Using pam_radius_auth.o, why call pam_sm_chauthtok twice??

2006-09-28 Thread 나종현



Using the pam_radius_auth.o module.

pam_radius_auth library -- radius daemon

call pam_chauthtok()
 |
 |_ call pam_sm_chauthtok()
 |_ call pam_sm_chauthtok()

I don't know the reason.

Why?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

'-' Character in Group

2006-09-28 Thread William A. Peroche
When I use the '-' character as a Group name, the authentication fails. For example:
1. Group Name: -A    Result: Authentication fails
2. Group Name: A-    Result: Authentication successful
What are the valid characters and what is the explanation regarding this?
Thank you very much.

repeat until success?

2006-09-28 Thread Proft, Michael
Hi,

is it possible to configure freeradius to do something like "repeat
until success"? I'm trying to authenticate local users at the same system
freeradius is running on, and I proxy requests to another radius server.
I want to do this _without_ using realms. So if asking for a local user
gives no success, I want to continue by proxying the request to another radius
server. Is this possible in some way?

Thanks for any advice

Michael





Re: Re: How to deny user with changed username when using EAP-TLS

2006-09-28 Thread Marcos González
Marcos González [EMAIL PROTECTED] wrote:

 Is there any way to allow known users (those whose UserName appears in
 radcheck) access, but deny unknown (all other) users?


Huh?  If the user & password aren't known to the server, the default
*is* to reject them.  If that isn't happening, then something in your
config is allowing them in.

As always, run the server in debugging mode to see what's going on.

Alan DeKok.


I think that as I'm using digital certificates (EAP-TLS) to authenticate
users, and the user has a valid one, if there aren't any additional
checks in radcheck, the user has already been authenticated due to the
certificate, and is allowed to enter the network. Is that right?

If that's the case, I'm thinking about using the exec module to call an
external shell script which checks if 'UserName' is included in my
database, and if it's not, modifies 'UserName' to something like
'Unauthorized', a user that will be in a group with 'Auth-Type = Deny'.
Do you think there's an easier way?

Thank you for your help.




Radrelay - Duplicate records...

2006-09-28 Thread Etienne Pretorius

Hello List,

I would like to know if it is possible to set up FreeRADIUS not to log 
accounting info from a specific server to the detail file and still log 
the accounting info into the local mysql database.


Some background on the subject:
I have recently taken over the maintenance of a couple of FreeRADIUS 
servers. I'll be frank, I am not an experienced FreeRADIUS admin, so my 
first priority was to get the accounting information synced at all times 
between our servers. After some searching I found a couple of documents 
and posts about radrelay and I have proceeded to set it up on the 
servers hoping to achieve a two-way accounting replication service.


   +-----------+        +-----------+
   | Primary   |  <===  | Secondary |
   | RADIUS    |  ===>  | RADIUS    |
   +-----------+        +-----------+


As the documentation is quite brief - I assume everything is working 
fine. I kept my eye on the logs and started to see the following appearing.
Wed Sep 27 17:37:45 2006 : Info: rlm_radutmp: Login entry for NAS 1 port 1090715896 duplicate
Wed Sep 27 17:37:46 2006 : Info: rlm_radutmp: Login entry for NAS 1 port 1090716313 duplicate


(Also please note that I am aware of record duplication coming from my 
upstream provider's RADIUS proxy)


When I killed radrelay on the Secondary then everything was OK, except I 
now only have one-way replication happening. Looking at the sql tables 
showed that there are about double the number of records on the primary 
than on the secondary for that time period.


As I have little experience configuring FreeRadius (we all have to 
start somewhere), I would greatly appreciate any help or comments 
about the subject at hand.


Thank you.
Etienne Pretorius







Re: repeat until success?

2006-09-28 Thread R.L. Nevot

Yes, I'm also interested in this feature.
It's something like CISCO ACS does with the 'unknown user policy',
where you can define other radius servers to ask if a user is not in
the local radius.
We are maintaining 2 ACSs because of this feature, and we'd like to shut
these servers down.

Regards





Re: Ascend 16 Bit VSAs

2006-09-28 Thread Adam
Thanks for your help. In the end the attributes were actually Lucent 
16-bit VSAs, not Ascend.  I added:


ATTRIBUTE Ascend-LCP-Keepalive-Period   321 integer Lucent
ATTRIBUTE Ascend-LCP-Keepalive-Missed-Limit 322 integer Lucent

to my /etc/raddb/dictionary and then also had to tell the DSLAM to 
accept 16-bit VSA's.


Thanks
Adam

Alan DeKok wrote:

Alan DeKok [EMAIL PROTECTED] wrote:

  Please put a tcpdump or ethereal capture of the Ascend box sending
or receiving 16-bit VSA's on a web site.  Email the link here.  Odds
are it can be done with just dictionary updates.


  You know, if the ascend 16-bit VSA's are really the Lucent ones,
just add the attributes to the lucent dictionary, and it will work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


--
Adam Ring, GCIA, GCIH, RHCE

Systems Engineer
Green Mountain Access
http://www.gmavt.net/
Phone: (802) 496-8579
Fax: (802) 329-8579


Re: Radrelay - Duplicate records...

2006-09-28 Thread Etienne Pretorius


Just for those that might be interested,

After you get radrelay to sync one-way in both directions then you do 
the following...


You configure in acct_users the following:
# This Configuration prevents Accounting loops of a two-way radrelay sync
#  [o] Radrelay must be sending accounting info from IP(s) below
#   on the other Radius server(s)
DEFAULT Client-IP-Address != SECONDARY RADIUS IP, Acct-Type := RADRELAY


and then in radiusd.conf under 'preacct' you uncomment files like so:
   #
   #  Read the 'acct_users' file
   files

and then under 'accounting' you configure the following:
# If Acct-Type is RADRELAY then log to sql module AND to detail file
# for radrelay - accounting sync daemon
Acct-Type RADRELAY {
   radrelay
   sql
}

This basically means that all accounting packets NOT from the SECONDARY 
RADIUS server will have the sql module and the detail module applied to 
them, while all other packets from the other clients will be processed 
normally.

More info on the technique can be found under doc/Acct-Type.

Etienne Pretorius.



Re: '-' Character in Group

2006-09-28 Thread Alan DeKok
William A. Peroche [EMAIL PROTECTED] wrote:
 What are the valid character and what is the explanation regarding this?

  Does debugging mode say anything useful about this?

  What groups are you using?  Unix groups?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to deny user with changed username when using EAP-TLS

2006-09-28 Thread Alan DeKok
 I think as I'm using digital certificates (EAP-TLS) to authenticate
 users, and the user has a valid one, if there aren't any aditional
 checks in radcheck, the user has already been authenticated due to the
 certificate, and is allowed to enter the network. Is that right?

  Yes.  But you can still reject them before the certificate is
validated.  Or, you can have a Certificate Revocation List that marks
their certificate as invalid.

 If that's the case, I think about using the exec module to call a
 external shell script which checks if 'UserName' is included in my
 database, and if it's not, modify 'UserName' to something like
 'Unauthorized', user that will be in a group with an 'Auth-Type = Deny'.
 Do you think there's an easier way?

  See rlm_exec.  Run the script, and have the script print
Auth-Type := Reject to stdout if the user isn't found.  That should
cause them to be rejected.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
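An added illustration of the rlm_exec approach Alan describes (example code, not from this thread and not part of FreeRADIUS): a POSIX shell script that prints "Auth-Type := Reject" whenever the User-Name is not on a local allow-list, and fails closed on empty or odd-looking names. It assumes rlm_exec is run with input_pairs = request, so User-Name reaches the script as the USER_NAME environment variable, and with output_pairs = config, so the printed pair becomes a check item; the allow-list path /etc/raddb/allowed_users is invented.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS itself.
# Helper for rlm_exec in the spirit of Alan's suggestion: if the User-Name is
# not in a local allow-list, print "Auth-Type := Reject" so the server rejects
# the request before EAP-TLS is even attempted.
#
# Assumptions (also stated in the lead-in):
#  - rlm_exec runs with input_pairs = request, so User-Name is exported to the
#    script as the environment variable USER_NAME ('-' becomes '_', upper-cased);
#  - output_pairs = config, so the printed pair lands in the check items;
#  - the allow-list path below is invented; it holds one User-Name per line.

ALLOWED_USERS="${ALLOWED_USERS:-/etc/raddb/allowed_users}"

# check_user NAME LISTFILE
#   Prints "Auth-Type := Reject" and returns 1 when NAME must be rejected,
#   prints nothing and returns 0 when NAME is on the list.
check_user() {
    name=$1
    list=$2

    # Fail closed: an empty name, or one carrying characters outside a
    # conservative set (letters, digits, . _ @ space and -), is rejected
    # without consulting the list.  This also keeps a crafted User-Name from
    # injecting extra lines into stdout, which rlm_exec would parse as
    # further attribute pairs.
    case $name in
        ""|*[!A-Za-z0-9._@\ -]*)
            echo "Auth-Type := Reject"
            return 1 ;;
    esac

    # -x: whole-line match; -F: literal, so '.' or '*' in a name is not a regex;
    # -- stops a name beginning with '-' from being taken as an option.
    if grep -qxF -- "$name" "$list" 2>/dev/null; then
        return 0
    fi

    # Unknown name (or unreadable list file): reject.
    echo "Auth-Type := Reject"
    return 1
}

# Entry point when invoked by rlm_exec.  Exit 0 either way: the printed pair,
# not the exit status, is what tells the server to reject (as Alan describes).
if [ -n "${USER_NAME+set}" ]; then
    check_user "$USER_NAME" "$ALLOWED_USERS"
    exit 0
fi
```

The script only enforces the allow-list on the name the supplicant sent; the certificate checks and CRL Alan mentions still decide whether the TLS session itself is accepted.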


Re: repeat until success?

2006-09-28 Thread Alan DeKok
Proft, Michael [EMAIL PROTECTED] wrote:
 is it possible to configure freeradius to do something like repeat
 until success. Im trying to authenticate local users at the same system
 freeradius is running on and I proxy requests to another radius server.
 I want to do this _without_ using realms. So if asking for local user
 and no success I want to continue proxying requests to another radius
 server. Is this possible in some way?

  That sounds more like "look up in /etc/passwd, and if not found,
proxy to X".  That should be easy.

  Configure the passwd module to read /etc/passwd.  Read
doc/configurable_failover to see how to run the files module only
if the passwd module returns "notfound".  Then in the users file, do:

DEFAULT Proxy-To-Realm := realm



  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to deny user with changed username when using EAP-TLS

2006-09-28 Thread Marcos González
 I think as I'm using digital certificates (EAP-TLS) to authenticate
 users, and the user has a valid one, if there aren't any aditional
 checks in radcheck, the user has already been authenticated due to the
 certificate, and is allowed to enter the network. Is that right?

  Yes.  But you can still reject them before the certificate is
validated.  Or, you can have a Certificate Revocation List that marks
their certificate as invalid.

Yes, I'm using them to reject users that, although having a valid
certificate, I want to be out of the network, and it works OK. I only wanted
to additionally prevent users who bypass my access control system by
changing their 'UserName' to an unused one from accessing the network.

The revocation list is something I'll give a look, thanks!


 If that's the case, I think about using the exec module to call a
 external shell script which checks if 'UserName' is included in my
 database, and if it's not, modify 'UserName' to something like
 'Unauthorized', user that will be in a group with an 'Auth-Type = Deny'.
 Do you think there's an easier way?

  See rlm_exec.  Run the script, and have the script print
Auth-Type := Reject to stdout if the user isn't found.  That should
cause them to be rejected.

Yes, it seems a good solution. Thank you very much!

  Alan DeKok.



Re: dumb humble question about sqlippool

2006-09-28 Thread Guilherme Franco

Thank you very much for your kindness.

I'm sorry, again, for posting too many questions about this.

It's correct that I'm trying to put this in production, as this is the
only module that has not worked for me.

I'm happy with dialup_admin, AAA and everything else in Oracle!

The only missing thing is sqlippool :(

I know that it is an experimental module and I also have limited time
to work on this module as it's not for me, it's for another company.

In the meantime, I'm using the regular ippool db on NFS with just 1
radius active at a time (to prevent lockups). That was the only way
I've managed to do ippools with 2 servers (are there any
alternatives?).

As you see I can't abandon oracle, nor install postgres, as it would
break some dependencies with other oracle databases that we have.

I'm being such a pain for you guys because the sqlippool module is
almost working! If I saw that it wouldn't work at all, I would never
have taken the time to work on it as I'm doing now :)

I appreciate your concerns and as I'm out of time to deliver the
solution to the client, I think I can't try sqlippool anymore.

That's a shame because I'm almost there!

Now that I've managed to change some things it's doing all the selects
without any errors (they return e.g. ip 1.1.1.1 in sqlplus) but it's
stating "sqlippool_query1: row[0] returned NULL" in radiusd -X (how can
it be null if the select was successful?). It's the only thing
that is preventing the user from getting an IP!! That kind of thing just
takes time to debug...

Besides that, if I don't set pool_name = name_of_the_pool in
sqlippool.conf, allocate-find tries to select from ippool (which does
not exist) instead of the one I've set in the radippool table.

Another issue is related to multiple pools, one with dynamic IPs and
the other with fixed ones (actually it's not possible to do that with
just one sqlippool.conf file without modifying rlm_sqlippool.c).

Another thing lies in proxying - if the proxy returns IP 255.255.255.254
for me, sqlippool does not override it and does nothing (it doesn't
have the override = yes option like ippool).

So, to close this out, I would REALLY LIKE to make this work and help
you guys as well, but because of lack of time, the only way would be to do
this as an enhancement to the already deployed solution for the
client, thanks.

Thank you again!

On 9/28/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Wed 27 Sep 2006 16:41, Guilherme Franco wrote:
 Hi,

 I know you guys must be angry with all the questions I'm posting here.

 In Devel-List, I found this: Is it usefull to community? (SQLIPPOOL
 and NASCATS) by Roman M. Bibikov on Thu, 16 Oct 2003 17:36:26 +1100.

 He says that he created a successful ip pool in Oracle (exactly what I'm
 trying to do) and also that he developed stored functions and procedures
 handling in rlm_oracle (sql_runfunction() and sql_runprocedure())

 I didn't find those functions and I'm wondering if it's because
 of this that I can't make sqlippool work in oracle...

Hi Guilherme

We are not angry. We are however busy, and have limited time.

Any posts you see about sqlippool prior to August 2006 do not directly relate
to the sqlippool module that is in FreeRADIUS 1.1.3 (Although it may share
some code.. There have been several different modules available on the net
called sqlippool prior to the one that is now available as part of
FreeRADIUS)

The code in CVS head has been modified even further (as you know). sqlippool is
an EXPERIMENTAL module which is why it is not enabled by default. It is
currently tested ONLY on Postgresql. There are currently no _known_
production deployments of (our) sqlippool on Oracle although we are happy
that you are testing it and appreciate your feedback.

Currently you are writing many emails to the list with CRITICAL/URGENT etc
in the subject in relation to sqlippool and you are clearly trying to deploy
it for production use. I have very clearly told you previously these issues
and you KNOW that it is an experimental module!!

We are trying to help you as much as we can, but we expect you to also be
prepared to do testing and possibly some development yourself, otherwise
please don't use EXPERIMENTAL modules, especially not in production!

If you wish to have my company (Suntel Communications) develop, test and
support this module for/on an Oracle version of your choice then we would be
happy to do so for a fee (which we can discuss offlist without bothering
everyone else) otherwise you will have to make do with the (free) support we
are providing to you and everyone else via this mailing list in our spare
time.

Alternatively there is a list of other companies/people who would also be
happy to provide you support at http://www.freeradius.org/business/

Regards

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


v1.1.3 - Logging Levels / Syslog / logging passwords

2006-09-28 Thread Lin Richardson
Hello All,

I've been working to configure logging as an aid to supporting our
Freeradius installation.

I'm familiar with logging level flags -x and -xx, as well as the big
debug -X flag. My first observation is that ALL of these flags output to
console by default. Is there any way to make the -xx or -x log to the
logfile?

I have toyed with setting logdir to 'syslog' in the radiusd.conf file.
Alan said in a note to the list on Sept 6 that this feature didn't work
in 1.1.3, but would in 2.0. I find it actually works pretty well IF you
use the -x, -xx or -X flag. The output that usually goes to the screen
(most of it anyway) gets dumped to the syslog on my Solaris box just
fine. It must be because either stderr or stdout gets redirected to
syslog, but not both. The actual requests still scroll on the console.
I figure I can use "> /dev/null 2>&1" or some variant to kill the output
still going to console and background the process...

All of this is good, because I WANT a very verbose log file... my only
problem is that user passwords are logged in clear text as part of the
output - specifically from the pap module. This presents a security
problem. (Never mind why I'm using clear text pap if I'm concerned with
security.)

Is there any way to squish the user password in the -xx output? Are
there any hidden/undocumented settings for radiusd.conf that do that?
Suggestions from those who know? I seem to recall seeing a related
thread a few weeks back, but cannot find it... my apologies in advance
if this is repetitive.

Regards,
Lin Richardson

rpl_perl and housekeeping

2006-09-28 Thread Pshem Kowalczyk

Hi,

We are building a proxy system using rlm_perl. The proxy is responsible for
IP allocation, attribute rewriting and keeping the session database.
The system works fine if all the NASes (and other proxies) behave
properly (ie they send all the packets they are supposed to send etc).
Obviously the real situation is a bit worse and sometimes we get stuck
with a non-existent session in our session db (because the 'Stop'
record never arrived). This situation can be easily detected as we
timestamp all db operations, so in theory we could expire all
outdated sessions or allocated IPs, but so far I can see only one
option to do that - use an external program.
We're not very keen to do it in the packet-handling functions as some
of the operations can be very time consuming, and as a result that
would leave the packet without any answer.
Ideally we would like to see an ability to run some functions at
defined time intervals (not only when a packet comes) so the
housekeeping is done then.
I'm not sure if I'm not stretching the applications of rlm_perl a bit
too far, but if such functionality existed - that would be great.
Or perhaps is there a different method of doing this?

kind regards
pshemko


Re: v1.1.3 - Logging Levels / Syslog / logging passwords

2006-09-28 Thread Alan DeKok
Lin Richardson [EMAIL PROTECTED] wrote:
 Is there any way to squish the user password in the -xx output?  Are there
 any hidden/undocumented setting for radiusd.conf that do that?

  Run a shell script to root through the output & nuke the passwords.
Or, hack the code locally.

  You'll see that there's a major problem with how do you suppress
passwords in debugging output, but not anywhere else?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rpl_perl and housekeeping

2006-09-28 Thread Alan DeKok
Pshem Kowalczyk [EMAIL PROTECTED] wrote:
 The system works fine if all the NASes (and other proxies) behave
 properly (ie they send all the packets they supposed to send etc).
 Obviously real situation is a bit worse and sometimes we get stuck
 with a non-existent session in our session db (because the 'Stop'
 record never arrived).

  radzap?

 Ideally we would like to see an ability to run some functions on
 defined time intervals (not only when a packet comes) so  the
 housekeeping is done then.

  If the data is in an external DB, you can use a cron job to do
that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: v1.1.3 - Logging Levels / Syslog / logging passwords

2006-09-28 Thread Garber, Neal

 Is there any way to squish the user password in the -xx output? Are there
 any hidden/undocumented setting for radiusd.conf that do that?

radiusd -Xx | sed -e 's/\([pP]\)assword.*/\1assword masked/'

This is a tweak from something Alan suggested to me. It gets rid of most of
the passwords (it leaves the password rlm_ldap uses to bind and it removes
some other info, but I think it's pretty close to what you want).

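A fuller version of the same idea, added here as an example (not Neal's or Alan's code, and not part of FreeRADIUS): a POSIX shell filter that masks only the password value and keeps the attribute name, operator and the rest of each -X line, so the trace stays usable for debugging. The lines in SAMPLE_DEBUG are constructed to resemble 1.x debug output, not captured from a server, and the logger invocation in the comment is one way to feed the result to syslog as Lin wants.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS.  Redacts password
# values in radiusd -X output before it is written to a log, keeping the
# attribute name and the rest of the line so the trace is still debuggable.

# mask_passwords: stdin -> stdout.  Four sed expressions, applied in order:
#  1. quoted attribute values:  User-Password = "x"  /  Cleartext-Password := "x"
#  2. bare attribute values:    NT-Password = 0x...
#  3. module messages that quote the password:  ... password "x" for user ...
#  4. module messages ending in a bare password: ... with password x
# Only the value is replaced; [Pp]assword also matches NT-Password, LM-Password
# and similar attribute names because they end in the same word.
mask_passwords() {
    sed -e 's/\([Pp]assword *:\{0,1\}= *\)"[^"]*"/\1"<masked>"/' \
        -e 's/\([Pp]assword *:\{0,1\}= *\)[^" ][^ ]*/\1<masked>/' \
        -e 's/\([Pp]assword "\)[^"]*"/\1<masked>"/' \
        -e 's/\([Pp]assword \)[^" ][^ ]*$/\1<masked>/'
}

# Constructed sample in the style of 1.x -X output (not a real capture).
SAMPLE_DEBUG='rad_recv: Access-Request packet from host 192.168.0.1:2054, id=1, length=151
        User-Name = "alice"
        User-Password = "s3cret!"
        NAS-IP-Address = 192.168.0.1
  users: Matched entry alice at line 12
        Cleartext-Password := "s3cret!"
  rlm_pap: Using clear text password "s3cret!" for user alice
  rlm_pap: login attempt with password s3cret!
  rlm_pap: User authenticated successfully
Sending Access-Accept of id 1 to 192.168.0.1 port 2054'

# redact_sample: returns the constructed sample after masking.
redact_sample() {
    printf '%s\n' "$SAMPLE_DEBUG" | mask_passwords
}

# Typical use (Lin's case): -X writes to both stdout and stderr, so merge them
# before the filter, then hand the result to syslog instead of the console:
#   radiusd -X 2>&1 | mask_passwords | logger -t radiusd
# Lines that print a secret in some other shape (Neal mentions the rlm_ldap
# bind password) need a pattern of their own; review the unmasked -X output
# once before trusting the filter on a production log.
redact_sample
```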

Re: rpl_perl and housekeeping

2006-09-28 Thread Pshem Kowalczyk

On 9/29/06, Alan DeKok [EMAIL PROTECTED] wrote:

{cut}


 Ideally we would like to see an ability to run some functions on
 defined time intervals (not only when a packet comes) so  the
 housekeeping is done then.

  If the data is in an external DB, you can use a cron job to do
that.



Hmm, definitely we would prefer to keep everything in a single place,
but the option of using radzap (or radclient) to sort out the
problems is also pretty interesting (it saves us a lot of code
duplication).

Thx for the idea.

kind regards
pshemko


Freeradius is not restarting properly (fails to quit and becomes a zombie process)

2006-09-28 Thread Jason Wittlin-Cohen
Over the last few days I've been having a recurring problem. Whenever I
start Freeradius either with radiusd in a terminal or as a service in
Debian, I can not restart/kill radiusd properly if it's authenticated
any clients. Restarting the service says it's successful but the radius
log states that port 1812 is already in use. top shows 100% cpu usage
after I attempt to restart radiusd. In addition, kill will not work. I
need to use kill -9. No errors are thrown when I try to kill it in debug
mode either. It just says exiting and sits there but doesn't die.

The only change I have made to radiusd.conf was to set the user and
group to nobody and nogroup respectively. I've copied the contents of my
eap.conf configuration file below.

# -*- text -*-
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#$Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
default_eap_type = tls

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to yes, you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform it's authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Password, or the NT-Password attributes.
#  'System' authentication is impossible with LEAP.
#
leap {
}

#  Generic Token Card.
#
#  Currently, this is only permitted inside of EAP-TTLS,
#  or EAP-PEAP.  The module challenges the user with
#  text, and the response from the user is taken to be
#  the User-Password.
#
#  Proxying the tunneled EAP-GTC session is a bad idea,
#  the users password will go over the wire in plain-text,
#  for anyone to see.
#
gtc {
#  The default challenge, which many clients
#  ignore..
#challenge = Password: 

#  The plain-text response which comes back
#  is put into a User-Password attribute,
#  and passed to another module for
#  authentication.  This allows the EAP-GTC
#  response to be checked against plain-text,
#  or crypt'd passwords.
#
#  If you say Local instead of PAP, then
#  the module will look for a User-Password
#  configured for the request, and do the
#  authentication itself.
#
auth_type = PAP
}

## EAP-TLS
#
#  To generate ctest certificates, run the script
#
#../scripts/certs.sh
#
#  The documents on http://www.freeradius.org/doc
#  are old, but may be 

Re: Freeradius is not restarting properly (fails to quit and becomes a zombie process)

2006-09-28 Thread James Wakefield


Howdy Jason,

Might you get any useful info by running radiusd with strace?

Cheers,

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Re: Freeradius is not restarting properly (fails to quit and becomes a zombie process)

2006-09-28 Thread Jason Wittlin-Cohen
select(5, [3 4], NULL, NULL, {6, 0})= 1 (in [3], left {5, 992000})
time(NULL)  = 1159497421
recvfrom(3, \1\1\0\227\247\326\245\\\207\222(\352H\305\311\213\300...,
4096, 0, {sa_family=AF_INET, sin_port=htons(2054),
sin_addr=inet_addr(192.168.0.1)}, [16]) = 151
write(1, rad_recv: Access-Request packet ..., 77rad_recv:
Access-Request packet from host 192.168.0.1:2054, id=1, length=151
) = 77
time(NULL)  = 1159497421
write(1, \tUser-Name = \Jason Wittlin-Cohe..., 35User-Name =
Jason Wittlin-Cohen
) = 35
write(1, \tNAS-IP-Address = 192.168.0.1\n, 30 NAS-IP-Address = 192.168.0.1
) = 30
write(1, \tCalled-Station-Id = \00160112eb..., 36   
Called-Station-Id = 00160112ebda
) = 36
write(1, \tCalling-Station-Id = \00095b934..., 37   
Calling-Station-Id = 00095b93459e
) = 37
write(1, \tNAS-Identifier = \00160112ebda\..., 33   NAS-Identifier =
00160112ebda
) = 33
write(1, \tNAS-Port = 8\n, 14 NAS-Port = 8
)= 14
write(1, \tFramed-MTU = 1400\n, 19Framed-MTU = 1400
)   = 19
write(1, \tState = 0x8570d74429dcf8507949a..., 44 State =
0x8570d74429dcf8507949ae638bd52940
) = 44
write(1, \tNAS-Port-Type = Wireless-802.11..., 33 NAS-Port-Type =
Wireless-802.11
) = 33
write(1, \tEAP-Message = 0x020800060d00\n, 30 EAP-Message = 0x020800060d00
) = 30
write(1, \tMessage-Authenticator = 0xb781d..., 60
Message-Authenticator = 0xb781dd8563450fa51bff3ce9be35dac3
) = 60
time(NULL)  = 1159497421
write(1,   Processing the authorize secti..., 51  Processing the
authorize section of radiusd.conf
) = 51
time(NULL)  = 1159497421
write(1, modcall: entering group authoriz..., 48modcall: entering
group authorize for request 8
) = 48
time(NULL)  = 1159497421
write(1,   modcall[authorize]: module \pr..., 67  modcall[authorize]:
module preprocess returns ok for request 8
) = 67
time(NULL)  = 1159497421
write(1,   modcall[authorize]: module \ch..., 63  modcall[authorize]:
module chap returns noop for request 8
) = 63
time(NULL)  = 1159497421
write(1,   modcall[authorize]: module \ms..., 65  modcall[authorize]:
module mschap returns noop for request 8
) = 65
time(NULL)  = 1159497421
write(1, rlm_realm: No \'@\' in User-Na..., 82rlm_realm: No
'@' in User-Name = Jason Wittlin-Cohen, looking up realm NULL
) = 82
time(NULL)  = 1159497421
time(NULL)  = 1159497421
write(1, rlm_realm: No such realm \NU..., 36rlm_realm: No
such realm NULL
) = 36
time(NULL)  = 1159497421
write(1,   modcall[authorize]: module \su..., 65  modcall[authorize]:
module suffix returns noop for request 8
) = 65
time(NULL)  = 1159497421
write(1,   rlm_eap: EAP packet type respo..., 50  rlm_eap: EAP packet
type response id 8 length 6
) = 50
time(NULL)  = 1159497421
write(1,   rlm_eap: No EAP Start, assumin..., 68  rlm_eap: No EAP
Start, assuming it's an on-going EAP conversation
) = 68
time(NULL)  = 1159497421
write(1,   modcall[authorize]: module \ea..., 65  modcall[authorize]:
module eap returns updated for request 8
) = 65
time(NULL)  = 1159497421
write(1, users: Matched entry Jason W..., 56users: Matched
entry Jason Wittlin-Cohen at line 96
) = 56
time(NULL)  = 1159497421
write(1,   modcall[authorize]: module \fi..., 62  modcall[authorize]:
module files returns ok for request 8
) = 62
time(NULL)  = 1159497421
write(1, modcall: leaving group authorize..., 65modcall: leaving group
authorize (returns updated) for request 8
) = 65
time(NULL)  = 1159497421
write(1,   rad_check_password:  Found Aut..., 43  rad_check_password: 
Found Auth-Type EAP
) = 43
time(NULL)  = 1159497421
write(1, auth: type \EAP\\n, 17auth: type EAP
)= 17
time(NULL)  = 1159497421
write(1,   Processing the authenticate se..., 54  Processing the
authenticate section of radiusd.conf
) = 54
time(NULL)  = 1159497421
write(1, modcall: entering group authenti..., 51modcall: entering
group authenticate for request 8
) = 51
time(NULL)  = 1159497421
write(1,   rlm_eap: Request found, releas..., 49  rlm_eap: Request
found, released from the list
) = 49
time(NULL)  = 1159497421
write(1,   rlm_eap: EAP/tls\n, 19  rlm_eap: EAP/tls
)= 19
time(NULL)  = 1159497421
write(1,   rlm_eap: processing type tls\n, 31  rlm_eap: processing
type tls
) = 31
time(NULL)  = 1159497421
write(1,   rlm_eap_tls: Authenticate\n, 28  rlm_eap_tls: Authenticate
) = 28
time(NULL)

Why is the default DH keysize only 512 bits?

2006-09-28 Thread Jason Wittlin-Cohen

I noticed that the default DH keysize in FreeRadius 1.1.3 is 512 bits.
As DH keys have approximately the same strength as RSA keys, and 512
bit RSA keys have already been broken, wouldn't it be advisable to use
at least 1024 bit DH keys as the minimum size? 1024 bits is currently
the minimum recommended size for a DSA/RSA certificate. It might also
be a good idea to include the option commented out in eap.conf so users
know that it's something they can change. I originally thought that the
DH keysize would be determined by the DH parameter file and only
realized that it was still using 512 bit keys when I ran freeradius in
debug mode. As far as performance goes, I've tested with 2048 bit and
3072 bit DH keys with no performance degradation. Authentication occurs
in 1-2 seconds using the Funk Odyssey client on Windows XP SP2 with
3072 bit RSA certificates and 3072 bit DH key exchange. 

Also, it might be a good idea to put a comment in the TLS cipher suite
comment section that the Microsoft Windows supplicant in Windows XP SP2
uses RC4-MD5 by default (TLS_RSA_WITH_RC4_128_MD5). First, MD5 is
deprecated and weak. SHA-1 should be used in its place. Secondly, DH
is preferable to RSA for key exchange because it provides perfect
forward secrecy. If RSA is used for encryption, a compromise of the
client private key would allow an attacker to gain access to the master
keys used to encrypt all prior wireless sessions whereas fresh DH keys
are produced on each authentication and deleted after use. OpenSSL's
'HIGH' setting is probably the best for a Windows XP user as it uses
EDH-RSA-DES-CBC3-SHA (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA), so SHA1 is
used for integrity, and DH is used for key exchange. Windows XP SP2 and
earlier versions of Windows do not support AES for use in any of the
EAP modes. Apparently, if you want to use AES you need to upgrade to
Vista (See Security in Vista) or use a 3rd party supplicant like the Funk Odyssey
Client which I use (uses TLS_DH_RSA_WITH_AES_256_CBC_SHA with default
Freeradius setup). 

Jason Wittlin-Cohen