Re: Reply-Message

2002-11-21 Thread Karl Pielorz


--On 21 November 2002 16:50 +0200 Remus Anca <[EMAIL PROTECTED]> wrote:




  Did anyone succeed in 'putting' messages, sent by freeradius with the
  Reply-Message attribute, on the Windows screen?

  I know it's a Windows problem, but how can I trick it?

  thx.

  I think this is very useful for all ISP admins.

--
Remus


I don't think any of the actual Windows PPP stacks support this, i.e. it's 
not going to work :(

I can't see any way you can work around it either; if it's not supported by 
the client, it's not supported :-(

[And how many ISP's wish it was supported? :)]

-Kp


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: after hours shared secret bug

2002-11-21 Thread Karl Pielorz

--On 21 November 2002 09:40 +0200 Angelos Karageorgiou <[EMAIL PROTECTED]> 
wrote:

Has anyone noticed freeradius giving errors for accounting packets with
"Invalid shared secrets"?


Yes, we have that problem here... We're running FreeRADIUS 0.8, we have it 
'talking' to three other companies / sites...

Two of them work fine for both Auth and Accounting. One remote system runs 
RADIATOR, the other two I don't know what they run, and can't find out 
[simply because, in their wisdom, they won't tell us].

For the third - auth works fine, accounting always shows "Invalid 
Signature". The people running the third system are not brilliantly 
helpful. They insist they've thoroughly checked their side, and they are 
signing the packets with the same shared secret as the Auth packets (which 
work fine).

Sometimes , mostly under heavy load, both radiuses nag about "invalid
shared secret" which goes away after a while.


Ours always does this with no regard to load, but only to 1 out of 3 
systems. Interestingly, the people using RADIATOR also talk to the 3rd 
problem site, and don't have the same problem with it (and we can talk to 
that RADIATOR site fine).

I have not been able to pinpoint the problem, yet I will try to tcpdump
and grab the raw data, I was just wondering if anyone has seen this
behaviour in the wild.


I've got tcpdumps here - I'm not sure (because of the way the secrets 
work) that you can do anything with them, other than tell whether or not 
the packet was signed with the one you have (i.e. you can't tell what 
secret was used to sign a packet, only that it does or doesn't match 
yours). It'd be interesting to know if you could run this test outside 
FreeRADIUS (i.e. "Here's a packet, does it have a valid signature?").

There's another guy on the list at the moment who also has problems with 
"Invalid Signature" - but he's also battling port number problems as well...

-Kp
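The "here's a packet, does it have a valid signature?" test Karl asks about can be done outside the server. RFC 2866 defines the Accounting-Request Request Authenticator as MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret), so anyone holding a capture and a candidate secret can recompute it. The following is an added example written for this page (not FreeRADIUS code, not from the thread); the packet it builds, the identifier 7 and the secrets are constructed values:

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)


def attribute(attr_type, value):
    """Encode one RADIUS attribute: Type | Length | Value (Length covers all three)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accounting_request(ident, attrs, secret):
    """Build an Accounting-Request signed as RFC 2866 section 3 requires:
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def accounting_authenticator_valid(packet, secret):
    """True if the packet's Request Authenticator was produced with `secret`.
    This is the check a server performs before trusting an accounting record."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def which_secret_matches(packet, candidates):
    """Test a captured packet against each candidate secret; return the first
    that verifies, or None. The secret cannot be recovered from the packet,
    only confirmed or ruled out one guess at a time."""
    for candidate in candidates:
        if accounting_authenticator_valid(packet, candidate):
            return candidate
    return None


def sample_packet(secret):
    """A constructed Accounting-Request (Start record for user 'karl'); not a real capture."""
    attrs = (attribute(1, b"karl")                    # User-Name
             + attribute(40, struct.pack("!I", 1))    # Acct-Status-Type = Start
             + attribute(44, b"0001"))                # Acct-Session-Id
    return build_accounting_request(7, attrs, secret)


if __name__ == "__main__":
    pkt = sample_packet(b"our-secret")
    print("our-secret:", accounting_authenticator_valid(pkt, b"our-secret"))       # True
    print("wrong:     ", accounting_authenticator_valid(pkt, b"wrong"))            # False
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])   # flip one bit of the last attribute byte
    print("tampered:  ", accounting_authenticator_valid(tampered, b"our-secret"))  # False
```

Feeding a tcpdump'd UDP payload to accounting_authenticator_valid() with the secret you have in clients.conf tells you whether the far end signed with the same one; a mismatch on every packet from one peer, independent of load, points at a different secret (or a proxy rewriting the packet) on that peer. Note this only works for accounting: an Access-Request carries a random Request Authenticator, so there is nothing to recompute there, which is why "auth works, accounting doesn't" is detectable this way at all.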



Re: No. of MySQL connectons?

2002-10-25 Thread Karl Pielorz
--On 25 October 2002 11:40 +0300 Kostas Kalevras <[EMAIL PROTECTED]> wrote:


With that in mind, a limit of 100 connections seems to be a little high?
- I'm just checking 100 isn't an outrageous number for max_servers of
32, and with the loading on the system.


Having more sql connections than threads will not gain you much; each
thread will use just one sql connection at a time. There is a bug which
has been fixed in the current cvs which most probably is the reason for
your server crashes. So try upgrading to the latest cvs.


I didn't think it would - hence the check :) - I'll go checkout the cvs 
version,

Thanks & Regards,

-Karl



No. of MySQL connectons?

2002-10-25 Thread Karl Pielorz

Hi All,

I'm running FreeRADIUS 0.7.1 under FreeBSD 4.6. I'm also using MySQL as a 
source for the radius details.

Recently, the server has kept dying at random points in the day - which we 
tracked down to it running out of mysql socket connections.

So, we doubled the number of connections it could have (from, admittedly, the 
default 10 to 20). It still ran out, so we doubled it again to 40; it still 
ran out - so we've now set it to 100.

Does anyone have any recommendations for a value for this? [I can hear the 
cries of 'how busy is the server?' :)] - the server handles about 20-30 
thousand auth requests a day; according to some quick checks, its peak 
'rate' seems to be about 5 requests a second.

radiusd.conf now sets max_requests to 1024, max_servers = 32, 
min_spare_servers = 3 and max_spare_servers = 10.

With that in mind, a limit of 100 connections seems to be a little high? - 
I'm just checking 100 isn't an outrageous number for max_servers of 32, and 
with the loading on the system.

-Karl Pielorz



RE: Vendor-Specific reply? - editing the dictionary files - the right thing to do? - solved

2002-08-28 Thread Karl Pielorz



--On 28 August 2002 08:00 -0500 "McNutt, Justin M." <[EMAIL PROTECTED]> 
wrote:

>> Thinking I was doing the right thing - I edited the
>> dictionary.cisco and
>> commented out the Attribute #26 already in there
>> ("h323-call-origin") -
>> which I renamed as 'tdxtest'.
>
> I'm not sure about your second question, but we certainly have had no
> troubles editing the dictionary files.  You might send your additions to
> Alan and/or the maintainers of the dictionaries (they may list themselves
> in the file header) so you don't have to edit things every time you
> reinstall.

Just a quick note to say this was resolved. It wasn't FreeRADIUS messing 
things up, or failing to perform - it was basically confusing documentation 
from the 3rd party...

> Yes.
>
> There   = indicates direction "over there"
> Their   = indicates possession "their system" (see above)
> They're = contraction of "they are"

As a consolation, I'll try to correct my abuse of there/their/they're in 
the future :)

Regards,

-Karl




Vendor-Specific reply? - editing the dictionary files - the right thing to do?

2002-08-28 Thread Karl Pielorz

Hi All,

We're happily using FreeRADIUS under FreeBSD - recently, I've been asked to 
setup a vendor-specific reply for some of our users.

I've been asked to send a Vendor 0x9 (Cisco) Attribute #26 Type 0x1 reply, 
with a specific value which the remote system will use.

Thinking I was doing the right thing - I edited the dictionary.cisco and 
commented out the Attribute #26 already in there ("h323-call-origin") - 
which I renamed as 'tdxtest'.

Is this the correct (or one correct?) way to do things? - How do I (or do I 
need to) specify the "Attribute Type" of 0x1 - I have a hunch this is what 
the 'string' bit does.

In the RADIUS reply we send, I now include an attribute called 'tdxtest' - 
with the value they require, and I've told FreeRADIUS that the NAS it's 
talking to is 'cisco' (in the clients.conf by specifying "vendor = cisco" 
for their IPs).

The remote side say they get a Vendor 0x9 (Cisco) attribute #26 - but 
their system says it's a bad attribute.

Anyone got any pointers / suggestions?

Regards,

-Karl
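The two "26"s in this request are easy to conflate, and the wire format makes the difference visible. RADIUS attribute type 26 is the Vendor-Specific container (RFC 2865 section 5.26); inside it sit a 4-octet Vendor-Id (9 for Cisco) and then vendor sub-attributes, each with its own vendor type and length. "Vendor 0x9, attribute #26, type 0x1" therefore describes the container plus vendor type 1 (Cisco-AVPair in the stock dictionary.cisco), whereas h323-call-origin is vendor type 26 under the same container. The encoder/decoder below is an added example written for this page, not FreeRADIUS code; the value "tdxtest=1" is a made-up AVPair:

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type "Vendor-Specific" (RFC 2865 s.5.26)
CISCO = 9             # Cisco's IANA enterprise number (the "Vendor 0x9" in the post)


def encode_vsa(vendor_id, vendor_type, value):
    """Wrap one vendor sub-attribute in a RADIUS Vendor-Specific attribute:
    Type=26 | Length | Vendor-Id (4) | Vendor-Type | Vendor-Length | value."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one octet")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    if 6 + len(sub) > 255:
        raise ValueError("VSA too long for one attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def decode_attributes(data):
    """Parse a RADIUS attribute list into (type, vendor_id, vendor_type, value) tuples;
    vendor_id and vendor_type are None for ordinary attributes. Every length is
    validated so a malformed VSA raises instead of being mis-read."""
    result = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + attr_len]
        if attr_type != VENDOR_SPECIFIC:
            result.append((attr_type, None, None, body))
        else:
            if len(body) < 6:
                raise ValueError("VSA shorter than Vendor-Id plus one sub-attribute")
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):   # one VSA may carry several sub-attributes
                if j + 2 > len(body):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("bad vendor-length")
                result.append((VENDOR_SPECIFIC, vendor_id, vtype, body[j + 2:j + vlen]))
                j += vlen
        i += attr_len
    return result


def cisco_avpair(value):
    """Vendor type 1 under vendor 9 is Cisco-AVPair in the stock dictionary.cisco."""
    return encode_vsa(CISCO, 1, value)


if __name__ == "__main__":
    vsa = cisco_avpair(b"tdxtest=1")
    print(vsa.hex())               # 1a11 00000009 01 0b 746478746573743d31
    print(decode_attributes(vsa))  # [(26, 9, 1, b'tdxtest=1')]
```

Running it shows the bytes the remote side would see: 0x1a (26), total length, 00000009, then 01 (vendor type) and the sub-length. Renaming the vendor-type-26 dictionary entry produces a VSA whose sixth octet is 0x1a rather than 0x01, which is exactly what a peer expecting type 0x1 would reject as a bad attribute; adding a reply item for the existing vendor-type-1 attribute, rather than editing dictionary.cisco, is the usual way to send it. The decoder's length checks matter on the receiving side too: a VSA with a vendor-length that overruns the attribute is a classic parser bug, and refusing it is cheaper than guessing.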




Re: FreeBSD 4.6R / freeradius 0.6 - 'Bus Error'? (sorry, flakey details)

2002-07-18 Thread Karl Pielorz

--On 18 July 2002 11:03 -0400 Alan DeKok <[EMAIL PROTECTED]> wrote:

> Karl Pielorz <[EMAIL PROTECTED]> wrote:
>> rlm_sql: Reserving sql socket id: 29
>> rlm_sql: Released sql socket id: 29
>> Bus error
>
>   Hmm... that doesn't sound good.  Maybe the memory on the system is
> dying?

The system's got ECC throughout (It's an HP Netserver) - so I don't think it 
could be the memory (It's set to halt on ECC error AFAIK).

>   Nope.  If it's a software bug, I'd suggest upgrading to the latest
> CVS snapshot.

I'll try the latest CVS and see what happens... Weird thing is it's been 
working fine for a few weeks - though it is getting very busy now (I had to 
up the number of MySQL connections from 5 to 20)

-Karl




FreeBSD 4.6R / freeradius 0.6 - 'Bus Error'? (sorry, flakey details)

2002-07-18 Thread Karl Pielorz

Hi All,

Sorry to be so flakey on details (As I'm now kicking myself for leaving out 
KTRACE support on the machine :)

I've had a FreeRADIUS 0.6 server running under FreeBSD 4.6R since the day 
0.6 was released.

All of a sudden this morning, the server keeps quitting after a very short 
amount of time. Running it from the command line with -x shows:

"
Annex-Wan-Number = 2
Annex-Logical-Channel-Number = 28
Called-Station-Id = "314"
Calling-Station-Id = "xx"
X-Ascend-PPP-Async-Map = 0xf31eef846933149b0fded0a8b1954716
rlm_sql: Reserving sql socket id: 29
rlm_sql: Released sql socket id: 29
Bus error
"

This happens after the first one or two queries have been processed. 
Stepping back to the previous 0.5 daemon running on the machine, it seems 
fine.

Whilst I'm waiting for an opportunity to reboot the machine with KTRACE 
support et al (and figure out why I'm not getting a coredump) - anyone have 
any pointers - or seen similar?

Regards,

-Karl




'OR' comparison for Attributes

2002-07-11 Thread Karl Pielorz

Hi All,

I have a FreeRADIUS (0.6) server, hooked up with MySQL. In the various 
tables, I have a Group Check, which basically says:

"
Called-Station-Id == 0123456789
Auth-Type := Local
Simultaneous-Use  := 1
"

This works fine, but is it possible to do the equivalent of:

"Calling-Station-Id == 0123456789
   -or-
 Calling-Station-Id == 0234567891"

i.e. if The calling station ID is one value OR another value?

Regards,

-Karl




FreeRADIUS 0.6 - Escaping '/' for SQL?

2002-07-10 Thread Karl Pielorz

Hi All,

I just went from FreeRADIUS 0.5 to 0.6, only to find all my users being 
rejected... A quick run in debug mode & looking at the changelog/cvs - I 
found that the '/' character in our usernames was being escaped into a 
'mime encoded' equivalent.

I'll confess to not knowing if '/' is special to SQL servers or not - but 
this change broke our previously working FreeRADIUS 0.5/MySQL 3.23.49 setup.

Simply adding '/' into the strchr() call in rlm_sql.c / sql_escape_func() 
did the trick (the attached patch does this).

I've posted this more as an 'in case it bites you' thing, rather than an 'I 
think this should be committed/fixed' thing - as our use of '/' in usernames 
could be dodgy in the first place :)

Regards,

-Karl



(attachment: freeradius-0.6.patch)


Re: Freeradius 0.5 w/MySQL & MD5 passwords?

2002-05-30 Thread Karl Pielorz

--On 30 May 2002 15:29 +0300 Kostas Kalevras <[EMAIL PROTECTED]> wrote:

> The op field should be set to ':='

I foolishly thought that the 'op' field defaulted to ':=' :(

Switching them all to ':=' has fixed the problem (As a Pascal programmer I 
shall hang my head in shame :)

Thanks for the help, it now appears to work fine :)

Regards,

-Karl




Re: Freeradius 0.5 w/MySQL & MD5 passwords?

2002-05-30 Thread Karl Pielorz

--On 30 May 2002 14:12 +0300 Kostas Kalevras <[EMAIL PROTECTED]> wrote:

> You should put an entry for Auth-Type in the radgroupcheck table, not in
> the radgroupreply. Try seting the Auth-Type to MD5. Use the Password
> attribute with an MD5 encrypted password for value. Then in your
> radiusd.conf in the authenticate section do the following:
>
> authenticate {
>   authtype MD5{
>   pap
>   }
> }
>
> Hope it helps

Hi! - Thanks for the reply, I've tried the above, but still no joy :(

I removed the 'Auth-Type' row from radgroupreply, and put an entry into 
radgroupcheck (as can be seen below).

The debug output now says:

"
rad_recv: Access-Request packet from host 196.168.0.1:58099, id=97, 
length=53
User-Name = "test"
User-Password = "\346\022\211|>}\236\264\323e\356\253\203qC\036"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "1"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
radius_xlat:  'test'
sql_escape in:  'test'
sql_escape out:  'test'
sql_set_user:  escaped user --> 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Pairs do not match [test]
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound
modcall: group authorize returns ok
auth: No Auth-Type configuration for the request, rejecting the user
"

The SQL tables so far are populated with:

mysql> select * from radcheck;
+----+----------+-----------+----------------------------------+------+
| id | UserName | Attribute | Value                            | op   |
+----+----------+-----------+----------------------------------+------+
|  1 | test     | Password  | 098f6bcd4621d373cade4e832627b4f6 | NULL |
+----+----------+-----------+----------------------------------+------+

mysql> select * from radgroupcheck;
+----+-----------+-----------+-------+------+
| id | GroupName | Attribute | Value | op   |
+----+-----------+-----------+-------+------+
|  1 | my_group  | Auth-Type | MD5   | NULL |
+----+-----------+-----------+-------+------+

mysql> select * from radgroupreply;
+----+-----------+-------------------+-----------------+------+------+
| id | GroupName | Attribute         | Value           | op   | prio |
+----+-----------+-------------------+-----------------+------+------+
|  1 | my_group  | Framed-Protocol   | PPP             | NULL |    0 |
|  3 | my_group  | Framed-IP-Address | 255.255.255.254 | NULL |    0 |
+----+-----------+-------------------+-----------------+------+------+

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | test     | my_group  |
+----+----------+-----------+

(all other tables are empty)

Pertinent bits of radius.conf are:

authorize {
  preprocess
  suffix
  sql
}

authenticate {
  authtype MD5{
  pap
  }
}






Freeradius 0.5 w/MySQL & MD5 passwords?

2002-05-30 Thread Karl Pielorz

Hi All,

I've been trying to get FreeRADIUS 0.5-Release to use both MySQL and MD5 
passwords...

I've gotten enough working to let me use plaintext passwords from the MySQL 
database, but I'm struggling to get MD5 passwords working.

In my radius.conf I've got the following set (I won't post the whole thing 
unless someone thinks it's really relevant :)

pap {
  encryption_scheme = md5
}

authorize {
  preprocess
  sql
  suffix
}

authenticate {
  pap
}

I've got an entry in the radgroupreply table that sets Auth-Type to 
"System" for my test account. In the radcheck table, if I use the attribute 
"Password" and give it a plain text password, it works fine. I'm not sure 
if I should keep using this for MD5, or switch to using 'Crypt-Password' 
(which sounds more applicable). The debug output below is when I'd put a 
password in the 'Crypt-Password' field with Crypt-Password set to 
"MD5('test')".

I'm a bit concerned about the "auth: type Crypt" in the output, as being a 
possible problem :(

Thanks for any info / pointers :)

-Karl


---

Debug output from radiusd says:

rad_recv: Access-Request packet from host 192.168.0.1:58060, id=253, 
length=53
User-Name = "test"
User-Password = "\237Q\221\224!\255\tAU\221\354\022t"\277\351"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "1"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
radius_xlat:  'test'
sql_escape in:  'test'
sql_escape out:  'test'
sql_set_user:  escaped user --> 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'

radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

radius_xlat:  'SELECT Value,Attribute FROM radcheck WHERE UserName = 'test' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok
  modcall[authorize]: module "suffix" returns ok
modcall: group authorize returns ok
auth: type Crypt
auth: Failed to validate the user.
Login incorrect: [test/test] (from nas UNKNOWN-NAS port 0)
Sending Access-Reject of id 253 to 192.168.0.1:58060
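For anyone following this thread, here is what the server actually has to do with the two values in play: the User-Password seen in the Access-Request above is not a hash but the cleartext obfuscated per RFC 2865 section 5.2 (XOR with an MD5 keystream derived from the shared secret and the Request Authenticator), and "MD5 passwords" means the recovered cleartext is hashed and its hex compared against the radcheck value. The code below is an added example written for this page, not rlm_pap or rlm_sql source; the secret and Request Authenticator are constructed, and only the stored hash (MD5 of "test", as in the radcheck table earlier in the thread) comes from the posts:

```python
import hashlib
import hmac


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_user_password(password, secret, request_authenticator):
    """RFC 2865 s.5.2: pad with NULs to a multiple of 16 (at least 16), then
    c1 = p1 XOR MD5(S + RA), ci = pi XOR MD5(S + c(i-1)). This is what the NAS sends."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + bytes(-len(password) % 16) or bytes(16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decrypt_user_password(ciphertext, secret, request_authenticator):
    """Inverse of the above; the server runs this before comparing the password."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")   # strips padding (a password ending in NUL would lose it)


def md5_password_matches(cleartext, stored_hex):
    """What 'encryption_scheme = md5' amounts to: hex(MD5(cleartext)) == stored value.
    Unsalted, fast MD5 is trivially brute-forced if the table leaks; it is shown
    only because it is what the thread configures."""
    return hmac.compare_digest(hashlib.md5(cleartext).hexdigest(), stored_hex.lower())


def check_access_request(user_password_attr, secret, request_authenticator, stored_hex):
    """Server side of the exchange: recover the cleartext, then test it against radcheck."""
    cleartext = decrypt_user_password(user_password_attr, secret, request_authenticator)
    return md5_password_matches(cleartext, stored_hex)


# Constructed values, not taken from the captured packets in this thread.
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))
STORED = "098f6bcd4621d373cade4e832627b4f6"   # the radcheck value shown in the thread: MD5("test")

if __name__ == "__main__":
    attr = encrypt_user_password(b"test", SECRET, REQUEST_AUTHENTICATOR)
    print(check_access_request(attr, SECRET, REQUEST_AUTHENTICATOR, STORED))          # True
    print(check_access_request(attr, b"wrong-secret", REQUEST_AUTHENTICATOR, STORED))  # False
```

Two things worth taking from it. The wire "encryption" is reversible by anyone who knows the shared secret and sees the packet, so it protects only against casual sniffing, not against a compromised or weak secret. And the stored side, a bare MD5 of the password, is exactly as strong as the user's password choice: a leaked radcheck table can be run through a wordlist at hundreds of millions of guesses a second on commodity hardware, so where the choice exists, prefer a salted and deliberately slow scheme over encryption_scheme = md5.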

