Re: Radius, Radsec, Diameter [was: Silly question - secure Radius?]
hi alan

sorry for the delay. you might be right. yet i think that we might ignore some opportunities which would be possible/supported by diameter.

> Like... what?

well, from my perspective the main arguments would be:

- reliability (especially for accounting)

  in every related implementation we always had to tweak around the timeouts etc. just because you can't be sure that the accounting-stop arrives correctly when the user is disconnected. especially in an environment with a lot of connects and disconnects, this results in stalled sessions which have to be explicitly treated and where the relation to the real network usage is principally lost. this is boring. udp is generally not very handy when you want more control over the NAS, even if i understand the initial motivation to base radius on it. however, today you run into all those problems with NAT, session initiation in firewalled environments, reliability, security and so on.

- server-initiated messaging

  the strict client-server design of radius (imho amplified by the use of the conn-less UDP) does not allow for server-initiated commands such as disconnect or force re-authorization on profile changes (very important with PBM)

- NAS management

  radius-typical fqdn/shared secret based security simply does not scale. it is too complicated to manage NAS in this manner and often results in network-wide radius passwords.

- security with proxying

  in Radius proxies can modify packets. this is often not a good thing to do. diameter has a far better and more extensive support for TLS, especially for roaming scenarios. security might not be an issue in the way radius is typically used, but its security definitions are completely obsolete (strange md5-based hashing is not exactly the state of the art, and right now ipsec support is as improbable with NAS as diameter-support itself :-)).

that's what bothers me personally, in this order. i think there are much more of those in the diameter RFC.

i really believe that current usage produces demand in the same manner as demand influences the usage.

> > using additional web-based touches to trigger server solicitations by the client is indeed quite ridiculous.
>
> I'm not sure what you're referring to here.

well, we have seen a lot of implementations (especially in the hotspot management area) where people use HTTP from server to NAS to trigger radius-requests to be sent towards the server (!). it's nonsense.

> It shouldn't be too hard to write a radsec implementation. Ideally, it could leverage the TLS code in rlm_eap.

that wouldn't be enough for roaming cases.

ciao
artur

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
accounting to db - duplicate entries, missing stop time?
Hi,

First of all, I'm not very familiar with freeradius, so bear with me. If more specific information is needed, please ask.

We have set up freeradius to do accounting to a postgresql database, and I was expecting to see one record per session, and mostly we do. But there are also a lot of records that:

1) Do not have a stop time
2) Don't even have an Acct-Session-Time
3) Are duplicates

I have attached a textfile containing a couple of examples.

I am guessing that in case nr. 1 an explicit Stop message has not been received, but when it comes to the two others, I have no clue. Is there anything that can be done to avoid the duplicates? Can I get freeradius to log every Alive message to the database, so that I at least know when the last Alive was received?

As I am trying to write an application to more easily extract useful information from the data in the database, I need to know when the session started and when it ended. Having duplicates and missing stop times makes this a bit difficult.

If someone could take the time to explain why the stuff I mention here occurs, or has tips on other ways to extract the time the session ends, I'd really appreciate it.

Regards,
Roger Kristiansen

manage=> SELECT radacctid, acctuniqueid, username, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctterminatecause FROM radacct WHERE username LIKE 'xxx000%';

 radacctid |   acctuniqueid   |     username      |  nasipaddress  | nasportid | nasporttype |         acctstarttime         |         acctstoptime          | acctsessiontime | acctterminatecause
-----------+------------------+-------------------+----------------+-----------+-------------+-------------------------------+-------------------------------+-----------------+--------------------
        49 | f5c3662a11cb9c96 | [EMAIL PROTECTED] | xxx.xxx.xxx.xx | 50027     | Ethernet    | 2005-07-13 16:37:56.991037+02 |                               |                 |
        86 | ba7c66fe30d2e933 | [EMAIL PROTECTED] | xxx.xxx.xxx.xx | 50027     | Ethernet    | 2005-07-13 16:52:57.142572+02 |                               |           27011 |
       432 | 328b5aa3cb9c9783 | [EMAIL PROTECTED] | xxx.xxx.xxx.xx | 50027     | Ethernet    | 2005-07-14 00:38:08.639255+02 | 2005-07-14 00:58:12.651435+02 |           47121 | Port-Error
       608 | f4cde8a7ab4087f4 | [EMAIL PROTECTED] | xxx.xxx.xxx.xx | 50027     | Ethernet    | 2005-07-14 09:16:23.006713+02 |                               |               1 |
       627 | f6166e0e52ee5625 | [EMAIL PROTECTED] | xxx.xxx.xxx.xx | 50027     | Ethernet    | 2005-07-14 09:31:23.935167+02 |                               |                 |

manage=> SELECT radacctid, acctuniqueid, username, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctterminatecause FROM radacct WHERE username LIKE 'yyy022%';

 radacctid |   acctuniqueid   |     username      |  nasipaddress  | nasportid | nasporttype |         acctstarttime         |         acctstoptime          | acctsessiontime | acctterminatecause
-----------+------------------+-------------------+----------------+-----------+-------------+-------------------------------+-------------------------------+-----------------+--------------------
       248 | 4b137cbd9d0edc37 | [EMAIL PROTECTED] | yyy.yyy.yyy.yy | 50002     | Ethernet    | 2005-07-13 20:35:45.720945+02 | 2005-07-13 20:47:16.888227+02 |             691 | Port-Error
       247 | 4b137cbd9d0edc37 | [EMAIL PROTECTED] | yyy.yyy.yyy.yy | 50002     | Ethernet    | 2005-07-13 20:35:45.7404+02   | 2005-07-13 20:47:16.888227+02 |             691 | Port-Error
RE: FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
Thanks Dusty. I just implemented your suggestions and it's working very well. Once again I am pleasantly surprised by the flexibility of FreeRADIUS. Great job!

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dusty Doris
Sent: Wednesday, July 13, 2005 4:53 PM
To: FreeRadius users mailing list
Subject: RE: FreeRADIUS v1.0.4, rlm_ldap module, and redundancy

> You're using the LDAP-Group attribute, which is set to use svr1, which is down. There's currently no fail-over for the LDAP-Group attribute.
>
> I dig, that's kind of what I thought (even if I didn't word it correctly). Thanks for your help!

You can simulate redundancy for the Ldap-Group attribute, by doing this.

Instantiate your ldap modules in radiusd.conf.

instantiate {
    srv1
    srv2
    srv3
}

In users file, add multiple lines of the same ldap-group lookup, for each srv. For example, say you must have ldap-group of dial if coming from a dial huntgroup.

DEFAULT Huntgroup-Name == dial, srv1-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv2-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv3-Ldap-Group == dial

What will happen is if the huntgroup matches, then the server will lookup on the srv1 instance if ldap-group = dial. If so, it matches and the users file ends. If not, it continues down the file, where it will then try srv2. If that fails, it continues to srv3.

So, if one and two are down, then this will require 3 different lookups to finally get to srv3, but it will provide you with some type of redundancy.
RE: Active Directory and FreeRadius
Well I can use pam_krb5, but what I am trying to accomplish here is that I have quite a few Linux workstations on my network and I thought if I can set up those Linux workstations to point to the radius server where they login using their Active Directory credentials. So I am not sure if this can be done or not? But I would like to hear if anybody has done something similar to what I am doing.

Thanks,

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 13, 2005 2:58 PM
To: FreeRadius users mailing list
Subject: Re: Active Directory and FreeRadius

Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> I was able to auth against AD by setting up KRB5 on RHEL. Now I would like to setup freeradius where I will have a bunch of UNIX workstations that will point to the freeradius server using pam_radius_auth module and will auth against the radius server using their AD credentials.

  Why not just use pam_krb5?

  Alan DeKok.
Re: FreeRadius and PIX 520 accounting
You're right, sorry. Here's what I get in my radius.log:

Error: WARNING: Malformed RADIUS packet from host 172.17.: Vendor specific attributes do not exactly fill Vendor-Specific

That's the only error I get.

Alan DeKok [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
13/07/2005 10:34 p.m.
Please reply to FreeRadius users mailing list

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
cc:
Subject: Re: FreeRadius and PIX 520 accounting

[EMAIL PROTECTED] wrote:
> Last I checked, there was some kind of incompatibility between the packets the firewall is sending and what FreeRadius is expecting to receive.

  "some kind"? Can you say what, exactly? If you can't say what the incompatibility is, there's no way of knowing if the problem is fixed, or even can be fixed.

  Alan DeKok.
Re: FreeRadius and PIX 520 accounting
On Thu, 14 Jul 2005 [EMAIL PROTECTED] wrote:

> You're right, sorry. Here's what I get in my radius.log:
>
> Error: WARNING: Malformed RADIUS packet from host 172.17.: Vendor specific attributes do not exactly fill Vendor-Specific
>
> That's the only error I get.

Please run radius under debug mode (radiusd -X) and copy/paste the output from when the packet comes in (so we can see all the attributes that are sent) to where the error message occurs.
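Added example, not from anyone in this thread: a small Python decoder that applies the RFC 2865 Vendor-Specific length rule that the radius.log warning above is about. A VSA (type 26) carries a 4-byte Vendor-Id followed by vendor-type/vendor-length/data triples, and those triples have to end exactly on the attribute boundary; the constructed samples below show a well-formed Cisco-AVPair and two off-by-one variants that a server would reject as malformed. The attribute bytes are constructed here, not captured from the poster's PIX, and the checking code is a reimplementation of the RFC rule, not FreeRADIUS's own.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number behind the Cisco-AVPair lines in the log
CISCO_AVPAIR = 1       # vendor-type of Cisco-AVPair inside a Cisco VSA


class MalformedPacket(ValueError):
    """Raised where a server would log 'Malformed RADIUS packet'."""


def parse_attributes(data: bytes):
    """Split a RADIUS attribute area into (type, value) pairs (Type, Length, Value)."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise MalformedPacket("attribute header runs past end of packet")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise MalformedPacket(f"attribute {atype} has impossible length {alen}")
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return attrs


def parse_vsa(value: bytes):
    """Parse a Vendor-Specific value: 4-byte Vendor-Id, then vendor TLV triples.
    The triples must consume the value exactly; a short tail or an over-long
    vendor-length is the 'do not exactly fill Vendor-Specific' condition."""
    if len(value) < 4:
        raise MalformedPacket("Vendor-Specific shorter than its Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    sub, off, out = value[4:], 0, []
    while off < len(sub):
        if len(sub) - off < 2 or sub[off + 1] < 2 or off + sub[off + 1] > len(sub):
            raise MalformedPacket("Vendor specific attributes do not exactly fill Vendor-Specific")
        vtype, vlen = sub[off], sub[off + 1]
        out.append((vtype, sub[off + 2:off + vlen]))
        off += vlen
    return vendor_id, out


def cisco_avpairs(data: bytes):
    """Every Cisco-AVPair string in the attribute area, or MalformedPacket."""
    pairs = []
    for atype, value in parse_attributes(data):
        if atype != VENDOR_SPECIFIC:
            continue
        vendor_id, subattrs = parse_vsa(value)
        if vendor_id == CISCO_VENDOR_ID:
            pairs += [v.decode("ascii", "replace") for t, v in subattrs if t == CISCO_AVPAIR]
    return pairs


def is_well_formed(data: bytes) -> bool:
    """True when the whole attribute area decodes without a length violation."""
    try:
        cisco_avpairs(data)
        return True
    except MalformedPacket:
        return False


# --- constructed sample attribute areas (not captured from the poster's PIX) ---
def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def _cisco_avpair(text: str) -> bytes:
    body = struct.pack("!I", CISCO_VENDOR_ID) + _attr(CISCO_AVPAIR, text.encode())
    return _attr(VENDOR_SPECIFIC, body)


ACCT_STOP = _attr(40, struct.pack("!I", 2))  # Acct-Status-Type = Stop

GOOD_ATTRS = (ACCT_STOP
              + _cisco_avpair("ip:source-ip=192.168.128.12")
              + _cisco_avpair("ip:destination-port=53"))

# vendor-length claims one byte more than the VSA actually holds
_text = b"ip:source-port=53"
_over = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(_text) + 3]) + _text
BAD_OVERLONG = ACCT_STOP + _attr(VENDOR_SPECIFIC, _over)

# one stray byte after the last vendor TLV, so the triples do not fill the VSA
_tail = struct.pack("!I", CISCO_VENDOR_ID) + _attr(CISCO_AVPAIR, _text) + b"\x00"
BAD_TRAILING = ACCT_STOP + _attr(VENDOR_SPECIFIC, _tail)

if __name__ == "__main__":
    print(cisco_avpairs(GOOD_ATTRS))
    for sample in (BAD_OVERLONG, BAD_TRAILING):
        print("well-formed" if is_well_formed(sample) else "malformed")
```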
mysql Accounting not working
Hello,

I use Debian Linux Sarge, kernel 2.6.8-2(368), freeradius 1.0.2, and I'm trying to configure freeradius + mysql Accounting.

I created the database from the script db_mysql.sql, and created a user to access the database with full privileges. I tested access to the database from another host and it's fine. I can get authentication from localhost and another host. BUT freeradius is not inserting accounting information in the database.

I used freeradius -X to get some debug information and I can't see it doing INSERT. But I know that freeradius connects to the database when I start the daemon, I could see that in mysql.log. I looked into mysql.log and freeradius is not doing INSERT.

Database name, database username, password and host are set in sql.conf. And the accounting tag from radiusd.conf is:

---
accounting {
    sql
}

Can someone tell me if I forgot some configuration? I just wanna do Mysql Accounting...

Thanks in advance

-
Tell me your communities and I'll tell you who you are...
Leonardo Valente
MSN: [EMAIL PROTECTED]
Re: FreeRadius and PIX 520 accounting
OK, last time I tried accounting was 2 years ago so I kinda forgot how to do it or what I did to get that error.

Today I enabled accounting in my PIX for all udp traffic (that would be ipsec) and in /usr/local/var/log/radius/radacct/mypixIP/ I got a file named detail-20050714 which has, for example, these lines:

Thu Jul 14 10:38:25 2005
        Acct-Status-Type = Start
        NAS-Port = 0
        NAS-IP-Address = 172.17.0.50
        Login-IP-Host = 172.17.0.32
        Login-TCP-Port = 1433
        Acct-Session-Id = "0x01778531"
        User-Name = "sicslaag1"
        Cisco-AVPair = "ip:source-ip=192.168.128.3"
        Cisco-AVPair = "ip:source-port=1567"
        Cisco-AVPair = "ip:destination-ip=172.17.0.32"
        Cisco-AVPair = "ip:destination-port=1433"
        Client-IP-Address = 172.17.0.50
        Acct-Unique-Session-Id = "2a8ae9a2feb3e9e9"
        Timestamp = 1121348305

Thu Jul 14 10:38:26 2005
        Acct-Status-Type = Stop
        NAS-Port = 0
        NAS-IP-Address = 172.17.0.50
        Login-IP-Host = 172.17.0.32
        Login-TCP-Port = 1433
        Acct-Session-Id = "0x01778531"
        User-Name = "sicslaag1"
        Acct-Session-Time = 0
        Acct-Input-Octets = 710
        Acct-Output-Octets = 676
        Cisco-AVPair = "ip:source-ip=192.168.128.3"
        Cisco-AVPair = "ip:source-port=1567"
        Cisco-AVPair = "ip:destination-ip=172.17.0.32"
        Cisco-AVPair = "ip:destination-port=1433"
        Client-IP-Address = 172.17.0.50
        Acct-Unique-Session-Id = "2a8ae9a2feb3e9e9"
        Timestamp = 1121348306

Running radiusd -X would give me this (for another username):

rad_recv: Accounting-Request packet from host 172.17.0.50:1646, id=17, length=217
        Acct-Status-Type = Stop
        NAS-Port = 0
        NAS-IP-Address = 172.17.0.50
        Login-IP-Host = 172.17.0.17
        Login-TCP-Port = 53
        Acct-Session-Id = "0x01788b59"
        User-Name = "sicrgaag"
        Acct-Session-Time = 0
        Acct-Input-Octets = 0
        Acct-Output-Octets = 138
        Cisco-AVPair = "ip:source-ip=192.168.128.12"
        Cisco-AVPair = "ip:source-port=53"
        Cisco-AVPair = "ip:destination-ip=172.17.0.17"
        Cisco-AVPair = "ip:destination-port=53"
modcall: entering group preacct for request 1
  modcall[preacct]: module "preprocess" returns noop for request 1
    rlm_realm: No '@' in User-Name = "sicrgaag", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 1
  modcall[preacct]: module "files" returns noop for request 1
modcall: group preacct returns noop for request 1
modcall: entering group accounting for request 1
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, uniqueID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 172.17.0.50,NAS-IP-Address = 172.17.0.50,Acct-Session-Id = "0x01788b59",User-Name = "sicrgaag"'
rlm_acct_unique: Acct-Unique-Session-ID = "b9222392a2ba67aa".
  modcall[accounting]: module "acct_unique" returns ok for request 1
radius_xlat:  '/usr/local/var/log/radius/radacct/172.17.0.50/detail-20050714'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.17.0.50/detail-20050714
  modcall[accounting]: module "detail" returns ok for request 1
rlm_counter: Packet Unique ID = 'b9222392a2ba67aa'
rlm_counter: Could not find Service-Type attribute in the request. Returning NOOP.
  modcall[accounting]: module "counter" returns noop for request 1
modcall: group accounting returns ok for request 1
Sending Accounting-Response of id 17 to 172.17.0.50:1646
Finished request 1
Going to the next request

Sorry for the LONG mail, but I don't really know if this means it's working now or it still isn't, but that's what I get.

Thanks, and again sorry for the long mail.

Lior

[EMAIL PROTECTED] wrote:
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> From: Dusty Doris [EMAIL PROTECTED]
> Sent by: [EMAIL PROTECTED]
> Date: 07/14/2005 10:03AM
> Subject: Re: FreeRadius and PIX 520 accounting
>
> On Thu, 14 Jul 2005 [EMAIL PROTECTED] wrote:
> > You're right, sorry. Here's what I get in my radius.log:
> > "Error: WARNING: Malformed RADIUS packet from host 172.17.: Vendor specific attributes do not exactly fill Vendor-Specific"
> > That's the only error I get.
>
> Please run radius under debug mode (radiusd -X) and copy/paste the output from when the packet comes in (so we can see all the attributes that are sent) to where the error message occurs.
Password == bla%1 (shooting into my foot)
hello,

trying to get freeradius working (again) I figured out a strange behaviour:

Authentication with CHAP as my testaccount failed until I tried it with PAP first. After one (or more) successful authentications with PAP, CHAP works.

It took some time until I figured out that my password contained a % and the daemon tried some variable substitution. don't do this!

How do I escape special chars in the users file and what characters are special?

Stefan

--
Stefan Nehlsen | ParlaNet Administration | [EMAIL PROTECTED] | +49 431 988-1260
RE: Password == bla%1 (shooting into my foot)
Hi Stefan,

I also saw this. The escape character is \. Special characters I would think of are !, #, *, ?, ^, $, , % and (obviously) \. There may well be others.

Rgds,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stefan Nehlsen
Sent: 14 July 2005 15:45
To: freeradius-users@lists.freeradius.org
Subject: Password == bla%1 (shooting into my foot)

> hello,
>
> trying to get freeradius working (again) I figured out a strange behaviour:
>
> Authentication with CHAP as my testaccount failed until I tried it with PAP first. After one (or more) successful authentications with PAP, CHAP works.
>
> It took some time until I figured out that my password contained a % and the daemon tried some variable substitution. don't do this!
>
> How do I escape special chars in the users file and what characters are special?
>
> Stefan
>
> --
> Stefan Nehlsen | ParlaNet Administration | [EMAIL PROTECTED] | +49 431 988-1260
Dictionary Permission - How to solve it?
Hello,

I am calling radclient from a cgi perl script as follows:

--- code fragment --
$av_string = "User-Name = fredf, User-Password = wilma, NAS-IP-Address = 192.168.89.1, NAS-Port = 0";
my $response = `echo -E $av_string | radclient -d /etc/freeradius -r $radretries -t $radtimeout $radiusip $radiustype $radiuspw 2>&1`;
--- end code fragment --

and I am getting the following error:

radclient: dict_init: Couldn't open dictionary /etc/freeradius/dictionary: Permission denied

I gave rwxrwxrwx to /etc/freeradius/dictionary but it does not help.

Where can I look to solve this?

Using Freeradius 1.0.4 on Debian Sarge Testing

--Aimé
Re: accounting to db - duplicate entries, missing stop time?
Roger Kristiansen [EMAIL PROTECTED] wrote:
> We have set up freeradius to do accounting to a postgresql database, and I was expecting to see one record per session, and mostly we do. But there are also a lot of records that:
> ...

  Are screwed up. Can you say NAS implementations are often bad?

> I am guessing that in case nr. 1 an explicit Stop message has not been received, but when it comes to the two others, I have no clue.

  NAS implementations are bad. FreeRADIUS just logs what it's sent. You can post-process the data to clean it up, but I'm strongly opposed to always processing it before doing the logging. There's just too much of a chance to lose information.

> As I am trying to write an application to more easily extract useful information from the data in the database, I need to know when the session started and when it ended. Having duplicates and missing stop times makes this a bit difficult.

  Welcome to RADIUS accounting. I'd suggest looking at radiusreport, which deals with some of these issues. It may give you ideas as to how to deal with the problems in your application.

> Can I get freeradius to log every Alive message to the database, so that I at least know when the last Alive was received?

  See accounting_update_query, which is run for Alive (i.e. Interim-Update) packets.

> If someone could take the time to explain why the stuff I mention here occurs, or has tips on other ways to extract the time the session ends, I'd really appreciate it.

  If you don't get a stop record, the session ends:

  a) some time after the last Start or Alive packet was received
  b) some time before the next Start packet is received for that port.

  That's pretty much it.

  Alan DeKok.
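Added example, not part of Alan's reply or of any FreeRADIUS tool: a Python/sqlite3 script that applies the two bounds above to a radacct table, and that also lists rows sharing one acctuniqueid (Roger's duplicate case). The rows are constructed from the psql output in Roger's post (same radacctid/acctuniqueid/time values, usernames masked, NAS addresses made up); the table and column names follow the post. The "not before" bound is the Start time plus whatever acctsessiontime the last Alive left behind, which is exactly what accounting_update_query keeps fresh.

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed rows modelled on the psql output in the original post (fractional
# seconds and timezone dropped; NAS addresses are made up, usernames masked).
SAMPLE_ROWS = [
    # radacctid, acctuniqueid, username, nasipaddress, nasportid,
    # acctstarttime, acctstoptime, acctsessiontime, acctterminatecause
    (49,  "f5c3662a11cb9c96", "xxx000", "10.0.0.1", "50027", "2005-07-13 16:37:56", None, None, None),
    (86,  "ba7c66fe30d2e933", "xxx000", "10.0.0.1", "50027", "2005-07-13 16:52:57", None, 27011, None),
    (432, "328b5aa3cb9c9783", "xxx000", "10.0.0.1", "50027", "2005-07-14 00:38:08", "2005-07-14 00:58:12", 47121, "Port-Error"),
    (608, "f4cde8a7ab4087f4", "xxx000", "10.0.0.1", "50027", "2005-07-14 09:16:23", None, 1, None),
    (627, "f6166e0e52ee5625", "xxx000", "10.0.0.1", "50027", "2005-07-14 09:31:23", None, None, None),
    (248, "4b137cbd9d0edc37", "yyy022", "10.0.0.2", "50002", "2005-07-13 20:35:45", "2005-07-13 20:47:16", 691, "Port-Error"),
    (247, "4b137cbd9d0edc37", "yyy022", "10.0.0.2", "50002", "2005-07-13 20:35:45", "2005-07-13 20:47:16", 691, "Port-Error"),
]


def load_sample(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    """In-memory radacct with the columns the post's SELECT uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, acctuniqueid TEXT, username TEXT,
        nasipaddress TEXT, nasportid TEXT, acctstarttime TEXT, acctstoptime TEXT,
        acctsessiontime INTEGER, acctterminatecause TEXT)""")
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return conn


def duplicate_sessions(conn):
    """Groups of rows that share one Acct-Unique-Session-Id: the NAS sent the
    same Start/Stop twice (or a retransmit was logged twice)."""
    groups = {}
    for uid, rid in conn.execute(
            "SELECT acctuniqueid, radacctid FROM radacct ORDER BY acctuniqueid, radacctid"):
        groups.setdefault(uid, []).append(rid)
    return [(uid, ids) for uid, ids in groups.items() if len(ids) > 1]


def open_session_bounds(conn):
    """For rows with no Stop, bracket the session end as Alan describes:
    (a) not before the last thing heard, i.e. Start plus the Acct-Session-Time
        an Interim-Update may have refreshed, and
    (b) not after the next Start seen on the same NAS port (None if there is none yet)."""
    cur = conn.execute("""
        SELECT a.radacctid, a.acctstarttime, a.acctsessiontime,
               (SELECT MIN(b.acctstarttime) FROM radacct b
                 WHERE b.nasipaddress = a.nasipaddress
                   AND b.nasportid = a.nasportid
                   AND b.acctstarttime > a.acctstarttime) AS next_start
          FROM radacct a
         WHERE a.acctstoptime IS NULL
         ORDER BY a.radacctid""")
    out = []
    for rid, start, sess, next_start in cur:
        last_seen = datetime.strptime(start, FMT) + timedelta(seconds=sess or 0)
        out.append({"radacctid": rid,
                    "not_before": last_seen.strftime(FMT),
                    "not_after": next_start})
    return out


if __name__ == "__main__":
    db = load_sample()
    for uid, ids in duplicate_sessions(db):
        print(f"duplicate acctuniqueid {uid}: radacctid {ids}")
    for b in open_session_bounds(db):
        print(f"radacctid {b['radacctid']}: ended between {b['not_before']} and {b['not_after']}")
```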
Re: Active Directory and FreeRadius
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> Well I can use pam_krb5, but what I am trying to accomplish here is that I have quite a few Linux workstations on my network and I thought if I can set up those Linux workstations to point to the radius server where they login using their Active Directory credentials.

  You said that already. What you may not know is that AD implements Kerberos. You can use pam_krb5 on the Linux boxes to do *exactly* the same thing, but without using RADIUS at all.

  Alan DeKok.
Re: Password == bla%1 (shooting into my foot)
Stefan Nehlsen [EMAIL PROTECTED] wrote:
> It took some time until I figured out that my password contained a % and the daemon tried some variable substitution. don't do this!
>
> How do I escape special chars in the users file and what characters are special?

  Use '\'. And for variable substitution, the only real magic character is %. If you put quotes into a password, you'll have to escape it, too. But the rest of the characters that are usually magic shell characters should be OK.

  Alan DeKok.
Server Suggestion
We're going to be setting up a freeRADIUS server to service around 400 simultaneous connections. (500 AP's, 4000 users, about 400 online at once) Accounting info would be on another different server. (Not part of FreeRADIUS)

What's a good server for this? What's more important? Memory or CPU?

I was thinking a dell poweredge 750, 2.8Ghz, 1Gig of RAM, 73G drive.

Thoughts?
RE: Active Directory and FreeRadius
I'd recommend skipping PAM and using MIT's kerberized telnet. I don't believe PAM supports single sign-on, whereas you can have single sign-on with kerberized telnet.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, July 14, 2005 11:39 AM
To: FreeRadius users mailing list
Subject: Re: Active Directory and FreeRadius

Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> Well I can use pam_krb5, but what I am trying to accomplish here is that I have quite a few Linux workstations on my network and I thought if I can set up those Linux workstations to point to the radius server where they login using their Active Directory credentials.

  You said that already. What you may not know is that AD implements Kerberos. You can use pam_krb5 on the Linux boxes to do *exactly* the same thing, but without using RADIUS at all.

  Alan DeKok.
Re: mysql Accounting not working
In sql.conf add

sqltrace = yes

start up with radiusd -X and see what happens.

Did you test the mysql connection from the SAME host as freeradius?

On 7/14/05, Leonardo Valente [EMAIL PROTECTED] wrote:
> Hello,
>
> I use Debian Linux Sarge, kernel 2.6.8-2(368), freeradius 1.0.2, and I'm trying to configure freeradius + mysql Accounting.
>
> I created the database from the script db_mysql.sql, and created a user to access the database with full privileges. I tested access to the database from another host and it's fine. I can get authentication from localhost and another host. BUT freeradius is not inserting accounting information in the database.
>
> I used freeradius -X to get some debug information and I can't see it doing INSERT. But I know that freeradius connects to the database when I start the daemon, I could see that in mysql.log. I looked into mysql.log and freeradius is not doing INSERT.
>
> Database name, database username, password and host are set in sql.conf. And the accounting tag from radiusd.conf is:
>
> ---
> accounting {
>     sql
> }
>
> Can someone tell me if I forgot some configuration? I just wanna do Mysql Accounting...
>
> Thanks in advance
>
> -
> Tell me your communities and I'll tell you who you are...
> Leonardo Valente
> MSN: [EMAIL PROTECTED]
Re: Active Directory and FreeRadius
Radius is not really appropriate. Personally I'd take a look at

http://www.wlug.org.nz/ActiveDirectorySamba

and

http://mirrors.techiesabode.com/linuxgazette/101/levkovich.html

> Well I can use pam_krb5, but what I am trying to accomplish here is that I have quite a few Linux workstations on my network and I thought if I can set up those Linux workstations to point to the radius server where they login using their Active Directory credentials. So I am not sure if this can be done or not? But I would like to hear if anybody has done something similar to what I am doing.
>
> Thanks,
Re: Server Suggestion
King, Michael [EMAIL PROTECTED] wrote:
> We're going to be setting up a freeRADIUS server to service around 400 simultaneous connections. (500 AP's, 4000 users, about 400 online at once) Accounting info would be on another different server. (Not part of FreeRADIUS)

  That's a pretty small system.

> What's a good server for this? What's more important? Memory or CPU?

  Cost. If the AP's are wireless, then CPU is more important, as EAP uses SSL, which has a large CPU impact.

> I was thinking a dell poweredge 750, 2.8Ghz, 1Gig of RAM, 73G drive.

  64M of RAM and a 4G drive would be more than sufficient.

  Alan DeKok.
Re: Radius, Radsec, Diameter [was: Silly question - secure Radius?]
Artur Hecker [EMAIL PROTECTED] wrote:
> well, from my perspective the main arguments would be:
> ...

  Those are all nice arguments for diameter, and good reasons why the protocol was designed. But I keep coming back to: Where are the client implementations? There are few to none client implementations.

> - reliability (especially for accounting)

  radsec from the NAS to the RADIUS server would solve this.

> udp is generally not very handy when you want more control over the NAS, even if i understand the initial motivation to base radius on it. however, today you run into all those problems with NAT, session initiation in firewalled environments, reliability, security and so on.

  radsec solves this, too.

> - server-initiated messaging
>
> the strict client-server design of radius (imho amplified by the use of the conn-less UDP) does not allow for server-initiated commands such as disconnect or force re-authorization on profile changes (very important with PBM)

  Huh? See the disconnect request packets. Radclient even supports this!

> - NAS management
>
> radius-typical fqdn/shared secret based security simply does not scale. it is too complicated to manage NAS in this manner and often results in network-wide radius passwords.

  radsec with per-NAS certificates solves this.

> - security with proxying
>
> in Radius proxies can modify packets. this is often not a good thing to do. diameter has a far better and more extensive support for TLS, especially for roaming scenarios. security might not be an issue in the way radius is typically used, but its security definitions are completely obsolete (strange md5-based hashing is not exactly the state of the art, and right now ipsec support is as improbable with NAS as diameter-support itself :-)).

  radsec doesn't support this, but there was a radius + kerberos draft which did. Recent opinions in the radius working group indicate that dropping this might have been a mistake.

> well, we have seen a lot of implementations (especially in the hotspot management area) where people use HTTP from server to NAS to trigger radius-requests to be sent towards the server (!). it's nonsense.

  Yup.

  Alan DeKok.
Re: ntlm_auth w/ plain test passwords to Windows 2003 domain
Ken George [EMAIL PROTECTED] wrote:
> Still unable to get this to work via freeradius, but works with ntlm_auth from the command line.
>
> [EMAIL PROTECTED] raddb]# ntlm_auth --username=test ops --password=m1sg0ps --domain=usmisgnet --request-NT-key
...
> Exec-Program: /usr/bin/ntlm_auth --username=test ops --password=xx --domain=usmisgnet
> Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)

  Is the password the same as before?

  Alan DeKok.
Re: FreeRadius and PIX 520 accounting
[EMAIL PROTECTED] wrote:
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: base64
>
> PEZPTlQgZmFjZT0iRGVmYXVsdCBTYW5zIFNlcmlmLCBWZXJkYW5hLCBBcmlhbCwgSGVsdmV0aWNh

  Base64-encoding text is wrong. Sending HTML to the list is wrong. Please fix your mailer to send text, not broken nonsense.

  Alan DeKok.
Re: Radius, Radsec, Diameter [was: Silly question - secure Radius?]
On Thu, 14 Jul 2005, Alan DeKok wrote:

> Artur Hecker [EMAIL PROTECTED] wrote:
> > - server-initiated messaging
> >
> > the strict client-server design of radius (imho amplified by the use of the conn-less UDP) does not allow for server-initiated commands such as disconnect or force re-authorization on profile changes (very important with PBM)
>
> Huh? See the disconnect request packets. Radclient even supports this!

I think the point the original poster was making was that Diameter allows arbitrary conversations between NASes and servers that are initiated by either party, via applications, in an extensible manner. Sure, the original RADIUS spec has been hacked around retrospectively to provide some server-initiated functionality, but it's never been very elegant.

josh.

Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: mysql Accounting not working
In my sql.conf:

-
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql
-

The freeradius user has privileges to write in ${logdir}, but this file is not even created when I do freeradius -X or freeradius -x.

Yes, I tested the mysql connection from the SAME host as freeradius. Like I said, I can see in mysql.log that freeradius connected 5 times when I start up the daemon, but I can't see INSERT TO...

Could it be that the debian freeradius package is not compiled with mysql accounting support? I don't have ideas anymore... I think I'll try compiling from source code... and test...

Thanks

--- Mario Alberto Cruz Gartner [EMAIL PROTECTED] wrote:

> In sql.conf add
>
> sqltrace = yes
>
> start up with radiusd -X and see what happens.
>
> Did you test the mysql connection from the SAME host as freeradius?
>
> On 7/14/05, Leonardo Valente [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > I use Debian Linux Sarge, kernel 2.6.8-2(368), freeradius 1.0.2, and I'm trying to configure freeradius + mysql Accounting.
> >
> > I created the database from the script db_mysql.sql, and created a user to access the database with full privileges. I tested access to the database from another host and it's fine. I can get authentication from localhost and another host. BUT freeradius is not inserting accounting information in the database.
> >
> > I used freeradius -X to get some debug information and I can't see it doing INSERT. But I know that freeradius connects to the database when I start the daemon, I could see that in mysql.log. I looked into mysql.log and freeradius is not doing INSERT.
> >
> > Database name, database username, password and host are set in sql.conf. And the accounting tag from radiusd.conf is:
> >
> > ---
> > accounting {
> >     sql
> > }
> >
> > Can someone tell me if I forgot some configuration? I just wanna do Mysql Accounting...
> >
> > Thanks in advance
> >
> > -
> > Tell me your communities and I'll tell you who you are...
> > Leonardo Valente
> > MSN: [EMAIL PROTECTED]

-
Tell me your communities and I'll tell you who you are...
Leonardo Valente
MSN: [EMAIL PROTECTED]
Re: Radius, Radsec, Diameter [was: Silly question - secure Radius?]
Josh Howlett [EMAIL PROTECTED] wrote:
> I think the point the original poster was making was that Diameter allows arbitrary conversations between NASes and servers that are initiated by either party, via applications, in an extensible manner.

Yup. Which clients support diameter? I can't think of any.

Until Cisco starts shipping diameter clients in their boxes, all of this discussion is wishful thinking.

Alan DeKok.
Re: Radius, Radsec, Diameter [was: Silly question - secure Radius?]
hi

just a small preamble: i perfectly understand your position and i do not expect you to start a diameter implementation tomorrow :-) for me it's merely a strategic discussion.

Alan DeKok wrote:
> Artur Hecker [EMAIL PROTECTED] wrote:
>> well, from my perspective the main arguments would be: ...
>
> Those are all nice arguments for diameter, and good reasons why the protocol was designed. But I keep coming back to: Where are the client implementations? There are few to none client implementations.

perfect, apparently we've just closed the circle: i started this conversation by the statement "what are the manufacturers waiting for?" adding that we might be missing interesting opportunities (as a cause of manufacturers not integrating diameter). you asked which features i was talking about :-) and now you ask about devices. circle completed. according to this funny newsgroups discussion study, that's probably the point where we start talking about god (since we have reached the convergence).

>> - reliability (especially for accounting)
>
> radsec from the NAS to the RADIUS server would solve this.

only partly, i think, since the reliability of accounting depends on more than just the reliability of transmissions. there are things to specify in the implementations, especially when we start talking about multi-party accounting. you have to think about accountability, integrity and non-repudiation. the fact that accounting support is not obligatory in radius does not exactly help here.

>> udp is generally not very handy when you want more control over the NAS, even if i understand the initial motivation to base radius on it. however, today you run into all those problems with NAT, session initiation in firewalled environments, reliability, security and so on.
>
> radsec solves this, too.

that's probably true. but, citing you: where are the client implementations? do you know of any radsec-capable 802.11 access point? that would interest me personally. and what is radsec anyway? it is not on the RFC standards track, and why would i implement proprietary solutions when the sense is to enable multi-domain operation?

>> - server-initiated messaging
>> the strict client-server design of radius (imho amplified by the use of the conn-less UDP) does not allow for server-initiated commands such as disconnect or force re-authorization on profile changes (very important with PBM)
>
> Huh? See the disconnect request packets. Radclient even supports this!

hmmm?? well... PoD is probably the ugliest hack ever. imho, PoD is not a solution but a proof that things have been badly overlooked during the Radius design and especially re-design phases. and anyway it only partially answers my question. disconnect is just ONE possible application. what about a complete PBM solution?

>> - NAS management
>> radius-typical fqdn/shared secret based security simply does not scale. it is too complicated to manage NAS in this manner and often results in network-wide radius passwords.
>
> radsec with per-NAS certificates solves this.

true and same as above: not a standard, no NAS.

>> - security with proxying
>> in Radius proxies can modify packets. this is often not a good thing to do. diameter has a far better and more extensive support for TLS, especially for roaming scenarios. security might not be an issue in the way radius is typically used, but its security definitions are completely obsolete (strange md5-based hashing is not exactly the state of the art, and right now ipsec support is as improbable with NAS as diameter support itself :-)).
>
> radsec doesn't support this, but there was a radius + kerberos draft which did. Recent opinions in the radius working group indicate that dropping this might have been a mistake.

*provoke* why talk about drafts when we have a standards-track protocol which supports this? :-)

radius+kerberos: if it used radius as a trusted third party, then it does not surprise me that it has been abandoned...

ciao
artur
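The two RADIUS mechanisms argued over above, the "strange md5-based hashing" of RFC 2865 and the Packet of Disconnect of RFC 3576 that radclient can send, are small enough to write out. The block below is an added example for this archive, not code from the thread, from radclient or from FreeRADIUS. It implements the Request/Response Authenticator and User-Password hiding exactly as the RFCs specify them, builds a Disconnect-Request with the zero-authenticator rule the NAS checks, and then shows the property that makes the shared-secret scheme "obsolete": one captured Access-Request/response pair lets an eavesdropper test secret guesses offline at one MD5 each. The secret, user name, password and Acct-Session-Id are constructed values, and the packets never touch the network.

```python
# Added example: RADIUS authenticators per RFC 2865 sections 3 and 5.2 and
# RFC 3576 section 3. Not FreeRADIUS/radclient code; all packet contents are
# constructed for the demonstration.
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 section 3, RFC 3576 section 2)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41
# Attribute types (RFC 2865 section 5, RFC 2866 section 5)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 2, 4, 44


def encode_attrs(attrs):
    """Pack (type, value) pairs as Type/Length/Value; Length counts all three."""
    out = b""
    for typ, val in attrs:
        if not 0 < len(val) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([typ, len(val) + 2]) + val
    return out


def parse_packet(pkt):
    """Split a packet into (code, identifier, authenticator, attribute bytes)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], pkt[20:length]


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR block i with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    This is MD5 used as a stream cipher keyed by the shared secret, not a MAC."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password (XOR is symmetric); strips the NUL padding."""
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return out.rstrip(b"\x00")


def build_access_request(ident, request_auth, username, password, secret):
    """Access-Request: the 16-byte Request Authenticator must be fresh random data."""
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth))]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Accept/Reject/Challenge/Disconnect-ACK: Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def verify_response(response, request_auth, secret):
    """The requester's check: recompute the Response Authenticator and compare."""
    _, _, auth, body = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_disconnect_request(ident, attrs, secret):
    """Packet of Disconnect, RFC 3576 section 3: the server-initiated request carries
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret) as authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_request_authenticator(pkt, secret):
    """The NAS's check on a Disconnect/CoA request (same rule as Accounting-Request)."""
    _, _, auth, body = parse_packet(pkt)
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def guess_secret(request, response, candidates):
    """Offline dictionary attack on the shared secret: a captured request/response
    pair is a verification oracle costing one MD5 per guess (no rate limit)."""
    _, _, request_auth, _ = parse_packet(request)
    for cand in candidates:
        if verify_response(response, request_auth, cand):
            return cand
    return None


if __name__ == "__main__":
    secret = b"testing123"                      # constructed shared secret
    ra = os.urandom(16)
    req = build_access_request(7, ra, b"alice", b"hunter2", secret)
    acc = build_response(ACCESS_ACCEPT, 7, ra, [(USER_NAME, b"alice")], secret)
    print("client accepts reply:", verify_response(acc, ra, secret))
    print("secret recovered from one captured pair:",
          guess_secret(req, acc, [b"password", b"radius", secret]))
    pod = build_disconnect_request(3, [(USER_NAME, b"alice"),
                                       (ACCT_SESSION_ID, b"0001")], secret)
    print("NAS accepts Disconnect-Request:", verify_request_authenticator(pod, secret))
```

Two things the code makes visible that the thread only alludes to: the NAS has no way to tell a genuine Disconnect-Request from one forged by anybody who knows the shared secret and can spoof the server's source address (this is why RFC 3576 leans on IPsec, and why per-NAS secrets matter), and every Access-Request/response pair that crosses an untrusted network is an offline cracking oracle for that secret. Message-Authenticator (HMAC-MD5, RFC 3579) only helps with integrity, not with the dictionary attack; RadSec or Diameter over TLS removes the shared secret from the wire altogether.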
Re: Radius, Radsec, Diameter [was: Silly question - secure Radius?]
apparently we do agree. thanks to Josh for his comment. just one thing:

Alan DeKok wrote:
> Josh Howlett [EMAIL PROTECTED] wrote:
>> I think the point the original poster was making was that Diameter allows arbitrary conversations between NASes and servers that are initiated by either party, via applications, in an extensible manner.
>
> Yup. Which clients support diameter? I can't think of any.
>
> Until Cisco starts shipping diameter clients in their boxes, all of this discussion is wishful thinking.

see? as i said: now you _started_ talking about God :-)

ciao
artur
MS AD, LDAP works - how to check for group membership?
I would like to check group membership before authenticating user login requests. I currently have radiusd.conf set up such that all users can log in. However, after spending several days reading man pages and searching these archives, I haven't found the key that unlocks my problem.

radiusd.conf

        # snip
        ldap {
                server = xx.xx.xx.xx                    # ad server address
                identity = cn=some_user,cn=users,dc=domain,dc=com   # bind account
                password = xxx                          # bind account password
                basedn = cn=users,dc=domain,dc=com      # base dn
                filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})   # uid
                start_tls = no                          # nope
                dictionary_mapping = ${raddbdir}/ldap.attrmap   # default
                ldap_connections_number = 5             # why not
                password_attribute = userPassword       # no need to explain
                # ok this is where things get real fuzzy - I've read rlm_ldap several times...
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

The users file remains untouched.

Specifically, what else do I need to do to check if a user is a member of XYZ_group and, if so, authenticate them? Any help would be greatly appreciated. TYIA.
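The group check the question is after is built into rlm_ldap in FreeRADIUS 1.x: the module registers an Ldap-Group check item that the users file can test, driven by three options (groupname_attribute, groupmembership_filter, groupmembership_attribute) that are commented out in the stock radiusd.conf. The fragment below is an added example for this archive, not the poster's configuration nor an answer from the thread; it keeps the placeholder server address, bind DN, base DN and the name XYZ_group from the question, and all of them need to be replaced with real values.

```conf
# Added example: rlm_ldap group membership against Active Directory,
# FreeRADIUS 1.x. Placeholders (xx.xx.xx.xx, cn=some_user,..., XYZ_group)
# are taken from the question above and are not real values.

# --- radiusd.conf, ldap section ---
ldap {
        server = xx.xx.xx.xx
        identity = cn=some_user,cn=users,dc=domain,dc=com
        password = xxx
        basedn = cn=users,dc=domain,dc=com
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5

        # AD stores a user's direct groups as DNs in the user entry's memberOf
        # attribute. rlm_ldap reads groupmembership_attribute from the user
        # entry; a value that is a DN is looked up and its groupname_attribute
        # (cn) compared with the name given to Ldap-Group in the users file.
        # The filter form is used when the attribute is absent.
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = memberOf

        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# --- radiusd.conf, authorize section: ldap before files so that
# Ldap-UserDn is already set when the Ldap-Group check runs ---
authorize {
        preprocess
        ldap
        files
}

# --- users ---
# Entries are tried in order and the first match stops processing unless it
# sets Fall-Through, so members of XYZ_group never reach the reject entry.
DEFAULT Ldap-Group == "XYZ_group"

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of XYZ_group"
```

Ldap-Group also accepts the full group DN ("cn=XYZ_group,cn=users,dc=domain,dc=com") if two groups share a cn. One caveat on the rest of the posted configuration: Active Directory never returns password hashes, so password_attribute = userPassword yields nothing against it; the actual password check has to be a bind as the user (rlm_ldap in the authenticate section, which needs the clear-text password, i.e. PAP) or go through ntlm_auth for CHAP/MS-CHAP. Running radiusd -X shows the memberOf values and the comparison result on each request, which is the quickest way to confirm the group name matches.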
Re: Access-Challenge
Hi Alan,

Thanks for the reply. Thanks to all members of this group for the great support to other members.

What are the different authentication methods requiring Access-Challenge supported by freeRadius? Can anyone give at least one real-time example where Access-Challenge is seen?

Alan DeKok wrote:
> Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
>> When will the Radius Server challenge with an Access-Challenge packet during authentication? Does it depend on any configuration?
>
> It depends on the authentication method used. Some require Access-Challenge, so FreeRADIUS implements it. Some don't require Access-Challenge, so FreeRADIUS doesn't implement it.
>
> Alan DeKok.

--
Thanks & Regards
Srinivasa Rao Chigurupati