EAP TLS + Mysql + Accounting

2005-01-16 Thread Prolag
Hi All,
I'm using FreeRADIUS with EAP-TLS and MySQL and it works :)
but the Accounting query is not working when the user authenticates!

My Config :

authorize {
#
#  The preprocess module takes care of sanitizing some bizarre
#  attributes in the request, and turning them into attributes
#  which are more standard.
#
#  It takes care of processing the 'raddb/hints' and the
#  'raddb/huntgroups' files.
#
#  It also adds the %{Client-IP-Address} attribute to the request.
preprocess

#
#  If you want to have a log of authentication requests,
#  un-comment the following line, and the 'detail auth_log'
#  section, above.
auth_log

#   attr_filter

#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been set
##  chap

#
#  If the users are logging in with an MS-CHAP-Challenge
#  attribute for authentication, the mschap module will find
#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
#  to the request, which will cause the server to then use
#  the mschap module for authentication.
##  mschap

#
#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authenticate' section.
#   digest

#
#  Look for IPASS style 'realm/', and if not found, look for
#  '@realm', and decide whether or not to proxy, based on
#  that.
#   IPASS

#
#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#
##  suffix
#   ntdomain

#
#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
#  authentication.
#
#  It also sets the EAP-Type attribute in the request
#  attribute list to the EAP type from the packet.
##  eap

#
#  Read the 'users' file
##  files

#
#  Look in an SQL database.  The schema of the database
#  is meant to mirror the "users" file.
#
#  See "Authorization Queries" in sql.conf
sql

#
#  If you are using /etc/smbpasswd, and are also doing
#  mschap authentication, the un-comment this line, and
#  configure the 'etc_smbpasswd' module, above.
#   etc_smbpasswd

#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
#   ldap

#
#  Enforce daily limits on time spent logged in.
#   daily

#
# Use the checkval module
#   checkval
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the apropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
Auth-Type CHAP {
chap
}

#
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authorize' section.
#   digest

#
#  Pluggable Authentication Modules.
#   pam

#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against /etc/passwd!  See the FAQ for details.
#  
unix

# Uncomment it if you want to use ldap for authent
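
A point worth separating from the authorize/authenticate sections quoted above: accounting rows are written in response to Accounting-Request packets (UDP 1813, Acct-Status-Type Start/Stop), which the NAS sends on its own, after the Access-Accept; FreeRADIUS handles them in the `accounting {}` section, so a `sql` entry in `authorize` alone never touches radacct, and nothing should be expected in the accounting tables at the moment of authentication. The Python below is an added example, not code from the original post or from FreeRADIUS: it builds a minimal Accounting-Start the way a NAS would, including the RFC 2866 Request Authenticator (MD5 over the packet with sixteen zero octets in place of the authenticator, followed by the shared secret), checks it the way the server does, and validates the Accounting-Response. Sending it at a server running `radiusd -X` exercises the `accounting` section independently of any login. The secret `testing123`, the NAS address 192.168.0.5, the user name and the session id are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS packet codes and attribute numbers (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_PORT = 5
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1
ACCT_STATUS_STOP = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attr(attr_type, value):
    """Encode one Type-Length-Value attribute; ints become 4-byte big-endian."""
    if isinstance(value, str):
        data = value.encode("utf-8")
    elif isinstance(value, int):
        data = struct.pack("!I", value)
    else:
        data = bytes(value)
    if len(data) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def build_accounting_request(secret, identifier, attrs):
    """Accounting-Request whose Request Authenticator is, per RFC 2866,
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(secret, packet):
    """Recompute the authenticator as the server does. False means the packet
    was altered in transit or was built with a different shared secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_accounting_response(secret, request):
    """What the server answers: MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    here with no attributes."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], HEADER_LEN)
    authenticator = hashlib.md5(header + request[4:HEADER_LEN] + secret).digest()
    return header + authenticator


def verify_accounting_response(secret, request, reply):
    """Accept a reply only if it matches our request ID and its authenticator
    was computed over our Request Authenticator with the same secret."""
    if len(reply) < HEADER_LEN or reply[0] != ACCOUNTING_RESPONSE or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:HEADER_LEN] + reply[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def parse_attrs(packet):
    """Walk the TLV list after the header; raise on truncated or overlapping lengths."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def acct_start_packet(secret, identifier=7):
    """Constructed sample Accounting-Start for user 'alice' from NAS 192.168.0.5."""
    attrs = [
        (USER_NAME, "alice"),
        (NAS_IP_ADDRESS, socket.inet_aton("192.168.0.5")),
        (NAS_PORT, 125),
        (ACCT_STATUS_TYPE, ACCT_STATUS_START),
        (ACCT_SESSION_ID, "0000abcd"),
    ]
    return build_accounting_request(secret, identifier, attrs)


def send_accounting(secret, packet, host="127.0.0.1", port=1813, timeout=2.0):
    """Send to a live server; True only on a valid Accounting-Response for this request."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_accounting_response(secret, packet, reply)


if __name__ == "__main__":
    secret = b"testing123"  # must match the client entry in clients.conf
    print("accounting start acknowledged:", send_accounting(secret, acct_start_packet(secret)))
```

With `radiusd -X` running, a run of this script should show `rlm_sql` executing the accounting Start query in the `accounting` section; if it does not, the `sql` module is missing from that section (in the stock radiusd.conf it is commented out there), which is a separate problem from anything in `authorize`. A Stop record is the same packet with `ACCT_STATUS_STOP` and the session's Acct-Session-Time.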

Re: SQL db failover

2005-01-16 Thread Alan DeKok
"Michel van Dop" <[EMAIL PROTECTED]> wrote:
> Okay good, I replace any reference to the "sql" module and fix it.
> But how do I replace this? In "group" or "sql1,sql2" or ?

  You probably want the group.

> What's the name of sql1 and sql2?

  sql1 and sql2.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius - Requests don't seem to pass to radius server

2005-01-16 Thread Alan DeKok
Sam <[EMAIL PROTECTED]> wrote:
> But when my dialup users try to authenticate, nothing ever gets to the 
> radius server. /etc/services has the radius ports set to 1812 and 1813. 

  Try hard-coding the ports into radiusd.conf.

  Other than that, 'netstat', to see which ports are open.

  If FreeRADIUS doesn't receive packets, then the problem is a network
problem.  Get the client to send the packets to the correct IP &&
port, or get FreeRADIUS to listen on the correct IP && port.

  Alan DeKok.



Re: xlat sql trouble

2005-01-16 Thread Alan DeKok
Red Cayenne <[EMAIL PROTECTED]> wrote:
> I wrote a custom xlat sql function (my setup is with mysql backend),
> registered it, and radius_xlat gets the function running. However,
> variables in query are not replaced with attribute values... So my
> question is: what did I do wrong? :)

  Read the original sql_xlat function, and see what the differences
are between it and your function.

  Odds are you're not calling radius_xlat.

  Alan DeKok.




PEAP and Active directory working

2005-01-16 Thread AJ Grinnell
Thank you all for the help on my issue. There was a problem with Samba
not connecting correctly to my PDC. I can now authenticate over 802.1x
to my AD using my username and password. The final question I have
here deals with the ntdomain hack. Radiusd.conf says not to use it,
and I can strip the realm off of realm\\username, but when doing
this, I get the error: Identity does not match username setting from
EAP identity. I have also seen a patch to correct this, but it was
from a couple of years ago. Is this fixed in 1.0.1? How can I make this
work?



Re: Exec-Program-Wait Problem

2005-01-16 Thread Dustin Doris


On Sun, 16 Jan 2005, Emman S. Loloy wrote:

> Hi,
>
>
> I have a problem using the Exec-Program-Wait attribute. Any comments or
> suggestions on how to fix this problem? Here's my configuration.
>
> /tmp/checkras
>
> #!/bin/sh
> # Reject the request when the NAS address passed as $1 is on the deny list.
> # Exit status must be 0..255; "exit -1" is not valid in POSIX sh, and "==" is not portable.
> if [ "$1" = "192.168.0.1" ]; then
> exit 1   # fail
> elif [ "$1" = "192.168.0.2" ]; then
> exit 1   # fail
> fi
> exit 0   # pass
>
>
>   Processing the session section of radiusd.conf
> modcall: entering group session for request 1008
> radius_xlat:  'dialup'
> rlm_sql (sql): sql_set_user escaped user --> 'dialup'
> radius_xlat:  'SELECT COUNT(*) FROM radacct WHERE UserName='dialup' AND 
> AcctStopTime = 0'
> rlm_sql (sql): Reserving sql socket id: 1
> rlm_sql (sql): Released sql socket id: 1
>   modcall[session]: module "sql" returns ok for request 1008
> modcall: group session returns ok for request 1008
> radius_xlat:  '192.168.0.1'
> Exec-Program output: Exec-Program: FAILED to execute /tmp/checkras: Bad 
> address
> Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /tmp/checkras: 
> Bad address
> Exec-Program: Abnormal child exit: No child processes
> Login incorrect (external check failed): [dilaup/foobar] (from client foobar 
> port 125)
> Delaying request 1008 for 1 seconds
> Finished request 1008
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1006 ID 62 with timestamp 41e9f160
> Sending Access-Reject of id 84 to 192.168.0.5:38613
> Reply-Message := "Exec-Program: FAILED to execute /tmp/checkras: Bad 
> address\n"
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1007 ID 182 with timestamp 41e9f161
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1008 ID 84 with timestamp 41e9f164
> Nothing to do.  Sleeping until we see a request.
>
>
> Thanks,
>
> Emman


Can you run that program from the command line?  Also, how are you calling
it, can you paste your users file entry?





EAP core dump

2005-01-16 Thread Ryan Lucas
Help me please!!

While loading the eap module I seg fault.

From radiusd -X:

Module: Loaded eap 
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
Segmentation fault (core dumped)

Here is the debug... (below is the eap.conf)

[EMAIL PROTECTED] sbin]# gdb ./radiusd ./core.23037
GNU gdb 6.2-2mdk (Mandrakelinux)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

Core was generated by `./radiusd -X'.
Program terminated with signal 11, Segmentation fault.

warning: current_sos: Can't read pathname for load map: Input/output error

Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/local/lib/libradius-1.0.1.so...done.
Loaded symbols for /usr/local/lib/libradius-1.0.1.so
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/tls/libpthread.so.0...done.
Loaded symbols for /lib/tls/libpthread.so.0
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /usr/local/lib/rlm_exec-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_exec-1.0.1.so
Reading symbols from /usr/local/lib/rlm_expr-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_expr-1.0.1.so
Reading symbols from /usr/local/lib/rlm_mschap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_mschap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_unix-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_unix-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap_md5-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_md5-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap_leap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_leap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap_gtc-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_gtc-1.0.1.so
#0  0x4006015a in lt_dlsym (handle=0x814f968, symbol=0xbfffe2e0 "rlm_eap_tls") at ltdl.c:3330
3330  lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)
(gdb) bt
#0  0x4006015a in lt_dlsym (handle=0x814f968, symbol=0xbfffe2e0 "rlm_eap_tls") at ltdl.c:3330
#1  0x401d350f in eaptype_load (type=0x0, eap_type=13, cs=0x0) at eap.c:114
#2  0x401d2b16 in eap_instantiate (cs=0x80a59b8, instance=0x0) at rlm_eap.c:134
#3  0x080550a0 in find_module_instance (instname=0x80a9990 "eap") at modules.c:358
#4  0x080564eb in do_compile_modsingle (component=0, ci=0x80a9970, filename=0x8060395 "radiusd.conf", grouptype=0, modname=0xbfffe648) at modcall.c:814
#5  0x08055737 in setup_modules () at modules.c:584
#6  0x0804cd57 in main (argc=2, argv=0xb894) at radiusd.c:965
(gdb)

Eap.conf

[EMAIL PROTECTED] raddb]# more eap.conf
  eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    leap {
    }

    gtc {
      auth_type = PAP
    }

    tls {
      private_key_password = whatever
      private_key_file = ${raddbdir}/certs/cert-srv.pem
      certificate_file = ${raddbdir}/certs/cert-srv.pem
      CA_file = ${raddbdir}/certs/demoCA/cacert.pem
      dh_file = ${raddbdir}/certs/dh
      random_file = /dev/urandom
    }

    peap {
      default_eap_type = mschapv2
    }

    mschapv2 {
    }
  }


An Option to set the Session-Timeout

2005-01-16 Thread driessen
I have FreeRADIUS running on MySQL 4.1.
I want to interrupt the user's access only once a month.
I'm searching for an option to set the Session-Timeout to the
first day of next month at 3:00 at night, counted from now, to have a clean
bill for the users every month.
For SQL this isn't a problem; I can do it with

SELECT (@firstday := CONCAT( YEAR(DATE_ADD(NOW(), INTERVAL 1 MONTH)), 
'-', MONTH(DATE_ADD(NOW(), INTERVAL 1 MONTH)), '-01 03:00:00')) AS f1,
UNIX_TIMESTAMP(@firstday) - UNIX_TIMESTAMP(NOW()) AS f2;

But I don't find a way to tell it to FreeRADIUS.

Best regards from Germany

Kind regards

Drießen

Something is in the air

www.feilbingert.net

Uwe Drießen
Software & Computer
Lembergstraße 33
67824 Feilbingert
Tel.: 06708 660045 Fax 06708 661397
www.edv-driessen.de




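Two properties of the value asked for above are easy to miss, and the Python below is an added example illustrating them; it is not from the original post or from FreeRADIUS. First, Session-Timeout is an integer number of seconds counted from the Access-Accept, so it cannot be stored as a fixed row in radreply; it has to be computed for each request at authentication time, as the SQL does. Second, `NOW()` plus an interval is wall-clock arithmetic: when a daylight-saving change falls between now and the first of next month, the real number of seconds until 03:00 local time differs by an hour from the wall-clock difference. The code computes the value with timezone-aware datetimes (subtraction of aware datetimes is done in UTC, so the DST jump is accounted for), clamps it to the 32-bit range the attribute allows, and formats the reply item. The fixed-offset zone and the sample instants are constructed for the example; the `Europe/Berlin` demonstration in the main block needs the zoneinfo module and system tz data and is skipped if they are absent.

```python
from datetime import datetime, timedelta, timezone

SESSION_TIMEOUT_MAX = 0xFFFFFFFF  # Session-Timeout is a 32-bit unsigned integer (RFC 2865)


def next_month_cutoff(now):
    """03:00 wall-clock time on the first day of the month after `now`, in now's zone.
    `now` must be timezone-aware. Attaching the tzinfo to the wall-clock value lets a
    zoneinfo timezone choose the correct UTC offset for that date (do not use this
    pattern with pytz zones, which need localize())."""
    if now.tzinfo is None or now.utcoffset() is None:
        raise ValueError("now must be a timezone-aware datetime")
    if now.month == 12:
        year, month = now.year + 1, 1
    else:
        year, month = now.year, now.month + 1
    return datetime(year, month, 1, 3, 0, 0, tzinfo=now.tzinfo)


def session_timeout_seconds(now):
    """Seconds from `now` until the cutoff. Aware datetimes subtract in UTC, so a
    DST change between the two instants does not skew the result by an hour."""
    seconds = int((next_month_cutoff(now) - now).total_seconds())
    return max(1, min(seconds, SESSION_TIMEOUT_MAX))


def reply_item(now):
    """The reply attribute as it would appear in a users-file reply list or radreply row."""
    return "Session-Timeout := %d" % session_timeout_seconds(now)


def aware(year, month, day, hour, minute=0, offset_hours=1):
    """Constructed sample instant in a fixed-offset zone (default UTC+1, i.e. CET)."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone(timedelta(hours=offset_hours)))


if __name__ == "__main__":
    # Value for a login happening right now, in the system's local zone.
    print(reply_item(datetime.now().astimezone()))
    try:
        from zoneinfo import ZoneInfo
        berlin = ZoneInfo("Europe/Berlin")
        # DST began on 2005-03-27 in Berlin: from 2005-03-15 12:00 to 2005-04-01 03:00 the
        # wall clock advances 16 days 15 hours, but the elapsed seconds are one hour fewer.
        print(session_timeout_seconds(datetime(2005, 3, 15, 12, 0, tzinfo=berlin)))
    except Exception:
        pass  # zoneinfo or tz database not available on this host
```

Whatever mechanism ends up delivering the value to the client, the number must be produced at the moment of the Access-Request; a nightly job that writes the result into radreply would hand every later login a timeout that is already too long.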


Re: EAP core dump

2005-01-16 Thread Alan DeKok
"Ryan Lucas" <[EMAIL PROTECTED]> wrote:
> While loading eap module I seg fault. 
...
> #0  0x4006015a in lt_dlsym (handle=0x814f968, symbol=0xbfffe2e0
> "rlm_eap_tls") at ltdl.c:3330
> 
> 3330  lensym = LT_STRLEN (symbol) + LT_STRLEN
> (handle->loader->sym_prefix)

  http://bugs.freeradius.org/show_bug.cgi?id=98

  Alan DeKok.



radutmp woes

2005-01-16 Thread Sam Morris
Hello

After much hair pulling I have Freeradius 1.0.1 working nearly 100%. But I'm
having issues with radutmp (at least I think that's where the trouble
lies).

When I do a radlast, it says this:

[EMAIL PROTECTED] radius]# radlast
 
radwtmp begins Sun Jan 16 17:00:27 2005


This even though hundreds of people have logged in (via dialup).

radlast also shows nothing.

I'm running the server using the "stock" rc.d/init.d/radiusd script.

[EMAIL PROTECTED] 204.96.181.110]# ps -ef |egrep radius
root  7659 1  0 16:58 ?00:00:01 /usr/sbin/radiusd -y

I'm running Redhat ES 3. Tailing the /var/log/radius/radius.log file
looks like this (last few lines):

Sun Jan 16 18:07:14 2005 : Auth: Login OK: [cjelder] (from client
dunlap-dialup port 13)
Sun Jan 16 18:08:01 2005 : Auth: Login OK: [guns4me] (from client
logan-dialup port 3)
Sun Jan 16 18:08:06 2005 : Auth: Login OK: [rbigred] (from client
dunlap-dialup port 14)
Sun Jan 16 18:08:16 2005 : Auth: Login OK: [nelsenb] (from client
logan-dialup port 45)
Sun Jan 16 18:08:48 2005 : Auth: Login OK: [navrude] (from client
woodbine-dialup port 27)


So it is authenticating people and logging those authentications
just fine. It's also writing the detail files in /var/log/radius/radacct/

The radutmp and radwtmp files ARE getting written in /var/log/radius/

I'd be most-grateful if someone could help figure out why this isn't
writing to the radutmp file properly (I assume?).

Thanks for any help anyone can offer,
Sam





Dynamic IP addres on EAP/TLS session

2005-01-16 Thread Jacques VUVANT
Hi

How can I allow dynamic IP addresses for an EAP/TLS
session? A DHCP server on the same machine as FreeRADIUS seems not to
work.

Thanks for any answer.

Jacques VUVANT


Re: radius-1.0.1 die randomly

2005-01-16 Thread Stephan Jaeger
On Friday, 14.01.2005, 09:57 -0500, Alan DeKok wrote:

>   I have some fixes to "threads.c", which will enable the server to
> better deal with edge conditions, where it's starved of CPU time.
> They should go into 1.0.2 and following versions.

But they're not yet in cvs, right?
I'd really like to give them a try.

Regards

Stephan




Re: SQL db failover

2005-01-16 Thread Rohaizam Abu Bakar
Just wanna share... I've also configured the setting below (using group) for
MySQL failover, and it's working as well!

But before that I tried to use the simplified one using "redundant", as
below:

redundant {
   sql1
   sql2
}
But it seems that every time an accounting record is sent, it is stored in both
of the MySQL servers, not just the first one that returns OK. Why?

Also before that, I tried to do as suggested in the doc and put "handled" after
sql2, which resulted in the accounting record being resent a few times from the
client (testing using NTRadPing). Can somebody help me with the "handled"
portion?

redundant {
   sql1
   sql2
   handled
}
always handled{
   rcode = handled
}
--haizam
- Original Message - 
From: "Michel van Dop" <[EMAIL PROTECTED]>
To: 
Sent: Sunday, January 16, 2005 08:04
Subject: Re: SQL db failover


It works!! Yes
Thanks Alan!!
I replaced every reference to "sql" with this:
   group {
   sql1 {
 fail  = 1
 notfound = return
 noop  = 2
 ok  = return
 updated = 3
 reject = return
 userlock = 4
 invalid = 5
 handled = 6
   }
   sql2 {
 fail  = 1
 notfound = return
 noop  = 2
 ok  = return
 updated = 3
 reject = return
 userlock = 4
 invalid = 5
 handled = 6
   }
 }

- Original Message - 
From: "Michel van Dop" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, January 15, 2005 8:11 PM
Subject: Re: SQL db failover


Okay good, I replace any reference to the "sql" module and fix it.
But how do I replace this? In "group" or "sql1,sql2" or ?
What's the name of sql1 and sql2?
Thank you,
Michel
- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, January 15, 2005 5:58 PM
Subject: Re: SQL db failover


"Michel van Dop" <[EMAIL PROTECTED]> wrote:
> Okay I understand that (I hope so):
> Now I do this in radiusd.conf:

  Yup, that should work.

> I get this error: cat /var/log/radius/radius.log
> Sat Jan 15 13:35:19 2005 : Error: ERROR: Cannot find a configuration entry
> for module "sql".

  Some part of radiusd.conf has a reference to an "sql" module.  Find
that, fix it, and it should work.

  Alan DeKok.

