Accounting-Response

2006-10-26 Thread Vasea Marii
I need to configure freeradius to send specific attributes in the Accounting-Response packet! I use a MySQL database, so it would be nice to configure freeradius to send these attributes (as VSAs) from the database! In sql.conf there are auth_reply configuration queries, but I couldn't find a way to do it for the Accounting-Response! My NAS is absolutely configurable, so there is no problem with the NAS understanding these new attributes! Thanks!
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_krb5

2006-10-26 Thread Phil Mayers

[EMAIL PROTECTED] wrote:


Can't use that as an argument, mickeysoft strongly recommends to leave 
it disabled, and I'm not the Windows admin.


Don't send HTML to the list.

As Alan has tried to explain, the Reversible Encryption flag in AD is 
not needed. So you don't need to change anything.


Just set up Samba on your machine, join the domain, and configure 
FreeRadius to use the ntlm_auth helper in the mschap module.


This is documented lots of places. Use google.


Re: Double-free in src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c causes crash on HUP

2006-10-26 Thread Phil Mayers

Phil Mayers wrote:
At least on RHEL4 with glibc 2.3.4-2.13, a double-free in the above file 
causes a crash on HUP in some circumstances. I've confirmed that 
removing this fixes the issue.


459
460     free(conf->check_cert_cn);
461     free(conf->check_cert_cn);
462     free(conf->cipher_list);


Submitted to bugs.freeradius.org as bug 404

The bug tracker is insanely slow...


Freeradius server can not see any request from clients.

2006-10-26 Thread richard Bai

Hi, everyone,

I face a very strange problem right now when I configure a freeradius server with PEAP + LDAP.

I can start the radius in debug mode properly. I get following lines:
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

Then I did a test by using  radtest username password localhost 0 sharedsecret
And the radius server replied with an Access-Accept message. So, I think the server works just fine.

But when I tested by using radtest username password IP of server 0 sharedsecret from a client connected to the server through a hub, I can not get anything back.
I even did not see any Access-Request information in debug mode on the radius server. It looks like the radius doesn't receive anything.
However, I sniffed the interface via Ethereal and used  tcpdump -v port 1812  on the server, and I do see the Access-Request packet received by the interface on the server.
I confirmed that port 1812 is open. 

Please give me some idea. Any advice or solution is welcome.

Thank you very much!



Best Regards
Richard

Re: Freeradius server can not see any request from clients.

2006-10-26 Thread Vasea Marii
I guess you didn't type "radtest username password localhost 0 sharedsecret" but "radtest username password localhost 1812 sharedsecret". Why send it to port 0?

Radius Attributes

2006-10-26 Thread Manuel Sánchez Cuenca

Hello all,

How must I configure my freeradius server to include in the 
Access-Accept response to the AP several radius attributes such as 
Session-Timeout or Framed-IP-Address?


Thanks in advance.

--
-
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644    Fax: +34-968-364151
email: [EMAIL PROTECTED]  |  [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo

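No reply to this question appears on this page. As an added example (not configuration from the thread or from the FreeRADIUS distribution), this is the rlm_files way of doing it: reply items listed under a matching entry in the users file are copied into the Access-Accept sent back to the NAS. The syntax is the FreeRADIUS 1.1.x one (Cleartext-Password as the check item; 1.0 used User-Password == instead); the user name, password and addresses are placeholders.

```text
# /etc/raddb/users, read by the "files" module in the authorize section.
# First line: name and check items. Indented continuation lines: reply items,
# which are returned to the NAS (here the AP) in the Access-Accept.
bob     Cleartext-Password := "placeholder-password"
        Session-Timeout = 3600,
        Framed-IP-Address = 192.0.2.10

# Entries are matched top to bottom; a DEFAULT entry catches everyone else,
# for example users authenticated by EAP against another backend.
DEFAULT
        Session-Timeout = 7200,
        Idle-Timeout = 600
```

Session-Timeout tells the NAS to end the session after that many seconds (with Termination-Action = RADIUS-Request an 802.1X AP reauthenticates instead of disconnecting). Framed-IP-Address is only acted on by a NAS that assigns addresses itself (PPP, VPN); a wireless AP normally leaves that to DHCP and ignores the attribute, so check the AP's documentation before relying on it. With rlm_sql the same reply items come from the radreply table instead.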


Re: Freeradius server can not see any request from clients.

2006-10-26 Thread richard Bai
Hi, 

Actually, the 0 in the radtest command means NAS-Port. Since 1812 is the default port for radius defined in /etc/services, the Access-Request is always sent to port 1812.
I can see the same message as follows when I type either 0 or 1812:
 Sending Access-Request of id 40 to IP of server port 1812
        User-Name = username
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0/1812 (according to the number typed in the radtest command)

Now, I am not sure whether the RADIUS server receives the Access-Request from the client or not. As I said, I can see the packet arrive at the interface and port of the server, but no information is printed out in RADIUS debug mode. 

And the local test just works fine.

Thanks!

BR
Richard

Re: Freeradius server can not see any request from clients.

2006-10-26 Thread Owen DeLong

Sounds like you may be running iptables or other similar filter software
on your server which is blocking the packet from reaching RADIUS.

Owen


Re: Freeradius server can not see any request from clients.

2006-10-26 Thread Hernan Antolini

Richard, to be sure about the packet arriving at the radius machine and to see the content of the packet you can use netcat.
@radius-server : nc -l -u -p 1812 -vv -o /tmp/dump_hex_packet (will use UDP and dump hex info)
@client_machine : radtest as usual

hope it helps

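Hernan's netcat listener checks what tcpdump cannot: that the datagram reaches a userspace socket. On Linux, libpcap sees the frame before the netfilter INPUT chain runs, so a packet shown by tcpdump can still be dropped by the host firewall before any socket gets it. The following is an added example, not code from the thread or from FreeRADIUS: a Python listener that does the same as nc -l -u -p 1812 and additionally decodes the Access-Request that radtest sends, including the User-Password hidden with the shared secret (RFC 2865 section 5.2). The shared secret "sharedsecret" and the attribute values are the ones quoted in the thread; the sample packet is constructed in the block so the decoder can be exercised without a network. radiusd must be stopped before listen() can bind the port.

```python
"""Added example for this thread (not code from FreeRADIUS or from the list):
listen on UDP 1812 like "nc -l -u -p 1812" and decode what radtest sends.
Assumed values, taken from the thread: shared secret "sharedsecret",
User-Name "username", User-Password "password", NAS-IP-Address
255.255.255.255, NAS-Port 0. SAMPLE_PACKET below is constructed here."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
ATTR_NAMES = {USER_NAME: "User-Name", USER_PASSWORD: "User-Password",
              NAS_IP_ADDRESS: "NAS-IP-Address", NAS_PORT: "NAS-Port"}


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks; block n is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + RA)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the keystream depends only on the ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, nas_ip, nas_port,
                         ident=40, authenticator=None):
    """Build the packet radtest would send (id 40 as in the thread's output)."""
    authenticator = authenticator or os.urandom(16)

    def tlv(attr_type, value):
        return struct.pack("!BB", attr_type, 2 + len(value)) + value

    attrs = (tlv(USER_NAME, username.encode())
             + tlv(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + tlv(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + tlv(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet, secret):
    """Return (identifier, {attribute name: value}); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        name = ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)
        if attr_type == USER_PASSWORD:
            if len(value) % 16 or not 16 <= len(value) <= 128:
                raise ValueError("User-Password must be 1..8 blocks of 16 bytes")
            attrs[name] = reveal_password(value, secret, authenticator).decode("utf-8", "replace")
        elif attr_type == NAS_IP_ADDRESS and len(value) == 4:
            attrs[name] = socket.inet_ntoa(value)
        elif attr_type == NAS_PORT and len(value) == 4:
            attrs[name] = struct.unpack("!I", value)[0]
        else:
            attrs[name] = value.decode("utf-8", "replace")
        pos += attr_len
    return ident, attrs


def listen(secret, port=1812):
    """Bind the port radiusd would use (stop radiusd first) and print each request."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, peer = sock.recvfrom(4096)
        try:
            ident, attrs = parse_access_request(data, secret)
            print("Access-Request id %d from %s: %s" % (ident, peer[0], attrs))
        except ValueError as err:
            print("%d bytes from %s: %s" % (len(data), peer[0], err))


# Constructed sample: what "radtest username password <server> 0 sharedsecret" sends.
SAMPLE_PACKET = build_access_request(b"sharedsecret", "username", "password",
                                     "255.255.255.255", 0)

if __name__ == "__main__":
    print(parse_access_request(SAMPLE_PACKET, b"sharedsecret"))
```

If nothing is printed while tcpdump shows the packet, the host firewall is the usual reason, as it turned out to be in this thread. If the decoded User-Password is garbage, the client and server secrets differ: an Access-Request without a Message-Authenticator carries no integrity check, so a wrong secret shows up only as an undecodable password, never as a parse error.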

Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]

2006-10-26 Thread B Thompson
On Thu, Oct 26, 2006 at 12:22:48AM +0100, Phil Mayers wrote:
 B Thompson wrote:
 On Wed, Oct 25, 2006 at 10:57:55AM +0100, Phil Mayers wrote:
 B Thompson wrote:
 I cannot continue to use 1.1.3 as we are regularly using HUP to re-read
 the configs and there appears to be a problem with this in versions  
 1.0.1.
 
 
 Yes, there does.
 
 I haven't had time to gather the relevant debugging info (we just 
 restart instead of HUP the server as a workaround) but we have several 
 processes running on the same box. Some crash on hup, some don't. Those 
 that do are the ones with the eap/peap modules enabled, so I am thinking 
 it might be SSL related.
 
 What platform are you running on? We're on RHEL4, OpenSSL 0.9.7a, 
 FreeRadius 1.1.3
 
 Yes, Same here.
 
 
 Found it. Double-free at line 460 of 
 src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c - see the email I 
 just sent.

There must be two separate issues with HUP as this has not fixed the
problems we are seeing. Here is my original email about it :-

http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-March/051856.html

-- 

Ben Thompson


Re: Freeradius server can not see any request from clients.

2006-10-26 Thread richard Bai
Hi, Everyone,

Thanks for helping. I think I found the problem. The damn firewall is running automatically with the system.
After I disabled it, RADIUS started responding. 

So, although I can see the request packet arrive at the interface and port with the tcpdump command, it doesn't mean the RADIUS server sees the packet. 

Thanks again!
BR
Richard

freeradius and ntlm_auth howto

2006-10-26 Thread Stieven . Struyf

All,
I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto.
Can one of the users look at the output below and point me to the correct solution/howto?

I set up smb.conf, krb5.conf and freeradius.
I joined the server to the domain and tested the connection with ntlm_auth:
[EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
password:
NT_STATUS_OK: Success (0x0)
[EMAIL PROTECTED] ~]#

rights of the winbind pipe: 
ls -l /var/cache/samba/winbindd_privileged
total 0
srwxrwxrwx  1 root root 0 Oct 25 14:46 pipe

below is the debug output of freeradius

  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
  PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
  PEAP: Adding old state with a4 c3
  PEAP: Sending tunneled request
        EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c38a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = KMT-EU.KMTG.NET\\sstruyf
        State = 0xa4c337a92357e8d90a5f8c64b37d2df1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module preprocess returns ok for request 7
  modcall[authorize]: module mschap returns noop for request 7
    rlm_realm: No '@' in User-Name = KMT-EU.KMTG.NET\sstruyf, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module kmt-eu.kmtg.net returns noop for request 7
    rlm_realm: Looking up realm KMT-EU.KMTG.NET for User-Name = KMT-EU.KMTG.NET\sstruyf
    rlm_realm: Found realm KMT-EU.KMTG.NET
    rlm_realm: Adding Stripped-User-Name = sstruyf
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = KMT-EU.KMTG.NET
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module ntdomain returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 82
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 7
    users: Matched sstruyf at 98
  modcall[authorize]: module files returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
 mschap2: 95
  rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 7
modcall: group Auth-Type returns reject for request 7
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 

RE: freeradius and ntlm_auth howto

2006-10-26 Thread Jonathan De Graeve
The debugging output is exactly saying what's wrong:

Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

This dir should be readable by freeradius AND winbind. I thought 750 would work.

J.

--
Jonathan De Graeve
IMELDA vzw
Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98

Re: Accounting-Response

2006-10-26 Thread Alan DeKok
Vasea Marii [EMAIL PROTECTED] wrote:
 I need to configure freeradius to send specific attributes in
 accounting-response packet!

  Why? (Or should I say Why!)

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Double-free in src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c causes crash on HUP

2006-10-26 Thread Alan DeKok
Phil Mayers [EMAIL PROTECTED] wrote:
 Submitted to bugs.freeradius.org as bug 404

  I'll commit a fix in a few hours.  This means we should release
another 1.1.x...

 The bug tracker is insanely slow...

  As is www.freeradius.org occasionally.  I'm in the process of moving
them, in between family, job, and trips out of the country, I'm nearly
maxed out.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]

2006-10-26 Thread Alan DeKok
B Thompson [EMAIL PROTECTED] wrote:
 http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-March/051856.html

  A short work-around (i.e. hack) may be to not reload everything on HUP.

  Why are you HUPing it so often?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius and ntlm_auth howto

2006-10-26 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I am trying to authenticate my wifi users via our AD. I'm finding bits and 
 pieces on the internet to configure things, but no completely usable 
 howto.

  What's missing from any of the HOWTO's?  There's some on the Wiki,
and one on my site.

 Exec-Program-Wait: plaintext: winbind client not authorized to use 
 winbindd_pam_auth_crap.  Ensure permissions on 
 /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

  You're running the server as non-root, and the programs it executes
don't run as root, so they don't have permissions to read that
directory.  Make the server run as root, or fix the permissions.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
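The debug output in the original post names the two things to change, and Jonathan's and Alan's replies cover the second: rlm_mschap asks whether with_ntdomain_hack should be enabled, and the ntlm_auth helper is refused entry to /var/cache/samba/winbindd_privileged. As an added example, not configuration from the thread, this is a FreeRADIUS 1.1.x mschap module section that issues the same ntlm_auth call the debug output shows, with the domain taken from the post; the path /usr/bin/ntlm_auth is the one from the post and the group name in the note below is an assumption.

```text
# radiusd.conf, inside "modules { ... }" (FreeRADIUS 1.1.x). Added example, not
# from the thread: the domain is the one in the debug output.
mschap {
        # rlm_mschap logged "NT Domain delimeter found, should we have enabled
        # with_ntdomain_hack?": Windows sends DOMAIN\user as User-Name but
        # computes the MS-CHAPv2 response from "user" alone, so strip the prefix.
        with_ntdomain_hack = yes

        # Hand the challenge/response to winbind instead of requiring an
        # NT-Password in the users file. %{mschap:User-Name} is the name
        # without the domain prefix, as seen in the debug output
        # ("--username=sstruyf"); the fallbacks (:-None, :-00) keep the
        # command well-formed when an attribute is missing.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=KMT-EU.KMTG.NET --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

ntlm_auth runs as the user and group named by the user/group settings in radiusd.conf, and winbindd only answers the pam_auth_crap request from a client that could open the socket inside winbindd_privileged. The directory, not the pipe, is the gate: the srwxrwxrwx pipe in the ls output changes nothing while the directory stays root:root 0750. Give the radiusd group access (chgrp radiusd /var/cache/samba/winbindd_privileged; chmod 750 /var/cache/samba/winbindd_privileged, with "radiusd" assumed to be that group), which is the 750 Jonathan mentions. Running radiusd as root, as Alan mentions, avoids the question but then every program the server executes runs as root too.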


Re: Accounting-Response

2006-10-26 Thread Vasea Marii
I'm sorry, I didn't understand the tone of the answer, but hoping for the best I'll say that I'm trying to do routing on RADIUS. I mean a conversation between the NAS and RADIUS (where the routes are stored in MySQL), and using a VSA I could send the NAS the needed route! Thanks in advance!

Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]

2006-10-26 Thread Phil Mayers

Alan DeKok wrote:

B Thompson [EMAIL PROTECTED] wrote:

http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-March/051856.html


  A short work-around (i.e. hack) may be to not reload everything on HUP.

  Why are you HUPing it so often?


I realise this question wasn't directed to me, but the reason we HUP it 
so often is to reload a *large* rlm_passwd map in response to users 
registering and de-registering for things, and users being blocked and 
unblocked.


I realise in theory an SQL lookup might make more sense, but frankly 
we've found SQL in FreeRadius to be less-than reliable in the past, and 
it's certainly never going to be anything like as fast as rlm_passwd. 
Largely these issues were to do with peak load scaling and MVCC issues 
in Postgres (MySQL not being an option).


It's my intention to write and contribute an rlm_tdb module at some 
point when I have the free time (ha!) which would allow update processes 
to write to the binary map file whilst FR is running e.g.


modules {
  tdb mac2zone {
    file = %{confdir}/mac2zone.tdb
    key = Calling-Station-Id
    result = ~MyZone ~MyHostId
  }
  tdb nas2vlanset {
    file = %{confdir}/nas2vlanset.tdb
    key = NAS-IP-Address
    result = ~MyVlanset ~MyNasId
  }
  tdb zonevlan2vlan {
    file = %{confdir}/zonevlan2vlan
    key = MyZone MyVlanset
    result = Tunnel-Private-Group-Id
  }
}

authorize {
  preprocess
  files
  Autz-Type MACBASEVLANS {
mac2zone
nas2vlanset
zonevlan2vlan
  }
}

...and one could update the .tdb live
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
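The three-stage lookup sketched in the rlm_tdb proposal above (Calling-Station-Id to zone, NAS-IP-Address to VLAN set, then zone plus VLAN set to Tunnel-Private-Group-Id), as an added Python example that is not part of the proposal or of FreeRADIUS; plain dicts stand in for the three .tdb map files, and every MAC address, NAS IP, zone name and VLAN id is constructed sample data. It also covers the part the proposal leaves implicit: normalising the MAC spelling before the lookup, and failing closed when any stage misses.

```python
import re

# Constructed sample maps standing in for the three .tdb files in the
# proposal. Each would be a key/value file that an update process can
# rewrite while the server keeps serving requests, so no HUP is needed.
MAC2ZONE = {            # Calling-Station-Id -> (MyZone, MyHostId)
    "00-11-22-33-44-55": ("staff", "host-1001"),
    "00-11-22-33-44-66": ("blocked", "host-1002"),   # a blocked host
}
NAS2VLANSET = {         # NAS-IP-Address -> (MyVlanset, MyNasId)
    "192.0.2.10": ("building-a", "nas-a"),
    "192.0.2.20": ("building-b", "nas-b"),
}
ZONEVLAN2VLAN = {       # (MyZone, MyVlanset) -> Tunnel-Private-Group-Id
    ("staff", "building-a"): "101",
    ("staff", "building-b"): "201",
    # deliberately no row for zone "blocked": a blocked host gets no VLAN
}


def normalise_mac(value):
    """Calling-Station-Id arrives as 00:11:22:33:44:55, 00-11-22-33-44-55
    or 0011.2233.4455 depending on the NAS vendor; map all of them to one
    upper-case, dash-separated key so each MAC has exactly one map entry."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % (value,))
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def resolve_vlan(request, mac2zone=MAC2ZONE, nas2vlanset=NAS2VLANSET,
                 zonevlan2vlan=ZONEVLAN2VLAN):
    """Play the role of the mac2zone, nas2vlanset and zonevlan2vlan
    instances chained in the Autz-Type MACBASEVLANS block.

    Returns (rcode, reply). rcode follows the module return codes: "ok"
    with the VLAN attributes in reply, or "notfound" with an empty reply
    when any stage misses. A miss fails closed: the NAS gets no
    Tunnel-Private-Group-Id instead of a guessed default VLAN."""
    try:
        mac = normalise_mac(request.get("Calling-Station-Id", ""))
    except ValueError:
        return "notfound", {}

    zone_entry = mac2zone.get(mac)                                  # stage 1
    vlanset_entry = nas2vlanset.get(request.get("NAS-IP-Address"))  # stage 2
    if zone_entry is None or vlanset_entry is None:
        return "notfound", {}
    zone, host_id = zone_entry
    vlanset, nas_id = vlanset_entry

    vlan = zonevlan2vlan.get((zone, vlanset))                       # stage 3
    if vlan is None:
        return "notfound", {}

    # Tunnel-Type and Tunnel-Medium-Type accompany Tunnel-Private-Group-Id
    # in a RADIUS VLAN assignment (RFC 3580). MyZone/MyVlanset are the
    # intermediate results that fed stage 3; MyHostId/MyNasId ride along
    # for logging and are not meant to reach the NAS.
    return "ok", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
        "intermediate": {"MyZone": zone, "MyVlanset": vlanset,
                         "MyHostId": host_id, "MyNasId": nas_id},
    }


if __name__ == "__main__":
    sample = {"Calling-Station-Id": "00:11:22:33:44:55",
              "NAS-IP-Address": "192.0.2.10"}
    print(resolve_vlan(sample))          # ok, VLAN 101
    # A live change to the map takes effect on the next request, which is
    # the point of rewriting the map file instead of HUPing the server.
    MAC2ZONE["00-11-22-33-44-55"] = ("blocked", "host-1001")
    print(resolve_vlan(sample))          # notfound, no VLAN
```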


Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]

2006-10-26 Thread Phil Mayers

B Thompson wrote:

On Thu, Oct 26, 2006 at 12:22:48AM +0100, Phil Mayers wrote:

B Thompson wrote:

On Wed, Oct 25, 2006 at 10:57:55AM +0100, Phil Mayers wrote:

B Thompson wrote:

I cannot continue to use 1.1.3 as we are regularly using HUP to re-read
the configs and there appears to be a problem with this in versions  
1.0.1.




Yes, there does.

I haven't had time to gather the relevant debugging info (we just 
restart instead of HUP the server as a workaround) but we have several 
processes running on the same box. Some crash on hup, some don't. Those 
that do are the ones with the eap/peap modules enabled, so I am thinking 
it might be SSL related.


What platform are you running on? We're on RHEL4, OpenSSL 0.9.7a, 
FreeRadius 1.1.3

Yes, Same here.

Found it. Double-free at line 460 of 
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c - see the email I 
just sent.


There must be two separate issues with HUP as this has not fixed the
problems we are seeing. Here is my original email about it :-


Could you run FR like this to trace it maybe?

./configure --enable-developer
make
make install
gdb /usr/local/sbin/radiusd
set logging file radiusd.log
set logging on
handle SIGHUP nostop
break modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c:323
run -f
# wait for it to crash
thread apply all bt full
print conf
print conf->certificate_file
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Q: ABOUT: GET AN ATTRIBUTE FROM NAS TO CHANGE QUERY IN RADIUS

2006-10-26 Thread Alejandro Sanchez
Hi everybody.

I need to get the attribute Caller-Station-ID and then
include it in the where section of the query that
accesses the table radreply. This is because I have only
1 user to access the IP net from PSTN but I need to send
back different values to the device depending on what
station is calling.

How can I get this behavior?

Thanks in advance








- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius + NIS

2006-10-26 Thread Dagoberto Carvalio Junior

Dear friends,

I have an authentication problem, as I opted to use FreeRadius. I kindly ask you to answer whether FreeRadius has support to fetch the user base of a NIS server. Forgive my English, as I am Brazilian.

See you, and thanks.

Dagoberto Carvalio Junior
Systems Analyst - Universidade de São Paulo.

--

Dagoberto Carvalio Junior - CCNA/CCAI/FCPF/FCPM/SCS
Systems Analyst

Instituto de Ciencias Matematicas e de Computacao
UNIVERSIDADE DE SAO PAULO

USER LINUX #417157

EMail : [EMAIL PROTECTED]
Tel  : 55 16 3373-9652





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radiusd service hang

2006-10-26 Thread Karthik R
I'm running freeradius on a RHEL v3 box to authenticate 802.11 users against AD. All of a sudden the 802.11 users can't get authenticated against AD unless I restart the radius service on the Linux box. It looks like the radius service hangs at least once a week for no reason; I couldn't find anything in the log file /var/log/messages.

Is anyone facing this issue? Every time the users complain that wireless is not working, I have to restart the service manually. Any help would be appreciated.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]

2006-10-26 Thread Alan DeKok
Phil Mayers [EMAIL PROTECTED] wrote:
 I realise this question wasn't directed to me, but the reason we HUP it 
 so often is to reload a *large* rlm_passwd map in response to users 
 registering and de-registering for things, and users being blocked and 
 unblocked.

  Ok.  I think in the CVS head, we should fix HUP so that all modules
have a reload method.  HUP will cause module config to be reloaded,
but will NOT change anything else.

 It's my intention to write and contribute an rlm_tdb module at some 
 point when I have the free time (ha!) which would allow update processes 
 to write to the binary map file whilst FR is running e.g.

  Sounds good to me.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accountig-Response

2006-10-26 Thread Alan DeKok
Vasea Marii [EMAIL PROTECTED] wrote:

 I'm sory..i didn' understand the tone of the answer 

  sigh All of your sentences end with exclamation marks!  You seem
very excited!  Always!

 but hopping for best i say that i try to make routing on Radius, i
 mean that a conversation between NAS and Radius(where the routes are
 stored in MySQL) and using a VSA i could send to the NAS the needed
 route !

  Uh, no.  Routes are assigned in Access-Accept, not in
Accounting-Response.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Number of concurrencies requests

2006-10-26 Thread Italo Morellato
Hi,

my freeradius 1.1.1 with CentOS 4.4 has a big problem
with more than 6 concurrent requests...
Is this possible?
How can I increase or cache input requests?

Italo Morellato...
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radiusd service hang

2006-10-26 Thread David Roze




Hi Karthik,

I used to have the same problem in 2 different cases:
- When Freeradius was installed on Redhat 9, it used to hang every 3 or 4 days as well, but you're on Redhat Ent3 so you should be fine
- When the connection to the MySQL server was dropping

Are you sure your connection to AD is reliable?

David

-http://www.netexpertise.eu

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radiusd service hang

2006-10-26 Thread B Thompson
On Thu, Oct 26, 2006 at 12:03:37PM -0500, Karthik R wrote:
 Am running freeradius on a RHEL v3 box, to authenticate 802.11users
 against AD. All of sudden the
 802.11 users cant get authenticated against AD, unless i reboot the radius
 service on linux box. It looks like radius service get hangs atleast weekly
 once for no reason, i couldnt find anything in the log file
 /var/log/messages.
 
 Is anyone facing this issue ? everytime when the user complain that wireless
 i not working, have to restart the service manually. any help would be
 appreciated.


Which version of FreeRADIUS are you running?

-- 

Ben Thompson

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius on OS X with OD, password attribute is not checked

2006-10-26 Thread Stepan Raichl

Hi all,

I'm setting up a wireless network where users use login details provided 
by OpenDirectory + certificate. The goal is that a user of the WiFi 
network must provide a certificate and username with password. If the user 
is disabled in OD (via WGM - access account tick box), the user must not 
access the network.




My setup:

OSX 10.4.8 Server, OpenDirectory, freeRADIUS, ZyWall 35 with WiFi AP 
using WPA Ent.


Clients: 99.9% Mac OSX 10.4.8

I got all setup, freeRADIUS 1.1.3 running, certificates, but I can't get 
the freeRADIUS to check the user password from OD.


Using radtest, I have no problems:
---
Sending Access-Request of id 123 to 127.0.0.1 port 1812
User-Name = 12345
User-Password = 12345
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=123, length=20
---

However, when a client from WiFi logs in, username and certificate are 
the only criteria which are checked to grant access. If you can help, 
please read the debug dump below.



It seems that RADIUS has managed to decrypt the password and adds it to 
checklist:


rlm_ldap: Added password  in check items


... but then the access is granted anyway ... doesn't matter what you 
write in the password :-(



To achieve my goals, am I using the correct method (EAP-TLS)? When using 
an unencrypted connection, I can clearly see the password attribute, but 
that defeats the whole purpose of WPA ...


I hope you guys don't mind that I dumped bits of my log & conf into this 
forum, I'm getting very frustrated ...


I have already added userPassword as User-Password ...


RADIUS reply to connection using certificate:
---

rad_recv: Access-Request packet from host 192.168.1.1:1131, id=16, 
length=144

User-Name = 12345
NAS-IP-Address = 192.168.1.1
NAS-Identifier = zywall
Framed-MTU = 1496
Called-Station-Id = 00-11-22-33-44-55-66-77:Test Test
Calling-Station-Id = 00-11-22-33-44-55
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b00060d00
State = 0xa5e4df76eacd676aa056b162e018e148
Message-Authenticator = 0x55082c87332500d61cb52cd8ca640361
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module preprocess returns ok for request 9
rlm_eap: EAP packet type response id 11 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 12345
radius_xlat: '(uid=12345)'
radius_xlat: 'dc=st,dc=ln'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=st,dc=ln, with filter (uid=12345)
rlm_ldap: checking if remote access for 12345 is allowed by uid
rlm_ldap: Added password  in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value   op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 12345 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns ok for request 9
modcall: leaving group authenticate (returns ok) for request 9
Sending Access-Accept of id 16 to 192.168.1.1 port 1131
MS-MPPE-Recv-Key = 
0x1e908975f56513420942c8e6680139f19ebf58ee76c2c13a2315873f5ca1c6cf
MS-MPPE-Send-Key = 
0xedddaafac5513c090db385d154acfe8d19c5b7e542b264e1c6974850faddb2a6

EAP-Message = 0x030b0004
Message-Authenticator = 0x
User-Name = 12345
Finished request 9
-

From radiusd.conf:

-

ldap {
server = 192.168.1.2
basedn = dc=st,dc=ln
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
access_attr = uid
dictionary_mapping = ${raddbdir}/ldap.attrmap
password_attribute = userPassword
}


authorize {

eap
ldap
}

authenticate {

 Auth-Type PAP {
 pap
 }

 Auth-Type CHAP {
 chap
 }

 Auth-Type MS-CHAP {
 mschap
 }
 Auth-Type LDAP {
 ldap
 }

eap
}
--
I have also added checkItem User-Password userPassword to ldap.attrmap.



Please please help, many thanks in advance

Stepan






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Number of concurrencies requests

2006-10-26 Thread Alan DeKok
Italo Morellato [EMAIL PROTECTED] wrote:
 my freeradius 1.1.1 with CentOS 4.4 have a big problem with more than 6
 concurrencies requests...

  What's the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


simple question

2006-10-26 Thread Mike May








How can I determine the version of freeRadius that is
currently running?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: simple question

2006-10-26 Thread Michael Schwartzkopff
On Thursday, 26 October 2006 20:56, Mike May wrote:
 How can I determine that version of freeRadius that is currently running?

radiusd -v

RTFM 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


WAP EAP-TLS

2006-10-26 Thread Pedro Henrique Morsch Mazzoni

Hello everybody,

I'm implementing an environment to secure my wireless LAN with RADIUS.
For this I chose WAP with EAP-TLS.
But I have some questions.

Is there a way to authenticate/authorize:

- Per machine certificate AND
- Per user certificate AND
- Per user password mapped on a NIS server, or a file on the radius server.

Note that I need these three modes of authentication.

Thanks,
Pedro Mazzoni
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: radiusd service hangs

2006-10-26 Thread Karthik R
 Hi Karthik,
 I used to have the same problem in 2 different cases:
 - When Freeradius was installed on Redhat 9, it used to hang every 3 or 4 days as well but you're on Redhat Ent3 so you should be fine
 - When the connection to the MySQL server was dropping
 Are you sure your connection to AD is reliable?
 David

I'm running freeradius ver 1.1.1. My connection to AD is reliable, but today I remembered that before this issue arose recently I rebooted the domain controller. Not sure if this is causing the issue.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius on OS X with OD, password attribute is not checked

2006-10-26 Thread Alan DeKok
Stepan Raichl [EMAIL PROTECTED] wrote:
 However, when a client from WiFi logs in, username and certificate are 
 the only criteria which are checked to grant access. If you can help, 
 please read the debug dump below.

  if you're using EAP-TLS, then there is *no* password to check.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authenticating question

2006-10-26 Thread A . L . M . Buxey
Hi,

 authenticate correctly and he'd be given access at this point. But if we
 could get Radius to check and LDAP field which say which vlan he has access
 to, and allow or deny access to the network if the user is not currently in
 that vlan, then I guess that would be the ideal solution.

that's exactly one way to do it - use the LDAP checking for group attribute.
other ways depend on how your directory is configured, do you have other
attributes, are the userids obvious etc? rlm_perl can then be used, for example
to query and set the VLAN attribute correctly (if the WLAN kit supports such
attributes)

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius consuming a lot of memory 1.6G

2006-10-26 Thread Pshem Kowalczyk

Hi,

We've built a radius-proxy using freeradius and rlm_perl (with
ithreads). Currently we have the following settings:

thread pool {
   start_servers = 20
   max_servers = 100
   min_spare_servers = 20
   max_spare_servers = 50
   max_requests_per_server = 500
}

   perl {
   module = /usr/lib/perl5/rlmPerl.pm

   func_authenticate = authenticate
   func_authorize = authorize
   func_preacct = preacct
   func_accounting = accounting
   func_checksimul = checksimul
   func_pre_proxy = pre_proxy
   func_post_proxy = post_proxy
   func_post_auth = post_auth
   func_xlat = xlat
   func_detach = detach

   max_clones = 100
   start_clones = 20
   min_spare_clones = 20
   max_spare_clones = 100
   cleanup_delay = 5
   max_request_per_clone = 100

   }


The whole setup works fine (there are two machines, load-balanced).
Every single request is piped to the rlm_perl. The number of threads
(ps -eLf) oscillates around 45-50 on both machines. There are no
delays, or any problems, except for the huge memory consumption.
Authentication requests are simply proxied (with minimal changes to the
packets - filtering out some attributes and setting the others, no db
access), accounting is sent to a session database (postgresql) on a
separate machine (no load problems there).
Should freeradius use that amount of memory?
The amount of memory is directly linked to the number of threads -
with 25 threads (in the middle of the night) the memory consumption
drops to about 900M.

perl uses the following modules:
use DBI;
use Digest::JHash qw(jhash);
use IPC::Shareable (':lock');
use Storable;

(all variables shared between perl threads are stored in shared memory
using perl IPC).

So the question is should freeradius use that amount of memory and how
can I decrease that?

regards
pshemko
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Number of concurrencies requests

2006-10-26 Thread Italo Morellato



When I deselect more than 6 users in my Mikrotik PPPoE
HotSpot I see this situation:
- user sends accounting request correctly to radius server
- radius replies with OK (sql database)
- in mikrotik log I see "radius timeout"

I tried to increase the timeout up to 3000ms (300ms is the
default timeout) but the problem persists...
On Sunday I install 1.1.3 but I think it does not depend on
the release...
Any idea?

Many Thanks


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Number of concurrencies requests

2006-10-26 Thread Alan DeKok
Italo Morellato [EMAIL PROTECTED] wrote:
 When I deselect more than 6 user in my Mikrotik PPPoE HotSpot I see this =
 situation:
 - user send accounting request correctly vs radius server
 - radius reply with OK (sql database)
 - in mikrotik log I see radius timeout

  Does the RADIUS server *respond* with a packet?  What does tcpdump
say?  What does radiusd -X say?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SQLIPPOOL problem

2006-10-26 Thread Guilherme Franco

Hi,

This is very important, please.

In ippool module I can use two or more pools just by setting

ippool POOL1{...}
ippool POOL2{...}

In SQLIPPOOL, I know that I can create as many pools as I want but I
need to treat those pools differently, say, POOL1 assigns static IPs
and POOL2 dynamic ones, or POOL1 is in databaseX and POOL2 in
databaseY.

So I did this sqlippool.conf:

sqlippool POOL1{...}
sqlippool POOL2{...}

And then in radiusd.conf

post-auth{
POOL1
POOL2
}

But the user that has Pool-Name := POOL2 in radcheck receives the IP
(because POOL2 exists in the database), but it's not treated by the
POOL2 instance created in sqlippool.conf (radiusd -X shows that both
modules POOL1 and POOL2 are instantiated); it's being treated by the
POOL1 instance.

So, how can I tell that users that belong to POOL2 should use the POOL2
module, instead of POOL1, and vice-versa?

Thank you.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius against AD not working

2006-10-26 Thread Karthik R

Using freeradius v1.1.1 on a RHEL 4 box, trying to authenticate users against Windows 2003 Active Directory. I was able to bind the Linux box to the Windows domain successfully and I am able to read the Active Directory users and groups using

wbinfo -u
R1\Administrator
R1\Guest

and wbinfo -g.

Using the ntlm_auth tool I am able to successfully authenticate the users too.

-bash-3.00# ntlm_auth --request-nt-key --username=kartthikr
password:
NT_STATUS_OK: Success (0x0)

But while using the radtest tool with the same logon credentials as above it rejects the user, and here is the log message.

rad_recv: Access-Request packet from host 127.0.0.1:32927, id=243, length=61
        User-Name = removed
        User-Password = removed
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = removed, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 243 to 127.0.0.1 port 32927
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 243 with timestamp 45413139
Nothing to do. Sleeping until we see a request.

Here is the nss config file:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files winbind nis dns
protocols:  files winbind # nis
services:   files winbind # nis
netgroup:   files winbind # nis
automount:  files winbind nis

Here is the radiusd.conf file:

modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                radwtmp = ${logdir}/radwtmp
        }
        $INCLUDE ${confdir}/eap.conf
        mschap {
                authtype = MS-CHAP
                #use_mppe = no
                require_encryption = yes
                #require_strong = yes
                with_ntdomain_hack = yes
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

Thanks in advance.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Number of concurrencies requests

2006-10-26 Thread Italo Morellato



in radiusd -X I see:

Going to the next request
rad_recv: Accounting-Request packet from host 10.10.0.50:4216, id=84, length=153
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1788
        NAS-Port-Type = Ethernet
        User-Name = "cesar.paredes"
        Calling-Station-Id = "00:15:D6:02:34:94"
        Called-Station-Id = "pppoe-Cimarani"
        NAS-Port-Id = "hotspot"
        Acct-Session-Id = "81f00366"
        Framed-IP-Address = 10.0.6.245
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Identifier = "Cimarani"
        NAS-IP-Address = 10.10.0.50
        Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 3
  modcall[preacct]: module "preprocess" returns noop for request 3
rlm_acct_unique: Hashing 'NAS-Port = 1788,Client-IP-Address = 10.10.0.50,NAS-IP-Address = 10.10.0.50,Acct-Session-Id = "81f00366",User-Name = "cesar.paredes"'
rlm_acct_unique: Acct-Unique-Session-ID = "8a2b71e9b25570c2".
  modcall[preacct]: module "acct_unique" returns ok for request 3
    rlm_realm: No '@' in User-Name = "cesar.paredes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 3
modcall: leaving group preacct (returns ok) for request 3
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 3
radius_xlat: '/usr/local/var/log/radius/radacct/10.10.0.50/detail-20061027'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.0.50/detail-20061027
  modcall[accounting]: module "detail" returns ok for request 3
radius_xlat: '/usr/local/var/log/radius/radutmp'
radius_xlat: 'cesar.paredes'
  modcall[accounting]: module "radutmp" returns ok for request 3
radius_xlat: 'cesar.paredes'
rlm_sql (sql): sql_set_user escaped user --> 'cesar.paredes'
radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81f00366', '8a2b71e9b25570c2', 'cesar.paredes', '', '10.10.0.50', '1788', 'Ethernet', '2006-10-27 01:03:02', '0', '0', 'RADIUS', '', '', '0', '0', 'pppoe-Cimarani', '00:15:D6:02:34:94', '', 'Framed-User', 'PPP', '10.0.6.245', '0', '0')'
rlm_sql (sql): Reserving sql socket id: 1

at this point radius stops working for a short time

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

FR with AD authentication not working

2006-10-26 Thread Karthik R
Using freeradius v1.1.1 on a RHEL 4 box, trying to authenticate users against Windows 2003 Active Directory. I was able to bind the Linux box to the Windows domain successfully and I am able to read the Active Directory users and groups using

wbinfo -u
R1\Administrator
R1\Guest

and wbinfo -g.

Using the ntlm_auth tool I am able to successfully authenticate the users too.

-bash-3.00# ntlm_auth --request-nt-key --username=kartthikr
password:
NT_STATUS_OK: Success (0x0)

But while using the radtest tool with the same logon credentials as above it rejects the user, and here is the log message. But I didn't find a logon success or failure in AD when I checked the event viewer.

rad_recv: Access-Request packet from host 127.0.0.1:32927, id=243, length=61
        User-Name = removed
        User-Password = removed
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = removed, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 243 to 127.0.0.1 port 32927
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 243 with timestamp 45413139
Nothing to do. Sleeping until we see a request.

Here is the nss config file:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files winbind nis dns
protocols:  files winbind # nis
services:   files winbind # nis
netgroup:   files winbind # nis
automount:  files winbind nis

Here is the radiusd.conf file:

modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                radwtmp = ${logdir}/radwtmp
        }
        $INCLUDE ${confdir}/eap.conf
        mschap {
                authtype = MS-CHAP
                #use_mppe = no
                require_encryption = yes
                #require_strong = yes
                with_ntdomain_hack = yes
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

So I'm not sure what I missed here; any help will be appreciated.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: freeradius against AD not working

2006-10-26 Thread King, Michael


 -Original Message-
 But while using radtest tool with the same logon credentials 
 as above it rejects the user and here is the log message.


Please paste the entire debug log.  It looks like you missed a few bits
in the cut and paste.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


race condition?

2006-10-26 Thread Kevin J
I am running freeradius 1.0.5 version. I know this is old. ldap is used in authorization and pap is usually used in authentication.

We made a client tool which can send 1000 packets per second (from a data file) to freeradius. What we noticed is that in multi-thread mode there was a race condition which makes some ldapsearch failures. We are positive that there is no problem in our ldap because we already tested our ldaps with a similar tool and verified that our ldap can support much more load.

Do you have any idea what part of things I need to check, or was there any update in ldap with this kind of issue?

Kevin
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

radius + mysql problem

2006-10-26 Thread balijepalli srikrishnamohan
Hello all,

I am trying to configure freeradius with mysql. I did the relevant changes in radiusd.conf and when I start the server in debug mode, it is giving an error:

"rlm_sql (sql): Could not link driver rlm_sql_mysq: file not found
rlm_sql (sql): Make sure it (all its dependent libraries) are in the search path of your system's ld.
radiusd.conf[14]: sql: Module instantiation failed."

Here are the changes I made in the radiusd.conf file:
sqltrace=yes
uncommented the line sql in the Authorize section.
commented the line sql in the preacct section.
uncommented the line sql in the accounting section.
Created the radius database using the schema in the file db_mysql.sql.

What can be the problem with the configuration? Please clarify any other config changes required.

Thanks in advance.
Regards,
Sri
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius on OS X with OD, password attribute is not checked

2006-10-26 Thread Stepan Raichl

Alan DeKok wrote:

Stepan Raichl [EMAIL PROTECTED] wrote:

However, when a client from WiFi logs in, username and certificate are 
the only criteria which are checked to grant access. If you can help, 
please read the debug dump below.



  if you're using EAP-TLS, then there is *no* password to check.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
Many thanks Alan, this was the piece of information I was missing and 
your table about protocols on your site has done the rest.


I shall stick to EAP-TTLS with PAP ... works nice on OS Tiger clients 
using built-in connection manager.


Thanks, Stepan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html