value"
entry.

test_user Crypt-Password = "07IycyqZJjvKw"
 Framed-Address = 255.255.255.254,
 Framed-Compression = Van-Jacobsen-TCP-IP,
 Framed-MTU = 1500,
 Framed-Netmask = 255.255.255.255,
 User-Service-Type = Framed-User,
 My-Key = My-Value,
 Port-Limit = 1,
 Framed-Routing = None,
 Framed-Protocol = PPP

  I haven't yet chased this down, as I wanted to ask if this was
  already a known issue.
 
   Nope.  See 'doc/bugs' for more details.

OK. I'll rebuild the server and see what I get. At least I'm doing
the first part. :)

-Greg G





Re: 0.9.3 has been released

2003-11-21 Thread Bill Campbell
On Fri, Nov 21, 2003, Chris Parker wrote:
 At 11:18 AM 11/21/2003, Bill Campbell wrote:
  On Fri, Nov 21, 2003, Alan DeKok wrote:
   Oliver Graf [EMAIL PROTECTED] wrote:
     With that said, 0.9.3 has been released.  It's in the normal places:
    
    I submitted a security report and a new package ebuild to the gentoo
    ( http://gentoo.org/ ) community.
   
     Thanks.  This just re-iterates my belief that RADIUS servers should
   be on private networks, far away from any possible source of malicious
   packets.
  
  Either that, or packet filters that restrict the hosts that can
  access the radius servers.
 
 Wouldn't work in this case, since packets are UDP: a packet with a spoofed
 source of a valid client will pass the filter.  :\  All you'd need to
 DOS a radius server is a valid client IP.  The RADIUS protocol makes
 it very hard to enforce additional restrictions, as the packet format
 is all in cleartext ( excepting certain Password attributes ) with
 no validation or signing.

It's kinda hard to have the radius server on a private network if it's
doing authentication for wholesale dialup connections :-).

 The Message-Authenticator value would serve this purpose, however
 it is not required, and as such doesn't help in this case, either,
 and won't until or unless it is made mandatory.  That would then
 break old clients/servers that don't support Message-Authenticator.
 
 http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes,
and Nortel makes it difficult to get updated software.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``No matter how much I may exaggerate it, it must have a certain amount of
truth...Now rumor travels fast but it don't stay put as long as truth''
Will Rogers



093 Crashes with unknown tokens

2003-11-21 Thread Greg G
Here's what I get from FR 0.93

/usr/local/etc/raddb/users[9]: Parse error (reply) for entry 007gold: 
Unknown attribute My-Key
Errors reading /usr/local/etc/raddb/users
radiusd.conf[921]: files: Module instantiation failed.

And then back to a prompt.  That's bad since I won't always be able to 
watch the radiusd start up.

-Greg G





Re: 093 Crashes with unknown tokens

2003-11-21 Thread Alan DeKok
Greg G [EMAIL PROTECTED] wrote:
 Here's what I get from FR 0.93
 
 /usr/local/etc/raddb/users[9]: Parse error (reply) for entry 007gold: 
 Unknown attribute My-Key
 Errors reading /usr/local/etc/raddb/users
 radiusd.conf[921]: files: Module instantiation failed.
 
 And then back to a prompt.  That's bad since I won't always be able to 
 watch the radiusd start up.

  So... it doesn't crash.  It gives an error, which tells you what
went wrong, and why.

  What, exactly is unclear about the error message?

  Alan DeKok.



Re: 0.9.3 has been released

2003-11-21 Thread Alan DeKok
Bill Campbell [EMAIL PROTECTED] wrote:
 On a related security note, the src/lib/radius.c program has several
 references to msg_auth_vector and calc_auth_vector starting around line
 1108 with several memcpy and memcmp operations, some of which use
 sizeof(calc_auth_vector) for the length, others with AUTH_VECTOR_LEN.
 Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I
 doubt these lengths would be the same.

  Huh? Why?

  For uint8_t arrays, the 'sizeof' the array is the number of elements.

  Alan DeKok.



What goes in acct_users a seg fault

2003-11-21 Thread Greg G
I'm trying to figure out what goes into the acct_users.  I had thought 
it was user entries like those in the users file, but that doesn't seem 
to really be the case.  It appears to be getting parsed the same way 
(based on 'My-Key' entries that get rejected).  However, at run-time, 
that doesn't appear to be the case.  In fact, I get a seg-fault.

rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:36538, 
id=167, length=27
   User-Name = test1
modcall: entering group preacct for request 0
 modcall[preacct]: module preprocess returns noop for request 0
   rlm_realm: No '@' in User-Name = test1, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[preacct]: module suffix returns noop for request 0
 modcall[preacct]: module files returns noop for request 0
modcall: group preacct returns noop for request 0
modcall: entering group accounting for request 0
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in 
request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in 
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 
xxx.xxx.xxx.xxx,NAS-IP-Address = xxx.xxx.xxx.xxx,,User-Name = test1'
rlm_acct_unique: Acct-Unique-Session-ID = 4a16e50737b1c920.
 modcall[accounting]: module acct_unique returns ok for request 0
radius_xlat:  
'/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-20031121'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-20031121
Segmentation Fault(coredump)
#

(gdb) bt
#0  0xff0c69a8 in memccpy () from /usr/lib/libc.so.1
#1  0xff10d6bc in fputs () from /usr/lib/libc.so.1
#2  0xfe6a0c0c in do_detail (instance=0x401c020, request=0x142080, 
pair=0x142160) at rlm_detail.c:225
#3  0x1d830 in call_modsingle (component=3, sp=0x140800, 
request=0x142080, default_result=7) at modcall.c:201
#4  0x1d988 in modcall (component=3, c=0x140800, request=0x142080) at 
modcall.c:312
#5  0x1d8d8 in call_modgroup (component=3, g=0x140800, request=0x142080, 
default_result=2) at modcall.c:226
#6  0x1da14 in modcall (component=3, c=0x1407c0, request=0x142080) at 
modcall.c:303
#7  0x17884 in rad_accounting (request=0x142080) at acct.c:69
#8  0x15118 in rad_respond (request=0x142080, fun=0x177c8 
rad_accounting) at radiusd.c:1537
#9  0x14b84 in rad_process (request=0x142080, dospawn=0) at radiusd.c:1244
#10 0x145b4 in main (argc=1, argv=0xef3c) at radiusd.c:1020

Hmm.  That line seems to be  fputs(ctime_r(request->timestamp, 
buffer), outfp);

I can't set a breakpoint there, though.  I'm not sure if it's in a 
shared library or because it's getting built with -g -O2.

-Greg G







Re: 0.9.3 has been released

2003-11-21 Thread Chris Parker
At 12:26 PM 11/21/2003, Bill Campbell wrote:
 On Fri, Nov 21, 2003, Chris Parker wrote:
  At 11:18 AM 11/21/2003, Bill Campbell wrote:
   On Fri, Nov 21, 2003, Alan DeKok wrote:
    Oliver Graf [EMAIL PROTECTED] wrote:
      With that said, 0.9.3 has been released.  It's in the normal places:
     
     I submitted a security report and a new package ebuild to the gentoo
     ( http://gentoo.org/ ) community.
    
      Thanks.  This just re-iterates my belief that RADIUS servers should
    be on private networks, far away from any possible source of malicious
    packets.
   
   Either that, or packet filters that restrict the hosts that can
   access the radius servers.
  
  Wouldn't work in this case, since packets are UDP: a packet with a spoofed
  source of a valid client will pass the filter.  :\  All you'd need to
  DOS a radius server is a valid client IP.  The RADIUS protocol makes
  it very hard to enforce additional restrictions, as the packet format
  is all in cleartext ( excepting certain Password attributes ) with
  no validation or signing.
 
 It's kinda hard to have the radius server on a private network if it's
 doing authentication for wholesale dialup connections :-).

Yes.  Kinda a problem there.  However, an Auth-Req from a proxy target
will not match the clients list and will be discarded.  You could
run a private network between the NAS and the Radius, but then Radius
running on multihomed systems has always been interesting.  Certainly
doable though, given enough time.

IPSec is another tool that could help.

 Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes,
 and Nortel makes it difficult to get updated software.

That's a problem with Nortel.  If the rest of the world can figure out
how to do Radius securely and safely, we shouldn't compromise the whole
for the few that can't figure out how to follow the RFCs.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: 093 Crashes with unknown tokens

2003-11-21 Thread Greg G
Alan DeKok wrote:
 Greg G [EMAIL PROTECTED] wrote:
  Here's what I get from FR 0.93
  
  /usr/local/etc/raddb/users[9]: Parse error (reply) for entry 007gold: 
  Unknown attribute My-Key
  Errors reading /usr/local/etc/raddb/users
  radiusd.conf[921]: files: Module instantiation failed.
  
  And then back to a prompt.  That's bad since I won't always be able to 
  watch the radiusd start up.
 
   So... it doesn't crash.  It gives an error, which tells you what
 went wrong, and why.
 
   What, exactly is unclear about the error message?

Nothing is unclear about it. I would prefer that the daemon not
fail out if there's a data error in one of the files. It should report
that error to a log and continue on. Otherwise, it becomes a fairly
trivial task to crash out the daemon. Our users file is fairly dynamic
and if someone makes a typo putting in a new entry, I don't want the
whole system coming down.

-Greg G





Re: 093 Crashes with unknown tokens

2003-11-21 Thread Alan DeKok
Greg G [EMAIL PROTECTED] wrote:
Nothing is unclear about it.  I would prefer that the daemon not fail 
 out if there's a data error in one of the files.  It should report that 
 error to a log and continue on.

  To doing what?  Are you really asking that the server send RADIUS
responses with the WRONG information in them?

  Otherwise, it becomes a fairly trivial task to crash out the
 daemon.

  It's not a crash.  Stop calling it that.

  It's an error.  And if you have write access to the configuration
files for the server, it's ALWAYS a trivial task to stop the server.

  Our users file is fairly dynamic and if someone makes a typo
 putting in a new entry, I don't want the whole system coming down.

  Then double check the files before you let the server use them.
It's not the server's fault you made a mistake.

  Alan DeKok.



Re: What goes in acct_users a seg fault

2003-11-21 Thread Chris Parker
At 12:39 PM 11/21/2003, Greg G wrote:
 I'm trying to figure out what goes into the acct_users.  I had thought it 
 was user entries like those in the users file, but that doesn't seem to 
 really be the case.  It appears to be getting parsed the same way (based 
 on 'My-Key' entries that get rejected).  However, at run-time, that 
 doesn't appear to be the case.  In fact, I get a seg-fault.

Huh?  You are making things more difficult for yourself than need be.
In most cases you won't need to put anything in acct-users.

 rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:36538, 
 id=167, length=27
    User-Name = test1
 modcall: entering group preacct for request 0

http://www.freeradius.org/rfc/rfc2866.html#Accounting-Request

  Any attribute valid in a RADIUS Access-Request or Access-Accept
  packet is valid in a RADIUS Accounting-Request packet, except that
  the following attributes MUST NOT be present in an Accounting-
  Request:  User-Password, CHAP-Password, Reply-Message, State.
  Either NAS-IP-Address or NAS-Identifier MUST be present in a
  RADIUS Accounting-Request.  It SHOULD contain a NAS-Port or NAS-
  Port-Type attribute or both unless the service does not involve a
  port or the NAS does not distinguish among its ports.

So, the packet being sent is an invalid accounting packet, as it doesn't
contain NAS-IP-Address or NAS-Identifier.  Nor a session-id.

That being said, the server shouldn't seg-fault in that instance.  It
should reject the packet as invalid and not try to process it further.
We'll look into this and correct the behaviour.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net


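The two packet-level checks this thread turns on, as an added Python example that is not FreeRADIUS code: verifying the Message-Authenticator (RFC 2869) that Chris Parker says would stop a packet arriving with a spoofed client address from passing on the strength of an IP filter alone, and rejecting an Accounting-Request that lacks the attributes RFC 2866 requires, as in the segfault report above, instead of processing it. The attribute numbers are the RFC values; the shared secret `testing123` and the sample packets are constructed, with one of them reproducing the id=167, length=27 Accounting-Request from Greg's log.

```python
"""Added example (not FreeRADIUS code): RFC 2869 Message-Authenticator and RFC 2866 Accounting-Request checks."""
import hashlib
import hmac
import struct

# Packet codes (RFC 2865/2866) and the attribute types used below.
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_PORT = 5
NAS_IDENTIFIER = 32
ACCT_SESSION_ID = 44
NAS_PORT_TYPE = 61
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def parse_attrs(data):
    """Parse TLVs, refusing truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body

def add_message_authenticator(pkt, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, whole packet), computed
    with the attribute's 16 value octets zeroed (RFC 2869 section 5.14)."""
    tmp = (pkt[:2] + struct.pack("!H", len(pkt) + 18) + pkt[4:]
           + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16))
    return tmp[:-16] + hmac.new(secret, tmp, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    """True only if pkt carries a Message-Authenticator matching `secret` (for
    requests; a response is checked with the request's Authenticator in pkt[4:20])."""
    if len(pkt) < HEADER_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        attrs = parse_attrs(pkt[HEADER_LEN:])
    except ValueError:
        return False
    offset = HEADER_LEN
    for attr_type, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = pkt[:offset + 2] + bytes(16) + pkt[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)  # constant-time compare
        offset += 2 + len(value)
    return False  # absent: only the (spoofable) source IP vouches for the packet

def accounting_request_authenticator(pkt, secret):
    """RFC 2866 section 3: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    return hashlib.md5(pkt[:4] + bytes(16) + pkt[HEADER_LEN:] + secret).digest()

def verify_accounting_request_authenticator(pkt, secret):
    return hmac.compare_digest(accounting_request_authenticator(pkt, secret), pkt[4:HEADER_LEN])

def check_accounting_request(pkt):
    """Return the RFC 2866 problems a receiver should reject on ([] means OK)."""
    if len(pkt) < HEADER_LEN or pkt[0] != ACCOUNTING_REQUEST:
        return ["not a well-formed Accounting-Request"]
    try:
        types = {t for t, _ in parse_attrs(pkt[HEADER_LEN:])}
    except ValueError as err:
        return [str(err)]
    problems = []
    if not types & {NAS_IP_ADDRESS, NAS_IDENTIFIER}:
        problems.append("missing NAS-IP-Address or NAS-Identifier (MUST)")
    if not types & {NAS_PORT, NAS_PORT_TYPE}:
        problems.append("missing NAS-Port or NAS-Port-Type (SHOULD)")
    if ACCT_SESSION_ID not in types:
        problems.append("missing Acct-Session-Id")
    return problems

def sample_accounting_request(secret=b"testing123"):
    """Constructed: the packet from Greg's log, Accounting-Request id=167 carrying
    only User-Name = test1, which is exactly 27 octets long."""
    pkt = build_packet(ACCOUNTING_REQUEST, 167, bytes(16), [(USER_NAME, b"test1")])
    return pkt[:4] + accounting_request_authenticator(pkt, secret) + pkt[HEADER_LEN:]
```

Run `check_accounting_request(sample_accounting_request())` to see the three RFC 2866 complaints for the logged packet; a receiver that stops there never reaches the detail writer that crashed.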


0.9.3 install question

2003-11-21 Thread Vincent_Giovannone
I was still running FR 0.8, and because of yesterday's events, decided to 
go up to 0.93.  I did the ./configure, make, make install dance.  FR 
bombed when I tried to run radius, so I put it in debug mode, and saw 
messages about problems with the dictionary.

Perused the INSTALL file, and saw this note:

  Note that in this release, the location of the dictionary files has
changed, to /usr/local/share/freeradius/dictionary.  Please ensure
that /etc/raddb/dictionary is THE SAME as ./raddb/dictionary.  If not,
you will have to copy it over by hand;

$ cp ./raddb/dictionary /etc/raddb/dictionary

But that note seems to contradict itself.  It _seems_ as though it should 
say please ensure that $prefix/etc/raddb/dictionary is the same as 
/usr/local/share/freeradius/dictionary.

So what is the correct process?  What I wound up doing was copying 
$prefix/share/freeradius/dictionary into $prefix/etc/raddb/dictionary . 
That got me further along the line, but I still had dictionary errors.  I 
eventually copied $prefix/share/freeradius/dictionary* into 
$prefix/etc/raddb/ , overwriting everything that existed previously.

THAT worked, but I'm wondering if this is the intended procedure, or if I 
just butchered things badly.

Secondly, the INSTALL doc continues on to say that I should delete every 
dictionary file in $prefix/etc/raddb ; is this still correct?  (wouldn't 
that just get me back to the starting point?)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center

When I was four I wanted an Action Man armoured personnel carrier. I 
didn't have any genuine Action Men - my parents couldn't afford them; 
instead of a professional army I had a ragtag band of Korean and Chinese 
irregulars whose political commitment, I hoped, made up for their having 
no knee or elbow joints. 
-- Mil Millington




Re: 093 Crashes with unknown tokens

2003-11-21 Thread Chris Parker
At 12:42 PM 11/21/2003, Greg G wrote:
 Alan DeKok wrote:
  Greg G [EMAIL PROTECTED] wrote:
   Here's what I get from FR 0.93
   
   /usr/local/etc/raddb/users[9]: Parse error (reply) for entry 007gold:
   Unknown attribute My-Key
   Errors reading /usr/local/etc/raddb/users
   radiusd.conf[921]: files: Module instantiation failed.
   
   And then back to a prompt.  That's bad since I won't always be able to
   watch the radiusd start up.
  
    So... it doesn't crash.  It gives an error, which tells you what
  went wrong, and why.
  
    What, exactly is unclear about the error message?
 
 Nothing is unclear about it.  I would prefer that the daemon not fail 
 out if there's a data error in one of the files.  It should report that 
 error to a log and continue on.  Otherwise, it becomes a fairly trivial 
 task to crash out the daemon.  Our users file is fairly dynamic and if 
 someone makes a typo putting in a new entry, I don't want the whole 
 system coming down.

Sorry, I prefer my failures to be deterministic.  I don't want the server
carrying on and running with a partial config and doing something
unexpected.

Garbage in/Garbage out.

If you are concerned with making typos, you may want to look at the
'dialup-admin' package, which allows you to easily manage an SQL database
rather than a flat users file.  Your chances of making a typo would then
be greatly reduced imho, and if you did typo on one entry for a user, it
would not affect any other users.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: 0.9.3 has been released

2003-11-21 Thread Bill Campbell
On Fri, Nov 21, 2003, Alan DeKok wrote:
Bill Campbell [EMAIL PROTECTED] wrote:
 On a related security note, the src/lib/radius.c program has several
 references to msg_auth_vector and calc_auth_vector starting around line
 1108 with several memcpy and memcmp operations, some of which use
 sizeof(calc_auth_vector) for the length, others with AUTH_VECTOR_LEN.
 Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I
 doubt these lengths would be the same.

  Huh? Why?

  For uint8_t arrays, the 'sizeof' the array is the number of elements.

OK.  While that may be the case for uint8_t, it seems to me that good
coding practice is to use sizeof here and not depend on knowledge of the
internal size of the elements.  I may be a bit paranoid about this, because
I've been known to shoot myself in the feet as a result of structure padding
and such.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The trouble with fighting for human freedom is that one spends most of
one's time defending scoundrels. For it is against scoundrels that
oppressive laws are first aimed, and oppression must be stopped at the
beginning if it is to be stopped at all.'' -- H. L. Mencken



Re: 0.9.3 install question

2003-11-21 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 $ cp ./raddb/dictionary /etc/raddb/dictionary

 But that note seems to contradict itself.  It _seems_ as though it should 
 say please ensure that $prefix/etc/raddb/dictionary is the same as 
 /usr/local/share/freeradius/dictionary.

  No.  It says to copy 'raddb/dictionary' from the distribution to
$prefix/etc/raddb/dictionary.

  Look at raddb/dictionary and share/dictionary in the distribution.
They're different.

 So what is the correct process?  What I wound up doing was copying 
 $prefix/share/freeradius/dictionary into $prefix/etc/raddb/dictionary . 
 That got me further along the line, but I still had dictionary errors.  I 
 eventually copied $prefix/share/freeradius/dictionary* into 
 $prefix/etc/raddb/ , overwriting everything that existed previously.

  Don't do that.  Please.

 THAT worked, but I'm wondering if this is the intended procedure, or if I 
 just butchered things badly.

  You didn't break anything, you just made it more difficult to keep
track of the dictionary files.

 Secondly, the INSTALL doc continues on to say that I should delete every 
 dictionary file in $prefix/etc/raddb ; is this still correct?  (wouldn't 
 that just get me back to the starting point?)

  It's correct.  See above.

  You delete the OLD dictionaries, and install the NEW one.  The 30-40
others go into blah/share/freeradius/

  Alan DeKok.



Re: 093 Crashes with unknown tokens

2003-11-21 Thread Greg G
Alan DeKok wrote:
 Greg G [EMAIL PROTECTED] wrote:
  Nothing is unclear about it.  I would prefer that the daemon not fail 
  out if there's a data error in one of the files.  It should report that 
  error to a log and continue on.
 
   To doing what?  Are you really asking that the server send RADIUS
 responses with the WRONG information in them?

Well, if I have one bad entry in a users file with 10,000 users in
it, I'd rather it just ignore that user with the bad entry.

  Our users file is fairly dynamic and if someone makes a typo
  putting in a new entry, I don't want the whole system coming down.
 
   Then double check the files before you let the server use them.
 It's not the server's fault you made a mistake.

How would you recommend that I do that? The file will parse
correctly. And it's not something that should be a *fatal* mistake.
It's not really a mistake, either. We use some custom items now and
then.

-Greg G





Thanks out to Dave M and examples

2003-11-21 Thread Kaczmarek, Thaddeus
joe-admin Auth-Type := System
 Acct-Authentic == RADIUS,
 foundry-privilege-level = 0,
 foundry-command-exception-flag = 1,
 Cisco-AVPair = shell:priv-lvl=0


joe-user Auth-Type := System
 Foundry-Privilege-Level = 0,
 Foundry-Command-String = config terminal; interface *;
speed-duplex *,
 Foundry-Command-Exception-Flag = 0
  Cisco-AVPair = shell:priv-lvl=4


This does what I want, just can't figure out what the hell you do with
levels 4 and 5, Foundry cli only allows 1 level.



Ted





Re: 0.9.3 install question

2003-11-21 Thread Vincent_Giovannone
[EMAIL PROTECTED] wrote on 11/21/2003 01:04:25 PM:

 [EMAIL PROTECTED] wrote:
  $ cp ./raddb/dictionary /etc/raddb/dictionary
 
  But that note seems to contradict itself.  It _seems_ as though it 
should 
  say please ensure that $prefix/etc/raddb/dictionary is the same as 
  /usr/local/share/freeradius/dictionary.
 
   No.  It says to copy 'raddb/dictionary' from the distribution to
 $prefix/etc/raddb/dictionary.

Ah!

  Secondly, the INSTALL doc continues on to say that I should delete 
every 
  dictionary file in $prefix/etc/raddb ; is this still correct? 
(wouldn't 
  that just get me back to the starting point?)
 
   It's correct.  See above.
 
   You delete the OLD dictionaries, and install the NEW one.  The 30-40
 others go into blah/share/freeradius/

Gotcha; makes sense now.  (And luckily, easy enough to undo.)  Works as it 
should now; thanks!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center




Re: 093 Crashes with unknown tokens

2003-11-21 Thread Greg G


Chris Parker wrote:

   Nothing is unclear about it.  I would prefer that the daemon not 
fail out if there's a data error in one of the files.  It should 
report that error to a log and continue on.  Otherwise, it becomes a 
fairly trivial task to crash out the daemon.  Our users file is 
fairly dynamic and if someone makes a typo putting in a new entry, I 
don't want the whole system coming down.


Sorry, I prefer my failures to be deterministic.  I don't want the server
carrying on and running with a partial config and doing something un-
expected. 
  For config issues, I agree, but if there's an unknown key in the 
*users* file, I don't think the system should stop.  Especially if it's 
a key that's only in one or two users (which is usually the case here).

If you are concerned with making typos, you may want to look at the
'dialup-admin' package, which allows you to easily manage an SQL database
rather than a flat users file.  Your chances of making a typo would then
be greatly reduced imho, and if you did typo on one entry for a user, it
would not affect any other users. 
  I will look into it, but I also don't want the authentication server 
to stop if we take the database down for maintenance.  We're a bit tied 
to the file method at the moment, although I suspect that feeding 
directly from our database will be better and might be in the plan.

-Greg G





Re: 093 Crashes with unknown tokens

2003-11-21 Thread Michael Griego
How would you recommend that I do that?  The file will parse
 correctly.  And it's not something that should be a *fatal* mistake. 
 It's not really a mistake, either.  We use some custom items now and
 then.

Then those items should go into a custom dictionary.

-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Re: What goes in acct_users a seg fault

2003-11-21 Thread Chris Parker
At 01:11 PM 11/21/2003, Greg G wrote:

Chris Parker wrote:

 So, the packet being sent is an invalid accounting packet, as it doesn't
 contain NAS-IP-Address or NAS-Identifier.  Nor a session-id.

  Now that's strange, because this packet is being sent from
 radclient.  I thought I had seen it work in 092 with the default
 acct_users, but it's seg faulting in 093 either way.

 echo "User-Name = test1" | radclient radiusserver.mydomain.net acct a_secret

radclient sends what you tell it to send.  If you tell it to send an
invalid accounting packet ( since you aren't including one of the mandatory
attributes ), it will do so.  If you want to send a valid accounting packet,
add more attributes to your call to radclient.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net


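Chris Parker's point above (the radclient packet lacks the attributes RFC 2866 makes mandatory, so the server should reject it as invalid rather than process it) as an added example, not FreeRADIUS's own code: a check that walks the attribute list of an Accounting-Request and says why it is rejected. The verdict names, helper names and sample packets are constructed here; the first sample reproduces the 27-octet User-Name-only packet the radclient command in the thread sends, and the attribute numbers are the RFC 2865/2866 ones.

```c
/* Added example, not FreeRADIUS code: check an Accounting-Request against
 * RFC 2866 before processing it, so a packet like the radclient one in the
 * thread is rejected with a reason instead of reaching code that assumes
 * the mandatory attributes are present. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define RADIUS_HDR_LEN  20     /* code(1) + id(1) + length(2) + authenticator(16) */
#define RADIUS_MAX_LEN  4096   /* RFC 2865 section 3 */
#define CODE_ACCOUNTING_REQUEST 4

/* Attribute numbers from RFC 2865 and RFC 2866 */
enum {
    ATTR_USER_NAME        = 1,
    ATTR_USER_PASSWORD    = 2,
    ATTR_CHAP_PASSWORD    = 3,
    ATTR_NAS_IP_ADDRESS   = 4,
    ATTR_REPLY_MESSAGE    = 18,
    ATTR_STATE            = 24,
    ATTR_NAS_IDENTIFIER   = 32,
    ATTR_ACCT_STATUS_TYPE = 40,
    ATTR_ACCT_SESSION_ID  = 44
};

/* Verdict names are constructed for this example. */
enum acct_verdict {
    ACCT_OK = 0,
    ACCT_MALFORMED,         /* bad Length field or broken attribute framing */
    ACCT_WRONG_CODE,        /* not an Accounting-Request at all */
    ACCT_MISSING_NAS,       /* neither NAS-IP-Address nor NAS-Identifier */
    ACCT_MISSING_REQUIRED,  /* no Acct-Status-Type or no Acct-Session-Id */
    ACCT_FORBIDDEN_ATTR     /* User-Password, CHAP-Password, Reply-Message or State */
};

enum acct_verdict check_accounting_request(const uint8_t *pkt, size_t got)
{
    if (pkt == NULL || got < RADIUS_HDR_LEN) return ACCT_MALFORMED;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];       /* big-endian Length */
    if (declared < RADIUS_HDR_LEN || declared > RADIUS_MAX_LEN || declared > got)
        return ACCT_MALFORMED;                                /* RFC 2865 section 3 */
    if (pkt[0] != CODE_ACCOUNTING_REQUEST) return ACCT_WRONG_CODE;

    bool have_nas = false, have_status = false, have_session = false;
    size_t off = RADIUS_HDR_LEN;
    while (off < declared) {
        if (declared - off < 2) return ACCT_MALFORMED;        /* no room for Type+Length */
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || alen > declared - off) return ACCT_MALFORMED; /* would overrun */
        switch (type) {
        case ATTR_USER_PASSWORD:
        case ATTR_CHAP_PASSWORD:
        case ATTR_REPLY_MESSAGE:
        case ATTR_STATE:
            return ACCT_FORBIDDEN_ATTR;                       /* MUST NOT be present */
        case ATTR_NAS_IP_ADDRESS:
        case ATTR_NAS_IDENTIFIER:
            have_nas = true;                                  /* one of them MUST be */
            break;
        case ATTR_ACCT_STATUS_TYPE: have_status = true;  break;
        case ATTR_ACCT_SESSION_ID:  have_session = true; break;
        default: break;                                       /* anything else is allowed */
        }
        off += alen;
    }
    if (!have_nas) return ACCT_MISSING_NAS;
    if (!have_status || !have_session) return ACCT_MISSING_REQUIRED;
    return ACCT_OK;
}

/* Constructed sample 1: what the radclient command in the thread sends
 * (code 4, id 167, length 27, User-Name = "test1" and nothing else). */
static const uint8_t PKT_USERNAME_ONLY[27] = {
    0x04, 0xa7, 0x00, 0x1b,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,         /* Request Authenticator, placeholder */
    0x01, 0x07, 't','e','s','t','1'
};

/* Constructed sample 2: the same packet made valid (length 49 = 0x31) with
 * Acct-Status-Type = Start(1), Acct-Session-Id = "00000001", NAS-IP-Address = 192.0.2.1 */
static const uint8_t PKT_VALID[49] = {
    0x04, 0xa8, 0x00, 0x31,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x01, 0x07, 't','e','s','t','1',
    0x28, 0x06, 0x00,0x00,0x00,0x01,
    0x2c, 0x0a, '0','0','0','0','0','0','0','1',
    0x04, 0x06, 192,0,2,1
};

/* Constructed sample 3: an attribute whose Length runs past the packet. */
static const uint8_t PKT_OVERRUN[27] = {
    0x04, 0xa9, 0x00, 0x1b,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x01, 0x40, 't','e','s','t','1'          /* claims 64 octets, 7 present */
};

int main(void)
{
    printf("User-Name only: verdict %d (expect %d, missing NAS)\n",
           check_accounting_request(PKT_USERNAME_ONLY, sizeof PKT_USERNAME_ONLY), ACCT_MISSING_NAS);
    printf("valid packet  : verdict %d (expect %d)\n",
           check_accounting_request(PKT_VALID, sizeof PKT_VALID), ACCT_OK);
    printf("overrun attr  : verdict %d (expect %d, malformed)\n",
           check_accounting_request(PKT_OVERRUN, sizeof PKT_OVERRUN), ACCT_MALFORMED);
    return 0;
}
```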


Re: 0.9.3 has been released

2003-11-21 Thread Alan DeKok
Bill Campbell [EMAIL PROTECTED] wrote:
   For uint8_t arrays, The 'sizeof' the array is the number of elements.
 
 OK.  While that may be the case for uint8_t, it seems to me that good
 coding practice is to use sizeof here and not depend on knowledge of the
 internal size of the elements.

  The problem is that the fields are defined in relation to the
protocol: 16 octets.  sizeof() is a C programming construct, and thus
there may be padding in a struct.  We do not want that padding to
affect the program's ability to generate or parse 16 octet fields.

  Alan DeKok.



Re: 093 Crashes with unknown tokens

2003-11-21 Thread Alan DeKok
Greg G [EMAIL PROTECTED] wrote:
Well, if I have one bad entry in a users file with 10,000 users in 
 it, I'd rather it just ignore that user with the bad entry.

  Then use SQL.

   Then double check the files before you let the server use them.
 It's not the servers fault you made a mistake.
 
How would you recommend that I do that?  The file will parse 
 correctly.  And it's not something that should be a *fatal* mistake.  
 It's not really a mistake, either.

  If it's not really a mistake, why are you complaining?

  Alan DeKok.



Re: Thanks out to Dave M and examples

2003-11-21 Thread Kaczmarek, Thaddeus
The lower case one is right :-)
Ted
On Fri, 2003-11-21 at 14:14, Kaczmarek, Thaddeus wrote:
 joe-admin       Auth-Type := System
         Acct-Authentic == RADIUS,
         foundry-privilege-level = 0,
         foundry-command-exception-flag = 1,
         Cisco-AVPair = "shell:priv-lvl=0"

 joe-user        Auth-Type := System
         Foundry-Privilege-Level = 0,
         Foundry-Command-String = "config terminal; interface *; speed-duplex *",
         Foundry-Command-Exception-Flag = 0,
         Cisco-AVPair = "shell:priv-lvl=4"

 This does what I want, just can't figure out what the hell you do with
 levels 4 and 5, Foundry cli only allows 1 level.

 Ted





Re: What goes in acct_users a seg fault

2003-11-21 Thread Greg G


Chris Parker wrote:

 At 01:11 PM 11/21/2003, Greg G wrote:

 Chris Parker wrote:

 So, the packet being sent is an invalid accounting packet, as it doesn't
 contain NAS-IP-Address or NAS-Identifier.  Nor a session-id.

   Now that's strange, because this packet is being sent from
 radclient.  I thought I had seen it work in 092 with the default
 acct_users, but it's seg faulting in 093 either way.

 echo "User-Name = test1" | radclient radiusserver.mydomain.net acct a_secret

 radclient sends what you tell it to send.  If you tell it to send an
 invalid accounting packet ( since you aren't including one of the mandatory
 attributes ), it will do so.  If you want to send a valid accounting packet,
 add more attributes to your call to radclient.

  Ah.  I see.  OK.  I'm having trouble figuring out what a good set of
attributes are to send through for this.  I'm giving it all 4 parameters
that it's asking for (User-Name, NAS-IP-Address, NAS-Port-Id,
Acct-Session-Id) and it's still seg faulting, so I guess I'll have to
wait until this gets fixed anyway.

-Greg G





Re: 093 Crashes with unknown tokens

2003-11-21 Thread Greg G






Alan DeKok wrote:

  Greg G [EMAIL PROTECTED] wrote:

   Well, if I have one bad entry in a users file with 10,000 users in
  it, I'd rather it just ignore that user with the bad entry.

  Then use SQL.

 I may have to, but I can't do that short-term. I really need a
radius server that I can force to re-read the users file on-demand.
FreeRadius seems to be able to do that, but isn't quite as stable as
I'd like. I've found that the SIGHUP will bring down the server if
it's still in the start-up phase. It probably should ignore the HUP
signal until it's ready.

   How would you recommend that I do that?  The file will parse
  correctly.  And it's not something that should be a *fatal* mistake.
  It's not really a mistake, either.

  If it's not really a mistake, why are you complaining?

 Because FR is exiting when it runs into a key that it doesn't know,
thereby bringing down the whole authentication system. I regard that
as worthy of complaining about.

-Greg G





Re: 093 Crashes with unknown tokens

2003-11-21 Thread Alan DeKok
Greg G [EMAIL PROTECTED] wrote:
I may have to, but I can't do that short-term.  I really need a 
 radius server that I can force to re-read the users file on-demand.  
 FreeRadius seems to be able to do that, but isn't quite as stable as I'd 
 like.  I've found that the SIGHUP will bring down the server if it's 
 still in the start-up phase.  It probably should ignore the HUP signal 
 until it's ready.

  Yup.

Because FR is exiting when it runs into a key that it doesn't know, 
 thereby bringing down the whole authentication system.  I regard that as 
 worthy of complaining about.

  Then fix it.  You have the source.

  Alan DeKok.



Re: 093 Crashes with unknown tokens

2003-11-21 Thread Greg G





 Well excuse the hell out of me for not having worked with open source
stuff before. You've got a great bedside manner, ya know.

-Greg G


Alan DeKok wrote:

  Greg G [EMAIL PROTECTED] wrote:

   I may have to, but I can't do that short-term.  I really need a
  radius server that I can force to re-read the users file on-demand.
  FreeRadius seems to be able to do that, but isn't quite as stable as I'd
  like.  I've found that the SIGHUP will bring down the server if it's
  still in the start-up phase.  It probably should ignore the HUP signal
  until it's ready.

  Yup.

   Because FR is exiting when it runs into a key that it doesn't know,
  thereby bringing down the whole authentication system.  I regard that as
  worthy of complaining about.

  Then fix it.  You have the source.

  Alan DeKok.

Re: 093 Crashes with unknown tokens

2003-11-21 Thread Alan DeKok
Greg G [EMAIL PROTECTED] wrote:
 Well excuse the hell out of me for not having worked with open source
 stuff before.  You've got a great bedside manner, ya know.

  Ah, yes.  The "you've got to do what I want NOW for FREE!" response.

  Perhaps you didn't understand my explanations as to why I disagreed
with your position.  Perhaps you didn't care.  Either way, it's not my
problem.

  Grow up.  Go read the README again.  It's directed at you.

  Alan DeKok.



Re: 0.9.3 has been released

2003-11-21 Thread Bill Campbell
On Fri, Nov 21, 2003, Alan DeKok wrote:
Bill Campbell [EMAIL PROTECTED] wrote:
   For uint8_t arrays, The 'sizeof' the array is the number of elements.
 
 OK.  While that may be the case for uint8_t, it seems to me that good
 coding practice is to use sizeof here and not depend on knowledge of the
 internal size of the elements.

  The problem is that the fields are defined in relation to the
protocol: 16 octets.  sizeof() is a C programming construct, and thus
there may be padding in a struct.  We do not want that padding to
affect the program's ability to generate or parse 16 octet fields.

Perhaps it would be good to put some comments in radius.c explaining this,
and be consistent in its use.  This could save some head scratching in the
future, particularly if somebody (like me) who's not all that familiar with
the code is looking at it.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``Never blame a legislative body for not doing something.  When they do
nothing, that don't hurt anybody.  When they do something is when they
become dangerous.''
Will Rogers

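The distinction Alan draws above (field widths fixed by the protocol versus C's sizeof, which can include struct padding) as an added example, not FreeRADIUS's radius.c: a header parser that uses named constants for the 16-octet authenticator and the 20-octet header, next to an in-memory struct whose sizeof is deliberately not the wire size. The struct, helper names and sample packets are constructed for this example; the length rules it enforces are the ones in RFC 2865 section 3.

```c
/* Added example, not FreeRADIUS code: parse the fixed RADIUS header with
 * the widths the protocol defines (RFC 2865: 16-octet authenticator,
 * 20-octet header) rather than with sizeof() on a C struct. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define AUTH_VECTOR_LEN 16      /* authenticator width, fixed by RFC 2865 */
#define RADIUS_HDR_LEN  20      /* code(1) + id(1) + length(2) + authenticator(16) */
#define RADIUS_MAX_LEN  4096    /* RFC 2865 section 3 */

/* In-memory form of a parsed header (constructed for this example).  The
 * pointer member forces alignment padding, so sizeof(struct radius_hdr_mem)
 * is not the wire size, and adding a field later would shift it again.
 * sizeof on the uint8_t array member is still 16, but that 16 belongs to
 * the protocol, so the code below uses the named constant throughout. */
struct radius_hdr_mem {
    uint8_t        code;
    uint8_t        id;
    uint16_t       length;                    /* host order once parsed */
    uint8_t        vector[AUTH_VECTOR_LEN];
    const uint8_t *attrs;                     /* first attribute in the buffer */
};

/* Parse the header from raw octets.  Returns false on any length violation
 * (RFC 2865: Length < 20, Length > 4096, or fewer octets received than
 * Length claims); nothing is written to *out in that case. */
bool parse_radius_header(const uint8_t *buf, size_t got, struct radius_hdr_mem *out)
{
    if (buf == NULL || out == NULL || got < RADIUS_HDR_LEN) return false;
    uint16_t length = (uint16_t)((buf[2] << 8) | buf[3]);   /* big-endian on the wire */
    if (length < RADIUS_HDR_LEN || length > RADIUS_MAX_LEN || length > got) return false;
    out->code   = buf[0];
    out->id     = buf[1];
    out->length = length;
    memcpy(out->vector, buf + 4, AUTH_VECTOR_LEN);         /* exactly 16 octets */
    out->attrs  = buf + RADIUS_HDR_LEN;                    /* not buf + sizeof(*out) */
    return true;
}

/* How many attribute octets a parser would skip if it advanced by
 * sizeof(struct radius_hdr_mem) instead of by RADIUS_HDR_LEN. */
size_t octets_skipped_by_sizeof(void)
{
    return sizeof(struct radius_hdr_mem) - RADIUS_HDR_LEN;
}

/* sizeof on the array member itself does give the element count. */
size_t vector_member_size(void)
{
    struct radius_hdr_mem h;
    return sizeof h.vector;
}

/* Constructed sample: Access-Request (code 1, id 1) with no attributes, so
 * Length is exactly 20; authenticator octets are 0x00..0x0f. */
static const uint8_t SAMPLE_PKT[RADIUS_HDR_LEN] = {
    0x01, 0x01, 0x00, 0x14,
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
};

/* Constructed sample: Length claims 256 octets but only 20 arrived. */
static const uint8_t TRUNCATED_PKT[RADIUS_HDR_LEN] = {
    0x01, 0x02, 0x01, 0x00,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};

/* Returns the parsed header, or an all-zero one if the packet was rejected
 * (a rejected packet never has length 0, so that field marks failure). */
struct radius_hdr_mem parse_or_zero(const uint8_t *buf, size_t got)
{
    struct radius_hdr_mem h = {0};
    (void)parse_radius_header(buf, got, &h);
    return h;
}

int main(void)
{
    struct radius_hdr_mem h = parse_or_zero(SAMPLE_PKT, sizeof SAMPLE_PKT);
    printf("code=%u id=%u length=%u vector[15]=0x%02x\n",
           h.code, h.id, h.length, h.vector[15]);
    printf("sizeof(struct)=%zu, wire header=%d, would skip %zu attribute octets\n",
           sizeof(struct radius_hdr_mem), RADIUS_HDR_LEN, octets_skipped_by_sizeof());
    printf("truncated packet accepted? %s\n",
           parse_or_zero(TRUNCATED_PKT, sizeof TRUNCATED_PKT).length ? "yes" : "no");
    return 0;
}
```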


RE: Freeradius-Users digest, Vol 1 #2549 - 10 msgs

2003-11-21 Thread Herntz Graham
Hi everyone.
   I am new to Linux. I was wondering if anyone has a statically compiled
version that I could use.
thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 2:36 PM
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #2549 - 10 msgs

Message: 1
Date: Fri, 21 Nov 2003 14:11:02 -0500
From: Greg G [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: What goes in acct_users  a seg fault
Reply-To: [EMAIL PROTECTED]



Chris Parker wrote:

 At 12:39 PM 11/21/2003, Greg G wrote:

 I'm trying to figure out what goes into the acct_users.  I had
 thought it was user entries like those in the users file, but that
 doesn't seem to really be the case.  It appears to be getting parsed
 the same way (based on 'My-Key' entries that get rejected).  However,
 at run-time, that doesn't appear to be the case.  In fact, I get a
 seg-fault.

 Huh?  You are making things more difficult for yourself than need be.
 In most cases you won't need to put anything in acct-users.

   OK.  That wasn't really clear, but that's easy to handle.

 rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:36538,
 id=167, length=27
 User-Name = test1
 modcall: entering group preacct for request 0

 http://www.freeradius.org/rfc/rfc2866.html#Accounting-Request

   Any attribute valid in a RADIUS Access-Request or Access-Accept
   packet is valid in a RADIUS Accounting-Request packet, except that
   the following attributes MUST NOT be present in an Accounting-
   Request:  User-Password, CHAP-Password, Reply-Message, State.
   Either NAS-IP-Address or NAS-Identifier MUST be present in a
   RADIUS Accounting-Request.  It SHOULD contain a NAS-Port or NAS-
   Port-Type attribute or both unless the service does not involve a
   port or the NAS does not distinguish among its ports.

 So, the packet being sent is an invalid accounting packet, as it doesn't
 contain NAS-IP-Address or NAS-Identifier.  Nor a session-id.

   Now that's strange, because this packet is being sent from
radclient.  I thought I had seen it work in 092 with the default
acct_users, but it's seg faulting in 093 either way.

echo "User-Name = test1" | radclient radiusserver.mydomain.net acct a_secret



 That being said, the server shouldn't seg-fault in that instance.  It
 should reject the packet as invalid and not try to process it further.
 We'll look into this and correct the behaviour. 

   That works for me.

-Greg G






Re: 093 Crashes with unknown tokens

2003-11-21 Thread Greg G






Alan DeKok wrote:

  Greg G [EMAIL PROTECTED] wrote:

   Well excuse the hell out of me for not having worked with open source
  stuff before.  You've got a great bedside manner, ya know.

  Ah, yes.  The "you've got to do what I want NOW for FREE!" response.

 No, it's the "Hey, asshole, maybe you know the code better than I
do" response.

  Perhaps you didn't understand my explanations as to why I disagreed
with your position.  Perhaps you didn't care.  Either way, it's not my
problem.

 You didn't give me any explanation other than "because I said so"
and "go sift through my code, loser".

-Greg G





Re: 0.9.3 freezing

2003-11-21 Thread Brad Stockdale
I just installed 0.9.3 on our secondary RADIUS server and ran into 
something a bit weird...

I had freeradius installed on it before and it worked fine...

Now when I try to run it with the newly installed version, this happens:

[EMAIL PROTECTED] radius]# /usr/sbin/radiusd
Fri Nov 21 18:53:05 2003 : Info: Starting - reading configuration files ...
It never forks, it never binds to a port, it never connects to the MySQL 
back end... It just sits there forever...

I tried starting it with the -xyzf options to see if I could get it to spit 
out debugging info... Nothing... Did the same exact thing as above...

In my radius.log file, this is what appears:

Fri Nov 21 18:44:43 2003 : Info: Using deprecated naslist file.  Support 
for this will go away soon.
Fri Nov 21 18:44:43 2003 : Info: Using deprecated clients file.  Support 
for this will go away soon.
Fri Nov 21 18:44:43 2003 : Info: Using deprecated realms file.  Support for 
this will go away soon.

Anyone know why it might be failing to start?

Thanks!
Brad


RE: Can't get freeradius-0.9.3 compiled on Redhat 9

2003-11-21 Thread Sebastiaan Mangoentinojo

Oh, I just now read this email you sent. Let me first try this before you
put extra effort in it. I do have the right openssl RPM's so it might work.
I'll let you know.

Cheers,

Seb

  -Original Message-
  From: Kaczmarek, Thaddeus [mailto:[EMAIL PROTECTED]]
  Sent: Friday 21 November 2003 18:08
  To: [EMAIL PROTECTED]
  Subject: Re: Can't get freeradius-0.9.3 compiled on Redhat 9

  download freeradius-0.9.3.tar.gz
  tar xvfz freeradius-0.9.3.tar.gz
  cp freeradius-0.9.3.tar.gz /usr/src/redhat/SOURCES
  rpmbuild -ba freeradius-0.9.3/redhat/freeradius.spec

  If that doesn't work you probably don't have some development
  library installed.

  rpm -q --whatprovides /usr/include/openssl/des_old.h

  should return openssl-devel-0.9.7a-20

  yum update openssl-devel
  up2date openssl-devel

  I will email you the rpms if this does not work for you.

  Ted

  On Fri, 2003-11-21 at 11:54, [EMAIL PROTECTED] wrote:

    Could you post the rpm file as well as the steps you used to create
    the rpm? I have been playing around with trying to build an rpm and
    have not had much success.

    dave

    - Original Message -
    From: Kaczmarek, Thaddeus
    To: [EMAIL PROTECTED]
    Sent: Friday, November 21, 2003 10:40 AM
    Subject: Re: Can't get freeradius-0.9.3 compiled on Redhat 9

    Want me to email you the rpms I built?

    Ted

    On Fri, 2003-11-21 at 10:21, Sebastiaan Mangoentinojo wrote:

      Hi,

      I spent the better half of the day trying to compile Freeradius on
      Redhat 9 (I'm going to use it for test purposes), but I'm stuck at
      the moment.

      I get the following ./configure warnings:

      configure: warning: silently not building rlm_eap_tls.
      configure: warning: FAILURE: rlm_eap_tls requires: (openssl/ssl.h).
      configure: warning: the comm_err library isn't found!
      configure: warning: silently not building rlm_krb5.
      configure: warning: FAILURE: rlm_krb5 requires: krb5.
      configure: warning: silently not building rlm_ldap.
      configure: warning: FAILURE: rlm_ldap requires: liblber.
      configure: warning: silently not building rlm_pam.
      configure: warning: FAILURE: rlm_pam requires: libpam.
      configure: warning: iodbc headers not found. Use --with-iodbc-include-dir=path.
      configure: warning: sql submodule 'iodbc' disabled
      configure: warning: silently not building rlm_sql_postgresql.
      configure: warning: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
      configure: warning: oracle headers not found. Use --with-oracle-home-dir=path.
      configure: warning: sql submodule 'oracle' disabled
      configure: warning: unixODBC headers not found. Use --with-unixodbc-include-dir=path.
      configure: warning: sql submodule 'unixodbc' disabled
      configure: warning: silently not building rlm_x99_token.
      configure: warning: FAILURE: rlm_x99_token requires: des_cbc_encrypt.

      ssl.h is in /usr/include/openssl on my system. I tried to use
      ./configure with --with-openssl-inc=/usr/include and
      /usr/include/openssl etc. but with no luck. Openssl on my system is
      RPM based. I can't easily remove it because it has a whole lot of
      dependencies with other RPM's I need (I know RPM's suck sometimes).
      Any tips?

      Cheers,

      Seb

Re: 093 Crashes with unknown tokens

2003-11-21 Thread Alan DeKok
Greg G [EMAIL PROTECTED] wrote:
   Ah, yes.  The "you've got to do what I want NOW for FREE!" response.
 
 No, it's the "Hey, asshole, maybe you know the code better than I do"
 response.

  I *do* know the code better than you, and I disagree with your
position.  All else aside, that should tell you something.

 You didn't give me any explanation other than "because I said so"
 and "go sift through my code, loser".

  Then you didn't read my messages.

  The insults are instructive.  The main README file is ever so
applicable to this situation.  Go read it, and stop wasting your time
posting baseless complaints on the list.

  Alan DeKok.



Re: 0.9.3 freezing

2003-11-21 Thread Brad Stockdale
I got this problem sorted out. My prefix was defined wrong in radiusd.conf.

I have another problem now. I can't seem to make freeradius use the proper
mysql socket. In my.cnf I define it as /var/lib/mysql/mysql.sock. All other
mysql apps work (the command line interface, mysqldump, etc etc)...
Freeradius insists on using /tmp/mysql.sock for some reason... Trying to
sort that one out now.

Brad



Re: 093 Crashes with unknown tokens

2003-11-21 Thread Greg G






Alan DeKok wrote:

  Greg G [EMAIL PROTECTED] wrote:

   Ah, yes.  The "you've got to do what I want NOW for FREE!" response.

   No, it's the "Hey, asshole, maybe you know the code better than I do"
  response.

  I *do* know the code better than you, and I disagree with your
position.  All else aside, that should tell you something.

 It does, but not what you'd hoped. It looks like I'm going to wind
up using GNU Radius, because it *doesn't* exit when it encounters
something it doesn't understand in the user file. It discards the
entry for the invalid user. It doesn't seg fault if I make an acct
request. And I don't have to fight with someone whose idea of
gathering up new coders is "Fix it" without any help or guidance
whatsoever.

  The main README file is ever so
applicable to this situation.  Go read it, and stop wasting your time
posting baseless complaints on the list.

 So my asking for a feature is a baseless complaint? Right.

-Greg G





Re: 093 Crashes with unknown tokens

2003-11-21 Thread Alan DeKok
Greg G [EMAIL PROTECTED] wrote:
It does, but not what you'd hoped.  It looks like I'm going to wind 
 up using GNU Radius, because it *doesn't* exit when it encounters 
 something it doesn't understand in the user file.  It discards the entry 
 for the invalid user.

  Meaning that the server doesn't behave as intended, and it's
probably difficult for the administrator to figure that out.  So
you're left with a server which isn't doing what you want...

  It doesn't seg fault if I make an acct request.

  <shrug>  You're probably running Solaris.  That will get fixed in a
future release.

  And I don't have to fight with someone whose idea of gathering up new
  coders is "Fix it" without any help or guidance whatsoever.

  No... I told you what my opinion was, and why.  You didn't
understand me, or didn't care enough to listen to me.  Your response
was a blind repetition of "YOU fix it!"

  My response was then simply an echoing of your complaint:

  "No, YOU fix it."

  I find it instructive that your own words directed at you cause huge
amounts of anger and hostility.

  So my asking for a feature is a baseless complaint?  Right.

  Not listening to the response makes it baseless.

  But why am I wasting my time?  You've already made it clear that you
can't read the documentation, the README, or my replies on this list.

  Alan DeKok.



Re: 093 Crashes with unknown tokens

2003-11-21 Thread Richard Siddall
Greg G wrote:
  Nothing is unclear about it.  I would prefer that the daemon not fail 
out if there's a data error in one of the files.  It should report that 
error to a log and continue on.  Otherwise, it becomes a fairly trivial 
task to crash out the daemon.  Our users file is fairly dynamic and if 
someone makes a typo putting in a new entry, I don't want the whole 
system coming down.

cp users users.old
vi users
if ! check-radiusd-config > startup.log 2>&1; then
    cp users.old users
    mail -s "Typo in users file" ggersh < startup.log
else
    service radiusd restart
fi
Or something like that.





Re: 093 Crashes with unknown tokens

2003-11-21 Thread Greg G






Alan DeKok wrote:

  Greg G [EMAIL PROTECTED] wrote:

   It does, but not what you'd hoped.  It looks like I'm going to wind
  up using GNU Radius, because it *doesn't* exit when it encounters
  something it doesn't understand in the user file.  It discards the entry
  for the invalid user.

  Meaning that the server doesn't behave as intended, and it's
probably difficult for the administrator to figure that out.  So
you're left with a server which isn't doing what you want...

 No, it's doing just what I want. It's logging the problem with the
user entry and getting on with processing. There's no reason that a
single authentication item in the users file should halt the server.
If it's a problem in the configuration file or something critical like
that, absolutely there should be no further action.
 I understand that you have a different opinion, but that doesn't
negate mine, or the fact that this is how I'd like it to work.
Pointing me at the readme file isn't much help either, since that boils
down to "fix it, or don't. Whatever."

-Greg G


newbie alert Freeradius, EAP-TTLS, and OpenSSL questions

2003-11-21 Thread Chris Woodfield
Hello, 

I'm trying to set up a radius server here in my office to permit WLAN usage, and I 
really feel like I'm coming up against my limits of understanding on the technologies 
involved. 

I've successfully compiled yesterday's CVS release, which includes EAP-TTLS support, but 
I'm running into some serious issues (most likely due to lack of clue on my part) 
getting it working. The server is a Debian testing install, with openssl compiled 
from source. The base station is a Linksys WRT-54G, although I haven't gotten to 
the point where I think there's a problem there. 

Here's my list of questions:

1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So far, I've been 
unable to successfully create a cert that freeradius likes. In the radiusd.conf file, 
there's an certificate_file argument, along with a CA_file argument. My understanding 
of the reason for this is that with EAP-TLS, authentication is done by certs alone - 
the user must have the server cert's public key loaded, and the user must present a 
public key signed by the CA.

But with TTLS, the client cert does not appear to be a requirement. Does that mean I 
can use a self-signed cert and not worry about the CA_file, or do I still need to 
create both? And if so, does anyone have a working openssl recipe to create these? So 
far I've been unsuccessful in creating anything other than a self-signed key.

2. I think I'm missing some understanding when it comes to the differences between 
authentication protocols (pap, mschap, etc) and authentication mechanisms (users file, 
smbpasswd, sql, pam, etc). My ideal scenario is for TTLS to use PAM (which 
authenticates based on md5 hashes in /etc/shadow), allowing anyone with an account on 
the server running radiusd to connect to the WLAN, but I'm not quite sure how the auth 
protocol interacts with auth-types. I have DEFAULT Auth-Type := Pam in my users file; 
do I need to do anything further depending on the auth protocol I use inside the 
EAP-TTLS tunnel (pap, chap, etc)?

3. I'm really, really in the dark when it comes to the key distribution mechanism. 
With EAP-TTLS and WPA, what system actually generates and distributes the WPA key? Does the 
radius server handle that, or does it only negotiate access and let the base station 
generate a random key? Is there a knob in the config I need to set up for this?

Thank you in advance for your patience. I'm sure I'll have more questions later.

Thanks,

-Chris



Re: newbie alert Freeradius, EAP-TTLS, and OpenSSL questions

2003-11-21 Thread Alan DeKok
Chris Woodfield [EMAIL PROTECTED] wrote:
 1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So
 far, I've been unable to successfully create a cert that freeradius
 likes. In the radiusd.conf file, there's an certificate_file argument,
 along with a CA_file argument. My understanding of the reason for this
 is that with EAP-TLS, authentication is done by certs alone - the user
 must have the server cert's public key loaded, and the user must
 present a public key signed by the CA.

  Yes.  But TTLS still requires a server certificate.

 But with TTLS, the client cert does not appear to be a
 requirement. Does that mean I can use a self-signed cert and not worry
 about the CA_file, or do I still need to create both?

  You still need a server certificate.

 And if so, does anyone have a working openssl recipe to create
 these? So far I've been unsuccessful in creating anything other than
 a self-signed key.

  See scripts/CA.all

 2. I think I'm missing some understanding when it comes to the
 differences between authentication protocols (pap, mschap, etc) and
 authentication mechanisms (users file, smbpasswd, sql, pam, etc). My
 ideal scenario is for TTLS to use PAM (which authenticates based on
 md5 hashes in /etc/shadow),

  Huh?  Why not just use 'System' authentication?

 I have DEFAULT Auth-Type := Pam in my users file; do I need to do
 anything further depending on the auth protocol I use inside the
 EAP-TTLS tunnel (pap, chap, etc)?

  CHAP won't work with passwords from /etc/passwd.  See the FAQ.

 3. I'm really, really in the dark when it comes to the key
 distribution mechanism. with EAP-TTLS and WPA, what system actually
 generates and distributes the WPA key? Does the radius server handle
 that,

  Yes.

 Is there a knob in the config I need to set up for this?

  No.

  Alan DeKok.



Re: newbie alert Freeradius, EAP-TTLS, and OpenSSL questions

2003-11-21 Thread Chris Woodfield
   See scripts/CA.all

Ran this, and it appears that everything worked right up until the end, 
when I got these errors:


Certificate is to be certified until Nov 20 23:34:06 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out 
cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever 
-passout pass:whatever
23118:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too 
long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
23119:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##\n'

##

tino:/usr/local/ssl/certs#

Any idea what's happening? This is OpenSSL 0.9.7c.

-C

 
  2. I think I'm missing some understanding when it comes to the
  differences between authentication protocols (pap, mschap, etc) and
  authentication mechanisms (users file, smbpasswd, sql, pam, etc). My
  ideal scenario is for TTLS to use PAM (which authenticates based on
  md5 hashes in /etc/shadow),
 
   Huh?  Why not just use 'System' authentication?
 
  I have DEFAULT Auth-Type := Pam in my users file; do I need to do
  anything further depending on the auth protocol I use inside the
  EAP-TTLS tunnel (pap, chap, etc)?
 
   CHAP won't work with passwords from /etc/passwd.  See the FAQ.
 
  3. I'm really, really in the dark when it comes to the key
  distribution mechanism. with EAP-TTLS and WPA, what system actually
  generates and distributes the WPA key? Does the radius server handle
  that,
 
   Yes.
 
  Is there a knob in the config I need to set up for this?
 
   No.
 
   Alan DeKok.
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


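
An added example, not from this thread and not the scripts/CA.all recipe Alan
points at: a minimal private CA plus a CA-signed server certificate for an
EAP-TTLS server, built with `openssl x509 -req` instead of `openssl ca`. The
difference matters for the trace above: "TXT_DB error number 2" is the
duplicate-entry error from the `openssl ca` index database (index.txt), raised
when that database already holds a certificate for the same subject, and the
later "No certificate matches private key" and PEM errors simply follow from
the certificate never having been written. Signing a CSR directly with
`openssl x509 -req -CA ... -CAcreateserial` keeps only a serial-number file,
so re-issuing a certificate for the same CN cannot fail that way. Directory,
CNs and file names here are illustrative assumptions; which file the
`certificate_file` and `CA_file` settings Chris mentions should point at is
also an assumption (server-combined.pem and ca.pem respectively), and the
supplicants must be given ca.pem as their trust anchor, otherwise TTLS does
not protect the inner password from a rogue access point presenting its own
certificate.

```shell
#!/bin/sh
# Added example: build a private CA and a CA-signed server certificate for an
# EAP-TTLS RADIUS server without the `openssl ca` index database.
# All names (output directory, CNs, file names) are illustrative assumptions.
#
# `openssl x509 -req -CA ... -CAcreateserial` signs a CSR directly and only
# tracks a serial-number file (ca.srl), so it cannot hit the "TXT_DB error
# number 2" duplicate-entry failure that `openssl ca` raises when index.txt
# already contains a certificate for the same subject.

make_eap_server_cert() {
  outdir=$1
  ca_cn=${2:-Example RADIUS CA}
  server_cn=${3:-radius.example.org}

  mkdir -p "$outdir" || return 1

  # 1. CA key and self-signed CA certificate (10 years).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$ca_cn" \
    -keyout "$outdir/ca.key" -out "$outdir/ca.pem" 2>/dev/null || return 1

  # 2. Server key and certificate signing request (CSR).
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$server_cn" \
    -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null || return 1

  # 3. Sign the CSR with the CA key (1 year).  No index.txt is involved;
  #    -CAcreateserial creates ca.srl on first use and reuses it afterwards.
  openssl x509 -req -days 365 \
    -in "$outdir/server.csr" \
    -CA "$outdir/ca.pem" -CAkey "$outdir/ca.key" -CAcreateserial \
    -out "$outdir/server.pem" 2>/dev/null || return 1

  # 4. Confirm the chain verifies against the CA before deploying it.
  openssl verify -CAfile "$outdir/ca.pem" "$outdir/server.pem" >/dev/null 2>&1 || return 1

  # 5. Key and certificate in one PEM file, readable only by the owner.
  cat "$outdir/server.key" "$outdir/server.pem" > "$outdir/server-combined.pem" || return 1
  chmod 600 "$outdir/server.key" "$outdir/server-combined.pem"
}

# Print the subject of a certificate, for a quick sanity check of what was issued.
cert_subject() {
  openssl x509 -noout -subject -in "$1"
}

# Usage (assumed paths): make_eap_server_cert /etc/raddb/certs "My RADIUS CA" radius.example.org
```

Running the function a second time for the same CN succeeds, which is exactly
the case that makes `openssl ca` fail with TXT_DB error 2 unless index.txt is
cleaned or unique_subject is disabled.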


Re: 093 Crashes with unknown tokens

2003-11-21 Thread Matt Sapp
Greg,

While you may have misunderstood Alan's terseness as him being nasty to you, please 
look at the situation.

You're saying that if there was a configuration file error, then by all means, stop 
the server, but if it's just a users file error, then it shouldn't be halted and the 
server should keep going on with some half-correct information.

Personally, I don't see how the users file being in proper shape is any less critical 
than any other configuration file being correct.  You'd be much better off 
implementing some solution to make sure the users file is correct (perhaps some type 
checking in whatever system you use to manage your users -- surely you don't have a 
bunch of typo-prone data entry people editing the users file by hand, do you?).  The 
users file has a very specific format, and it's not hard to follow.  If you have 
proper checks in your management system, this is a moot point, and this has been 
pointed out in reference to the dialup_admin package.

However, as has been stated, if you really think it should keep going and skip any 
users entries that are broken, you do have the source, and you can do whatever you 
wish with it.  This doesn't mean Alan is going to accept it back into the main FR 
tree, but if you're dead-set on expecting the server to handle your typos rather than 
dealing with them where they should be corrected elsewhere, it's probably a 5 line 
change to do so.

-Matt
MNU Network Administrator

--- Original Message Below ---

From: Greg G [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Date: Fri, 21 Nov 2003 16:51:54 -0500

   No, it's doing just what I want.  It's logging the problem with the 
user entry and getting on with processing.  There's no reason that an 
single authentication item in the users file should halt the server.  If 
it's a problem in the configuration file or something critical like 
that, absolutely there should be no further action.
   I understand that you have a different opinion, but that doesn't 
negate mine, or the fact that this is how I'd like it to work.  Pointing 
me at the readme file isn't much help either, since that boils down to 
fix it, or don't.  Whatever.

-Greg G




Re: 093 Crashes with unknown tokens

2003-11-21 Thread Kristina Pfaff-Harris
On Fri, 21 Nov 2003, Matt Sapp wrote:

 Personally, I don't see how the users file being in proper shape is any
 less critical than any other configuration file being correct.  You'd be
 much better off implementing some solution to make sure the users file
 is correct (perhaps some type checking in whatever system you use to
 manage your users -- surely you don't have a bunch of typo-prone data
 entry people editing the users file by hand, do you?). 

For what it's worth, it may be better to make this a matter of procedure. 
For my part, whenever I make any change to Radius configuration files, I 
follow the following steps:

 1) Edit the file and make changes.

 2) Run radiusd -X. This will show any fatal errors in the config 
without you having to stop your good radius. It will quit with a message 
about radius already running, but up until then, will show you whether or 
not radius *will* start with the new config.

 3) Restart radiusd with the new config if radiusd -X worked out okay.

It's probably possible to write a script (and eventually I probably will 
but am too lazy now) to run this sort of check and only restart radiusd if 
things are okay, but I think just making sure that people check is a 
quicker fix than code hacking.

Not a better fix, but a quicker fix. :-)

I do agree that I don't really want Radius running with a semi-woogly 
config, although it can be a pain the times where I forget to check it 
with -X, since those are always the times I've made a mistake. 

Heh.

Kristina



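
The script Kristina describes but has not written, as an added example that is
not part of the thread and not FreeRADIUS code: back up the live file, install
the candidate, run a validator against it, and either restart the daemon or
roll back. It covers the same need as Richard's snippet earlier in the thread
and Matt's point about checking the file before it reaches the server. The
validator and restart commands are parameters because they differ per site; in
practice the validator would wrap `radiusd -X` run against a test
configuration directory, as Kristina describes, or check-radiusd-config, as
Richard used. The paths in the comments are assumptions. Swapping the file in
before validating is safe here only because, as the thread itself shows, the
users file is parsed when radiusd starts, not while it is running.

```shell
#!/bin/sh
# Added example: stage a RADIUS configuration change, validate it, and either
# restart the daemon or roll back to the previous file.  Validator and restart
# commands are parameters; the paths below are illustrative assumptions.
#
# Typical invocation (assumed paths):
#   safe_install /tmp/users.new /etc/raddb/users /usr/local/sbin/check-users \
#                "service radiusd restart"
# where check-users is a site script that exits non-zero when the new
# configuration is not loadable (e.g. by running radiusd -X against a test
# configuration directory that contains the candidate file).
#
# Return codes: 0 installed and restarted, 1 rejected and rolled back,
#               2 could not stage (missing file or copy error), 3 restart failed.

safe_install() {
  candidate=$1
  live=$2
  validator=$3
  restart=${4:-:}            # default: no restart command, just install
  backup="$live.prev"
  checklog="$live.check.log"

  [ -f "$candidate" ] || return 2
  [ -f "$live" ] || return 2

  # Keep the known-good copy before touching anything.
  cp -p "$live" "$backup" || return 2

  # Install the candidate; if even that fails, put the original back.
  cp "$candidate" "$live" || { cp -p "$backup" "$live"; return 2; }

  # Let the validator inspect the live path; keep its output for the operator.
  if "$validator" "$live" >"$checklog" 2>&1; then
    rm -f "$backup"
    $restart || return 3     # configuration accepted but the restart failed
    return 0
  fi

  # Validation failed: roll back, keep the log, report failure.
  cp -p "$backup" "$live"
  rm -f "$backup"
  echo "safe_install: rejected $candidate; $live restored, see $checklog" >&2
  return 1
}
```

The restart is only attempted after the validator has accepted the file, so a
typo in a users entry never takes the running daemon down; the check log
stays next to the live file so the person who made the edit can see why it
was rejected.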


Re: 0.9.3 has been released

2003-11-21 Thread Paul Hampson
On Fri, Nov 21, 2003 at 09:12:31AM -0600, Nick Davis wrote:
 On Thursday 20 November 2003 20:07, Paul Hampson wrote:
  As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
  rlm_eap has been silenced in the case where it is called upon a non-EAP
  packet.
 
  There are packages for Debian at
  http://www.tbble.com/freeradius/
  They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
  muck with the new source archive; and (b) we're this close to getting
  into Debian/unstable so I don't want to muck with things too much until
  that's done.
 
  Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
  are the same as the 0.9.3 tarball above, but with major Debian packaging
  improvements (big thanks to Steve Langasek for his guidance here) which
  will hopefully go into 1.0.0 and 0.9.4's tarballs.

 Paul,

  I see that these deb packages have the same dependency issues we discussed in 
 September with libiodbc2 and libltdl3. The Depends says:
  freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
   Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
  freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is installed

To be honest, I don't remember discussing this in September, but my mail
archives are currently in transit, so I can't check what I said.

According to my local Debian mirror, (mirror.aarnet.edu.au), the current
libiodbc2 in sid (/unstable) is 3.51.1-3, the current libltdl3 is 1.5-7,
and the current zlib1g is 1:1.2.1-1

 I am running Sarge, and I tried to search through unstable. Where do those 
 versions of those libraries come from? Several of the debian web servers have 
 been compromised and are down for inspection, so I am not able to search for 
 the necessary versions of these libraries.

Ah, that's the problem, testing's not up to date on these libraries.

Since we're going for Debian archive acceptance, they have to be built
against unstable. I may have previously built against testing, but I
don't think I put those binaries anywhere, as they were built on a
powerpc machine.

On Fri, Nov 21, 2003 at 11:00:19AM -0600, Nick Davis wrote:
 All,
  I posted new versions of my slimmed down debian packages:
 http://mrtizmo.com/freeradius/index.html
 
 The big thing I did was to remove the need for iodbc, since it has a lot of 
 nasty dependencies.

Apart from libc6, what other dependencies are you seeing from libiodbc2?

(My unstable build machine is currently also in transit, so I can't
check that myself. Last time I tried to get iodbc broken out into its
own package, the lack of interesting dependencies was the deciding
factor. I do intend to re-address this issue once we're in the Debian
archive.)

--
Paul TBBle Hampson, from an alternate email client.
