Re[2]: rlm_detail bug when locking = yes
Nicolas wrote:

We need close outfd right before return RLM_MODULE_FAIL; at line 236.

Or get the fixes from CVS head which solve many other problems in rlm_detail. (for example file renamed or unlinked by another program) Everyone will save a considerable amount of time if you could backport the changes from CVS to 1.1.2, run tests to check the new code, and send unified diff to the list. http://freeradius.org/radiusd/doc/DIFFS

I try to examine snapshot-20060616.

BTW, there is an old bug in rlm_detail.c.

    279: if ((outfd = open(buffer, O_WRONLY | O_APPEND | O_CREAT,
    280:                   inst->detailperm)) < 0) {
    281:         radlog(L_ERR, "rlm_detail: Couldn't open file %s: %s",
    282:                buffer, strerror(errno));
    283:         return RLM_MODULE_FAIL;
    284: }
    286: /*
    287:  * If we fail to aquire the filelock in 80 tries
    288:  * (approximately two seconds) we bail out.
    289:  */
    290: if (inst->locking) {
    291:         lseek(outfd, 0L, SEEK_SET);
    292:         if (rad_lockfd_nonblock(outfd, 0) < 0) {
    293:                 close(outfd);
    294:                 tv.tv_sec = 0;
    295:                 tv.tv_usec = 25000;
    296:                 select(0, NULL, NULL, NULL, &tv);
    297:                 lock_count++;
    298:                 continue;
    299:         }

open() executed once. But while we failed to get lock at first try, close(outfd) executed and all the subsequent attempts to lock file fail. I comment line 293 out. After this I haven't got any messages like

    Error: rlm_detail: Failed to aquire filelock for /var/log/radius/radacct/detail, giving up

in log! So now rlm_detail with lock=yes and radrelay all work fine.

Mike.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Change RAD_REPLY item in rlm_perl, not add a new pair
Kenneth Marshall [EMAIL PROTECTED] writes:

I am trying to use rlm_perl to append a number to one member of the reply packet using rlm_perl and the %RAD_REPLY hash. I am running freeradius-1.1.1.

I don't think you can do that with rlm_perl. The inability to specify operator is limiting. rlm_perl will choose T_OP_ADD if the hash value is an array reference. Otherwise it defaults to T_OP_EQ when creating the lists of vps out of the %RAD_REPLY and %RAD_CHECK hashes. There is no way to specify T_OP_SET, which is the functionality you need.

I would really love to improve this, but I can't think of any nice way to do it. If one were to add operators to the perl hashes, how could that be done? Adding an additional set of hashes, mapping attribute names to operators? Adding magic operator strings to either key or value of the current hashes? I'm afraid that none of these will be backwards compatible with existing perl scripts using rlm_perl.

Another possibility would be to let rlm_perl assume T_OP_SET for modified attributes (unless they are array references). This makes sense to me (and to you it seems, since that's what you expected :-). But I don't know of an efficient way to implement this. You'd probably have to walk through the lists, comparing the values of all attributes. Unless you tie the hashes to some class implementing the necessary logic in its STORE function? That might be a possibility...

Bjørn
Re[2]: rlm_detail bug when locking = yes
open() executed once. But while we failed to get lock at first try, close(outfd) executed and all the subsequent attempts to lock file fail. I comment line 293 out.

I don't understand why this helps. We open the file at the beginning of the do..while() loop, so it should be fine.

Err, sorry. Source of snapshot are like to freeradius-1.1.2 (rlm_detail.c,v1.37.2.1.2.1 2006/04/19). I missed that open() was moved inside loop :(

BTW if you remove the close() line 293 you're leaking one file descriptor each time the lock fails.

I use stable 1.1.2, not snapshot. There open() is called before do-while loop in this version. close() executed every iteration. So I have to comment close() in block

    if (rad_lockfd_nonblock(outfd, 0) < 0) {
            close(outfd);
            tv.tv_sec = 0;
            tv.tv_usec = 25000;
            select(0, NULL, NULL, NULL, &tv);
            lock_count++;
    }

for correct work. Sorry again.

Mike.
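The arrangement this thread converges on (open() inside the retry loop, so that close() after a failed lock attempt neither breaks the next attempt nor leaks a descriptor), as an added example that is not FreeRADIUS code and not code from either poster. `detail_append` and `try_lock` are hypothetical names, `flock()` stands in for `rad_lockfd_nonblock()`, and the inode comparison is one assumed way to handle the "file renamed or unlinked by another program" case mentioned earlier in the thread.

```c
#include <fcntl.h>
#include <sys/file.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_LOCK_TRIES 80      /* the bound named in the quoted source comment */
#define RETRY_USEC     25000   /* 25 ms between attempts, as in the thread */

/* Stand-in for rad_lockfd_nonblock(): flock() is an assumption made so the
 * behaviour is easy to observe; it is not the FreeRADIUS implementation. */
static int try_lock(int fd) { return flock(fd, LOCK_EX | LOCK_NB); }

/* Append len bytes to path under an exclusive lock.
 * Returns 0 on success, -1 on open/write failure,
 * -2 when no lock could be taken within max_tries attempts. */
int detail_append(const char *path, const char *buf, size_t len, int max_tries)
{
    for (int tries = 0; tries < max_tries; tries++) {
        /* open() is inside the loop: every attempt starts with a valid fd */
        int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
        if (fd < 0)
            return -1;

        if (try_lock(fd) < 0) {
            close(fd);                      /* safe: reopened on the next pass */
            struct timeval tv = { 0, RETRY_USEC };
            select(0, NULL, NULL, NULL, &tv);
            continue;
        }

        /* The file may have been renamed or unlinked while we waited; if
         * the path no longer names the inode we locked, start over. */
        struct stat by_fd, by_path;
        if (fstat(fd, &by_fd) < 0 || stat(path, &by_path) < 0 ||
            by_fd.st_ino != by_path.st_ino || by_fd.st_dev != by_path.st_dev) {
            close(fd);
            continue;
        }

        ssize_t n = write(fd, buf, len);
        close(fd);                          /* closing also drops the lock */
        return (n == (ssize_t)len) ? 0 : -1;
    }
    return -2;                              /* gave up; no descriptor left open */
}
```

Every exit path closes the descriptor it opened, so giving up after `max_tries` attempts (`MAX_LOCK_TRIES` in normal use) leaves the process with the same set of open files it started with.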
RPM build problems on RedHat AS4
Hi

Following previous posts on this mailing list I patched my freeradius.spec as shown at the end of this email. I ran rpmbuild -bb and got the lib_eap packaging problems and during the build many messages like this :-

    (cd /usr/src/redhat/BUILD/freeradius-1.1.2/src/modules/rlm_eap; /bin/sh /usr/src/redhat/BUILD/freeradius-1.1.2/libtool --mode=relink gcc -release 1.1.2 -modul\e -export-dynamic -o rlm_eap.la -rpath /usr/lib rlm_eap.lo eap.lo mem.lo state.lo rlm_eap.c eap.c mem.c state.c /usr/src/redhat/BUILD/freeradius-1.1.2/src/lib\/libradius.la libeap/libeap.la -lltdl -lnsl -lresolv -lpthread)
    gcc -shared rlm_eap.lo eap.lo mem.lo state.lo -L/usr/src/redhat/BUILD/freeradius-1.1.2/src/lib/.libs -L/usr/lib -lradius -leap -lltdl -lnsl -lresolv -lpthre\ad-Wl,-soname -Wl,rlm_eap-1.1.2.so -o .libs/rlm_eap-1.1.2.so
    /usr/bin/ld: cannot find -leap
    collect2: ld returned 1 exit status
    libtool: install: error: relink `rlm_eap.la' with the above command before installing it
    libtool: install: warning: remember to run `libtool --finish /usr/lib'
    gmake[6]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.1.2/src/modules/rlm_eap'

I then ran rpmbuild again and although I don't remember changing anything it worked fine and built me an rpm. However when I came to install, I still have the following dependency problem :-

    error: Failed dependencies:
        /usr/local/bin/perl is needed by freeradius-1.1.2-0.i386

The output of whereis perl :-

    perl: /usr/bin/perl /usr/local/bin/perl /usr/share/man/man1/perl.1.gz

    # ls -l /usr/local/bin/perl
    lrwxrwxrwx 1 root root 13 Jun 21 2004 /usr/local/bin/perl -> /usr/bin/perl

Could anyone suggest why I am getting the failed dependency?

Thanks
Ben Thompson

Here is the patch :-

--- freeradius.spec.orig2006-05-21 18:32:53.0 +0100 +++ freeradius.spec 2006-06-20 11:40:59.0 +0100 
@@ -38,6 +38,9 @@ --with-rlm-krb5-lib-dir=/usr/kerberos/lib make +sed -i [EMAIL PROTECTED]/[EMAIL PROTECTED]/freeradius-%{version}@ doc/Makefile doc/examples/Makefile doc/rfc/Makefile + + %install [ $RPM_BUILD_ROOT != / ] rm -rf $RPM_BUILD_ROOT @@ -111,6 +114,18 @@ %attr(0700,radiusd,radiusd) %dir /var/log/radius/radacct %attr(0700,radiusd,radiusd) %dir /var/run/radiusd + +%doc doc/Acct-Type doc/Autz-Type doc/CYGWIN doc/ChangeLog doc/DIFFS doc/MACOSX +%doc doc/OS2 doc/Post-Auth-Type doc/RADIUS-LDAP-eDirectory doc/RADIUS-SQL.schema +%doc doc/README doc/Session-Type doc/Simultaneous-Use doc/aaa.txt doc/ascend +%doc doc/bay doc/bugs doc/cisco doc/coding-methods.txt doc/configurable_failover +%doc doc/duplicate-users doc/ldap_howto.txt doc/load-balance.txt doc/misc-nas +%doc doc/module_interface doc/mssql doc/performance-testing doc/processing_users_file +%doc doc/proxy doc/radrelay doc/release-method.txt doc/rfc/ +%doc doc/rlm* doc/supervise-radiusd.txt +%doc doc/tuning_guide doc/variables.txt todo/ COPYRIGHT INSTALL + + %changelog * Thu Dec 15 2004 Alan DeKok - update for 1.1.0 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
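Review bot: in the first hunk, the `sed -i` added after `make` rewrites doc/Makefile, doc/examples/Makefile and doc/rfc/Makefile in place, and sed exits 0 when its pattern matches nothing, so a later release whose Makefiles spell the path differently would still build and simply leave the path unchanged. Follow the sed with a grep for `freeradius-%{version}` in those three files so the build stops when the substitution did not apply, or pass the directory to make as a variable rather than editing the Makefiles.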
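Review bot: in the second hunk, the `%doc` block is a long hand-maintained list of individual paths under doc/, so it has to be re-checked against the source tree on every version bump, and it names nothing from doc/examples even though the first hunk edits doc/examples/Makefile. Add a comment above the block saying which release's doc/ listing it mirrors, and state whether doc/examples is left out on purpose; the two blank `+` lines after the list can also be reduced to one.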
Re: Fwd: Filter attributes when proxying
On Mon, Jun 19, 2006 at 11:16:17AM -0400, Joe Maimon wrote:

try to use rlm_policy

I am sure there are other ways.

Thank you for your answer. I hadn't seen the policy module. It only seems to be in CVS not in the releases. Is there a reason for that? Is it not of production quality?

Sincerely,
Martin Zuziak
[EMAIL PROTECTED]
Eap/TLS Problem !!
Dear Freeradius users,

for a couple of days I have had a problem with my radius server, I can not authenticate clients.

Freeradius 1.1.1 with Eap/TLS + MYSQL running in slack 10.1

My radius client is a wl5460-AP and I use a pci wireless to auth in ap linked in my radius. But now, my pci wireless links in AP, but nothing passes through, ping does not work for any local.

I try to execute freeradius in debug mode (radiusd -X), it only shows these messages in a loop. I can not understand these errors.

Anyone Can Help-me, I need this Radius Server Working. Thanks to all..

Emerson

rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 75
modcall: leaving group authenticate (returns handled) for request 75
Sending Access-Challenge of id 174 to 10.254.0.254 port 2053
    Framed-Compression := Van-Jacobson-TCP-IP
    Framed-Protocol := PPP
    Service-Type := Framed-User
    Framed-MTU := 1500
    EAP-Message = 0x014c00060d20
    Message-Authenticator = 0x
    State = 0xbdef72a1d8e3188e972218ab20f569f1
Finished request 75
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 74 ID 173 with timestamp 4497f091
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.254.0.254:2053, id=175, length=191
    User-Name = usuario1
    NAS-IP-Address = 10.254.0.254
    NAS-Port = 0
    Called-Station-Id = 004f62087474
    Calling-Station-Id = 0014a53c478d
    NAS-Identifier = Realtek Access Point. 8181
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    Connect-Info = CONNECT 11Mbps 802.11b
    EAP-Message = 0x024c000d017573756172696f31
    State = 0xbdef72a1d8e3188e972218ab20f569f1
    Message-Authenticator = 0x75c255ea144b5d1a2864236a85e01e83
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 76
modcall[authorize]: module preprocess returns ok for request 76
rlm_eap: EAP packet type response id 76 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 76
radius_xlat: 'usuario1'
rlm_sql (sql): sql_set_user escaped user -- 'usuario1'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'usuario1' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'usuario1' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'usuario1' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'usuario1' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module sql returns ok for request 76
modcall: leaving group authorize (returns updated) for request 76
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 76
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 76
modcall: leaving group authenticate (returns handled) for request 76
Sending Access-Challenge of id 175 to 10.254.0.254 port 2053
    Framed-Compression := Van-Jacobson-TCP-IP
    Framed-Protocol := PPP
    Service-Type := Framed-User
    Framed-MTU := 1500
    EAP-Message = 0x014d00060d20
    Message-Authenticator = 0x
    State = 0x8576b5091495b6b611506711da5f4530
Finished request 76
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 75 ID 174 with timestamp 4497f096
Waking up in 5 seconds...
mpd+freeradius+AD
Hi all!

I have completed setup of mpd+freeradius+AD 2003. Now my users are authenticating from Active Directory, if they are members of a specific group. But I still have some questions:

How to make different timeouts for different groups in AD
How to appoint special IP for special users
How to restrict users to access only to defined IP in my network
Re: Eap/TLS Problem !!
Emerson wrote:

Dear Freeradius users, ... Anyone Can Help-me, I need this Radius Server Working. Thanks to all..

Emerson

I see your log. It seems an error similar to mine. In my case, with AP 3Com, it was a problem of my certificate on server radius, and also a problem with some Microsoft extension needed for the auth step, missing on my certificate. However Stefan, on this list, suggested me to use SecureW2 supplicant and all my problems disappeared. See my post at the beginning of the month.

Alessandro
Re: Change RAD_REPLY item in rlm_perl, not add a new pair
On Tue, Jun 20, 2006 at 11:23:13AM +0300, Boian Jordanov wrote:

On Tuesday 20 June 2006 02:17, Kenneth Marshall wrote:

Dear Freeradius Users: I am trying to use rlm_perl to append a number to one member of the reply packet using rlm_perl and the %RAD_REPLY hash. I am running freeradius-1.1.1. Here is the code that I am using, a modified example.pl:

Edit rlm_perl.c and change T_OP_EQ to T_OP_SET in function get_hv_content, recompile and install

Thank you for that information. I am testing this now.

Ken Marshall
Re: Change RAD_REPLY item in rlm_perl, not add a new pair
On Tue, Jun 20, 2006 at 11:05:04AM +0200, Bjørn Mork wrote:

Kenneth Marshall [EMAIL PROTECTED] writes:

I am trying to use rlm_perl to append a number to one member of the reply packet using rlm_perl and the %RAD_REPLY hash. I am running freeradius-1.1.1.

I don't think you can do that with rlm_perl. The inability to specify operator is limiting. rlm_perl will choose T_OP_ADD if the hash value is an array reference. Otherwise it defaults to T_OP_EQ when creating the lists of vps out of the %RAD_REPLY and %RAD_CHECK hashes. There is no way to specify T_OP_SET, which is the functionality you need.

I would really love to improve this, but I can't think of any nice way to do it. If one were to add operators to the perl hashes, how could that be done? Adding an additional set of hashes, mapping attribute names to operators? Adding magic operator strings to either key or value of the current hashes? I'm afraid that none of these will be backwards compatible with existing perl scripts using rlm_perl.

Another possibility would be to let rlm_perl assume T_OP_SET for modified attributes (unless they are array references). This makes sense to me (and to you it seems, since that's what you expected :-). But I don't know of an efficient way to implement this. You'd probably have to walk through the lists, comparing the values of all attributes. Unless you tie the hashes to some class implementing the necessary logic in its STORE function? That might be a possibility...

I agree with you. It makes more sense to modify attributes that are changed instead of appending a new pair which will be discarded in most cases. Is there an easy way to tie a modified flag to each attribute that could be changed to indicate a modification? Or use something like a composite key attribute+operator with a missing operator defaulting to current behavior. This would allow people to use := when needed and old code should still work correctly.

Ken
Re: freeradius-mysql rpm
Thank U all helpful souls.
Client Freeradius !!!
Hi,

I had a problem with auth in my freeradius, I used a pci wireless airlink 802.11 b/g, authing with wpa/tkip/tls, but not work. The error no user/password attribute appear to me.

I try to change my pci wireless to Dlink Dwl-Ag530 authing with wpa/tkip/ttls and WORK.

But I need to TLS working because this pci Dlink it's too expensive, and airlink not support TTLS.

Anyone Can help-me or give-me another solution...

Thanks A Lot
Emerson
Segmentation fault
Hi,

Whenever I try to run radeapclient as the following:

    radeapclient -x localhost auth testing123 req.txt

I get a segmentation fault. Following is req.txt:

    User-Name = bob
    EAP-MD5-Password = hello
    NAS-IP-Address = 192.168.150.33
    EAP-Code = Response
    EAP-Id = 210
    EAP-Type-Identity = bob
    Message-Authenticator = 0x00
    NAS-Port=0

Can someone let me know the reason and how to fix this?

Thanks,
Pinakee Biswas
Chief Solution Architect
XIUS (A Megasoft LTD division)
Ph: 9949495958 (M)
Re: Eap/TLS Problem !!
Hi!

However Stefan, on this list, suggested me to use SecureW2 supplicant and all my problems disappeared. See my post at the beginning of the month.

While that's the best thing to do, there may be people forced to go with the built-in supplicant and that have to care about the certificate extensions required by MSFT. For TLS, things are even a little worse than for TTLS, since also the client certificate needs to have an OID extension in place. There's a documentation on server and client OIDs on the FreeRADIUS website, see

http://www.freeradius.org/doc/EAPTLS.pdf

The OIDs are mentioned in chapter 10 (examples on cert generation earlier in the document); the server OID is the same for TTLS.

Greetings,
Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Engineer, Research and Development
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Re: Client Freeradius !!!
Hi,

I had a problem with auth in my freeradius, I used a pci wireless airlink 802.11 b/g, authing with wpa/tkip/tls, but not work. The error no user/password attribute appear to me.

Logs would be nice.

I try to change my pci wireless to Dlink Dwl-Ag530 authing with wpa/tkip/ttls and WORK.

See my other post, your certs are likely not suited for use with the built-in supplicant.

But I need to TLS working because this pci Dlink it's too expensive, and airlink not support TTLS.

The EAP methods depend on the supplicant for the card. You can almost always use other supplicants for your card that *do* support TTLS. *hint* SecureW2 *hint*

Anyone Can help-me or give-me another solution...

Here you are. BTW, adding unnecessary exclamation marks to the subject is not likely to make you friends.

Greetings,
Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Engineer, Research and Development
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473