mysql troubles
Versions: FreeRADIUS Version 1.0.4, for host , built on Aug 19 2005 at 12:44:42 mysql Ver 14.7 Distrib 4.1.12, for pc-linux-gnu (i686) using readline 4.3 mysql server version: 4.1.12-max Trouble: Per FAQ, started with the simple plain users file auth, which works. Moved to mysql which does not. radiusd -X shows the mysql connection being made and all appears well on startup as noted. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "before" main: nospace_pass = "before" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. 
read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: 
Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded SQL sql: driver = "rlm_sql_mysql" sql: server = "10.10.0.51" sql: port = "" sql: login = "login" sql: password = "passwd" sql: radius_db = "radius" sql: acct_table = "radacct" sql: acct_table2 = "radacct" sql: authcheck_table = "radcheck" sql: authreply_table = "radreply" sql: groupcheck_table = "radgroupcheck" sql: groupreply_table = "radgroupreply" sql: usergroup_table = "usergroup" sql: nas_table = "nas" sql: dict_table = "dictionary" sql: sqltrace = yes sql: sqltracefile = "/var/log/radius/sqltrace.sql" sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = "%{User-Name}" sql: default_user_profile = "" sql: query_on_not_found = no sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name
Howto make eap-peap accounting
Hello all, how do I make FreeRADIUS support EAP-PEAP accounting? Thank you. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Bug #256 should go into 1.0.5
"Thor Spruyt" <[EMAIL PROTECTED]> wrote: > http://bugs.freeradius.org/show_bug.cgi?id=256 > > It's a really big mistake and only a 1-line change! The program isn't in 1.0.5. I've added the patch to the CVS head. Alan DeKok.
Re: FR suddenly doesn't respond any more and eats all cpu
Benedikt Panzer <[EMAIL PROTECTED]> wrote: > Then I started to enable debugging mode again (-x) and noticed, that FR > doesn't crash any longer! It sounds like something in the server is failing to deal with threading issues properly. Alan DeKok.
Re: Release date for 1.1.0/CVS?
Alexander Serkin <[EMAIL PROTECTED]> wrote: > will there be a feature of configurable key for rlm_ippool database search? It's already in the CVS head, so yes. Alan DeKok.
Re: EAP OTP
Juan Daniel Moreno <[EMAIL PROTECTED]> wrote: > I am interested in EAP protocols with OTP (one time password). FreeRADIUS doesn't support EAP-OTP. As always, patches are welcome. Alan DeKok.
Bug #256 should go into 1.0.5
http://bugs.freeradius.org/show_bug.cgi?id=256 It's a really big mistake and only a 1-line change! -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: 802.1x and LDAP
FreeRadius users mailing list on August 19, 2005 at 10:54 -0800 wrote: > With each of these I still have the problem where the Access-Request > packet doesn't contain a User-Password attribute. I am guessing that > there is something very fundamental that I am not understanding.. > like "there isn't supposed to be a User-Password attribute coming > from the AP" but if that's the case then I really don't understand > how we authenticate against the LDAP directory without a password. Hi there, Do some research on configuring TTLS with FreeRadius -- there's a howto around somewhere. Once you get TTLS/PAP working (with the auth info in the users file), you can easily make LDAP work. An understanding of the tunnelling system used with most 802.1x auth protocols would be helpful for you -- the trouble is that the password is inside the tunnel, and your FreeRadius config isn't understanding your tunnel. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
Re: FR with MySQL. Proxying and repeated entries
"Paolo Rotela" <[EMAIL PROTECTED]> wrote: > With this one, Access-* packets go OK, but when the NAS (Cisco AS5300) sends > an Accounting-Request to that realm and I proxy it to the home server, it > sends me an Accounting-Response with an (I think) irregular attribute: > Message-Authenticator (Ext. Attr. 80), which I think is not permitted in the > RFC for accounting packets. The IETF RADIUS extensions working group has a document which proposes fixes to a number of issues like this. > 1) Am I reading the RFC right? I mean, is it right that Attribute 80 is NOT > permitted in Accounting-* packets? I don't think it's specifically permitted, but it shouldn't be a problem. > 2) Each time the NAS re-sends packets, FR handles it as if it were a new > packet, for a new call/connection. The RFCs say that's what the NAS is supposed to do. So for FreeRADIUS, it looks like a new connection. > 3) Is there any known bug or proprietary feature from Cisco which causes this > incompatibility thing? I've searched about it and didn't find anything. No. It's a bug in FreeRADIUS. I'll put a patch into 1.0.5 that should fix it. Alan DeKok.
Re: Issues authenticating vs 2003 AD
Tim P <[EMAIL PROTECTED]> wrote: > I understand you have said that repeatedly what I am asking is where > is that CHAP coming from? As I've also said repeatedly, the client sends the authentication request to the server, and the server does not, and can not control what authenticate type the client uses. > I am not sure if it is coming from pppd or l2tpd or my windows > client as I have radius properly configured correct? It probably comes from pppd or l2tpd. I recall that the configuration you posted earlier disabled chap, so I don't know why the client would still be using it. > The client is windows xp sp2 with a vpn tunnel going to the box, ipsec > works fine, l2tp receives the auth request and hands it to pppd which > then passes it to radius. On the windows side I have set it to only > use mschap-v2 (also tried it with only ms chap) so it would seem the > windows client is configured properly. If the RADIUS server is receiving a CHAP-Password in the request, then something else in the system is using CHAP. You *think* you've configured it to use MSCHAP, but that is obviously not happening. > So does my radius config look correct and another piece of the chain > is broken and for some reason passing auth as chap? Yes. > I'm sorry I'm not that knowledgeable when it comes to radius, this is > my first time using it, please be patient, I am just trying to figure > out how it works (and yes I have read the conf file but still am not > 100% sure of it). The problem isn't understanding how it works. The problem is believing things that are explained on the list. Alan DeKok.
FR with MySQL. Proxying and repeated entries
Hi. Sorry if this is a dumb thing, but I've searched a lot and didn't find any solution to this problem. I'm using freeradius (versions 0.9.3, 1.0.0 and 1.0.4) with MySQL 3.23 and 4.1.7 (different mappings between FR and My). I have some clients for which I'm proxying requests to some realms. All works OK but there is one client which is using Cisco Secure ACS, which is giving me some headaches. With this one, Access-* packets go OK, but when the NAS (Cisco AS5300) sends an Accounting-Request to that realm and I proxy it to the home server, it sends me an Accounting-Response with an (I think) irregular attribute: Message-Authenticator (Ext. Attr. 80), which I think is not permitted in the RFC for accounting packets. So, my FR discards it as supposed, thus leading my NAS to re-send the accounting request a lot of times until it gives up. This leads me to three main questions:

1) Am I reading the RFC right? I mean, is it right that Attribute 80 is NOT permitted in Accounting-* packets?

2) Each time the NAS re-sends packets, FR handles it as if it were a new packet, for a new call/connection. This way, I have each call for this specific realm n times, with n being the number of times I configure the NAS to re-send the packet. Every time the NAS re-sends an Accounting-Start, the SQL query in sql.conf says "INSERT blah blah blah", which leads to a new record being inserted into the database, and every time the NAS re-sends an Accounting-Stop, the SQL query says "UPDATE blah blah blah", so it leads to calls being recorded many times. The question is: is there any way to solve this through configuration, and I didn't find it because I'm dumb? Or do I have to "touch" the code for the radius to verify if the packet is a repeated one or not?

3) Is there any known bug or proprietary feature from Cisco which causes this incompatibility thing? I've searched about it and didn't find anything. I know that "3" is not at all about freeradius, but perhaps some of you came across this at any time.

Any help will be very much appreciated.
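The two mechanisms this thread turns on, as an added worked example (my own code, not FreeRADIUS's rlm_sql or proxy code): how an Accounting-Request's Request Authenticator and a Message-Authenticator (attribute 80) are computed and checked, and why a retransmitted Accounting-Request can be recognised instead of being run through the INSERT/UPDATE queries again. Alan's reply says the NAS is behaving per the RFCs by re-sending, and that the duplicate handling is a FreeRADIUS bug; the point the code makes is that a retransmission carries the same Identifier and the same Request Authenticator as the original, so the server can key a response cache on (client, code, id, authenticator). The shared secret, client address and attribute values below are constructed for the example; the Message-Authenticator rule is the RFC 2869 one (HMAC-MD5 over the packet with the attribute value zeroed and the Request Authenticator in the authenticator field), applied here to an Accounting-Response the way the ACS home server in the thread does it.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 1, 40, 44, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-octet Authenticator follows


def encode_attrs(attrs):
    """Serialise [(type, value_bytes)] as RADIUS TLVs (RFC 2865 section 5)."""
    out = bytearray()
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def parse_attrs(body):
    """Walk the TLV list -> [(type, value, offset_of_value)]; rejects malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = body[i], body[i + 1]
        attrs.append((atype, body[i + 2:i + alen], i + 2))
        i += alen
    return attrs


def acct_request_authenticator(identifier, body, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    head = HEADER.pack(ACCT_REQUEST, identifier, 20 + len(body))
    return hashlib.md5(head + bytes(16) + body + secret).digest()


def build_acct_request(identifier, attrs, secret):
    body = encode_attrs(attrs)
    auth = acct_request_authenticator(identifier, body, secret)
    return HEADER.pack(ACCT_REQUEST, identifier, 20 + len(body)) + auth + body


def verify_acct_request(packet, secret):
    """True iff the Request Authenticator matches, i.e. the sender knows the shared secret."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    return hmac.compare_digest(acct_request_authenticator(identifier, packet[20:], secret), packet[4:20])


def message_authenticator(packet, secret, request_authenticator):
    """RFC 2869 section 5.14: HMAC-MD5 (key = shared secret) over the packet with the
    Message-Authenticator value zeroed and the Request Authenticator in the Authenticator
    field, so a response is signed with the *request's* authenticator."""
    body = bytearray(packet[20:])
    for atype, value, off in parse_attrs(bytes(body)):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 octets")
            body[off:off + 16] = bytes(16)
            break
    else:
        raise ValueError("packet carries no Message-Authenticator")
    return hmac.new(secret, packet[:4] + request_authenticator + bytes(body), hashlib.md5).digest()


def build_acct_response(request, secret, attrs=(), with_message_authenticator=False):
    """Accounting-Response (RFC 2866 section 3), optionally carrying attribute 80 as the
    ACS server in the thread does; the HMAC is filled in first, then the Response
    Authenticator is computed over the finished packet."""
    attrs = list(attrs)
    if with_message_authenticator:
        attrs.append((MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, appended last
    body = bytearray(encode_attrs(attrs))
    head = HEADER.pack(ACCT_RESPONSE, request[1], 20 + len(body))
    req_auth = request[4:20]
    if with_message_authenticator:
        body[-16:] = message_authenticator(head + req_auth + bytes(body), secret, req_auth)
    resp_auth = hashlib.md5(head + req_auth + bytes(body) + secret).digest()
    return head + resp_auth + bytes(body)


def verify_acct_response(request, response, secret):
    """Check the Response Authenticator and, if attribute 80 is present, the HMAC too."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if HEADER.unpack(response[:4])[2] != len(response):
        return False
    body = response[20:]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    for atype, value, _ in parse_attrs(body):
        if atype == MESSAGE_AUTHENTICATOR:
            return hmac.compare_digest(message_authenticator(response, secret, request[4:20]), value)
    return True


class RetransmitCache:
    """A retransmission repeats the Identifier and Request Authenticator of the original
    (RFC 2866 section 2), so (client, code, id, authenticator) identifies it. Replaying the
    cached response instead of re-running the SQL keeps one Acct-Start from becoming n INSERTs."""
    def __init__(self):
        self._seen = {}

    def key(self, client, packet):
        return (client, packet[0], packet[1], bytes(packet[4:20]))

    def lookup(self, client, packet):
        return self._seen.get(self.key(client, packet))

    def remember(self, client, packet, response):
        self._seen[self.key(client, packet)] = response
```

Two practical notes. First, rejecting an Accounting-Response that carries attribute 80 only hurts the proxy: the Response Authenticator already binds the reply to the request and the secret, and the HMAC is extra, not a reason to discard. Second, the cache above is the proxy-side fix; the database-side one is to make the accounting queries idempotent on Acct-Session-Id plus NAS rather than unconditionally INSERT on every Start.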
Re: 802.1x and LDAP
Cian Phillips <[EMAIL PROTECTED]> wrote: > With each of these I still have the problem where the Access-Request > packet doesn't contain a User-Password attribute. I am guessing that > there is something very fundamental that I am not understanding.. > like "there isn't supposed to be a User-Password attribute coming > from the AP" but if that's the case then I really don't understand > how we authenticate against the LDAP directory without a password. You don't. LDAP is a database, not an authentication server. FreeRADIUS is an authentication server. It pulls the password from LDAP, and uses that to authenticate the user. > I have tried a bunch of different "how-to's" and haven't had any > success.. if someone could say they were certain that one of them > worked that in itself would be a great deal of help. If you're looking for details of how the authentication protocols work, the HOWTO's won't help you. They tell you how to get it to work, and they assume that you don't care about the internal design details of the system. If you DO really care about the design details of the authentication protocols, read the RFC's. They're in doc/rfc/*. Otherwise, configure the system as per the HOWTO's, and it *will* work. Alan DeKok.
Re: Issues authenticating vs 2003 AD
I understand you have said that repeatedly; what I am asking is where is that CHAP coming from? I am not sure if it is coming from pppd or l2tpd or my windows client as I have radius properly configured, correct? The client is windows xp sp2 with a vpn tunnel going to the box, ipsec works fine, l2tp receives the auth request and hands it to pppd which then passes it to radius. On the windows side I have set it to only use mschap-v2 (also tried it with only ms chap) so it would seem the windows client is configured properly. So does my radius config look correct and another piece of the chain is broken and for some reason passing auth as chap? I'm sorry I'm not that knowledgeable when it comes to radius, this is my first time using it, please be patient, I am just trying to figure out how it works (and yes I have read the conf file but still am not 100% sure of it). Thanks, Tim On 8/19/05, Alan DeKok <[EMAIL PROTECTED]> wrote: > Tim P <[EMAIL PROTECTED]> wrote: > > I have reconfigured radiusd.conf again to see if I can authenticate > > and am still having trouble > > > > Can you look at these configs and tell me where you see issues? > > The client is doing CHAP. You have configured the MSCHAP module to > use ntlm_auth. > > CHAP is not MSCHAP. CHAP will not work with AD. I've said this repeatedly. > > Alan DeKok.
Re: 802.1x and LDAP
Sorry, I should have mentioned the pages I have already tried to follow.

http://www.bughost.org/ipw/docs/freeRadius_configuration_HOWTO.TXT
http://www.kevan.net/cisco_freeradius_tls_peap_auth.php
http://mattzz.dyndns.org/twiki/bin/view/Projects/FreeRadiusAuthentication
http://www.missl.cs.umd.edu/wireless/eaptls/
http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-June/033143.html
http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_OpenLDAP
http://www.sas.upenn.edu/~omar/wireless/work_freeradius.html#freeradius
http://tldp.org/HOWTO/html_single/8021X-HOWTO/

With each of these I still have the problem where the Access-Request packet doesn't contain a User-Password attribute. I am guessing that there is something very fundamental that I am not understanding.. like "there isn't supposed to be a User-Password attribute coming from the AP" but if that's the case then I really don't understand how we authenticate against the LDAP directory without a password. I have tried a bunch of different "how-to's" and haven't had any success.. if someone could say they were certain that one of them worked that in itself would be a great deal of help. I guess I should also mention that I have searched the list for "rlm_ldap: Attribute "User-Password" is required for authentication." and some other permutations of that string but didn't find anything that seemed especially conclusive or applicable.. The problem is that I'm not sure I would know if I saw it. Again my apologies for trying to get up to speed in a couple of hours.. and many thanks for attempting to help me find a solution. Cian Phillips Director Network & Systems California College of the Arts Phone: (510) 594-3745 Cell: (510) 719-0091 Fax: (510) 594-3758 email: [EMAIL PROTECTED] On Aug 19, 2005, at 10:30 AM, Thor Spruyt wrote: > Cian Phillips wrote: > > Many of the settings are the default. The settings I have changed > > have been from several online tutorials none of which talked about > > both 802.1x and LDAP. > Seems to me you didn't search well enough... > http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto > -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
freeradius 1.0.4 and Cisco WLSE
Hello, I am having an issue getting Cisco's WLSE 2.11 to successfully authenticate with FreeRadius 1.0.4. I read where Alan DeKok stated that the "supplicant" is broken, and was wondering if this is something Cisco has to fix with the WLSE? or is there a way for me to fix the supplicant? Finally, I read where there were some freeradius patches that would remedy this problem. Can someone provide me with a copy of those patches ? The ones posted on this site have errors in them and the LEAP patch fails consistently at line 147 of rlm_eap/types/rlm_leap/rlm_eap_leap.c Any help would be greatly appreciated. Best Regards, Mike McNeil Sr. Network Engineer University of California Berkeley
Re: 802.1x and LDAP
Cian Phillips wrote: > Many of the settings are the default. The settings I have changed > have been from several online tutorials none of which talked about > both 802.1x and LDAP. Seems to me you didn't search well enough... http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: FR suddenly doesn't respond any more and eats all cpu
Nicolas Baradakis wrote: > Benedikt Panzer wrote: > >> Also I tested the switch -s and just the same, the error doesn't >> occur then. Back in normal mode (without -x or -s) FR crashes again, >> with one of both switches it doesn't. Strange to me. Is this normal >> for you experts? > > I have no idea what's causing the problem. You might try with the > option '-f' too, like in bug #100. > > http://bugs.freeradius.org/show_bug.cgi?id=100 I had the same issue with 1.0.1 I have 2 radius servers which each use 2 postgresql database backends. When I stopped one server for maintenance, the radiusd process on the other server suddenly went to constantly using 100% CPU. When starting radiusd while 1 database is already down, this doesn't happen. Looks to me that it's not LDAP or Postgresql related :) -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
802.1x and LDAP
Greetings. I am extremely green to both 802.1x and radius and am trying to set this system up quickly as students arrive on campus in a couple of weeks so please forgive me if I ask questions that have been answered or exist in the documentation. I need to authenticate windows and osx wireless users using Cisco AP's to the freeradius server using our OSX ldap directory as the backend. I can use radtest from another host and authenticate an LDAP user via the freeradius server and get an Access-Accept packet from the server. When I attempt to connect via a windows or osx client to the AP I get error messages about User-Password being required and the Access-Request packet does not have the User-Password attribute. Many of the settings are the default. The settings I have changed have been from several online tutorials none of which talked about both 802.1x and LDAP. I'm embarrassed not to have read all the documentation but I'm really in a time pinch here. Again I beg your indulgence. Cian Phillips Director Network & Systems California College of the Arts Phone: (510) 594-3745 Cell: (510) 719-0091 Fax: (510) 594-3758 email: [EMAIL PROTECTED] OUTPUT of freeradius -X radius:/etc# freeradius -X Starting - reading configuration files ... 
reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "ldap-sf.cca.edu" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "cn=users,dc=cca,dc=edu" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "uidNumber" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member= %{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=% {Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap
Re: freeradius 1.0.4 and Cisco WLSE
[EMAIL PROTECTED] wrote: > I am stuck using WLSE. Are there plans on an "official" fix in Freeradius, > to work with whatever is broken in WLSE? As I said: > > it's changing the EAP ID in a broken way, which means that the AP > > doesn't add the State attribute from the previous challenge. Fixing FreeRADIUS won't help. The AP just isn't sending the information FreeRADIUS needs. And the ONLY way to make the AP send the correct information is to fix the supplicant. Alan DeKok.
Re: freeradius 1.0.4 and Cisco WLSE
On Thu, Aug 11, 2005 at 07:02:19PM -0400, Alan DeKok wrote: > [EMAIL PROTECTED] wrote: > > I am trying to speak between my Freeradius server and a Cisco WLSE. > > I am seeing EAP timeouts while WLSE is trying to authenticate > > through Freeradius. > > Short summary: the supplicant is broken. > > > Sending Access-Challenge of id 3 to 192.168.254.10:32815 > > EAP-Message = > > 0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374 > > Message-Authenticator = 0x > > State = 0x8c90735921dd51b22bc8ef97379845b8 > ... > > rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, > > length=125 > > User-Name = "wlseacct" > > NAS-IP-Address = 192.168.254.10 > > Called-Station-Id = "ABBAABBAABBA" > > Calling-Station-Id = "ABBAABBAABBA" > > NAS-Identifier = "Cisco Secure II" > > NAS-Port = 29 > > Framed-MTU = 1400 > > NAS-Port-Type = Wireless-802.11 > > EAP-Message = 0x020300060311 > > Message-Authenticator = 0x070f8a208866000f797e64be5bd48f48 > > The client is sending a NACK, and asking for another EAP type. But > it's changing the EAP ID in a broken way, which means that the AP > doesn't add the State attribute from the previous challenge. > > In the last packet, FreeRADIUS is seeing the middle of a > conversation, without any way to know what the conversation was about. > > The supplicant is broken. Use another one. I am stuck using WLSE. Are there plans on an "official" fix in Freeradius, to work with whatever is broken in WLSE? Cisco APs are only good if you have decent management. --johnk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Issues authenticating vs 2003 AD
Tim P <[EMAIL PROTECTED]> wrote: > I have reconfigured radiusd.conf again to see it I can authenticate > and am still having trouble > > Can you look at these configs and tell me where you see issues? The client is doing CHAP. You have configured the MSCHAP module to use ntlm_auth. CHAP is not MSCHAP. CHAP will not work with AD. I've said this repeatedly. Alan DeKok.
Re: radius cache?
Tariq Rashid <[EMAIL PROTECTED]> wrote: > i wonder what people's thoughts are on a radius cache that sits in frotn of > a set of real radius servers and responds quickly with a set of cached reply > attributes from a previous query? In the CVS head, see "rlm_caching". It does exactly this. Alan DeKok.
Re: FR suddenly doesn't respond any more and eats all cpu
Hello, > I have no idea what's causing the problem. You might try with the > option '-f' too, like in bug #100. You're right, that really sounds similar. Unfortunately, the switch -f doesn't help me. That's not as bad, since I can use -s or -x. Nevertheless thanks a lot for the hint! best regards, Benedikt
Re: Issues authenticating vs 2003 AD
I have read the docs, maybe I am just missing where their example was, I see the entries commented but not for what I need I guess (or I missed). I have reconfigured radiusd.conf again to see if I can authenticate and am still having trouble. Can you look at these configs and tell me where you see issues?

radiusd.conf:

mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        #with_ntdomain_hack = no
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
}

authorize {
        preprocess
#       auth_log
#       attr_filter
#       chap
        mschap
#       digest
#       IPASS
        suffix
#       ntdomain
#       eap
#       files
#       sql
#       etc_smbpasswd
#       ldap
#       daily
#       checkval
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}

preacct {
        preprocess
        suffix
}

proxy.conf:

realm gtdsolutions.org {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

users:

DEFAULT Auth-Type = mschap
        Fall-Through = 1

Attempted login from a windows host via l2tp; output of radiusd -X -A:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32771, id=169, length=90
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "[EMAIL PROTECTED]"
        CHAP-Password = 0x44ac3d380292ea549c27ecce30ec2afe9c
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "gtdsolutions.org" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gtdsolutions.org"
    rlm_realm: Adding Stripped-User-Name = "tporritt"
    rlm_realm: Proxying request from user tporritt to realm gtdsolutions.org
    rlm_realm: Adding Realm = "gtdsolutions.org"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
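Why the request above cannot be authenticated against AD, as an added worked example (my own code, not FreeRADIUS's rlm_chap or rlm_mschap): CHAP-Password is Ident followed by MD5(Ident || cleartext password || challenge), where the challenge is the CHAP-Challenge attribute if present and otherwise the Request Authenticator (RFC 2865 section 5.3). Verifying it therefore requires the cleartext password itself. The ntlm_auth helper in the posted config answers MS-CHAP challenges from the NT hash held by the domain controller, which is enough for MS-CHAP (the NT-Response is derived from that hash) but cannot be turned back into the MD5 input a CHAP client used; that is the concrete meaning of "CHAP will not work with AD". The Request Authenticator, password and attribute values below are constructed (the real challenge from the log is not on the page), and `select_auth_type` is a simplified model of the authorize decision, not the server's own logic.

```python
import hashlib
import hmac

# Attribute names as they appear in radiusd -X output; values are raw bytes.
CHAP_PASSWORD, CHAP_CHALLENGE = "CHAP-Password", "CHAP-Challenge"
MS_CHAP_CHALLENGE, MS_CHAP_RESPONSE, MS_CHAP2_RESPONSE = (
    "MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response")


def chap_response(ident, cleartext_password, challenge):
    """What the PPP peer sends: Ident || MD5(Ident || password || challenge) (RFC 1994)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()


def chap_challenge(attrs, request_authenticator):
    """RFC 2865 section 5.3: CHAP-Challenge if the NAS sent one, else the Request Authenticator."""
    return attrs.get(CHAP_CHALLENGE, request_authenticator)


def verify_chap(attrs, request_authenticator, cleartext_password):
    """True iff CHAP-Password was produced from this cleartext password.
    There is no way to do this from an NT hash: the client hashed the cleartext."""
    chap = attrs.get(CHAP_PASSWORD)
    if chap is None or len(chap) != 17:  # 1 octet Ident + 16 octets MD5
        return False
    expected = chap_response(chap[0], cleartext_password, chap_challenge(attrs, request_authenticator))
    return hmac.compare_digest(expected, chap)


def select_auth_type(attrs, backend):
    """Simplified model of the authorize decision: which Auth-Type can verify this request
    given the password material the backend can supply. `backend` is a set drawn from
    {"cleartext", "nt-hash"}; ntlm_auth against a domain controller counts as "nt-hash"."""
    if MS_CHAP_CHALLENGE in attrs and (MS_CHAP_RESPONSE in attrs or MS_CHAP2_RESPONSE in attrs):
        # MS-CHAP responses are computed from the NT hash, so either material will do.
        return "MS-CHAP" if backend & {"cleartext", "nt-hash"} else None
    if CHAP_PASSWORD in attrs:
        return "CHAP" if "cleartext" in backend else None
    if "User-Password" in attrs:
        return "PAP" if backend & {"cleartext", "nt-hash"} else None
    return None  # nothing set Auth-Type: the "No authenticate method" reject in the log
```

The log above shows exactly the last branch: the request carries CHAP-Password, the mschap module returns noop because there is no MS-CHAP-Challenge, nothing else claims the request, and the server rejects it. Fixing the PPP side so that it negotiates MS-CHAPv2 is the only way the ntlm_auth configuration can ever be exercised.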
radius cache?
hi - i wonder what people's thoughts are on a radius cache that sits in front of a set of real radius servers and responds quickly with a set of cached reply attributes from a previous query? this may even be worthwhile even if the caching only applies to rejected queries - so that bad requests don't waste the backend resources. tariq
Re: FR suddenly doesn't respond any more and eats all cpu
Benedikt Panzer <[EMAIL PROTECTED]> wrote:
> Fri Aug 19 09:22:02 2005 : Error: rlm_ldap: All ldap connections are in use
> Fri Aug 19 09:22:03 2005 : Error: rlm_ldap: ldap_search() failed: Timed
> out while waiting for server to respond. Please increase the timeout.

It looks like your LDAP server is down, and that FreeRADIUS needs it to authenticate users.

> Fri Aug 19 09:24:32 2005 : Info: The maximum number of threads (32) are
> active,cannot spawn new thread to handle request

Yup. The server can't process any more requests.

> They probably mean that I have a problem with my LDAP-Server, right? Has
> someone experience, what parameter could be critical for the eDirectory?

It looks like eDirectory is down, or too slow to be useful.

Alan DeKok.
Re: mod_auth_radius values
"Ayres G.J." <[EMAIL PROTECTED]> wrote:
> Ive read through mod_auth_radius-2.0.c and it appears the cookie is a MD5
> hash of the users information. So, is it possible to get the information
> from the cookie?

No. The username/password IS in the header.

Alan DeKok.
Re: FR suddenly doesn't respond any more and eats all cpu
Benedikt Panzer wrote:
> Also I tested the switch -s and just the same, the error doesn't
> occur then. Back in normal mode (without -x or -s) FR crashes again,
> with one of both switches it doesn't. Strange to me. Is this normal
> for you experts?

I have no idea what's causing the problem. You might try with the option '-f' too, like in bug #100.

http://bugs.freeradius.org/show_bug.cgi?id=100

--
Nicolas Baradakis
Re: FR suddenly doesn't respond any more and eats all cpu
Hi,

I really enjoy answering to myself ;-)

I found the problem is not on the ldap server side but really in FR (configuration?). And it's a matter of the number of RADIUS requests: two clients querying FR at the same time don't cause problems for me, but when three clients query it FreeRADIUS hangs within 2 minutes. Every time. But those error messages in the log file (like "All ldap connections are in use", see my last posting) were not shown again. Precisely, most of the time no error was shown at all. FR handles one request normally and then just hangs.

So I tried different combinations of the options max_requests, max_servers, max_request_per_server, ldap_connection_number, ldap timeouts and so on (see below). Nothing changed. FR _always_ crashed after about 2 minutes when queried by 3 clients.

Then I started to enable debugging mode again (-x) and noticed that FR doesn't crash any longer! I set all other options back to their default values and still - FR doesn't crash! (it neither shows any error message) Also I tested the switch -s and just the same, the error doesn't occur then. Back in normal mode (without -x or -s) FR crashes again, with one of both switches it doesn't. Strange to me. Is this normal for you experts?

Have a nice weekend!

regards,
Benedikt

The combination of options I tested (all combinations failed, that means FR crashed):

max_request_time = 30
delete_blocked_requests = no
max_requests = 1024
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = 0
ldap {
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 4
}

max_request_time = 5
delete_blocked_requests = no
max_requests = 1024
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = *100*
ldap {
    ldap_connections_number = *10*
    timeout = 4
    timelimit = 3
    net_timeout = 4
}

max_request_time = 5
delete_blocked_requests = no
max_requests = *4096*
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = *100*
ldap {
    ldap_connections_number = *10*
    timeout = 4
    timelimit = 3
    net_timeout = 4
}

max_request_time = 5
delete_blocked_requests = *yes*
max_requests = *4096*
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = *100*
ldap {
    ldap_connections_number = *10*
    timeout = 4
    timelimit = 3
    net_timeout = 4
}

max_request_time = 5
delete_blocked_requests = no
max_requests = 1024
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = 0
ldap {
    ldap_connections_number = *10*
    timeout = *2*
    timelimit = *1*
    net_timeout = *2*
}

Fri Aug 19 09:22:02 2005 : Error: rlm_ldap: All ldap connections are in use
Fri Aug 19 09:22:03 2005 : Error: rlm_ldap: ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Fri Aug 19 09:22:37 2005 : Error: rlm_ldap: uid=ilebraun,ou=accounts,dc=SIAM bind to lanldap1.rus.uni-stuttgart.de:389 failed: timeout
Fri Aug 19 09:24:32 2005 : Info: The maximum number of threads (32) are active,cannot spawn new thread to handle request
Fri Aug 19 09:24:41 2005 : Error: WARNING: Unresponsive child (id 1123056560) for request 47

I've configured here a FreeRADIUS 1.0.4 and I'm running it now to handle test requests. First, everything looked ok. FR responded all requests correctly. But suddenly it didn't respond any more to RADIUS requests and I saw it used 1 of my 2 cpus completely. Before it took between 1-2 percent of the cpu. FreeRADIUS even could not be killed by a normal kill, I needed kill -9 to terminate it. It's very strange to me that happened after half an hour normal behavior. Then I started FreeRADIUS in debugging mode (-X) but then the error didn't occur until I stopped it 1 day later. Just now I ran it again in not-debugging mode and again after about half an hour the same strange error: processor load about 99% and no responses to any requests.
[solution] Received unexpected tunneled data after successful handshake
Hello,

I was stuck for a bit on this error message before finding the solution, so I thought I'd share and get it into the list archives for future reference.

Context: Trying to get WindowsXP 802.1X supplicants to be authenticated on a FreeRADIUS server. After a successful TLS handshake, the

rlm_eap_tls: Received unexpected tunneled data after successful handshake

message would appear and abort the process.

The solution is in http://www.freeradius.org/doc/EAPTLS.pdf - the client and server certificates must contain an Enhanced Key Usage. Look for "-extensions" in the generation script, and for the "OpenSSL extensions file" section. Taking this into account and regenerating the client & server certificates worked for me.

I hope it helps,
-Waba.
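The fix described above, as an added example that is not from the FreeRADIUS docs or the original post: an OpenSSL extensions file carrying the Enhanced Key Usage the Windows XP supplicant looks for, a throwaway CA issuing a server and a client certificate with it, and a check that the extension actually ended up in each certificate. The file and section names are this example's own choices; the OIDs are the standard serverAuth and clientAuth values.

```shell
#!/bin/sh
# Added example (not FreeRADIUS project code). Generates throwaway certs in a
# temp dir and shows the "-extensions" section that puts the EKU into them.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extensions file: the section named by "-extensions" when signing decides
# which Enhanced Key Usage the leaf certificate gets.
cat > xpextensions <<'EOF'
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF

# Self-signed CA (constructed name, 1-day validity: test material only).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ExampleCA \
  -keyout ca.key -out ca.pem 2>/dev/null

# issue_cert NAME SECTION: new key + CSR for NAME, signed by the CA with the
# EKU from SECTION of xpextensions. Omitting -extfile/-extensions here is
# exactly what yields a certificate without any EKU.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile xpextensions -extensions "$2" -out "$1.pem" 2>/dev/null
}

# eku_of CERT: print the EKU purpose line from the certificate text, or
# nothing when the extension is absent (the failing case in the thread).
eku_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

issue_cert server xpserver_ext
issue_cert client xpclient_ext
for c in ca server client; do
  printf '%s.pem EKU: %s\n' "$c" "$(eku_of "$c.pem")"   # ca.pem prints none
done
echo "certificates left in $WORK"
```

The CA certificate deliberately has no EKU, so the check prints an empty purpose for it; a server or client certificate that prints the same is the one the supplicant will reject.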
Re: Required Clarification
Hello,

I'm not really experienced with FR, but maybe this is enough to help you.

> 3) How does it maintains database does it uses SQL, if so ? whether it provides any
> alternative to maintain database of username and password ? for example like by using files….. etc.

FR is able to store users and their attributes in a couple of backends including sql database and a users text file. See the modules section of radiusd.conf for more information.

> 1) What is the maximum length of username and password allowed in freeRADIUS ?

That probably depends on the backend you're using, or look in http://www.freeradius.org/rfc/rfc2865.html if there's a limit.

> 2) What is the maximum number of users allowed to authenticate? I mean, how many users does it maintains in its database?

I guess that's a question of performance first. Probably all backends can store _enough_ users and FR can also handle them.

> 4) Is there any necessity or possibility to use secondary RADIUS server ?

Technically it's not necessary. But if you use it for something important it's obviously better to have one... ;-) It's possible of course to set up 2 RADIUS servers.
RE: mod_auth_radius values
Hi,

I have written a php script that lists the request and response headers, the result of which is below:

Request Headers
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: xx
Connection: Keep-Alive
Authorization: Basic bHNreVJlZ2o6ZnSpZGF5Mw==
Cookie: foo=bar

Response Headers
Set-Cookie: RADIUS=51f673efff8c5h235410d95289666de85305b928; path=/;
X-Powered-By: PHP/4.4.0

After the cookie is set the 'Set-Cookie' header appears in the Request Header as 'Cookie: foo=bar; RADIUS=51f673efff8c5h235410d95289666de85305b928;'. (I have modified the values above slightly in case I am inadvertently sending a username/password to the list ;)

I've read through mod_auth_radius-2.0.c and it appears the cookie is a MD5 hash of the users information. So, is it possible to get the information from the cookie?

Gareth.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 18 August 2005 16:25
To: FreeRadius users mailing list
Subject: Re: mod_auth_radius values

"Ayres G.J." <[EMAIL PROTECTED]> wrote:
> I am developing a web system that authenticates users to a web site
> through free radius using the mod_auth_radius module for apache. It all
> works fine, but I would like to get the username of the user that has
> authenticated for use on pages once they have authenticated.

It's in the HTTP headers. The username & password are sent in every request.

> I am not sure how to go about this. I guess that the values are set in a
> cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
> could retrieve the values, either through HTML or PHP?

Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them.

Alan DeKok.
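Alan's point about where the username lives, as an added example that is not from mod_auth_radius or the thread: a small parser over a request-header dump like the one Gareth posted. It pulls the username out of the Basic Authorization header (base64 of "user:password", repeated in every request) and pulls the RADIUS cookie out separately; the cookie value is a digest and nothing in it is decodable. All header values are constructed.

```shell
#!/bin/sh
# Added example (not mod_auth_radius code). Header values below are constructed.

# header_value NAME DUMP: print the value of header NAME from a header dump.
header_value() {
  printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# basic_auth_user VALUE: print the username from "Basic <base64>"; fail on any
# other scheme, on undecodable base64, or when no "user:password" form is found.
basic_auth_user() {
  [ "${1%% *}" = Basic ] || return 1
  creds=$(printf '%s' "${1#* }" | base64 -d 2>/dev/null) || return 1
  case $creds in
    *:*) printf '%s\n' "${creds%%:*}" ;;   # username is everything before the first colon
    *)   return 1 ;;
  esac
}

# radius_cookie VALUE: print the RADIUS= cookie from a Cookie header, if any.
radius_cookie() {
  printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^ *RADIUS=//p'
}

# Constructed request headers modelled on the dump in the thread
# ("alice:s3cret" encoded; the cookie is a made-up 40-hex digest).
REQUEST='Host: radius.example.invalid
Authorization: Basic YWxpY2U6czNjcmV0
Cookie: foo=bar; RADIUS=0123456789abcdef0123456789abcdef01234567'

echo "user from Authorization header: $(basic_auth_user "$(header_value Authorization "$REQUEST")")"
echo "RADIUS cookie (opaque digest, not reversible): $(radius_cookie "$(header_value Cookie "$REQUEST")")"
basic_auth_user 'Bearer abc' || echo 'Bearer scheme: no username to extract'
```

`base64 -d` is the GNU coreutils spelling; BSD base64 uses `-D`. Because the credentials travel in clear base64 on every request, anything that can read the headers (a proxy, a log, another script on the host) gets them, which is the reason to keep such a site on TLS.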
Required Clarification
Hi All,

As I am using freeRADIUS I would like to know few of the following things.

1) What is the maximum length of username and password allowed in freeRADIUS ?
2) What is the maximum number of users allowed to authenticate? I mean, how many users does it maintain in its database?
3) How does it maintain database does it use SQL, if so ? whether it provides any alternative to maintain database of username and password ? for example like by using files….. etc.
4) Is there any necessity or possibility to use secondary RADIUS server ?

Thanx in advance.

Regards,
Raghu
Re: FR suddenly doesn't respond any more and eats all cpu
Hello again,

this time the error (you know, no response and full cpu load) occurred and at least I found something in the normal logfile:

Fri Aug 19 09:22:02 2005 : Error: rlm_ldap: All ldap connections are in use
Fri Aug 19 09:22:03 2005 : Error: rlm_ldap: ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Fri Aug 19 09:22:37 2005 : Error: rlm_ldap: uid=ilebraun,ou=accounts,dc=SIAM bind to lanldap1.rus.uni-stuttgart.de:389 failed: timeout
Fri Aug 19 09:24:32 2005 : Info: The maximum number of threads (32) are active,cannot spawn new thread to handle request
Fri Aug 19 09:24:41 2005 : Error: WARNING: Unresponsive child (id 1123056560) for request 47

These are repeated many times, especially the first one. They probably mean that I have a problem with my LDAP-Server, right? Has someone experience, what parameter could be critical for the eDirectory?

Thanks in advance,
Benedikt

I've configured here a FreeRADIUS 1.0.4 and I'm running it now to handle test requests. First, everything looked ok. FR responded all requests correctly. But suddenly it didn't respond any more to RADIUS requests and I saw it used 1 of my 2 cpus completely. Before it took between 1-2 percent of the cpu. FreeRADIUS even could not be killed by a normal kill, I needed kill -9 to terminate it. It's very strange to me that happened after half an hour normal behavior. Then I started FreeRADIUS in debugging mode (-X) but then the error didn't occur until I stopped it 1 day later. Just now I ran it again in not-debugging mode and again after about half an hour the same strange error: processor load about 99% and no responses to any requests.
EAP OTP
Hello everyone,

I am interested in EAP protocols with OTP (one time password). I would like to configure my freeradius 1.0.4 to be able to authenticate passwords which have been created with Shawan's method and an external key. Can anybody help me?

Thank you,
Juan Daniel MORENO
Re: Release date for 1.1.0/CVS?
Alan DeKok wrote:
> Wesley Spadola <[EMAIL PROTECTED]> wrote:
> > Is there any news of an approximate release date for the 1.1.0 line of FreeRADIUS?
>
> When it's ready. Hopefully in the next month or so.

will there be a feature of configurable key for rlm_ippool database search?

> > Which bugs are currently showstoppers for this line to be released as "stable"?
>
> The EAP linking issues. Other than that, the rest of the work is cleanups.
>
> I think it will be released as 2.0, because there are just so many things fixed, and so many new features added.
>
> Alan DeKok.

--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow