Redundant failover failure
Hi all,

I have been running FreeRadius in a redundant failover with LDAP for about two years now. This weekend, my primary LDAP server hiccuped, so my failover config should have picked up the slack. This did not happen. I could swear that I tested this after setup, but maybe not, as it did not work. Do I have a config error or is there something that I am missing here? I did shoot an 'ldapsearch' at my secondary LDAP server just to ensure that it is indeed servicing the LDAP queries.

Below are the relevant portions of my radiusd.conf:

-< snip >-

        # Lightweight Directory Access Protocol (LDAP)
        #
        # This module definition allows you to use LDAP for
        # authorization and authentication (Auth-Type := LDAP)
        #
        # See doc/rlm_ldap for description of configuration options
        # and sample authorize{} and authenticate{} blocks
        ldap ldap1 {
                server = "10.0.4.24"
                # identity = "cn=admin,o=My Org,c=UA"
                # password = mypass
                basedn = "o=X"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                #filter = "(uid=%u)"

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database.
                start_tls = no

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                #access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
                #access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                # ldap_cache_timeout = 120
                # ldap_cache_size = 0
                ldap_connections_number = 5
                # password_header = "{clear}"
                # password_attribute = userPassword
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                timeout = 5
                timelimit = 4
                net_timeout = 2
                # compare_check_items = yes
                # access_attr_used_for_allow = yes
        }

        ldap ldap2 {
                server = "10.0.4.106"
                # identity = "cn=admin,o=My Org,c=UA"
                # password = mypass
                basedn = "o=X"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                #filter = "(uid=%u)"

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database.
                start_tls = no

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                #access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
                #access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                # ldap_cache_timeout = 120
                # ldap_cache_size = 0
                ldap_connections_number = 5
                # password_header = "{clear}"
                # password_attribute = userPassword
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames$
                timeout = 5
                timelimit = 4
                net_timeout = 2
                # compare_check_items = yes
                # access_attr_used_for_allow = yes
        }

missing lines.

authorize {
        #
        # The preprocess module takes care of sanitizing some bizarre
        # attributes in the request, and turning them into attributes
        # which are more standard.
        #
        # It takes care of processing the 'raddb/hints' and the
        # 'raddb/huntgroups' files.
        #
        # It also adds a Client-IP-Address attribute to the request.
        #
        preprocess

        #
        # The chap module will set 'Auth-Type := CHAP' if we are
        # handling a CHAP request and Auth-Type has not already been set
        #
        # chap
        # counter
        # attr_filter
        # eap
        suffix
        files
        # etc_smbpasswd

        #
        # Uncomment 'mschap' if the users are logging in with an
        # MS-CHAP-Challenge attribute for authentication. The mschap
        # module will find the MS-CHAP-Challenge attribute, and add
        # 'Auth-Type := MS-CHAP' to the request, which makes it use
        # the mschap module for authentication.
        #
        # mschap

        # The ldap module will set Auth-Type to LDAP if it has not already been set
        # ldap
        redundant
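As an added example, not the poster's configuration and not something the post shows to be missing, here is the shape a FreeRADIUS 1.x radiusd.conf takes when both the authorize pass and the authenticate pass fall through from ldap1 to ldap2. The post only shows the authorize section; the check a practitioner wants is that the Auth-Type LDAP block in authenticate uses the same redundant group, because the bind against a dead primary otherwise fails the request without the secondary ever being tried. The module instance names and server addresses are the poster's; the surrounding modules and the 1.x section syntax are assumptions.

```text
authorize {
        preprocess
        suffix
        # redundant: the next instance is tried only when the previous
        # one returns "fail" (connection refused, net_timeout, ...).
        # A "notfound" or "reject" from ldap1 does NOT fall through.
        redundant {
                ldap1
                ldap2
        }
        files
}

authenticate {
        # The bind used to check the password happens here, so the
        # failover group has to be repeated; a lone "ldap1" in this
        # block would fail every PAP request while 10.0.4.24 is down.
        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                }
        }
}
```

To confirm the fallback actually fires, run radiusd -X and send a radtest while the primary is unreachable (or blocked with a host firewall rule): the debug output should show the connect or bind to ldap1 failing and the answer coming from ldap2 in both sections.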
Re: Radius logs and garbled entries
I have seen this before when the client doing the authentication is using a different shared secret than the RADIUS server is expecting. Could this be the case?

- Mark

On Mon, 2 Jun 2003 09:22:30 -0700 (PDT), you wrote:

Hello -

We are running FreeRadius 0.8.1. Almost every time I monitor the Radius logs I notice entries like this and I would like to know if anybody knows what they may be about. They seem to be garbled entries or some kind of brute force attempt. The client that they seem to come from most of the time has no problems authenticating.

Auth: Login incorrect:[I'/=a2[n|nc["RP/\0261GKRl{\003VmnBa] (from client dnv-dts1 port 11)

Please advise on what can be done about this.

Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
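The mechanism behind Mark's answer, as an added example that is not part of the thread: RFC 2865 section 5.2 hides User-Password by XORing each 16-byte block with MD5(secret + previous block), seeded with the Request Authenticator. The NAS and the server never exchange the secret, so a mismatch is not detected; the server simply recovers a different key stream and logs arbitrary bytes as the password. The FreeRADIUS auth log's bracketed field is user/password when log_auth_badpass is on, which is why the unprintable junk in the line quoted above appears after the first slash. The secret, password and authenticator below are constructed test values (a real authenticator is 16 random bytes per request).

```python
"""RFC 2865 User-Password hiding, worked end to end.

Added example, not code from the list post above. The shared secret,
Request Authenticator and password are constructed test values."""
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a User-Password value as a NAS does (RFC 2865, 5.2).

    The cleartext is NUL-padded to a multiple of 16 bytes; block i is
    XORed with MD5(secret + previous hidden block), where "previous"
    for the first block is the 16-byte Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 caps User-Password at 128 octets")
    block_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(block_len, b"\x00")
    hidden = b""
    prev = authenticator
    for i in range(0, block_len, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # the next key depends on the previous hidden block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo hide_password as the server does.

    With the wrong secret the MD5 key stream is different, so the
    result is arbitrary bytes rather than the password; nothing in the
    packet lets the server notice that the secret was wrong.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def looks_like_secret_mismatch(decoded: bytes) -> bool:
    """Heuristic for a log reader: real passwords are printable ASCII,
    a wrong-secret decode almost always contains control or high bytes."""
    return any(b < 0x20 or b > 0x7E for b in decoded)


def demo():
    """Return (decoded with the matching secret, decoded with a wrong one)."""
    password = b"correct horse"
    nas_secret = b"testing123"      # what the NAS was configured with
    server_secret = b"Testing123"   # what clients.conf actually says
    authenticator = bytes(range(16))  # constructed; real ones are random
    on_the_wire = hide_password(password, nas_secret, authenticator)
    good = reveal_password(on_the_wire, nas_secret, authenticator)
    bad = reveal_password(on_the_wire, server_secret, authenticator)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("matching secret:", good)
    print("wrong secret   :", bad, "mismatch?", looks_like_secret_mismatch(bad))
```

The practical consequence is the one Mark points at: when a single NAS keeps producing "Login incorrect" lines with unprintable passwords while its other users authenticate fine, compare that client's secret in clients.conf with what the NAS was configured with before suspecting an attack.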
Re: RV: freeradius-ldap is not running
Have you tried using ldapsearch using these parameters? This is the easiest and fastest way to find out if your LDAP parameters are correct and your server is replying. Typically once you find the correct syntax in ldapsearch, the modification of the radiusd.conf LDAP parameters becomes trivial.

Mark Capelle

- - - - - - - - - - - - - - -

Robert Canary wrote:

You have ldap configured in the radius. You have ldap configured to be a default fall-through. I understand your ldap server is working fine. I'm saying the radius server isn't talking to the ldap server, _maybe_ because the basedn is set wrong.

Federico Edelman wrote:
>
> My LDAP server works fine. I'm using the LDAP server for other services.
>
> > -Original Message-
> > From: Robert Canary [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, 24 February 2003 15:35
> > To: [EMAIL PROTECTED]
> > Subject: Re: RV: freeradius-ldap is not running
> >
> > I think you should look at your ldap server logs. Your "basedn" doesn't
> > look right to me. I think it should be something like,
> > "cn=user-that-can-read-passwords,dc=example,dc=com"
> >
> > Federico Edelman wrote:
> > >
> > > I can't get a response.
> > > Does somebody know about this trouble?
> > >
> > > -Original Message-
> > > From: Federico Edelman
> > > Sent: Thursday, 20 February 2003 10:29
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: freeradius-ldap is not running
> > >
> > > Robert:
> > > This is the complete log file.
> > >
> > > > -Original Message-
> > > > From: Robert Canary [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, 19 February 2003 17:54
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: freeradius-ldap is not running
> > > >
> > > > Why did you snip it? We need the rest of the log file.
> > > >
> > > > Do this: radiusd -X >/var/log/radiusd_dbg_con.log
> > > >
> > > > It is easier to capture the error messages that way.
> > > >
> > > > Also what shows up in your freeradius logs during this time?
> > > >
> > > > Federico Edelman wrote:
> > > > >
> > > > > Hi guys,
> > > > > I'm a newbie with freeradius. I'm running freeradius-0.8.1 on
> > > > > Linux Debian 3.1. The LDAP server/client is openldap-2.1.12.
> > > > >
> > > > > I've compiled the freeradius with:
> > > > >
> > > > > # LD_LIBRARY_PATH="/usr/local/openldap/lib:/usr/local/lib"
> > > > > # LDFLAGS="-L/usr/local/openldap/lib -L/usr/local/lib"
> > > > > # CFLAGS="-O -g -I/usr/local/openldap/include -I/usr/local/include"
> > > > > # CC="gcc"
> > > > > # export LD_LIBRARY_PATH LDFLAGS CFLAGS CC
> > > > > # ./configure --prefix=/usr/local/freeradius --with-openldap=/usr/local/openldap
> > > > > # make
> > > > > # make install
> > > > >
> > > > > All's ok.
> > > > >
> > > > > I've run:
> > > > > # /usr/local/freeradius/sbin/radiusd -X
> > > > > And...
> > > > > # /usr/local/freeradius/bin/radtest
> > > > >
> > > > > All's ok. The radtest connects with radiusd successfully.
> > > > >
> > > > > But when I set up the radius with LDAP support, the radiusd exits
> > > > > and is not running.
> > > > >
> > > > > The radius ldap configuration:
> > > > >
> > > > > My /usr/local/freeradius/etc/raddb/radiusd.conf:
> > > > > snip snip
> > > > > ldap {
> > > > >         server = "myldapserver"
> > > > >         basedn = "ou=people,dc=rootldap"
> > > > >         filter = "((posixAccount)(uid=%u))"
> > > > >         start_tls = no
> > > > >         tls_mode = no
> > > > >         dictionary_mapping = ${raddbdir}/ldap.attrmap
> > > > >         ldap_connections_number = 5
> > > > >         timeout = 4
> > > > >         timelimit = 3
> > > > >         net_timeout = 1
> > > > > }
> > > > > authenticate {
> > > > >         authtype LDAP {
> > > > >                 ldap
> > > > >         }
> > > > > }
> > > > > snip snip
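Mark's advice is to validate the LDAP parameters with ldapsearch before touching radiusd.conf. The added example below, which is not part of the thread or of FreeRADIUS or OpenLDAP, is the offline half of that check: a minimal RFC 4515 search-filter parser you can run on the string destined for `filter =` before the directory ever sees it. The filter quoted in the thread, "((posixAccount)(uid=%u))", is rejected by this grammar for the same reason slapd rejects it: a parenthesised list needs an `&`, `|` or `!` in front, and `(posixAccount)` on its own has no comparison. FreeRADIUS expansions such as `%u` and `%{...}` are treated as ordinary value characters, which is how they reach the server after expansion. The sample filters in the script are constructed.

```python
"""Minimal RFC 4515 LDAP search-filter syntax checker.

Added example, not part of the thread above or of FreeRADIUS/OpenLDAP.
Handles and/or/not, equality, approximate, ordering and presence items
with \\XX escapes; extensible-match and attribute OIDs are left out."""
import re

# attribute description: letters, digits, '-', plus ";option" tails
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9;-]*")
_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")


class FilterError(ValueError):
    """Raised with the offset at which the filter stops making sense."""


def parse_filter(text: str):
    """Parse `text` into a nested-tuple AST or raise FilterError.

    Leaves:   ("present", attr) or ("simple", attr, op, value)
    Branches: ("and" | "or", [children]) and ("not", child)
    """
    node, end = _parse(text, 0)
    if end != len(text):
        raise FilterError(f"trailing data at offset {end}: {text[end:]!r}")
    return node


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("filter ends after '('")
    c = s[i]
    if c in "&|":                     # and / or: one or more sub-filters
        kids = []
        i += 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids:
            raise FilterError(f"'{c}' needs at least one sub-filter (offset {i})")
        node = ("and" if c == "&" else "or", kids)
    elif c == "!":                    # not: exactly one sub-filter
        kid, i = _parse(s, i + 1)
        node = ("not", kid)
    elif c == "(":
        # "((a)(b))" is the classic mistake: a list with no & or | in front
        raise FilterError(f"'(' directly inside '(' at offset {i}; "
                          "did you mean (&...) or (|...)?")
    else:                             # item: attr op value
        m = _ATTR.match(s, i)
        if not m:
            raise FilterError(f"expected attribute name at offset {i}")
        attr, i = m.group(), m.end()
        op = next((o for o in ("~=", ">=", "<=", "=") if s.startswith(o, i)), None)
        if op is None:
            raise FilterError(f"expected '=', '~=', '>=' or '<=' after "
                              f"{attr!r} at offset {i}")
        i += len(op)
        j = i
        while j < len(s) and s[j] != ")":
            if s[j] == "(":
                raise FilterError(f"unescaped '(' in value at offset {j}")
            if s[j] == "\\":
                if not _ESCAPE.match(s, j):
                    raise FilterError(f"bad escape at offset {j}; use \\XX hex")
                j += 2
            j += 1
        value, i = s[i:j], j
        node = ("present", attr) if op == "=" and value == "*" \
            else ("simple", attr, op, value)
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


if __name__ == "__main__":
    for f in ("((posixAccount)(uid=%u))",                 # the thread's filter
              "(&(objectClass=posixAccount)(uid=%u))",    # what was meant
              "(uid=%{Stripped-User-Name:-%{User-Name}})"):
        try:
            print("OK  ", f, "->", parse_filter(f))
        except FilterError as e:
            print("BAD ", f, "->", e)
```

Once the filter parses, the remaining variables (basedn, bind identity, server reachability) are exactly what an ldapsearch with the same base and filter exercises, so a filter that passes here but still returns nothing from ldapsearch points at the directory side rather than the syntax.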
Re: MAC Auth. for Orinoco AP-1000 not working (log attached)
30-Jan-03 at 14:20, Shahid M. Bhatti ([EMAIL PROTECTED]) wrote:
> Hi,
> I'm trying to authenticate Wireless Access Point of
> Orinoco/Lucent/Avaya/Agere/Proxim with Free Radius server. I've made the
> user as AP's MAC address in /etc/raddb/users file and conf file, but when
> I start the radius server in debug mode I get the following messages which
> I have attached below. Please have a look at it and help me in figuring
> out what I should do. Thanks a bunch.

If I am reading this right, you said that you put the MAC addresses of the APs in the conf file. Which conf file? The only place that the MAC addresses should be is in the /etc/raddb/users file. In your clients.conf you should have the IP addresses and passwords for your APs. Your MAC addresses and such should also be at the end of your users file. Other than that, there really isn't much more to it.

Mark Capelle
RE: Netware LDAP & free Radius
Lyle:

I have been using FreeRadius against Novell LDAP (Netware 5.1) for over a year now. It works like a dream... there were a few small tweaks I needed to get it working, but nothing major. I would have to go back and look at my notes, but I believe the main things were to create a "CN" LDAP attribute, allow anonymous BINDs to NDS LDAP, and make the CN attribute readable to "Public". I would recommend setting up the server and doing some ldapsearches against it to get the correct DN attributes and see what is available via your current LDAP setup.

Regards,
Mark Capelle (CNE5, CNE4, A+)
Senior Network Administrator

Message: 5
From: "Lyle Giese" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Netware LDAP & free Radius
Date: Sat, 4 Jan 2003 09:29:40 -0600
Reply-To: [EMAIL PROTECTED]

I am playing with freeRadius a bit and had a question. Has anyone built freeRadius to connect to a Netware 5 (or higher) via LDAP for authentication? This seems interesting as one of my clients wants a VPN solution and we want to keep user administration tasks to a minimum by utilizing the existing user database in Netware. I worked with Novell's VPN solution and it has some severe drawbacks deep down inside. I am looking at Wolverine now as the VPN server and could use a way to integrate the user database via LDAP or another method.

Thanks,
Lyle
Freeradius and expire date
The password expiry is the responsibility of the LDAP server, not the RADIUS server. Look into the options on your LDAP server.

Mark Capelle

Date: Thu, 21 Nov 2002 16:21:37 +0200
From: Costas Christonis <[EMAIL PROTECTED]>
Organization: University of Crete
To: [EMAIL PROTECTED]
Subject: Freeradius and expire date
Reply-To: [EMAIL PROTECTED]

Hi to all,

We use freeradius 0.7 with LDAP and I want to ask this: can I configure freeradius so the account of a user has an expiration date?

Costas A. Christonis
Networking & Communications Centre
Gallos Campus - University of Crete
tel: +30-8310-77044
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/
Re: how to make radiusd restart its log files?
Hi,

I just wrote a small Perl script... here it is... I am no Perl expert, but it gets the job done...

#!/usr/bin/perl -w
# This perl script should be put in the monthly cron rotation.
# It will move the radius.log file to the archive folder and compress it.
use strict;
use File::Copy qw(move);
use POSIX qw(strftime);

my $logdir  = '/usr/local/var/log/radius';
my $archive = "$logdir/archive";
my $log     = "$logdir/radius.log";

# Archive name carries month and year, e.g. "Oct2002.log": the same
# naming as parsing the output of date(1), without the locale
# dependency or the temporary date.txt file.
my $dest = "$archive/" . strftime('%b%Y', localtime) . '.log';

-f $log     or die "$log does not exist, nothing to rotate\n";
-d $archive or die "archive directory $archive is missing\n";
-e $dest    and die "$dest already exists, refusing to overwrite\n";

# move() works across filesystems, unlike a bare rename().
move($log, $dest) or die "cannot move $log to $dest: $!\n";
system('gzip', $dest) == 0
    or die "gzip of $dest failed (exit status " . ($? >> 8) . ")\n";

Mark Capelle - CNE5, CNE4, A+
Network Administrator
Paper Converting Machine Company

>Message: 13
>Date: Thu, 31 Oct 2002 10:41:33 -0500
>From: Daniel Monjar <[EMAIL PROTECTED]>
>Subject: how to make radiusd restart its log files?
>To: [EMAIL PROTECTED]
>Reply-To: [EMAIL PROTECTED]
>
>I want to rotate my logs at the first of the month. I want to rename the
>log files and then have radiusd start writing to a new set. I was hoping
>'kill -1' would make it write to a new radius.log but apparently not.
>Starting and stopping radiusd does it but that seems excessive.
>
>Any other way to do it?
>
>--
>Daniel Monjar
>IS Manager, Technical Services
>bioMérieux, Inc.
>Durham, NC US
FreeRadius and Active Directory/LDAP
I have done some searching about configuring FreeRadius to authenticate users via Active Directory. I would assume that LDAP would be the way to handle this. I have not seen any configuration examples anywhere, so if someone has some, I would really appreciate it if you could send some my way. If not, any tips/hints/pointers would be greatly appreciated.

I am currently using FreeRadius to authenticate users to NDS (Novell) via LDAP and this is working great. Hopefully I can do the same in a Win2k/AD environment. I have read in another post that LDAP cannot be used to authenticate passwords in AD. Is this true?

Mark Capelle
Multiple RADIUS instances
I was wondering if there is any documentation available about running multiple instances of FreeRadius on one machine. I realize that it will require different ports and radiusd.conf files. I have searched the web high and low and reread all the freeradius docs. The only thing I have been able to find is a reference by Alan D. in a Cistron radius mailing list saying that FreeRadius can do it via config files. I see the spot in the config files where you can change the raddb folder, but I am left with multiple questions (how do I start each instance? what about radwtmp? what about log files? etc...). Anyone have any insight on how to accomplish this?

Thanks,
Mark Capelle
Problems with stripping realm off LOCAL auth?
I am having a problem when sending a realm to LOCAL. It seems that when sent to LOCAL the realm is not being stripped off, so my LDAP search for the user fails. When I send the request off to a back-end RADIUS server, the realm is stripped and the auth request succeeds. Anyone have any ideas on what I am doing wrong? I read the documentation and it says that the realm is stripped off by default unless the "nostrip" option is used in the proxy.conf file.

Here is a snippet from my proxy.conf file...

- proxy.conf -

realm x.com {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

realm y.com {
        type     = radius
        authhost = 10.0.y.yy:1812
        accthost = 10.0.y.yy:1813
        secret   = testing123
}
FreeRadius/LDAP/Netware 5.1
Has anyone had any success getting FreeRadius 0.2 to use LDAP against NDS for authentication? Any hints, comments, suggestions, or config examples would be excellent. I have spent about a week messing with this with no success and I am at my wits' end.

Thanks,
Mark Capelle - CNE5, CNE4, A+
Network Administrator
[EMAIL PROTECTED]