could not start TLS Success

2004-04-27 Thread richard lucassen
I can't get Freeradius working with TLS on a Debian Woody box.

- Debian Woody
- Freeradius-0.9.3 tarball

The radius server queries an openldap server. With start_tls = no
everything works perfectly well. With start_tls = yes I get (radiusd
-X):

[..]
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mail3.cam.nl:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Success
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
[..]

On a RedHat box (rh73) that queries the same openldap server everything
is ok, so I presume that the openldap server is working. Everything
seems to compile normally:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var

http://www.lucassen.org/freeradius/configure
http://www.lucassen.org/freeradius/make

Anybody a hint?

Richard.

-- 
___
Recursion: see recursion

+--+
| Richard Lucassen, Utrecht|
| Public key and email address:|
| http://www.lucassen.org/mail-pubkey.html |
+--+

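An added diagnostic, not part of the original post and not FreeRADIUS' rlm_ldap code: the "Success" at the end of that log line is the string for error code 0, so the module printed an error code that the failing ldap_start_tls_s() call had never set, and the real reason stays hidden. The Python below (standard library only) sends the StartTLS extended operation to the LDAP server by hand, shows the LDAP result code and diagnostic message the server returns, and then completes a verified TLS handshake against a CA bundle, so an unverifiable or mismatched server certificate, the usual cause, is reported by the TLS library instead of being swallowed. The host mail3.cam.nl:389 is the one from the log above; the CA file path and the sample responses are assumptions for the example.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 2830 / RFC 4511)


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    msg_id = b"\x02\x01" + bytes([message_id])                       # INTEGER
    req_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # [0] requestName
    ext_req = b"\x77" + ber_len(len(req_name)) + req_name            # [APPLICATION 23]
    body = msg_id + ext_req
    return b"\x30" + ber_len(len(body)) + body                       # SEQUENCE


def build_extended_response(result_code: int, diagnostic: str = "", message_id: int = 1) -> bytes:
    """Server side (constructed sample): ExtendedResponse { resultCode, matchedDN, diagnosticMessage }."""
    diag = diagnostic.encode()
    ext = (b"\x0a\x01" + bytes([result_code])        # ENUMERATED resultCode
           + b"\x04\x00"                              # OCTET STRING matchedDN (empty)
           + b"\x04" + ber_len(len(diag)) + diag)     # OCTET STRING diagnosticMessage
    body = b"\x02\x01" + bytes([message_id]) + b"\x78" + ber_len(len(ext)) + ext  # [APPLICATION 24]
    return b"\x30" + ber_len(len(body)) + body


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(packet: bytes):
    """Return (resultCode, diagnosticMessage) from an LDAP ExtendedResponse."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(msg, 0)                  # messageID, not needed here
    tag, ext, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = _tlv(ext, 0)
    _, _, pos = _tlv(ext, pos)                # matchedDN
    _, diag, _ = _tlv(ext, pos)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def probe_starttls(host: str, port: int = 389, cafile: str = None, timeout: float = 5.0) -> str:
    """Ask host:port for StartTLS, then complete a verified TLS handshake; return a verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            return "server refused StartTLS: resultCode=%d diagnostic=%r" % (code, diag)
        ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "TLS established with %s using %s" % (host, tls.version())
        except ssl.SSLError as exc:
            return "TLS handshake failed: %s" % exc        # the error rlm_ldap did not show


if __name__ == "__main__":
    # mail3.cam.nl:389 is the server from the log above; the CA file path is an assumption.
    print(probe_starttls("mail3.cam.nl", 389, cafile="/etc/ssl/certs/ca-certificates.crt"))
```

Point the CA file at the same certificate (tls_cacertfile) the rlm_ldap configuration uses, because a handshake that succeeds with the system bundle but fails with that file is exactly the condition the module's log line fails to describe.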

Re: Log problems

2004-04-27 Thread Frédéric EVRARD
 Anyone have any idea why authentication info would not be going into the
 radius.log file?

put ../raddb/radiusd.conf parameters log_auth=yes, log_auth_badpass=yes,
log_auth_goodpass=yes if you need them. These three parameters are no by
default.
These logs are in ../var/log/radius/radact/auth-detail-[date].log


 Each time the server starts it logs each server starting but after that no
 authentication info gets logged and it was working prior to a restart of
 the
 system now it does not.

 I have double checked the logs to make sure it was set to write
 authentication info to the radius log file and even restored a valid
 backup
 of the radius.conf file that was working.

 I have run check-radius-config to check the radius.conf file stops saying
 there is another server running on port 3726... but there is no other
 server
 running that i can find using ps.

Don't forget to clean ../var/run/radiusd/radiusd.pid



 Any other ways of checking whats running on a specific port? This is a
 linux
 system.

look in /etc/services.. maybe it can help you ...


 Would be glad to post any other info needed.

 Thanks.

 P.S. I am not asking anyone to do any of the work for me just point me in
 a
 direction that I have not already checked.



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


accept Simultaneous-use from specific router

2004-04-27 Thread issa rabba'

Dear all:

I had free radius server 0.9.3 running and everything is going well, and the
Simultaneous-use is working fine. I defined the Simultaneous-use to be 1, but I
want to be allowed to skip the simultaneous-use check when the radius request
comes from a specific router.

Can I do that?

Is it doable or not? If yes, how can I do it?

Really, if I can do it, it will help me very much.

Thanks for the help.

Issa K. Rabba
Web Developer, Web Designer and System Admin.
Palestine Online Co.
Ramallah, Cairo Amman Bank Building
email: [EMAIL PROTECTED] [EMAIL PROTECTED]
web page: www.pol.ps
Tel. # 02-2981103
Fax. # 02-2984167

Re: accept Simultaneous-use from specific router

2004-04-27 Thread Keith Yoder

Dear all:

I had free radius server 0.9.3 running and every thing is going will, and
the Simultaneous-use is working fine, I defined the Simultaneous-use to be
1, but I want to be allowed to skip simultaneous-use check when the radius
request come from a specific router.
Can I do that?
Is it doable or not? If yes how can I do it?

Really if there I can do it will help me very much.

Thank for the help.

Yes, that is possible.  How you do it depends on what you're using to store
check and reply attributes.  If you're using the users file it could be done
like this:

DEFAULT Nas-Ip-Address != aaa.bbb.ccc.ddd, Simultaneous-Use := 1
   Fall-Through = 1


Hope that helps,
Keith Yoder



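An added example, not code from the thread and not FreeRADIUS' rlm_files: a small model of how the users file is walked, enough to show what the two-line entry in Keith's reply does. The constructed file uses the canonical spelling NAS-IP-Address (FreeRADIUS attribute names are case-insensitive, so Nas-Ip-Address in the reply is the same attribute), 10.0.0.5 in place of aaa.bbb.ccc.ddd, and a second DEFAULT entry so that requests from the exempt router still receive an Auth-Type. DEFAULT handling, the check-item operators and Fall-Through follow the users file semantics; everything else rlm_files does (reply-item operators, hints, huntgroups) is left out.

```python
import re

# Constructed users file for the example (the entry from the reply above plus a
# catch-all DEFAULT so that requests from the exempt NAS are still authorized).
USERS_FILE = """\
DEFAULT NAS-IP-Address != 10.0.0.5, Simultaneous-Use := 1
        Fall-Through = 1

DEFAULT Auth-Type := System
        Service-Type = Framed-User
"""

# attribute, operator, value (value may be double-quoted)
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text: str):
    return [(name, op, value.strip('"')) for name, op, value in ITEM_RE.findall(text)]


def parse_users_file(text: str):
    """Entries: an unindented 'name check-items' line followed by indented reply-item lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            parts = line.split(None, 1)
            entries.append({"name": parts[0],
                            "check": parse_items(parts[1] if len(parts) > 1 else ""),
                            "reply": []})
        else:
            entries[-1]["reply"].extend(parse_items(line))
    return entries


def _matches(op: str, actual, wanted: str) -> bool:
    if op == "==":
        return actual == wanted
    if op == "!=":
        return actual != wanted   # simplification: an absent attribute counts as "not equal"
    return True


def authorize(entries, request: dict):
    """Walk the entries in order like rlm_files; return (control items, reply items).

    Check items written with ':=' are not compared against the request: they are
    added to the control list, which is how 'Simultaneous-Use := 1' becomes a check
    item for the session.  'Fall-Through = 1' among the reply items continues with
    the next matching entry instead of stopping."""
    control, reply = {}, {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        comparisons = [(n, o, v) for n, o, v in entry["check"] if o != ":="]
        if not all(_matches(o, request.get(n), v) for n, o, v in comparisons):
            continue
        control.update({n: v for n, o, v in entry["check"] if o == ":="})
        fall_through = False
        for name, _, value in entry["reply"]:
            if name == "Fall-Through":
                fall_through = value.lower() in ("1", "yes")
            else:
                reply[name] = value
        if not fall_through:
            break
    return control, reply


if __name__ == "__main__":
    entries = parse_users_file(USERS_FILE)
    for nas in ("192.0.2.10", "10.0.0.5"):   # constructed: an ordinary NAS and the exempt router
        print(nas, authorize(entries, {"User-Name": "bob", "NAS-IP-Address": nas}))
```

The request from 10.0.0.5 never matches the first entry, so no Simultaneous-Use check item is attached and the concurrency check is skipped for that router only; every other NAS gets Simultaneous-Use := 1 and then falls through to the remaining entries as before.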

Re: setting up accounting in mysql

2004-04-27 Thread apellido
Hello Milver, I already tested what you said. Example: user X has a
session time of 10 hrs (43200 secs). After 1 month he/she updates his/her
account, then what I did was add another 10 hrs, which will be 43200 + 43200 =
session timeout. But as I said, we have a client with a constant username, and
adding 10 hrs to the session timeout every time the user updates his/her
account is too difficult to maintain. I'm concerned with the noresetcounter sql_query
which computes the total sum of user accounting. How to construct a sql_query
which only computes the total sum of user accounting from this date until
this date? Thank you very much for your response.


- Original Message - 
From: Milver S. Nisay [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 26, 2004 9:08 PM
Subject: Re: setting up accounting in mysql



  Hello milver, what i mean is in noresetcounter configuration in
  rlm_sqlcounter. Where  resetcounter add all accounting of the user and
  compare to session timeout. My problem is i have a client with constant
  username. example: user X have a connection of 10 hrs starting from
date,
  April 26 which should expire on May 27. After May 26, 2004, user X
update
  his/here account. Add another 10 hrs, take note user X has contant
 username.
  What im doing is delete user X accounting, so that when he/she login
again
  he/she have new accounting record which will be compared against his/her
  session timeout. A new start of his/her 10 hrs. Any comment or
suggestion?
 I
  want to keep this accounting of all users i have.

 one solution is edit your attributes from your database. if the old
 attributes is 10 hours, add another 10 hours.
 in this case, the accounting session are still intact with your database.
 there is no need to delete
 and re create his account, you just need to prolong his limit in hours.
you
 can do it directly with
 your database, or using perl script or using PHP script to manipulate your
 database.
 prolong session-timout or max-all-session timeout attributes (if you are
 using database).










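An added example, not from the thread and not rlm_sqlcounter's own code, for the question above about summing a user's accounting "from this date until this date": the query only counts sessions that started inside the period, so a top-up becomes a new period with a fresh allowance and no accounting rows have to be deleted. The radacct columns are the ones from the FreeRADIUS MySQL schema, the rows are constructed, sqlite3 stands in for MySQL, and the allowance is expressed in seconds (10 h = 36000 s). rlm_sqlcounter's own query template can use its %b and %e expansions for the start and end of the current reset period instead of the literal timestamps passed in here.

```python
import sqlite3

# Constructed subset of FreeRADIUS' radacct table (column names as in the MySQL
# schema shipped with the server; only the columns the query needs are kept).
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId       INTEGER PRIMARY KEY,
    UserName        TEXT NOT NULL,
    AcctStartTime   TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS' sorts correctly as text
    AcctStopTime    TEXT,
    AcctSessionTime INTEGER NOT NULL -- seconds
);
"""

# Constructed sample sessions: user X bought 10 h on April 26 and topped up on May 27.
SAMPLE_ROWS = [
    ("X", "2004-04-26 08:00:00", "2004-04-26 12:00:00", 4 * 3600),
    ("X", "2004-05-10 20:00:00", "2004-05-11 01:00:00", 5 * 3600),
    ("X", "2004-05-27 09:00:00", "2004-05-27 10:30:00", 90 * 60),   # belongs to the next period
    ("Y", "2004-05-01 09:00:00", "2004-05-01 10:00:00", 3600),      # another user
]

# Sum only the sessions that started inside [period_start, period_end).  A session
# that straddles the boundary is counted in the period it started in.
PERIOD_QUERY = """
SELECT COALESCE(SUM(AcctSessionTime), 0)
  FROM radacct
 WHERE UserName      = ?
   AND AcctStartTime >= ?
   AND AcctStartTime <  ?
"""


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (UserName, AcctStartTime, AcctStopTime, AcctSessionTime)"
        " VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def used_seconds(conn, username: str, period_start: str, period_end: str) -> int:
    return conn.execute(PERIOD_QUERY, (username, period_start, period_end)).fetchone()[0]


def remaining_seconds(conn, username: str, allowance_seconds: int,
                      period_start: str, period_end: str) -> int:
    """The value a counter module hands back as the reply attribute: allowance minus usage."""
    return max(0, allowance_seconds - used_seconds(conn, username, period_start, period_end))


if __name__ == "__main__":
    db = open_sample_db()
    ten_hours = 10 * 3600
    first = ("2004-04-26 00:00:00", "2004-05-27 00:00:00")
    second = ("2004-05-27 00:00:00", "2004-06-27 00:00:00")
    print("used Apr 26 - May 27:", used_seconds(db, "X", *first))
    print("left in that period :", remaining_seconds(db, "X", ten_hours, *first))
    print("used May 27 - Jun 27:", used_seconds(db, "X", *second))
```

Because the period bounds are query parameters, a renewal is a change of the stored period start and allowance for that user rather than an edit of accounting history, which keeps the radacct rows intact for auditing.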

Open ports over firewall

2004-04-27 Thread Gabriele D'Andrea - TNET S.p.A.
Hi everybody,
I'm running Freeradius on my RedHat server. Which OUTPUT ports should I
leave open for freeradius?
For accounting I leave udp 1812-13 open in INPUT and OUTPUT. I receive
authentication requests but then my auth replies are blocked by the firewall.
Any help on this?

thx

Gabriele




Re: Log problems

2004-04-27 Thread Nick Marino
 Original Message 
From: Navid Sheik [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 26, 2004 10:42 PM
Subject: Re: Log problems

 What arguments are you passing to radiusd?

 Are you using daemontools to supervise the process? I've seen some
 funny behaviour of logging especially after sending a HUP signal
 under this circumstance.


Yes I am using daemontools and I am passing -fyz -lstderr.
Weird thing is, this has been working fine for almost 2 years.

I have rebooted the server that is running the radius software many times
and it doesn't help.






Re: Log problems

2004-04-27 Thread Nick Marino
 Original Message 
From: Frédéric EVRARD [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 3:55 AM
Subject: Re: Log problems

 Anyone have any idea why authentication info would not be going into
 the radius.log file?

 put ../raddb/radiusd.conf parameters log_auth=yes,
 log_auth_badpass=yes, log_auth_goodpass=yes if you need them. This
 three parameters are no by default.
 This logs are in ../var/log/radius/radact/auth-detail-[date].log

Yes I have all those entries and always have along with -fyz -lstderr for
the command line of radiusd.

It has been working for almost 2 years now it just stopped logging auth
info, not detail info.





Re: Open ports over firewall

2004-04-27 Thread Milver S. Nisay

 Hi everybody,
 I'm running Freeradius on my RedHat server. Which OUTPUT ports sholud I
 leave open for freeradius?
 For accounting i leave udp 1812-13 open in INPUT and OUTPUT, I receive
 authentication requests but then my auth replies are blocked by firewall.
 Any help on this?

so unblock it, it will be a BIG help for you. 






RE: accept Simultaneous-use from specific router

2004-04-27 Thread issa rabba'
Thank you for your reply, but I'm sorry to tell you that I'm using mysql
for the Simultaneous-use check, not the users file. Can you help me with that?

Regards


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith
Yoder
Sent: Tuesday, April 27, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: Re: accept Simultaneous-use from specific router


Dear all:

I had free radius server 0.9.3 running and every thing is going will, and
the Simultaneous-use is working fine, I defined the Simultaneous-use to be
1, but I want to be allowed to skip simultaneous-use check when the radius
request come from a specific router.
Can I do that?
Is it doable or not? If yes how can I do it?

Really if there I can do it will help me very much.

Thank for the help.

Yes, that is possible.  How you do it depends on what you're using to store
check and reply attributes.  If you're using the users file it could be done
like this:

DEFAULT Nas-Ip-Address != aaa.bbb.ccc.ddd, Simultaneous-Use := 1
   Fall-Through = 1


Hope that helps,
Keith Yoder







Re: Open ports over firewall

2004-04-27 Thread Frédéric EVRARD
 Hi everybody,
 I'm running Freeradius on my RedHat server. Which OUTPUT ports sholud I
 leave open for freeradius?
 For accounting i leave udp 1812-13 open in INPUT and OUTPUT, I receive
 authentication requests but then my auth replies are blocked by firewall.
 Any help on this?

 thx

 Gabriele

Hello,
Maybe your NAS listens on the old 1645 port, but if radius receives requests from
it, radius has to know on what destination port to send the answer
packets...??

Fred





Re: setting up accounting in mysql

2004-04-27 Thread apellido
Actually I'm using dialup admin for user account management; thanks very much
for the reply, I really appreciate it. I have another idea: what if I have 2
databases which update user accounting in realtime, is it possible? I would
create 2 sql.conf in radius.conf, but I don't know what the config of the
other sql.conf, which is only used to update start and stop of accounting, would be.


- Original Message - 
From: Milver S. Nisay [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 9:05 PM
Subject: Re: setting up accounting in mysql




  Hello milver,  i already test what you said. example for user X has a
  session time of 10 hrs (43200 secs). After 1 month he/she update his/her
  account then what i did add another 10 hrs, which will 43200 + 43200 =
  session timeout. but as i said we have a client with constant username,
  adding 10 hrs  in session timeout everytime the user updating his/her
  account is too difficult to maintain.

 if you are doing it manually with your database, it will be a tedious job
if
 you have
 to do it on a hundred accounts. have you heard of manipulating your
database
 using PHP or perl script to lessen you tiring typing jobs, nice web
 interface
 will make it easy for you i guess.









Re: Open ports over firewall

2004-04-27 Thread Gabriele D'Andrea - TNET S.p.A.
My nas is listening on 1812 /13 udp, in fact authentication requests are
received, but the replies are blocked by firewall, though these ports are
opened. When firewall is disabled everything works fine.

Thanks for every kind help


- Original Message - 
From: Frédéric EVRARD [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 3:11 PM
Subject: Re: Open ports over firewall


  Hi everybody,
  I'm running Freeradius on my RedHat server. Which OUTPUT ports sholud I
  leave open for freeradius?
  For accounting i leave udp 1812-13 open in INPUT and OUTPUT, I receive
  authentication requests but then my auth replies are blocked by
firewall.
  Any help on this?
 
  thx
 
  Gabriele

 Hello,
 Maybe your nas listen on old 1645 port, but if radius receive request from
 it, radius has to know on what destination port to send answer
 packets...??

 Fred







Re: How does FreeRADIUS manage errors ?

2004-04-27 Thread Aurelien Magniez
  1) When the client doesn't respond, the AP will disassociate it 30
  seconds after and end the authentication procedure. During this time,
  FreeRADIUS is sleeping. So, I would like to know if there is a sort of
  garbage collector which frees unfinished authentications ?

   Yes.


Well, I would like to have further details:
The AP doesn't signal to the FreeRADIUS server that an
authentication has failed. Is there a timer which is
armed when a session is created ? And more generally,
how does this garbage collector work ?


  2) My EAP module must return 0 or 1 to FreeRADIUS. If it is 1, it
  signifies that there is an EAP Request to send. I tried to send an EAP
  Message with the code equal to 5: FreeRADIUS detected correctly that
  the EAP Code was invalid : it sent an Access-Reject but the included
  EAP message was corrupted : 0x05050004 ! Why not send an EAP Failure
  in this case ?

   It looks like a bug.


About this bug, would you like more details in
order to solve it ? Is it planned to fix this bug ?


  3) It seems that it's impossible to silently discard a packet under
  FreeRADIUS ?

   The RFC's say you're not allowed to silently discard Access-Request
  packets.

  In case of a client bad EAP Response, my EAP method has to choose
  between two solutions : discard it silently or re send the previous
  EAP Request.

   Which EAP method are you implementing?  Why is this necessary?

   Note that you also have access to the previous EAP request.


We're implementing a Pre-Shared Key (PSK) method whose
name is EAP-PSK.
EAP-PSK is a new EAP method which performs mutual
authentication and session key derivation. Using a
pre-shared key, EAP-PSK is intended to be easy to
deploy and well-suited for authentication over
insecure networks such as 802.11. Another goal is to
motivate work on replacing EAP-MD5, which is deprecated
for security reasons in the wireless context. For more
detail:
http://perso.rd.francetelecom.fr/bersani/EAP_PSK/EAP-PSK.htm
We intend to publish the first EAP-PSK implementation
in the next weeks.

Silently discarding the bad EAP Response isn't the best
solution. As you wrote, the EAP method could easily
resend the previous packet: it's well suited !
But how is the EAP identifier managed in this case ?
The RFC 2284bis specifies that the EAP identifier MUST
be the same in case of retransmissions.


  4) I succeeded in modifying the EAP Identifier on the client side, but
  it didn't arrive in my EAP module. It seems that FreeRADIUS chooses
  the EAP Identifier by incrementing by one the previously sent EAP
  Identifier. Is it really that ?

   Yes.

   Why do you need it different?

After reading the "Packet modification attacks"
paragraph in the RFC 2284bis ("It is RECOMMENDED that
methods providing integrity protection of EAP packets
include coverage of all the EAP header fields,
including the Code, Identifier, Length, Type and
Type-Data fields."), we would like to protect the EAP
header.
Does that imply the EAP method will have to guess
the value of the EAP Identifier field of the next EAP
Request packet ?

Aurelien Magniez












Re: setting up accounting in mysql

2004-04-27 Thread Milver S. Nisay

 Actually im using dialup admin for user account management, thanks very
much
 for reply, i really appreciate it. I have another idea what else if i have
2
 database which update user accounting realtime, it is possible? i would
 create 2 sql.conf in radius.conf. but i dont know what will be the config
of
 another sql.conf which only use to update start and stop of accounting.
Doing it in dialup admin takes longer than a customized PHP or perl script.
Updating in real time is possible, depending on your NAS config: it can be
every 30 seconds or every 1 hour.





Re: Open ports over firewall

2004-04-27 Thread Milver S. Nisay

 My nas is listening on 1812 /13 udp, in fact authentication requests are
 received, but the replies are blocked by firewall, though these ports are
 opened. When firewall is disabled everything works fine.

You need to read the firewall configuration to solve your problem.
Reading the logs would make it easy for you to UNBLOCK ports and IPs.
View the log file, make use of tcpdump commands if you have it. But if you
don't know the firewall configuration, commenting out one line at a time
would give you a hint.







Special Characters in username

2004-04-27 Thread Brent Geach
Hi
I have a requirement to use special characters in the username field.
When the user tries to log in with a * in the username it gets converted to
=2A before going off to the mysql database to check the username and then
obviously gets rejected as no such user. If I add another user with =2A
instead of the * the user is accepted.
gnuradius has a feature where you can specify what the chars the username will
accept but I much prefer the functionality of freeradius. What could I do to
accept the * in the username?


-- 
Regards,

Brent  /\
   \ /
Linux RegisteredX  ASCII Ribbon Campaign
User #309941   / \ Against HTML Mail

PGP Key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x01445B63



RE: Open ports over firewall

2004-04-27 Thread Mike Ockenga
 Hi everybody,
 I'm running Freeradius on my RedHat server. Which OUTPUT 
 ports sholud I
 leave open for freeradius?

Your _NAS_ picks the *source* port number for the request from the NAS to the RADIUS 
server.  There is no requirement that NAS's use 1812 as the *source* port for RADIUS 
requests.  But, it should be easy to check your firewall logs to find out what port 
the NAS is using for a source port.  Or talk to your NAS vendor.

 For accounting i leave udp 1812-13 open in INPUT and OUTPUT, I receive
 authentication requests but then my auth replies are blocked 
 by firewall.

Exactly.  The FW lets the request through because the destination port matches your 
1812 rule, but the firewall blocks the response because the RADIUS server sends the 
response back to whatever port the NAS picked for the session, which is not 1812 or 
1813.  Again, since the NAS picks the source port for the request, you'll have to work 
that angle.


-- 
__ 
Mike Ockenga, CCNP  [EMAIL PROTECTED] 



RE: Open ports over firewall

2004-04-27 Thread Mike Ockenga

 My nas is listening on 1812 /13 udp, in fact authentication 
 requests are
 received,

Careful here.  You are mixing up the NAS and the RADIUS server.  The NAS is not 
listening on 1812/1813, it is *sending* packets to UDP 1812/1813.  The RADIUS server 
*listens* on those ports for authentication/accounting.  The RADIUS server *sends* 
reply packets back to whatever UDP port the NAS picked as the source port for the 
request.  

 but the replies are blocked by firewall, though 
 these ports are
 opened. When firewall is disabled everything works fine.


Yep.

 Thanks for every kind help
 

You're welcome.

-- 
__ 
Mike Ockenga, CCNP  [EMAIL PROTECTED] 


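As an added illustration, not from the thread and not FreeRADIUS code, here is the exchange Mike describes, in Python on the loopback interface: a "NAS" socket bound to an ephemeral port sends an Access-Request to the "server" socket, and the server answers to the address and port the datagram came from, which is the port a rule written only for 1812/1813 knows nothing about. The reply carries the RFC 2865 Response Authenticator so the NAS can check that the Access-Reject came from the holder of the shared secret, which is the defence against spoofed replies on a UDP protocol. The packet layout is the minimal RFC 2865 one; the shared secret, user name and Reply-Message are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 Code values
ATTR_USER_NAME, ATTR_REPLY_MESSAGE = 1, 18
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; followed by the 16-byte Authenticator


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, request_auth: bytes, username: str) -> bytes:
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What a NAS must do before trusting a reply: recompute the Response Authenticator."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def exchange_over_loopback(secret: bytes = b"constructed-shared-secret") -> dict:
    """One Access-Request / Access-Reject round trip on 127.0.0.1; returns the ports involved."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    nas = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))     # stands in for the server's UDP/1812
        nas.bind(("127.0.0.1", 0))        # the NAS gets an ephemeral source port from the kernel
        server.settimeout(2.0)
        nas.settimeout(2.0)
        server_port = server.getsockname()[1]
        nas_port = nas.getsockname()[1]

        request_auth = os.urandom(16)     # Request Authenticator: random per request
        nas.sendto(build_access_request(7, request_auth, "bob"), ("127.0.0.1", server_port))

        data, nas_addr = server.recvfrom(4096)      # nas_addr holds the source port the NAS picked
        reply_attrs = encode_attr(ATTR_REPLY_MESSAGE, b"constructed: access denied")
        reply = build_response(ACCESS_REJECT, data[1], data[4:20], reply_attrs, secret)
        server.sendto(reply, nas_addr)              # the reply goes to that port, not to 1812

        received, _ = nas.recvfrom(4096)
        return {
            "nas_source_port": nas_port,
            "server_port": server_port,
            "reply_sent_to_port": nas_addr[1],
            "reply_code": received[0],
            "reply_valid": verify_response(received, request_auth, secret),
        }
    finally:
        server.close()
        nas.close()


if __name__ == "__main__":
    for key, value in exchange_over_loopback().items():
        print("%-20s %s" % (key, value))
```

The firewall rule therefore has to admit the server's UDP datagram to the NAS's ephemeral port. Gabriele's later report that a stateful configuration works is consistent with how Linux connection tracking treats UDP: the request creates a flow entry, and the reply on the same address/port pair is matched as part of that flow even though UDP has no connection in the TCP sense.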

Re: Special Characters in username

2004-04-27 Thread Paul Hampson
On Tue, Apr 27, 2004 at 02:43:35PM +0100, Brent Geach wrote:
 Hi
 I have a requirement to use special characters in the username field.
 When the user tries to log in with a * in the username it gets converted to
 =2A before going off to the mysql database to check the username and then
 obviously gets rejected as no such user. If I add another user with =2A
 instead of the * the user is accepted.
 gnuradius has a feature where you can specify what the chars the username will
 accept but I much prefer the functionality of freeradius. What could I do to
 accept the * in the username?

The best answer is prolly store the * in your database as =2A as =2A
is an encoding of '*' which is database safe.

If you require the character '*' itself to appear in the database, you
will need to change src/modules/rlm_sql/rlm_sql.c around line 262 to
include '*' in the list of safe characters... And recompile.

Hmm. Now I think about it, we could solve this problem finally by adding
a 'safe-chars' configuration variable to rlm_sql, and trust the local
admin to only have characters in the list that are locally safe...

Maybe presume alpha-numerics, and a collection of other characters
(based on the current list:
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/
) are safe, and anything else can be made safe by the local admin?

It'd certainly remove my last local patch. :-)

-- 
Paul TBBle Hampson, on an alternate email client.


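An added example, not from the thread and not rlm_sql's code: the =XX escaping Paul describes, applied to a username before it is interpolated into an rlm_sql-style authorize query, shown next to the unescaped interpolation it protects against. The safe list is the one quoted above, the radcheck rows are constructed, and sqlite3 stands in for MySQL.

```python
import sqlite3

# The safe list quoted in the reply above; any other byte is written as =XX.
SAFE_CHARS = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/"


def sql_escape(value: str, safe_chars: str = SAFE_CHARS) -> str:
    """rlm_sql-style escaping: keep bytes in safe_chars, encode every other byte as =XX."""
    safe = set(safe_chars.encode("ascii"))
    return "".join(chr(b) if b in safe else "=%02X" % b for b in value.encode("utf-8"))


def open_demo_db() -> sqlite3.Connection:
    """Constructed radcheck table; sqlite3 stands in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT)")
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", [
        ("bob",    "User-Password", "==", "constructed-1"),
        ("bob=2A", "User-Password", "==", "constructed-2"),   # how a user named 'bob*' must be stored
        ("alice",  "User-Password", "==", "constructed-3"),
    ])
    return conn


def lookup_raw(conn, username: str) -> list:
    """Interpolation without escaping: a quote character in the name reaches the SQL parser."""
    query = "SELECT username FROM radcheck WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def lookup_escaped(conn, username: str, safe_chars: str = SAFE_CHARS) -> list:
    """What rlm_sql does: escape first, then interpolate into the authorize query."""
    query = "SELECT username FROM radcheck WHERE username = '%s'" % sql_escape(username, safe_chars)
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    db = open_demo_db()
    for name in ("bob", "bob*", "x' OR '1'='1"):
        print("%-14r raw=%-28r escaped=%r" % (name, lookup_raw(db, name), lookup_escaped(db, name)))
```

With the list as quoted, "bob*" can only ever match a row stored as "bob=2A", which is the behaviour Brent saw; widening the list (the proposed safe-chars setting) is what would let "*" through unchanged, and at that point the administrator, not the module, is vouching that the character is harmless to the database in use.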

Re: Open ports over firewall

2004-04-27 Thread Julius Igugu
Hi,

What firewall are you using?
I know with a linux firewall you could tell it to allow incoming traffic on
ports 1812 & 1813 and related or established connections. This way replies to
requests from your NAS are let through whatever port they come from.

Julius Igugu
SouthWork Co. Ltd.
234 (802) 320-7540

Re: Log problems

2004-04-27 Thread Alan DeKok
Nick Marino [EMAIL PROTECTED] wrote:
 Yes I have all those entries and always have along with -fyz -lstderr for
 the command line of radiusd.

  Don't pass command-line options to the server.  The interaction of
command-line options with configuration file options is awkward.

  Almost all command-line options will be removed in a future release.

  As to why it stopped logging, I'm not sure.  Try running it without
command-line options & seeing what happens then.

  Alan DeKok.



segmentation fault with ldap bind in CVS branch

2004-04-27 Thread Maxime baudin
Hi, I'm using the CVS branch of freeradius for 802.1X (TTLS and PEAP) authentication.

I've successfully tested the 20040303 version (got some troubles with the
MS-Windows native client), but I have a segmentation fault with the 20040426
and 20040427 versions while binding to my ldap server. The logs attached were
a test with 

here are the logs in the attached file.

Regards,
Maxime
-- 
Baudin Maxime
Direction des Systèmes d'Informations
01 58 80 87 42 CNAM, Paris

The last time somebody said, "I find I can write much better with a word
processor.", I replied, "They used to say the same thing about drugs."
-- Roy Blount, Jr.
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded LDAP 
 ldap: server = ldap.cnam.fr
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = 
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = 
 ldap: basedn = ou=xx,o=Exx,dc=cnam,dc=fr
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = (null)
 ldap: access_attr = (null)
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = 
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId

Re: How does FreeRADIUS manage errors ?

2004-04-27 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Well, I would like to have further details:

  See the source code.

 The AP doesn't signal to the FreeRADIUS server that an
 authentication has failed. Is there a timer which is
 armed when a session is created ?

  Yes.

  And more generally,
 how this garbage collector works ?

  See the source code in rlm_eap/

   included EAP message was corrupted : 0x05050004 !
   Why not sending an EAP Failure in this case ?
  
It looks like a bug.
 
 
 About this bug, would you like more precisions in
 order to solve it ? Is it planned to fix this bug ?

  I've fixed it in the latest CVS snapshot.

 Silently discard the bad EAP Response isn't the best
 solution. As you wrote, the EAP method could easily re
 send the previous packet: it's well suited ! 
 But how is managed the EAP identifier in this case ?
 The RFC 2284bis specifies that the EAP identifier MUST
 be the same in case of retransmissions.

  See the data structures in rlm_eap.  You have access to the previous
EAP packet, so you can re-send it.

  As for updating the ID, you have access to the source.  Update the
EAP_PACKET structure with information as to whether or not the main
eap code should set the identifier, and then modify that code to check
for the new flag.

 After reading the Packet modification attacks
 paragraph in the RFC 2284bis (It is RECOMMENDED that
 methods providing integrity protection of EAP packets
 include coverage of all the EAP header fields,
 including the Code, Identifier, Length, Type and
 Type-Data fields.), we would like to protect the EAP
 header.
 Doing that implies the EAP method will have to guess
 the value of the EAP Identifier field of the next EAP
 Request packet ?

  Not if you set it to something using the above method.

  Alan DeKok.


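An added example, not from the thread and not rlm_eap's code, covering two points raised above: the header check that rejects 0x05050004 (Code 5 is not one of the four RFC 2284 codes; a well-formed Failure for that Identifier would be 0x04050004), and the Identifier bookkeeping Alan describes, where a new Request takes the previous Identifier plus one unless the method supplies its own, and a retransmission reuses the stored Request unchanged. The packet bytes are constructed and the class is a model, not rlm_eap's EAP_PACKET structure.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # RFC 2284 Code values
EAP_HEADER = struct.Struct("!BBH")                                 # Code, Identifier, Length


class EapError(ValueError):
    pass


def parse_eap(packet: bytes) -> dict:
    """Validate the EAP header and split off Type/Type-Data; raise EapError on a bad packet."""
    if len(packet) < EAP_HEADER.size:
        raise EapError("truncated EAP header")
    code, ident, length = EAP_HEADER.unpack_from(packet)
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise EapError("invalid EAP code %d" % code)            # 0x05050004 fails here
    if length < EAP_HEADER.size or length > len(packet):
        raise EapError("bad EAP length %d" % length)
    body = packet[EAP_HEADER.size:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise EapError("Request/Response needs a Type byte")
        return {"code": code, "id": ident, "type": body[0], "data": body[1:]}
    if body:
        raise EapError("Success/Failure carries no data")
    return {"code": code, "id": ident, "type": None, "data": b""}


def is_valid_eap(packet: bytes) -> bool:
    try:
        parse_eap(packet)
        return True
    except EapError:
        return False


def build_eap(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return EAP_HEADER.pack(code, ident, EAP_HEADER.size + len(body)) + body


class EapConversation:
    """Server-side Identifier bookkeeping for one authentication.

    Default behaviour is the one described in the thread: each new Request gets
    the previous Identifier plus one.  A method that integrity-protects the header
    may pass its own `ident` instead (the "flag on the packet" approach); a
    retransmission resends the outstanding Request unchanged, so its Identifier
    stays the same, as the RFC requires."""

    def __init__(self, first_id: int = 0):
        self.last_id = first_id
        self.outstanding = None

    def new_request(self, eap_type: int, data: bytes = b"", ident: int = None) -> bytes:
        self.last_id = (self.last_id + 1) & 0xFF if ident is None else ident & 0xFF
        self.outstanding = build_eap(EAP_REQUEST, self.last_id, eap_type, data)
        return self.outstanding

    def retransmit(self) -> bytes:
        return self.outstanding

    def accept_response(self, packet: bytes) -> bool:
        """Only a Response echoing the outstanding Request's Identifier is accepted."""
        try:
            parsed = parse_eap(packet)
        except EapError:
            return False
        return parsed["code"] == EAP_RESPONSE and parsed["id"] == self.last_id

    def fail(self) -> bytes:
        """The well-formed Failure that should go out instead of a corrupted packet."""
        return build_eap(EAP_FAILURE, self.last_id)


if __name__ == "__main__":
    print("0x05050004 valid:", is_valid_eap(bytes.fromhex("05050004")))
    conv = EapConversation()
    conv.new_request(1)                                   # Identity request, Identifier 1
    print("accepts id 1:", conv.accept_response(build_eap(EAP_RESPONSE, 1, 1, b"bob")))
    print("accepts id 2:", conv.accept_response(build_eap(EAP_RESPONSE, 2, 1, b"bob")))
    print("failure:", conv.fail().hex())
```

A Response whose Identifier does not match the outstanding Request is dropped by accept_response rather than acted on, which is also how a replayed or injected Response is kept out of the conversation; the method then either retransmits (same Identifier) or issues a new Request (new Identifier).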

Re: Open ports over firewall

2004-04-27 Thread Gabriele D'Andrea - TNET S.p.A.
Well, maybe you are wrong. I just tried the new stateful configuration and it
seems to work fine :)

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 4:44 PM
Subject: Re: Open ports over firewall


 Julius Igugu [EMAIL PROTECTED] wrote:
  I know with a linux firewall you could tell it to allow incoming
  traffic on ports 1812 & 1813 and related or established connections.
  This way replies to requests from your NAS are let through whatever
  port they come from.

   No.

   RADIUS uses UDP.  Established connections are for TCP.

   Most application-layer firewalls do a terrible job of handling
 RADIUS packets.

   Alan DeKok.






PEAP with WinXP client

2004-04-27 Thread Paul Khavkine


Hi guys.


Could anyone send me a working config for FreeRADIUS server
authenticating WinXP clients
with EAP-PEAP/EAP-MSCHAPv2.


Thanx
Paul





Re: How does FreeRADIUS manage errors ?

2004-04-27 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 http://perso.rd.francetelecom.fr/bersani/EAP_PSK/EAP-PSK.htm
 We intend to publish the first EAP-PSK implementation
 in the next weeks.

  PLEASE fix the protocol.  PLEASE PLEASE fix the protocol.

--
  0   1   2   3  
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1  
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
  |   AT_IDRES|Length | Actual Identity Length| 
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
  |   | 
  :  Identity : 
  :   .   : 
  |   | 
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 

...

   The identity does not include any terminating null characters. 
   Because the length of the attribute must be a multiple of 4 bytes, 
   the sender pads the identity with zero bytes when necessary. 


  The actual identity length field is NOT needed.  DELETE IT.
Having two lengths is a recipe for disaster.  In fact, inventing a new
attribute format is a waste of time.

  See the EAP-TTLS draft for examples of a better attribute design.
It uses one length, padded fields, and there are NO problems.

  The extra bytes sent in the packets by using EAP-TTLS attributes
instead of your attribute design are *irrelevant*.  The code savings,
development time, maintenance, decreased bugs, and decreased security
flaws caused by re-using existing code will be HUGE.

  e.g. You can steal the existing code in rlm_eap_ttls/ttls.c to
create/parse the attributes.  You can define EAP-PSK-FOO attributes in
the dictionary, to re-use the existing VALUE_PAIR data structures.
The savings will be *significant*.

  If you want to convince people to use your system, re-using existing
code & design is excellent practice.

  Alan DeKok.



RE: Special Characters in username

2004-04-27 Thread Brent Geach
Hi 
Thanks that works a treat by allowing the * as a safe char.
I would suggest it as a config option as this almost made me turn to gnu
radius as this has it already as an option. 

Thanks again

Brent


On Tue, Apr 27, 2004 at 02:43:35PM +0100, Brent Geach wrote:
 Hi
 I have a requirement to use special characters in the username field.
 When the user tries to log in with a * in the username it gets converted to
 =2A before going off to the mysql database to check the username and then
 obviously gets rejected as no such user. If I add another user with =2A
 instead of the * the user is accepted.
 gnuradius has a feature where you can specify what the chars the username
will
 accept but I much prefer the functionality of freeradius. What could I do to
 accept the * in the username?

The best answer is prolly store the * in your database as =2A as =2A
is an encoding of '*' which is database safe.

If you require the character '*' itself to appear in the database, you
will need to change src/modules/rlm_sql/rlm_sql.c around line 262 to
include '*' in the list of safe characters... And recompile.

Hmm. Now I think about it, we could solve this problem finally by adding
a 'safe-chars' configuration variable to rlm_sql, and trust the local
admin to only have characters in the list that are locally safe...

Maybe presume alpha-numerics, and a collection of other characters
(based on the current list:
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/
) are safe, and anything else can be made safe by the local admin?

It'd certainly remove my last local patch. :-)


-- 
Regards,

Brent
Linux Registered User #309941
ASCII Ribbon Campaign Against HTML Mail

PGP Key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x01445B63



Re: Special Characters in username

2004-04-27 Thread Alan DeKok
[EMAIL PROTECTED] (Paul Hampson) wrote:
 Hmm. Now I think about it, we could solve this problem finally by adding
 a 'safe-chars' configuration variable to rlm_sql, and trust the local
 admin to only have characters in the list that are locally safe...

  That's the best thing.

  The 'sql_escape_string' function doesn't take an inst parameter.
That can be fixed by making the list of escaped characters a global.
It's ugly, but it will work.

  For that, I'd recommend something like int allowed[256], and then
in sql_instantiate, set the allowed entries to one.

  Alan DeKok.
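Paul's proposal and Alan's `int allowed[256]` table, written out as an added example for this page (it is not rlm_sql's code, and the `safe-chars` configuration item was only a suggestion in this thread, not a 0.9.3 feature). The default list is the one Paul quotes above; the query text is illustrative rather than copied from any sql.conf. The one thing the table builder refuses to do is let an administrator mark quote, backslash or semicolon as safe, since that would turn the escaper back into an injection path.

```python
# Default safe list as quoted in this thread; every other byte is written as =XX.
DEFAULT_SAFE_CHARS = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/"

# Characters an administrator must not be able to mark safe, whatever the
# local database: they are exactly what an injected query needs.
NEVER_SAFE = "'\"\\;\x00\n\r"


def build_allowed_table(safe_chars: str = DEFAULT_SAFE_CHARS) -> list:
    """The `int allowed[256]` lookup table Alan suggests, filled once at
    instantiation from the (hypothetical) safe-chars config item."""
    table = [False] * 256
    for ch in safe_chars:
        code = ord(ch)
        if ch in NEVER_SAFE or code < 0x20 or code > 0x7E:
            raise ValueError("refusing to treat %r as SQL-safe" % ch)
        table[code] = True
    return table


def sql_escape_string(value: str, allowed: list) -> str:
    """Byte-wise escape: a byte not in the table becomes =XX, so '*' is sent
    as =2A, which is why the poster's user stored with =2A matched."""
    out = []
    for b in value.encode("utf-8"):
        out.append(chr(b) if allowed[b] else "=%02X" % b)
    return "".join(out)


def authorize_check_query(username: str, allowed: list) -> str:
    """An authorize_check_query with %{User-Name} expanded through the escaper.
    The SQL text is illustrative, not copied from sql.conf."""
    return ("SELECT id, UserName, Attribute, Value, op FROM radcheck "
            "WHERE UserName = '%s' ORDER BY id" % sql_escape_string(username, allowed))


if __name__ == "__main__":
    default = build_allowed_table()
    print(sql_escape_string("brent*", default))                         # brent=2A
    print(sql_escape_string("brent*", build_allowed_table(DEFAULT_SAFE_CHARS + "*")))
    print(authorize_check_query("x' OR '1'='1", default))               # quotes become =27
```

Two things worth noticing about the default list itself: `=` is in it, so a user name typed literally as `=2A` passes through unchanged and collides with an escaped `*` (the encoding is not reversible, exactly what the original poster ran into), and `/` and space are in it too, so the list is tuned for readability of the stored value rather than for the strictest possible query.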



Re: Open ports over firewall

2004-04-27 Thread Gabriele D'Andrea - TNET S.p.A.
Maybe u r right. Sometimes it works, sometimes it doesn't :-(
I'll try a static configuration again.





Realms and L2TP forwarding...

2004-04-27 Thread Thomas Bridge
Hi folks,

Currently I have a Cisco BAS terminating broadband customers.  Most of
our customers would have their PPP connection terminate on the BAS, but
I would like to forward customers who specify a specific realm onto
another BAS for another ISP.   My customers are authenticated using
CHAP off an LDAP server.

I'm trying to configure Free Radius to supply the correct attributes for
tunnels.

I currently have the following config in users:

DEFAULT REALM == realm, Auth-Type := Accept
Service-Type =  Outbound-User,
Tunnel-Type:1 = L2TP,
Tunnel-Medium-Type:1 = IP,  
Tunnel-Client-Auth-Id:1 = DSLIP,
Tunnel-Server-Endpoint:1 = xxx.xxx.xxx.xxx,
Tunnel-Password:1 = bookmark,
Fall-Through = No

If I query [EMAIL PROTECTED], I get the correct attributes back.   However, if
I query [EMAIL PROTECTED], where user2 has an LDAP entry, I get the following back:

[EMAIL PROTECTED] doc]$ radtest [EMAIL PROTECTED] randomstring xxx.xxx.xxx.xxx 0 key
Sending Access-Request of id 104 to xxx.xxx.xxx.xxx:1812
User-Name = [EMAIL PROTECTED]
User-Password = garbage
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx:1812, id=104, length=101
Tunnel-Type:1 = L2TP
Tunnel-Medium-Type:1 = IP
Tunnel-Client-Auth-Id:1 = DSLIP
Tunnel-Server-Endpoint:1 = xxx.xxx.xxx.xxx
Tunnel-Password:1 = bookmark
Framed-IP-Netmask = 255.255.255.255
Framed-IP-Address = xxx.xxx.xxx.xxx
Framed-Protocol = PPP
Service-Type = Framed-User

I'm pretty certain the Cisco will not do what I want it to with the Framed-User
attribute.   In any case my question - how do I ensure it's just tunnel property
configs that are returned for this realm even if the username exists in the NULL
realm? Am I looking at Autz-Type, or something else?

Thanks,

Thomas Bridge
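What the radtest output above does not show is the wire format of those tunnel attributes: RFC 2868 puts the `:1` tag in the first byte of each value, and Tunnel-Password is never sent in clear but salt-encrypted under the shared secret and the Request Authenticator (radtest prints it decrypted because it knows the secret). The code below is an added example for this page, not FreeRADIUS or radtest code; the secret, Request Authenticator, salt and endpoint address are constructed values, and the function names are mine.

```python
import hashlib
import hmac
import os
import struct

# Attribute numbers from RFC 2865 and RFC 2868, plus the enumerations used here.
ATTR = {"Service-Type": 6, "Tunnel-Type": 64, "Tunnel-Medium-Type": 65,
        "Tunnel-Server-Endpoint": 67, "Tunnel-Password": 69, "Tunnel-Client-Auth-Id": 90}
SERVICE_OUTBOUND_USER, TUNNEL_TYPE_L2TP, TUNNEL_MEDIUM_IPV4 = 5, 3, 1


def tlv(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 section 3.1: tag in the first byte, value in the remaining three."""
    return tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type: int, tag: int, value: bytes) -> bytes:
    return tlv(attr_type, bytes([tag]) + value)


def tunnel_password_encrypt(password: bytes, secret: bytes, request_auth: bytes,
                            tag: int, salt: bytes) -> bytes:
    """RFC 2868 section 3.5.
    p  = len || password, zero-padded to 16-byte blocks
    b1 = MD5(secret || RequestAuth || salt), c1 = p1 xor b1
    bi = MD5(secret || c(i-1)),              ci = pi xor bi
    """
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be two bytes with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    cipher, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        cipher += block
        prev = block
    return bytes([tag]) + salt + cipher


def tunnel_password_decrypt(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of the above; what the NAS (and radtest) do with the secret."""
    salt, cipher = value[1:3], value[3:]
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    return plain[1:1 + plain[0]]


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Code 2 reply; ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check a NAS makes before acting on a reply (RFC 2865 section 3)."""
    head, auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    if int.from_bytes(head[2:4], "big") != len(pkt):
        return False
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def realm_tunnel_reply(ident: int, request_auth: bytes, secret: bytes,
                       endpoint: str, salt: bytes = None) -> bytes:
    """The Access-Accept the users-file entry above produces for a realm user."""
    salt = salt or (bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1))
    attrs = b"".join([
        tagged_int(ATTR["Tunnel-Type"], 1, TUNNEL_TYPE_L2TP),
        tagged_int(ATTR["Tunnel-Medium-Type"], 1, TUNNEL_MEDIUM_IPV4),
        tagged_str(ATTR["Tunnel-Client-Auth-Id"], 1, b"DSLIP"),
        tagged_str(ATTR["Tunnel-Server-Endpoint"], 1, endpoint.encode()),
        tlv(ATTR["Tunnel-Password"],
            tunnel_password_encrypt(b"bookmark", secret, request_auth, 1, salt)),
        tlv(ATTR["Service-Type"], SERVICE_OUTBOUND_USER.to_bytes(4, "big")),
    ])
    return access_accept(ident, request_auth, secret, attrs)


if __name__ == "__main__":
    secret, ra = b"testing123", os.urandom(16)          # constructed values
    pkt = realm_tunnel_reply(104, ra, secret, "192.0.2.1")
    print(len(pkt), verify_response(pkt, ra, secret))
```

The Tunnel-Password protection is only as strong as the shared secret and MD5, so the attribute is not a reason to treat the NAS-to-server path as safe for an untrusted network; it does, however, mean that a passive observer of the radtest exchange does not see `bookmark`.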





RE: how to do accounting with mysql?

2004-04-27 Thread Nick Berry
The NAS has the fake response off, so it is sending the packets.  How
do I check if it is sending them? I want to have another reference.

Other thing. I put the sqlcounter stuff but I don't have any
sqlcounter.so or something like that on my lib.   What do I have to do
to download it and put it on my lib?
I am doing accounting with MySQL without sqlcounter (since I'm not
limiting my user's connection time).

Have you been able to get this to work?  Do you still need any help?




Re: Realms and L2TP forwarding...

2004-04-27 Thread Alan DeKok
Thomas Bridge [EMAIL PROTECTED] wrote:
 Currently I have a Cisco BAS terminating broadband customers.  Most of
 our customers would have their PPP connection terminate on the BAS, but
 I would like to forward customers who specify a specific realm onto
 another BAS for another ISP.   My customers are authenticated using
 CHAP off an LDAP server.

  Then you want to mark proxied customers as NOT using LDAP.

 If I query [EMAIL PROTECTED], I get the correct attributes back.   However, if
 I query [EMAIL PROTECTED], where user2 has an LDAP entry, I get the following back:

  Is that user2 a user in a different realm?  If so, you can key off
of the realms to tell them apart.

 I'm pretty certain the Cisco will not do what I want it to with the
 Framed-User attribute.  In any case my question - how do I ensure
 it's just tunnel property configs that are returned for this realm
 even if the username exists in the NULL realm?

  First, if a user logs in *without* a realm, you should treat that
differently than users logging in with a realm.

  Second, the reason [EMAIL PROTECTED] matches user2 from LDAP is that
it's using the Stripped-User-Name in the LDAP query.  Change that to
something else, and it should be better.

  Am I looking at Autz-Type, or something else?

  You can do that too.  List ldap in an Autz-Type block, and key
in the users file off of the *other* realm names, and set Autz-Type
:= LDAP.  That way you can force certain realms to use LDAP, and
other realms to use something else.

  Alan DeKok.
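Alan's Autz-Type suggestion written out, as an added example for this page rather than Thomas's configuration or anything shipped with FreeRADIUS. The realm name `otherisp` is a placeholder, the syntax is the 0.9.x/1.x one, and the realm has to exist (here as a LOCAL realm in proxy.conf) because, as the debug output elsewhere on this page shows, `suffix` returns noop and sets no Realm attribute for a realm it does not know.

```conf
# proxy.conf: the realm must be defined for suffix to set Realm and
# Stripped-User-Name; LOCAL means "handled here, not proxied".
realm otherisp {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

# radiusd.conf, authorize section.  ldap no longer runs for every request:
# the Autz-Type LDAP sub-section is entered only after the main section has
# finished and some module (here, files) has set Autz-Type := LDAP.
authorize {
        preprocess
        suffix
        files
        Autz-Type LDAP {
                ldap
        }
}

# users file.  The realm handed to the other ISP's BAS gets tunnel attributes
# only and never reaches LDAP, so user2@otherisp cannot pick up user2's
# Framed-* entries.  Auth-Type := Accept (as in Thomas's entry) is acceptable
# only because the far-end BAS authenticates the PPP session itself.
DEFAULT Realm == "otherisp", Auth-Type := Accept
        Service-Type = Outbound-User,
        Tunnel-Type:1 = L2TP,
        Tunnel-Medium-Type:1 = IP,
        Tunnel-Client-Auth-Id:1 = "DSLIP",
        Tunnel-Server-Endpoint:1 = "xxx.xxx.xxx.xxx",
        Tunnel-Password:1 = "bookmark",
        Fall-Through = No

# Everyone else, with or without a realm: look them up in LDAP.
DEFAULT Autz-Type := LDAP
        Fall-Through = Yes
```

Run `radiusd -X` and repeat the two radtest calls from the original message: the `otherisp` request should show `files` matching the first DEFAULT and no `rlm_ldap` lines at all, while a bare user name should log `Found Autz-Type LDAP` followed by the LDAP search.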



Re: How does FreeRADIUS manage errors ?

2004-04-27 Thread Aurelien Magniez
Hi Alan,

Many thanks for your remark, I have transferred it to
the EAP-PSK design team and they should come back to
you by tomorrow after having studied the TTLS design
you suggest.

However, when you say If you want to convince people
to use your system, re-using existing code & design is
excellent practice, you seem quite unfair IMHO as the
EAP-PSK attribute design is precisely inspired by the
EAP-SIM AT-Identity attribute design (see
http://www.ietf.org/internet-drafts/draft-haverinen-pppext-eap-sim-13.txt),
namely section 7.8, page 55:

7.8 AT_IDENTITY

   The format of the AT_IDENTITY attribute is shown below.

 ...

   The use of the AT_IDENTITY is defined in Section 4.2. The value field
   of this attribute begins with 2-byte actual identity length, which
   specifies the length of the identity in bytes. This field is followed
   by the subscriber identity of the indicated actual length. The
   identity is the permanent identity, a pseudonym identity or a fast
   re-authentication identity. The identity format is specified in
   Section 4.2.1. The same identity format is used in the AT_IDENTITY
   attribute and the EAP-Response/Identity packet, with the exception
   that the peer MUST NOT decorate the identity it includes in
   AT_IDENTITY. The identity does not include any terminating null
   characters. Because the length of the attribute must be a multiple of
   4 bytes, the sender pads the identity with zero bytes when necessary.

Anyway, thanks again for the piece of advice,
BR,

Aurelien






Re: How does FreeRADIUS manage errors ?

2004-04-27 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Many thanks for your remark, I have transfered it to
 the EAP-PSK design team and they should come back to
 you by tomorrow after having studied the TTLS design
 you suggest.

  *Please* use the TTLS format.  It's actually the Diameter format,
which has been around for ~6 years.  It's been peer reviewed, and the
attribute design is included in published RFCs.

 However, when you say If you want to convince people
 to use your system, re-using existing code & design is
 excellent practice, you seem quite unfair IMHO as the
 EAP-PSK attribute design is precisely inspired by the
 EAP-SIM AT-Identity attribute design
 
  EAP-SIM has not been peer reviewed.  The author has been asked to
change the format, and has not done so.  The protocol has *not* been
accepted by the IETF EAP group as a WG document, and most likely will
NEVER be published as an RFC.

  If you want your protocol to be accepted and published as a
standard, using the TTLS/Diameter attribute format will help.  Using
the EAP-SIM attribute format will not help.

  Alan DeKok.



Re: Open ports over firewall

2004-04-27 Thread Bill Thompson

On Tue, 27 Apr 2004 13:15:24 +0200
Gabriele D'Andrea - TNET S.p.A. [EMAIL PROTECTED] wrote:

 Hi everybody,
 I'm running Freeradius on my RedHat server. Which OUTPUT ports should I
 leave open for freeradius?
 For accounting i leave udp 1812-13 open in INPUT and OUTPUT, I receive
 authentication requests but then my auth replies are blocked by
 firewall. Any help on this?
 


Why are you running a firewall on your Radius server? It would be better
to turn off all unused services so that the only ports open are for
Radius. It just doesn't make sense to use a firewall on a host server.



Re: Log problems

2004-04-27 Thread Nick Marino
 Original Message 
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 9:52 AM
Subject: Re: Log problems

 Nick Marino [EMAIL PROTECTED] wrote:
 Yes I have all those entries and always have along with -fyz
 -lstderr for the command line of radiusd.

   Don't pass command-line options to the server.  The interaction of
 command-line options with configuration file options is awkward.

   Almost all command-line options will be removed in a future release.

   As to why it stopped logging, I'm not sure.  Try running it without
 command-line options & seeing what happens then.

   Alan DeKok.

Ok thanks I will try that and see what the results are. Although I got that
info from the FAQ on the freeradius website on setting up daemontools. You
may want to update that portion of the faq also.





Had sent TLV failure, rejecting

2004-04-27 Thread Antonio Fernandes
Hi!

I've installed freeradius-snapshot-20040419 and I can't get past this problem:
Had sent TLV failure, rejecting

Below is the 'radiusd -X' log.

Thanks

--

Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.230:21645, id=135,
length=119
User-Name = xpto1
Framed-MTU = 1400
Called-Station-Id = 000e.d7b1.3e30
Calling-Station-Id = 0004.e2aa.b4f2
Message-Authenticator = 0x29004505131667d146c1a251638d9a3f
EAP-Message = 0x0202000a017870746f31
NAS-Port-Type = Wireless-802.11
NAS-Port = 421
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.230
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  '/servicos/freeRadius/var/log/radius/radacct/auth-detail'
rlm_detail: /servicos/freeRadius/var/log/radius/radacct/auth-detail expands to
/servicos/freeRadius/var/log/radius/radacct/auth-detail
  modcall[authorize]: module auth_log returns ok for request 0
rlm_realm: No '@' in User-Name = xpto1, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched xpto1 at 33
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 135 to 192.168.1.230:21645
EAP-Message = 0x010300061520
Message-Authenticator = 0x
State = 0x31b3fb4539b4e75af135e9c834f1d2e3
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.230:21645, id=136,
length=133
User-Name = xpto1
Framed-MTU = 1400
Called-Station-Id = 000e.d7b1.3e30
Calling-Station-Id = 0004.e2aa.b4f2
Message-Authenticator = 0xc090207a0acd1167649a91c74940b03e
EAP-Message = 0x020300060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 421
State = 0x31b3fb4539b4e75af135e9c834f1d2e3
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.230
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
radius_xlat:  '/servicos/freeRadius/var/log/radius/radacct/auth-detail'
rlm_detail: /servicos/freeRadius/var/log/radius/radacct/auth-detail expands to
/servicos/freeRadius/var/log/radius/radacct/auth-detail
  modcall[authorize]: module auth_log returns ok for request 1
rlm_realm: No '@' in User-Name = xpto1, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
users: Matched xpto1 at 33
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 136 to 192.168.1.230:21645
EAP-Message = 0x010400061920
Message-Authenticator = 0x
State = 0xea7a2e0bfa5346eae55a7a8ac07b84f8
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.230:21645, id=137,
length=207
User-Name = xpto1
Framed-MTU = 1400
Called-Station-Id = 000e.d7b1.3e30
Calling-Station-Id = 0004.e2aa.b4f2
Message-Authenticator = 0x3e6dac25a6223dc72073df49d0694e7a
EAP-Message =
0x02040050198000461603010041013d0301408ea0010e236d13140e781e74f5123f91fa4c9acae63796c881abf9843188ae1600040005000a000900640062000300060013001200630100
NAS-Port-Type = 
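Decoding the EAP-Message values in the log above by hand is the quickest way to see what was actually negotiated before the failure Michael points to further down: the client sends Identity `xpto1`, the server offers a TLS-based method (type 21) with the Start flag set, the client Naks it and asks for type 25 (PEAP), and the server starts PEAP. The decoder below is an added example written for this page, not FreeRADIUS code; the type and flag names are the RFC 3748 and PEAP values, the function names are mine. Note that the archive appears to have dropped runs of zero bytes from long hex values (the `Message-Authenticator` lines print as a bare `0x`, and the ClientHello's three-byte length is missing its leading zeros), so the last, longest EAP-Message no longer matches its own Length field; the decoder reports it as malformed rather than guessing at the TLS payload.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start

# EAP-Message values copied from the radiusd -X output above; the last one as
# it survives in the archive, which has lost runs of zero bytes.
LOG_MESSAGES = [
    "0x0202000a017870746f31",
    "0x010300061520",
    "0x020300060319",
    "0x010400061920",
    "0x02040050198000461603010041013d0301408ea0010e236d13140e781e74f5123f91fa4c9a"
    "cae63796c881abf9843188ae1600040005000a000900640062000300060013001200630100",
]


def extract_eap_messages(log_text: str):
    """Pull every EAP-Message hex value out of radiusd -X output, including
    values that were wrapped onto the following line."""
    return re.findall(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)", log_text)


def decode_eap_message(hexstr: str) -> dict:
    """Decode one EAP-Message attribute value.  A malformed packet yields
    {"error": ...} instead of an exception so a scan over a whole log goes on."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        return {"error": "header truncated"}
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        return {"error": "bad Code %d" % code}
    if length != len(raw):
        return {"error": "Length field says %d, %d bytes present" % (length, len(raw))}
    out = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (3, 4):                      # Success/Failure carry no Type
        return out
    if length < 5:
        return {"error": "Request/Response without Type byte"}
    etype, data = raw[4], raw[5:]
    out["type"], out["type_name"] = etype, EAP_TYPES.get(etype, "unknown")
    if etype == 1:
        out["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:                         # Nak: list of acceptable types
        out["nak_wants"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype in TLS_BASED:
        if not data:
            return {"error": "TLS-based method without flags byte"}
        flags, body = data[0], data[1:]
        out["flags"] = {"L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
                        "S": bool(flags & FLAG_S)}
        if etype == 25:
            out["peap_version"] = flags & 0x07
        if flags & FLAG_L:
            if len(body) < 4:
                return {"error": "L flag set but TLS Message Length missing"}
            tls_len = struct.unpack("!I", body[:4])[0]
            body = body[4:]
            if not flags & FLAG_M and tls_len != len(body):
                return {"error": "TLS Message Length %d but %d bytes of TLS data"
                        % (tls_len, len(body))}
            out["tls_message_length"] = tls_len
        if len(body) >= 5:                   # first TLS record header, if any
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", body[:5])
            out["tls_record"] = {"content_type": ctype, "version": (vmaj, vmin),
                                 "length": rlen}
        out["tls_data"] = body
    else:
        out["data"] = data
    return out


def summarize(hexstr: str) -> str:
    """One-line description, handy for grepping a long debug log."""
    d = decode_eap_message(hexstr)
    if "error" in d:
        return "malformed: " + d["error"]
    parts = ["%s id=%d" % (d["code"], d["id"])]
    if "type_name" in d:
        parts.append(d["type_name"])
    if "identity" in d:
        parts.append(repr(d["identity"]))
    if "nak_wants" in d:
        parts.append("wants " + ",".join(map(str, d["nak_wants"])))
    if "flags" in d:
        parts.append("flags=" + "".join(f for f, on in d["flags"].items() if on))
    return " ".join(parts)


if __name__ == "__main__":
    for m in LOG_MESSAGES:
        print(summarize(m))
```

Feeding a complete `radiusd -X` capture through `extract_eap_messages` and `summarize` gives the method negotiation on one line per packet, which is usually enough to spot where a conversation with a Windows supplicant diverges from what the server's `default_eap_type` expected.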

Re: FreeRADIUS sending Access-Reject if no response to proxied Access-Request

2004-04-27 Thread cmikk

On Tue, 27 Apr 2004 10:47:58 -0400 , Alan DeKok writes:
 Doug Hardie [EMAIL PROTECTED] wrote:
 Why?  What's so problematic about the Access-Rejects?
  
  Because the NAS will not switch over to the alternate radius server 
  which is probably working properly.
 
   Ok... so does the proxying server mark *all* home servers as dead?
 
   The problem is that if the NAS is using the same RADIUS server for
  other purposes, (i.e. packets which aren't proxied), then it can fail
 over to the backup, even though parts of the server still work...

Yes, that is a potential problem.  It is something we
needed to work around for our current RADIUS code.  We
did it by tweaking the client configuration (not sure
how, at the moment, I just do the servers here :-).

The problems with access-rejects arise when the load-balancers
enter the picture, and each NAS retry is handled by a
different server (probably).  If the home server is down,
then each NAS retry will get its own access-reject.  If
the home server is up, but some requests time out, the NAS
will get a mixture of access-accepts and access-rejects
in response to the request.

Although I see why an access-reject is better than no
answer at all in most cases, if you're load balancing
RADIUS servers it's not so obvious.  That's why I'm asking
to add optional behavior, not change the behavior.

   I'm willing to add a patch where a module can mark a packet no
 reply.  It's then up to you to have a site-local module to mark some
 packets.  But that knowing *when* to do that is up to you, and is
 *very* site-specific.  Adding patches to the server core to support
 one site's configuration is problematic.

Fair enough.  I would just like to have this behavior
without maintaining local patches to the core.  A module
interface to allow this would be good.  

How would a module get at timed-out proxied requests
though?  The timed-out aspect is calculated in request_list.c,
and leads to an immediate request_reject, which apparently
leads to an immediate rad_send, with no intervening module
calls.

-- 
Chris Mikkelson  |  For every complex problem, there is a solution
[EMAIL PROTECTED]  |  that is simple, neat, and wrong. 
 |  -- H. L. Mencken



Re: Had sent TLV failure, rejecting

2004-04-27 Thread Michael Griego
Alan DeKok wrote:
 You're looking at the end of the debug log.  The rest of the
 information in it is useful, too.  The error means a PREVIOUS part of
 the conversation caused the reject.


The section of the log that shows the real error:

  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Response is of incorrect length
 rlm_eap: Handler failed in EAP/mschapv2
  rlm_eap: Failed in EAP select


-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





New MSCHAP winbindd code

2004-04-27 Thread Steve OBrien

Has anyone successfully tested the new
mschap ntlm_auth code with EAP yet?

Steve

Re: New MSCHAP winbindd code

2004-04-27 Thread Michael Griego
No, but I will be doing some testing real soon now... maybe tonight if
I feel up to it.


On Tue, 2004-04-27 at 17:09, Steve OBrien wrote:
 Has anyone successfully tested the new mschap ntlm_auth code with EAP
 yet?
 
 Steve
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Re: Log problems

2004-04-27 Thread Nick Marino

Ok I removed everything from the command line for radiusd except -f and
-lstderr that is supposed to be required for daemontools to work correctly.

Still same result there are no authentication log entries in the radius.log.
Here is a section of what is showing up when radiusd is started or
restarted.
Logging had been working fine for almost 2 years then it stops.. Something
must have changed but where?


Mon Apr 26 19:18:16 2004 : Info: rlm_sql: Starting connect to MySQL server
for #3
Mon Apr 26 19:18:16 2004 : Info: rlm_sql: Starting connect to MySQL server
for #4
Mon Apr 26 19:30:13 2004 : Info: rlm_sql: Driver rlm_sql_mysql loaded and
linked
Mon Apr 26 19:30:13 2004 : Info: rlm_sql: Attempting to connect to
[EMAIL PROTECTED]:3306/defuniak
Mon Apr 26 19:30:13 2004 : Info: rlm_sql: Starting connect to MySQL server
for #0
Mon Apr 26 19:30:13 2004 : Info: rlm_sql: Starting connect to MySQL server
for #1
Mon Apr 26 19:30:13 2004 : Info: rlm_sql: Starting connect to MySQL server
for #2
Mon Apr 26 19:30:13 2004 : Info: rlm_sql: Starting connect to MySQL server
for #3
Mon Apr 26 19:30:13 2004 : Info: rlm_sql: Starting connect to MySQL server
for #4
Mon Apr 26 20:09:21 2004 : Info: rlm_sql: Driver rlm_sql_mysql loaded and
linked
Mon Apr 26 20:09:21 2004 : Info: rlm_sql: Attempting to connect to
[EMAIL PROTECTED]:3306/defuniak
Mon Apr 26 20:09:21 2004 : Info: rlm_sql: Starting connect to MySQL server
for #0
Mon Apr 26 20:09:21 2004 : Info: rlm_sql: Starting connect to MySQL server
for #1
Mon Apr 26 20:09:21 2004 : Info: rlm_sql: Starting connect to MySQL server
for #2
Mon Apr 26 20:09:21 2004 : Info: rlm_sql: Starting connect to MySQL server
for #3
Mon Apr 26 20:09:21 2004 : Info: rlm_sql: Starting connect to MySQL server
for #4
Mon Apr 26 20:11:43 2004 : Info: rlm_sql: Driver rlm_sql_mysql loaded and
linked
Mon Apr 26 20:11:43 2004 : Info: rlm_sql: Attempting to connect to
[EMAIL PROTECTED]:3306/defuniak
Mon Apr 26 20:11:43 2004 : Info: rlm_sql: Starting connect to MySQL server
for #0
Mon Apr 26 20:11:43 2004 : Info: rlm_sql: Starting connect to MySQL server
for #1
Mon Apr 26 20:11:43 2004 : Info: rlm_sql: Starting connect to MySQL server
for #2
Mon Apr 26 20:11:43 2004 : Info: rlm_sql: Starting connect to MySQL server
for #3
Mon Apr 26 20:11:43 2004 : Info: rlm_sql: Starting connect to MySQL server
for #4
Mon Apr 26 21:40:00 2004 : Info: rlm_sql: Driver rlm_sql_mysql loaded and
linked
Mon Apr 26 21:40:00 2004 : Info: rlm_sql: Attempting to connect to





RE: accept Simultaneous-use from specific router

2004-04-27 Thread issa rabba'
Dear all:

Has anyone tried what I'm asking for? Until now I can't make it work. Does
anyone have any idea about this issue?

Regards

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of issa
rabba'
Sent: Tuesday, April 27, 2004 4:10 PM
To: [EMAIL PROTECTED]
Subject: RE: accept Simultaneous-use from specific router

Thank you for your reply, but I'm sorry to tell you that I'm using mysql
for the Simultaneous-Use check, not the users file. Can you help me with that?

Regards


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith
Yoder
Sent: Tuesday, April 27, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: Re: accept Simultaneous-use from specific router


Dear all:

I have FreeRADIUS server 0.9.3 running and everything is going well, and
the Simultaneous-Use is working fine. I defined the Simultaneous-Use to be
1, but I want to be allowed to skip the simultaneous-use check when the radius
request comes from a specific router.
Can I do that?
Is it doable or not? If yes, how can I do it?

Really, if I can do it, it will help me very much.

Thanks for the help.

Yes, that is possible.  How you do it depends on what you're using to store
check and reply attributes.  If you're using the users file it could be done
like this:

DEFAULT Nas-Ip-Address != aaa.bbb.ccc.ddd, Simultaneous-Use := 1
   Fall-Through = 1


Hope that helps,
Keith Yoder







