Re: dictionary question
Jackson Jerry-NPC637 wrote:
> 1. I've installed version 1.1.6, but have some dictionary files that
> are/were setup for Freeradius 1.1.3. I've seen from the README/faq that
> the dictionary files have changed post 1.1.3

The dictionary files that are shipped with the server have changed. You MUST use the new dictionaries with 1.1.6, for a number of reasons.

> & am wondering what I need to do/change to incorporate my 1.1.3
> dictionary files to work with Freeradius 1.1.6? It looks like most of
> the 1.1.3 dict. files are duplicated in 1.1.6, but notice I have a couple
> (company specific) dictionary files that I need to use with freeradius 1.1.6?

That's what /etc/raddb/dictionary is for. You should $INCLUDE the dictionaries from 1.1.6, and then $INCLUDE your local dictionaries. Do NOT edit the dictionaries in /usr/share.

> 2. Probably not a big deal (just curious), but was wondering what
> exactly changed with the dictionary files between freeradius 1.1.3 & 1.1.6.
> I see an error like "values can only be Interger types", but am not
> sure what this means. Hopefully this is just a quick/short answer.

The old dictionaries contained inconsistent and contradictory information. The new dictionaries don't, and the code no longer allows those kinds of problems.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
dictionary question
I'm a freeradius newbie so bear with me. Two questions/issues:

1. I've installed version 1.1.6, but have some dictionary files that are/were setup for Freeradius 1.1.3. I've seen from the README/faq that the dictionary files have changed post 1.1.3 & am wondering what I need to do/change to incorporate my 1.1.3 dictionary files to work with Freeradius 1.1.6? It looks like most of the 1.1.3 dict. files are duplicated in 1.1.6, but notice I have a couple (company specific) dictionary files that I need to use with freeradius 1.1.6?

2. Probably not a big deal (just curious), but was wondering what exactly changed with the dictionary files between freeradius 1.1.3 & 1.1.6. I see an error like "values can only be Interger types", but am not sure what this means. Hopefully this is just a quick/short answer.

Thanks,
Jerry
Re: suggestions for multiple vlans in hundreds of switches
Phil Mayers wrote:
> Matt Ashfield wrote:
>
>> Hi,
>>
>> We'd like to use FR to assign users on our wired network to one of 30
>> different vlans on campus, based on an LDAP field. Currently, we are doing
>> this with huntgroups. Namely, we create a huntgroup for the NAS (in our
>> case, a network switch), and then in the users file, we put the following:
>>
>
> Credit to Alan DeKok for this idea - it was one of the first questions I
> asked on the list.
>
> Use two rlm_passwd modules to add "fake" items to the *request*:
>
> passwd nas2building {
>         file = /etc/raddb/nas2building
>         format = "*NAS-IP-Address:~MyBuilding"
>         hashsize = 100
> }
> passwd user2vlantype {
>         file = /etc/raddb/user2vlantype
>         format = "*User-Name:~MyVlanType"
>         hashsize = 100
>         allowmultiplekeys = yes
> }
>
> ...then in the users file you reduce NxM to AxB which is a hopefully
> smaller combination:
>
> DEFAULT MyBuilding == "facility1", MyVlanType == "guests"
>         ...
> DEFAULT MyBuilding == "facility1", MyVlanType == "staff"
>         ...
>
> Note that if you're caching the files, FreeRadius will need to be HUPed
> to re-read them (boo!). Also, you'll need to add the MyXXX attributes to
> the dictionary like so:
>
> ATTRIBUTE MyBuilding 3000 string
> ATTRIBUTE MyVlanType 3001 string
>
> This could also be done cleaner (but slower) with cleverly designed SQL
> tables or stored procedures

Yeah, complex sql really can be quite slow, especially when the queries are being run multiple times for all the rounds required in eap authentication.

I use a second instance of preprocess to read a second hints file called 'nas_hints'; this uses dynamic sql queries to grab extra nas_attributes from the server.

I actually use a really quick and dirty way of getting multiple values from a very simple query. You store multiple bool vars as a binary string representation of a 6 digit integer... can then use pattern matching in group check items to select required values and values you don't care about.

authorize {
        nas_hints
}

preprocess nas_hints {
        hints = ${confdir}/nas_hints
}

Here is my nas_hints file

#
# Should speed things up when proxying peap to itself
DEFAULT Packet-Src-IP-Address == localhost

#
# Set the 'PROXY' flag in the feature set for the JRS proxies
DEFAULT Packet-Src-IP-Address == roaming0.ja.net
        NAS-Feature-Set = '01001000'
DEFAULT Packet-Src-IP-Address == roaming1.ja.net
        NAS-Feature-Set = '01001000'
DEFAULT Packet-Src-IP-Address == roaming2.ja.net
        NAS-Feature-Set = '01001000'

#
# Debug entry for home testing.
#DEFAULT Packet-Src-IP-Address == arr-land.co.uk
#        NAS-Feature-Set = '01001000'

#
# Retrieve the feature set for all non-recognised clients
# from the NetReg3 Database
# Note: Doing the initial pattern match is a far quicker way of doing things
# rather than concatenating the db columns and comparing with client ip !
DEFAULT Packet-Src-IP-Address =~ "^([0-9]+)[.]([0-9]+)[.]([0-9]+)[.]([0-9]+)$"
        NAS-Feature-Set = "SELECT EXPORT_SET(master.nas_flags,'1','0','',20) FROM `master` WHERE ip1 = '%{1}' AND ip2 = '%{2}' AND ip3 = '%{3}' AND ip4 = '%{4}' LIMIT 0,1"

Here's some group examples...

SQL result (phpMyAdmin 2.9.2 / MySQL 4.1.10a-standard-log, host localhost, database radius, generated Apr 20, 2007 at 10:20 PM)
SQL query: SELECT * FROM `radgroupcheck` LIMIT 0, 30 ;
Rows: 5

 id | GroupName      | Attribute       | op | Value
----+----------------+-----------------+----+---------------------
  1 | nas_admins     | Service-Type    | <= | NAS-Prompt-User
  2 | nas_admins     | Service-Type    | >= | Administrative-User
  3 | nas_operators  | Service-Type    | == | NAS-Prompt-User
 20 | jrs_offsite_ao | Huntgroup-Name  | == | jrs-proxy
 19 | jrs_offsite_ao | NAS-Feature-Set | =~ | 01001000

Here's a fun little php script to take a list of features and produce a bit string or integer value.

#!/usr/local/php/bin/php
<?php
# Feature name => bit index; the original definitions were cut off in the archive, so these are placeholders
$def_flags = array('FLAG_A' => 0, 'FLAG_B' => 1, 'FLAG_C' => 2);
$pad_to = 8;                       # Minimum width of the produced bit string
$flags = array_slice($argv, 1);    # Feature names given on the command line
if(count($def_flags) > $pad_to){
    $bit_array = array_fill(0,count($def_flags),0);# Create an array equal to the maximum amount of possible flags
}else{
    $bit_array = array_fill(0,$pad_to,0);# Create an array equal to pad value, if greater than maximum flags
}
foreach($flags as $value){ # For each of the flags, see if its value matches one of the keys
    if(key_exists($value,$def_flags)){ # If it does then set that BIT to true
        $bit_array[$def_flags[$value]] = 1;
    }
}
$bit_string = implode('', $bit_array);
echo $bit_string, "\n";                   # The bit string, index 0 first
echo bindec(strrev($bit_string)), "\n";   # The same flags as an integer, index 0 being the lowest bit
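An added Python example, not from the post above or from FreeRADIUS, that works the bit-string side of this setup end to end: encoding a feature list the way EXPORT_SET(flags,'1','0','',n) lays the bits out (lowest bit first), decoding a stored string such as '01001000', and evaluating the =~ comparison of a radgroupcheck item, including what happens when the pattern is left unanchored. The feature names are hypothetical, since the original list was cut off.

```python
import re

# Hypothetical feature names for the bit positions (the real list was cut off
# in the archive). Index 0 is the first character of the bit string.
FEATURE_BITS = {'EAP': 0, 'PROXY': 1, 'VLAN': 2, 'ACCOUNTING': 3, 'CISCO_VSA': 4}


def export_set(flags, nbits):
    """Bit string as MySQL EXPORT_SET(flags,'1','0','',nbits) emits it:
    lowest-order bit first, one character per bit, padded to nbits."""
    return ''.join('1' if (flags >> i) & 1 else '0' for i in range(nbits))


def encode(features, defs=FEATURE_BITS, pad_to=8):
    """(integer, bit string) for a list of feature names; unknown names are
    ignored, as in the PHP script, and the string is at least pad_to wide."""
    flags = 0
    for name in features:
        if name in defs:
            flags |= 1 << defs[name]
    width = max(pad_to, max(defs.values()) + 1)
    return flags, export_set(flags, width)


def decode(bitstring, defs=FEATURE_BITS):
    """Names of the features whose bit is set in a string such as '01001000'."""
    by_bit = {bit: name for name, bit in defs.items()}
    return [by_bit.get(i, 'bit%d' % i)
            for i, ch in enumerate(bitstring) if ch == '1']


def group_check_matches(pattern, bitstring):
    """Evaluate a radgroupcheck item of the form NAS-Feature-Set =~ pattern.
    '=~' is an unanchored regex search: '.' marks a don't-care position, but a
    pattern shorter than the stored string also matches as a substring, so
    anchor it with ^ and $ whenever the whole set must match."""
    return re.search(pattern, bitstring) is not None


if __name__ == '__main__':
    flags, bits = encode(['PROXY', 'CISCO_VSA'])
    print(flags, bits, decode(bits))
    # A 20-bit value from EXPORT_SET(..., 20): the unanchored '01001000' also
    # matches a set whose bits sit three positions further along.
    wide = export_set(18 << 3, 20)
    print(wide, group_check_matches('01001000', wide),
          group_check_matches('^01001000$', wide))
```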
Re: suggestions for multiple vlans in hundreds of switches
Matt Ashfield wrote:
> Hi,
>
> We'd like to use FR to assign users on our wired network to one of 30
> different vlans on campus, based on an LDAP field. Currently, we are doing
> this with huntgroups. Namely, we create a huntgroup for the NAS (in our
> case, a network switch), and then in the users file, we put the following:

Credit to Alan DeKok for this idea - it was one of the first questions I asked on the list.

Use two rlm_passwd modules to add "fake" items to the *request*:

passwd nas2building {
        file = /etc/raddb/nas2building
        format = "*NAS-IP-Address:~MyBuilding"
        hashsize = 100
}
passwd user2vlantype {
        file = /etc/raddb/user2vlantype
        format = "*User-Name:~MyVlanType"
        hashsize = 100
        allowmultiplekeys = yes
}

...then in the users file you reduce NxM to AxB which is a hopefully smaller combination:

DEFAULT MyBuilding == "facility1", MyVlanType == "guests"
        ...
DEFAULT MyBuilding == "facility1", MyVlanType == "staff"
        ...

Note that if you're caching the files, FreeRadius will need to be HUPed to re-read them (boo!). Also, you'll need to add the MyXXX attributes to the dictionary like so:

ATTRIBUTE MyBuilding 3000 string
ATTRIBUTE MyVlanType 3001 string

This could also be done cleaner (but slower) with cleverly designed SQL tables or stored procedures
RE: restricting users access to clients?
Hi,

I realize this was a thread from over a month ago, but thought I'd ask anyway. I have my original post, followed by your reply, followed by my new question.

First off, my original post:

>We're using FreeRadius to authenticate our wireless users (whose
>credentials are stored in LDAP). But we'd also like to use it to
>authenticate a select few users who need access to our networking gear. Our
>networking gear is setup to do this, but I'm not sure how to set this up in
>FreeRadius.
>
>I would assume that you'd specify in the clients.conf section which users
>are allowed access to that device, but in looking at the documentation for
>clients.conf, that doesn't seem to be the case.

And your reply:

You would want to use the special username DEFAULT. (Check the man page for users(5).) What I did (although this might be slightly hackish) is I took a look at the attributes in the request that was being sent by the supplicant. I looked for attributes that were different between the wireless users and the network equipment users. For example, you might want to do something like:

"admin1" NAS-Port-Type == "Virtual", Auth-Type = LDAP
"admin2" NAS-Port-Type == "Virtual", Auth-Type = LDAP
# This matches everyone else
DEFAULT NAS-Port-Type == "Virtual", Auth-Type := Reject
# This will match all wireless users
DEFAULT NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able to login via LDAP. You may need to configure some kind of Fall-Through if you want users to authenticate using some other mechanism in addition to LDAP. So this is not without its limitations, but this should give you some ideas to start from.

--
John Guthrie
[EMAIL PROTECTED]

=

My question here is, would doing what you mentioned above eliminate the possibility of users other than admin1 or admin2 authenticating to the network via that switch? What we're trying to do is rather odd I guess.

On one hand, we want to use the switch as an 802.1x device for regular use. So it has to be able to authenticate at the switch port level via 802.1x. We currently have huntgroups for that and it works. We'd ALSO like to be able to use Radius to authenticate our comms staff when they telnet/login to switches' mgmt interfaces. So while I think your suggestion above would work for that part, it would at the same time deny all my 802.1x users because of the Reject statement?

I'm a bit confused, so any help is appreciated.

Cheers

Matt
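To see which entry each kind of request would hit, here is an added Python simulator of users-file check-item matching (an added example, not John's code or the files module itself) loaded with the four entries above; the same first-match logic applies to the MyBuilding/MyVlanType DEFAULT entries earlier in this archive. It assumes wired 802.1X ports arrive with NAS-Port-Type Ethernet and models only check items, so Fall-Through is not covered.

```python
import re

# Constructed copy of the users-file entries from John Guthrie's reply above;
# only the check-item line of each entry is modelled (no reply items, so
# Fall-Through is not modelled either).
USERS_FILE = '''
"admin1" NAS-Port-Type == "Virtual", Auth-Type = LDAP
"admin2" NAS-Port-Type == "Virtual", Auth-Type = LDAP
# This matches everyone else
DEFAULT NAS-Port-Type == "Virtual", Auth-Type := Reject
# This will match all wireless users
DEFAULT NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP
'''

# One check item: attribute, operator, quoted or bare value, optional comma.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|([^,\s]+))\s*,?')
# Entry name (quoted or bare, DEFAULT included) followed by its check items.
ENTRY_RE = re.compile(r'(?:"([^"]*)"|(\S+))\s*(.*)')


def parse_users(text):
    """Return [(name, [(attr, op, value), ...]), ...] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        name = m.group(1) if m.group(1) is not None else m.group(2)
        items = [(attr, op, quoted or bare)
                 for attr, op, quoted, bare in ITEM_RE.findall(m.group(3))]
        entries.append((name, items))
    return entries


def evaluate(entries, request):
    """Walk the entries top to bottom as the files module does: the first
    entry whose name (or DEFAULT) and every '==' check item match is used,
    its '=' / ':=' items go into the control list, and processing stops.
    Returns (index of the matching entry or None, control list)."""
    control = {}
    for idx, (name, items) in enumerate(entries):
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        if any(op == '==' and request.get(attr) != value
               for attr, op, value in items):
            continue
        for attr, op, value in items:
            if op == ':=':
                control[attr] = value            # override
            elif op == '=':
                control.setdefault(attr, value)  # add only if absent
        return idx, control
    return None, control


ENTRIES = parse_users(USERS_FILE)


def auth_type_for(request):
    """Auth-Type the entries above would set for a request, or None when no
    entry matched (so nothing in this file decides the request)."""
    _, control = evaluate(ENTRIES, request)
    return control.get('Auth-Type')


if __name__ == '__main__':
    # Constructed requests: a management login (NAS-Port-Type Virtual), a
    # wireless user, and a wired 802.1X user. 'Ethernet' is the standard
    # NAS-Port-Type for wired ports; that Matt's switches send it is an assumption.
    samples = [
        {'User-Name': 'admin1', 'NAS-Port-Type': 'Virtual'},
        {'User-Name': 'someone', 'NAS-Port-Type': 'Virtual'},
        {'User-Name': 'someone', 'NAS-Port-Type': 'Wireless-802.11'},
        {'User-Name': 'someone', 'NAS-Port-Type': 'Ethernet'},
    ]
    for req in samples:
        idx, control = evaluate(ENTRIES, req)
        print(req, '->', 'entry', idx, control)
```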
Re: How to use FreeRADIUS proxy to set an attribute value only if not provided by end RADIUS server ?
On 4/19/07, John Butala <[EMAIL PROTECTED]> wrote:
> We would like to use FreeRADIUS (acting as a proxy server) to set the
> Primary-DNS-Server and Secondary-DNS-server attributes in the auth
> response to the RADIUS client only if these attributes are not provided
> by the end RADIUS server (which we don't control). Is there any way to
> do this without making a FreeRADIUS source code change ?

You can try to write a simple rlm_perl script and call it from post-proxy. It will check for the presence of the attribute(s) and add it/them as needed. However, there may be a better way to achieve this...

th.
Re: rlm_sql: %{sql:} - length limit
Milan Holub wrote:
> ==> I've increased the value of MAX_STRING_LEN to 1024. Here is a patch:

It will break almost everything in the server.

> My query works now but I'm not sure whether this change might not have
> some unwanted impact somewhere else since the constant is used in many
> places... Alan?

It's used all over the place, for things other than queries. Do NOT change it!

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_sql: %{sql:} - length limit
On Fri, Apr 20, 2007 at 01:25:05PM +0200, Milan Holub wrote: > Is there a way how to specify more complex(longer) sql queries in freeradius > configuration? ==> I've increased the value of MAX_STRING_LEN to 1024. Here is a patch: ndex: src/include/libradius.h === RCS file: /source/radiusd/src/include/libradius.h,v retrieving revision 1.133 diff -u -r1.133 libradius.h --- src/include/libradius.h 18 Apr 2007 13:24:13 - 1.133 +++ src/include/libradius.h 20 Apr 2007 13:23:50 - @@ -57,7 +57,7 @@ #define AUTH_VECTOR_LEN16 #define CHAP_VALUE_LENGTH 16 -#define MAX_STRING_LEN 254 /* RFC2138: string 0-253 octets */ +#define MAX_STRING_LEN 1024/* RFC2138: string 0-253 octets */ # define VENDOR(x)((x >> 16) & 0x7fff) My query works now but I'm not sure whether this change might not have some unwanted impact somewhere else since the constant is used on many places... Alan? Milan Holub holub (at) thenet (dot) ch -- TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129 CH-3018, Bern, Switzerland 031 998 4333, Fax 031 998 4330 http://www.thenet.ch http://wlan.thenet.ch -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
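Review bot: the comment on the changed line, /* RFC2138: string 0-253 octets */, is kept verbatim and now contradicts the new value of 1024; more importantly, MAX_STRING_LEN is the RADIUS attribute string limit that sizes buffers throughout the server (your own note says the constant is used in many places, and the reply in this thread confirms it is used for things other than queries), so raising it here grows every buffer declared with it rather than only the %{sql:} expansion. Suggest dropping this change and giving the SQL xlat path its own larger buffer, or splitting the long query; if the constant is ever changed, update the comment and audit the callers that assume RFC-sized strings in the same patch.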
RE: Grouping after Kerberos 5 authentication accepted?
Hello Alan,

It works! After I changed the authorize_check_query, FreeRadius is now able to check for attributes after Kerberos authentication.

Thanks!

Regards,
Jason

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 19, 2007 8:13 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: Grouping after Kerberos 5 authentication accepted?

Jason Chan wrote:
> For example, Kerberos successfully authenticates admin/admin (yes I
> don't use MySQL for authentication), and FreeRadius knows this user
> has permission to access. Now, in the postauth part, FreeRadius
> searches the radreply table in its MySQL database for the proper
> attributes that this particular user has, say Service-Type =
> Administrative-User. I store this attribute information in the radreply
> table and leave other tables empty.
>
> So, I edited the postauth_query in sql.conf:

I think for historical reasons, you have to perform the query in the authorize section.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
rlm_sql: %{sql:} - length limit
Hi Alan and others,

using cvs head from yesterday...

I have some query in radgroupcheck for some custom attribute defined in dictionary:

dictionary:
# test_query
ATTRIBUTE test_query 3014 string

select * from radgroupcheck where id=67;
+----+-----------+------------+----+-------+
| id | GroupName | Attribute  | op | Value |
+----+-----------+------------+----+-------+
| 67 | hotzone   | test_query | := | `%{sql:select charge, charge_plan.name as 'charge_plan', zone.name as zone from charge_plan, zone, zone_definition where (nasid=(select nas.id from nas where nas.nasname='%{NAS-IP-Address}' and nas.ports='%{NAS-Port}') or nasid is null) and batchid=(select batchid from card where username='%{SQL-User-Name}') and charge_planid=charge_plan.id and zoneid=zone.id order by nasid desc limit 1}` |
+----+-----------+------------+----+-------+

I wanted to use the value of the test_query attribute later in the rlm_perl module (as I do it for my other attributes configured from DB). My approach is to fetch all necessary data into "custom" attributes and in rlm_perl I'm doing just simple "decisions" based on custom attributes. I do not want to connect from within perl to the database to fetch those values (new DB connections, using other perl modules, performance hit...)

My problem:
- it looks like the Value field in radgroupcheck is limited to 253 characters
==> I did:
mysql> alter table radgroupcheck modify column Value varchar(1024);
but still the possible length of string to be xlated is limited by MAX_STRING_LEN rather than by MAX_QUERY_LEN...

rlm_sql (sql): User found in group hotzone
radius_xlat: 'SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'hotzone' ORDER BY id'
radius_xlat: Running registered xlat function of module sql for string 'select charge, charge_plan.name as 'charge_plan', zone.name as zone from charge_plan, zone, zone_definition where (nasid=(select nas.id from nas where nas.nasname='%{NAS-IP-Address}' and nas.ports='%{NAS-Port}') or nasid is null) and batchid=(sel'
rlm_sql (sql): - sql_xlat
radius_xlat: 'pexcmp'
rlm_sql (sql): sql_set_user escaped user --> 'pexcmp'
radius_xlat: 'select charge, charge_plan.name as 'charge_plan', zone.name as zone from charge_plan, zone, zone_definition where (nasid=(select nas.id from nas where nas.nasname='193.247.122.178' and nas.ports='5280') or nasid is null) and batchid=(sel'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql (sql): database query error, select charge, charge_plan.name as 'charge_plan', zone.name as zone from charge_plan, zone, zone_definition where (nasid=(select nas.id from nas where nas.nasname='193.247.122.178' and nas.ports='5280') or nasid is null) and batchid=(sel: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
rlm_sql (sql): Released sql socket id: 2

I did not test yet but I think the string length limit is common for all %{sql:} dynamic strings (not only for those in the [rad|group][check|reply] tables).

Is there a way how to specify more complex (longer) sql queries in freeradius configuration?

Please advise.

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Sw
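An added Python check, not from the post or from FreeRADIUS, that scans check/reply rows for Values longer than MAX_STRING_LEN - 1 and shows what survives the cut, reproducing the '...batchid=(sel' truncation visible in the debug output above. The rows are constructed; row 67's Value is copied from the post.

```python
# MAX_STRING_LEN in src/include/libradius.h is 254, so a check or reply Value
# read from SQL is cut to 253 characters before it is expanded, whatever the
# column width in MySQ is.
MAX_STRING_LEN = 254
VALUE_LIMIT = MAX_STRING_LEN - 1

# Constructed radgroupcheck rows; the Value of row 67 is copied from the post.
LONG_QUERY = (
    "`%{sql:select charge, charge_plan.name as 'charge_plan', zone.name as zone "
    "from charge_plan, zone, zone_definition where (nasid=(select nas.id from nas "
    "where nas.nasname='%{NAS-IP-Address}' and nas.ports='%{NAS-Port}') or nasid "
    "is null) and batchid=(select batchid from card where username='%{SQL-User-Name}') "
    "and charge_planid=charge_plan.id and zoneid=zone.id order by nasid desc limit 1}`"
)
RADGROUPCHECK = [
    {'id': 1, 'GroupName': 'hotzone', 'Attribute': 'Simultaneous-Use', 'op': ':=', 'Value': '1'},
    {'id': 67, 'GroupName': 'hotzone', 'Attribute': 'test_query', 'op': ':=', 'Value': LONG_QUERY},
]


def xlat_calls(value):
    """(start, end, body) for each top-level %{...} in value, end being None
    when its closing brace is missing; nested %{...} are skipped over."""
    calls, i = [], 0
    while True:
        start = value.find('%{', i)
        if start < 0:
            return calls
        depth, j = 0, start
        while j < len(value):
            if value.startswith('%{', j):
                depth += 1
                j += 2
                continue
            if value[j] == '}':
                depth -= 1
                if depth == 0:
                    break
            j += 1
        else:
            # Ran off the end of the string with the expansion still open.
            calls.append((start, None, value[start + 2:]))
            return calls
        calls.append((start, j, value[start + 2:j]))
        i = j + 1


def check_rows(rows, limit=VALUE_LIMIT):
    """Every row whose Value exceeds limit, with the prefix the server keeps
    and the %{...} expansions that the cut leaves unterminated."""
    findings = []
    for row in rows:
        value = row['Value']
        if len(value) <= limit:
            continue
        kept = value[:limit]
        unterminated = [body for _, end, body in xlat_calls(kept) if end is None]
        findings.append({'id': row['id'], 'attribute': row['Attribute'],
                         'length': len(value), 'kept': kept,
                         'unterminated': unterminated})
    return findings


if __name__ == '__main__':
    for f in check_rows(RADGROUPCHECK):
        print('row %d (%s): %d chars, cut to %d, ends with %r'
              % (f['id'], f['attribute'], f['length'], len(f['kept']), f['kept'][-20:]))
        for body in f['unterminated']:
            print('  unterminated expansion: %%{%s...' % body[:12])
```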
Re: rlm_perl: perl 5.6 & segmentation fault when reloaded
Hi Boian,

On Fri, Apr 20, 2007 at 11:25:43AM +0300, Boian Jordanov wrote:
> An empty detach function should help. If you don't need it just leave
> it empty.

I set in perl.conf "func_detach = NULL" but it did not help; then I left in perl.conf "func_detach = detach" and defined the empty detach function (in perl_module.pm: "sub detach {}") ==> but the same negative result :(

Which means I have to stay with my patch...

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
Re: Questions regarding authentication systems and protocols to password types compatibility
Reimer Karlsen-Masur, DFN-CERT wrote:
> Which freeradius modules can be used for the *simple password store*?
> files (the users file)
> unix
> pam
> ldap
> sql (?)

Not PAM.

> Could you please complete this list? Are these entries ending up in the
> authenticate or authorize or both sections of the freeradius config?

Databases don't do authentication. They do not get listed in the "authenticate" section.

As for completing the list, it really depends. You can configure many modules to add a clear-text password for the user. Please read radiusd.conf, and the documentation for examples. I'm not going to re-type all that here.

> How do I differ within the ldap module configuration if I do an ldap
> authentication via the *oracle* or if I *retrieve* (additional) attributes
> for a user like e.g. his password?

See the documentation for the LDAP module.

> Is the difference that the 'ldap' entry shows up in the 'authenticate'
> section for attribute retrieval use (plain password store) which I have
> configured here and believe to be working and in the 'authorize' section for
> oracle use?

You have that completely backwards.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Questions regarding authentication systems and protocols to password types compatibility
Thanks Alan! Your answer is raising some more questions though:

Alan DeKok wrote:
> Reimer Karlsen-Masur, DFN-CERT wrote:
>> I appreciate the tables explaining the compatibility of authentication
>> systems / protocols to password type compatibility from:
>
>> But I am still confused about the relationship of these two tables to each
>> other and how to use them.
>>
>> Is the following considered correct?
>>
>> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
>> *password store*, only [table 1] is of interest.
>
> Yes.

Which freeradius modules can be used for the *simple password store*?

files (the users file)
unix
pam
ldap
sql (?)

Could you please complete this list? Are these entries ending up in the authenticate or authorize or both sections of the freeradius config?

...

>> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
>> oracle*, [table 2] tells me which authentication oracle system I can use
>> (depending on the authentication protocol that the supplicant/client/user is
>> using)
>
> Yes.
>
>> and [table 1] tells me in which format the passwords need to be
>> stored in the authentication oracle.
>
> Yes. Except that PAP is compatible with all password formats. Also,
> ntlm_auth is used on Windows, which stores passwords in cleartext or
> NT-Hash format, and nothing else.
>
> So after reading the "oracle" page, there's no need to go back to the
> other page to see how to store the passwords.
>
>> And freeradius is able to connect to
>> the back end (if there is a rlm_ module available), to
>> authenticate *with the user provided* credentials (username/password) and to
>> optionally retrieve some attribute values if the *user* authenticated
>> successfully against the authN oracle.
>
> No. Authentication has nothing to do with retrieving other
> information. When an authentication oracle is used, FreeRADIUS takes
> the username && password, and hands them to the oracle. The oracle
> returns yes/no, and nothing else.

How do I differ within the ldap module configuration if I do an ldap authentication via the *oracle* or if I *retrieve* (additional) attributes for a user like e.g. his password?

Is the difference that the 'ldap' entry shows up in the 'authenticate' section for attribute retrieval use (plain password store) which I have configured here and believe to be working and in the 'authorize' section for oracle use?

Thanks again for more insight on this!

--
Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: re: configuration
You are not sending gie.local to your IAS but dealing with them locally. Change realm gie.local back to realm LOCAL and it should start to proxy such requests.

Ivan Kalik
Kalik Informatika ISP

On 20/4/2007, "parfait kouassi nda" <[EMAIL PROTECTED]> wrote:

>my last configuration of these files is:
>radiusd.conf
>proxy_request = yes
>
>proxy.conf
>realm gie.local {
>        type = radius
>        authhost = LOCAL
>        accthost = LOCAL
>}
>
>realm DEFAULT {
>        type = radius
>        authhost = araignee.gie.local:1812
>        accthost = araignee.gie.local:1813
>        secret = parfait
>        nostrip
>}
>
>Clients.conf
>client 192.168.0.2 {
>        secret = parfait
>        shortname = araignee.gie.local
>}
>
>when i do configuration in all files my freeradius reject my packets!
>this is the show of radiusd -X!
Re: configuration
Hi,

> my last configuration of these files is:
> radiusd.conf
> proxy_request = yes
>
> proxy.conf
> realm gie.local {
>         type = radius
>         authhost = LOCAL
>         accthost = LOCAL
> }
>
> realm DEFAULT {
>         type = radius
>         authhost = araignee.gie.local:1812
>         accthost = araignee.gie.local:1813
>         secret = parfait
>         nostrip
> }

you are totally aware that this configuration means that your FR box will see any gie.local and attempt the AAA itself. is this what you want? from your debug logs it looks like you really want everything to be sent to your IAS - so why are you attempting to handle gie.local or anything at all if all you want to do is proxy? ie remove the realm gie.local stuff and just keep the DEFAULT if your FR isn't configured to handle those clients!

alan
re: configuration
My last configuration of these files is:

radiusd.conf:

proxy_requests = yes        # the option is proxy_requests (plural); the posted "proxy_request" is a typo, the debug output below shows the real name

proxy.conf:

realm gie.local {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

realm DEFAULT {
	type		= radius
	authhost	= araignee.gie.local:1812
	accthost	= araignee.gie.local:1813
	secret		= parfait
	nostrip
}

clients.conf:

client 192.168.0.2 {
	secret		= parfait
	shortname	= araignee.gie.local
}

When I do the configuration in all files, my freeradius rejects my packets! This is the output of radiusd -X:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "nobody"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 0
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request pac
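The proxy.conf above declares gie.local as a LOCAL realm and DEFAULT as a proxied realm with nostrip, and the debug output shows the realm module running with format = "suffix", delimiter = "@", ignore_default = no and ignore_null = no. The following added Python example is not FreeRADIUS code and not part of the original post; it models what that combination does to a User-Name: which realm matches, whether the request stays local or goes to the home server, and whether the realm suffix is stripped before the name is used or forwarded. The realm table is constructed from the posted config, so the host names and secret are the poster's values; the ignore_null, ignore_default and nostrip semantics follow the 1.x documentation, not the module's source.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Realm:
    """One proxy.conf realm block (FreeRADIUS 1.x syntax)."""
    name: str
    authhost: str                   # "LOCAL" or "host:port"
    accthost: str
    secret: Optional[str] = None    # required when authhost is not LOCAL
    nostrip: bool = False           # keep the full User-Name when forwarding


# Realm table constructed from the proxy.conf posted above (lower-case keys for named realms).
REALMS: Dict[str, Realm] = {
    "gie.local": Realm("gie.local", "LOCAL", "LOCAL"),
    "DEFAULT": Realm("DEFAULT", "araignee.gie.local:1812", "araignee.gie.local:1813",
                     secret="parfait", nostrip=True),
}


def route(user_name: str, realms: Dict[str, Realm] = REALMS, delimiter: str = "@",
          ignore_default: bool = False, ignore_null: bool = False) -> Tuple[str, str, Optional[str]]:
    """Decide where an Access-Request goes, like rlm_realm with format = "suffix".

    Returns (auth_host, name_used, realm_name):
      auth_host   "LOCAL" if this server authenticates the user, else the home server
      name_used   the User-Name after optional realm stripping
      realm_name  None when no realm matched (request stays local, name untouched)
    """
    if delimiter in user_name:
        stripped, _, suffix = user_name.rpartition(delimiter)
    else:
        stripped, suffix = user_name, None

    if suffix is None:
        if ignore_null:                      # bare names are never proxied
            return "LOCAL", user_name, None
        realm = realms.get("NULL")           # a realm literally named NULL catches bare names
    else:
        realm = realms.get(suffix.lower())   # realm names match case-insensitively

    if realm is None:
        if ignore_default:                   # unknown realms are not sent to DEFAULT
            return "LOCAL", user_name, None
        realm = realms.get("DEFAULT")
    if realm is None:
        return "LOCAL", user_name, None

    if realm.authhost != "LOCAL" and not realm.secret:
        raise ValueError(f"realm {realm.name}: a proxied realm needs a shared secret")

    # Without nostrip the suffix is removed (Stripped-User-Name); a bare name has nothing to strip.
    name_used = user_name if (realm.nostrip or suffix is None) else stripped
    return realm.authhost, name_used, realm.name
```

Run against the posted config, a bare name such as bob goes to araignee.gie.local through DEFAULT, bob@gie.local is authenticated locally as bob, and a foreign suffix is forwarded unchanged because of nostrip. For any proxied realm the secret must be the one the home server (here IAS) has for this server's address, and the NAS that sends to this server needs its own entry in clients.conf; the client entry for araignee only matters for packets that araignee sends to this server.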
Re: Questions regarding authentication systems and protocols to password types compatibility
Reimer Karlsen-Masur, DFN-CERT wrote:
> I appreciate the tables explaining the compatibility of authentication
> systems / protocols to password type compatibility from:
> But I am still confused about the relationship of these two tables to each
> other and how to use them.
>
> Is the following considered correct?
>
> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
> *password store*, only [table 1] is of interest.

  Yes.

> And freeradius is able to
> connect to the back end (if there is a rlm_ module available),
> authenticate itself with a special radius server account/user credential and
> to retrieve the password plus optionally some other attribute values if the
> radius server *itself* authenticates successfully with the back end DB. The
> radius server itself is then performing the user name/password check to
> accept or reject the authentication request of the user trying to connect.

  Yes.

> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
> oracle*, [table 2] tells me which authentication oracle system I can use
> (depending on the authentication protocol that the supplicant/client/user is
> using)

  Yes.

> and [table 1] tells me in which format the passwords need to be
> stored in the authentication oracle.

  Yes. Except that PAP is compatible with all password formats. Also, ntlm_auth is used on Windows, which stores passwords in cleartext or NT-Hash format, and nothing else. So after reading the "oracle" page, there's no need to go back to the other page to see how to store the passwords.

> And freeradius is able to connect to
> the back end (if there is a rlm_ module available), to
> authenticate *with the user provided* credentials (username/password) and to
> optionally retrieve some attribute values if the *user* authenticated
> successfully against the authN oracle.

  No. Authentication has nothing to do with retrieving other information.

  When an authentication oracle is used, FreeRADIUS takes the username && password, and hands them to the oracle. The oracle returns yes/no, and nothing else.

> ps: There is probably a small typo in the column heading of [table 1]:
> 'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted
> SHA1 hash (SSHA1)'

  Fixed, thanks.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
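Alan's two points above, that PAP works with every stored password format while the other protocols constrain what the store may hold, and that an oracle returns only yes/no, come straight from what each protocol puts on the wire. The added Python example below is not FreeRADIUS code and not from either poster; it implements the RFC 2865 User-Password hiding (so the server really does hold the cleartext for PAP), checks a PAP password against Cleartext-Password, SHA1-Password and SSHA1-Password store entries, and then shows that a CHAP response (RFC 1994) can only be verified when the store has the cleartext. The shared secret value is reused from the clients.conf posted elsewhere on this page; the store entries and challenge are constructed for the example.

```python
import base64
import hashlib
import hmac

# NAS/server shared secret; value reused from the clients.conf posted on this page (constructed use).
SECRET = b"parfait"


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password(): the server recovers the cleartext, which is why
    PAP can be checked against any stored format. Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def make_store(password: str, fmt: str, salt: bytes = b"") -> dict:
    """Build a one-entry password store in one of FreeRADIUS's attribute formats."""
    pw = password.encode()
    if fmt == "Cleartext-Password":
        return {fmt: password}
    if fmt == "SHA1-Password":
        return {fmt: hashlib.sha1(pw).hexdigest()}
    if fmt == "SSHA1-Password":  # base64(sha1(password + salt) + salt)
        return {fmt: base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode()}
    raise ValueError(f"unsupported format {fmt}")


def pap_check(stored: dict, password: bytes) -> bool:
    """PAP: the server holds the cleartext, so every stored format can be verified."""
    if "Cleartext-Password" in stored:
        return hmac.compare_digest(stored["Cleartext-Password"].encode(), password)
    if "SHA1-Password" in stored:
        return hmac.compare_digest(hashlib.sha1(password).hexdigest(), stored["SHA1-Password"])
    if "SSHA1-Password" in stored:
        blob = base64.b64decode(stored["SSHA1-Password"])
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    return False


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: the client proves the password with MD5(ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_check(stored: dict, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """CHAP: the server must recompute the response, which needs the cleartext password.
    A hash-only store cannot verify CHAP at all, so that is reported rather than silently rejected."""
    if "Cleartext-Password" not in stored:
        raise ValueError("CHAP needs Cleartext-Password; cannot verify against " + ", ".join(sorted(stored)))
    expected = chap_response(chap_id, stored["Cleartext-Password"].encode(), challenge)
    return hmac.compare_digest(expected, response)


def oracle_check(username: str, password: bytes, oracle) -> bool:
    """Authentication-oracle model: username and password go to the oracle and only
    yes/no comes back; no attributes and no stored hashes are returned."""
    return bool(oracle(username, password))
```

The same reasoning extends to MS-CHAP and EAP methods that carry a challenge/response: the server needs either the cleartext or the exact hash the response is computed from (the NT hash for MS-CHAP), so a salted SHA1 store is only usable by PAP, or by an EAP method such as TTLS/PAP or GTC that delivers the cleartext inside the tunnel.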
Questions regarding authentication systems and protocols to password types compatibility
Hi Alan, hi list,

I appreciate the tables explaining the compatibility of authentication systems / protocols to password type compatibility from:

[table 1] http://deployingradius.com/documents/protocols/compatibility.html

and

[table 2] http://deployingradius.com/documents/protocols/oracles.html

But I am still confused about the relationship of these two tables to each other and how to use them.

Is the following considered correct?

1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple *password store*, only [table 1] is of interest. And freeradius is able to connect to the back end (if there is a rlm_ module available), authenticate itself with a special radius server account/user credential and to retrieve the password plus optionally some other attribute values if the radius server *itself* authenticates successfully with the back end DB. The radius server itself is then performing the user name/password check to accept or reject the authentication request of the user trying to connect.

2. If I am using the back end DB (e.g. ldap etc.) as an *authentication oracle*, [table 2] tells me which authentication oracle system I can use (depending on the authentication protocol that the supplicant/client/user is using) and [table 1] tells me in which format the passwords need to be stored in the authentication oracle. And freeradius is able to connect to the back end (if there is a rlm_ module available), to authenticate *with the user provided* credentials (username/password) and to optionally retrieve some attribute values if the *user* authenticated successfully against the authN oracle.

Confirmation or further clarification is welcome.

Thanks
Reimer

ps: There is probably a small typo in the column heading of [table 1]: 'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted SHA1 hash (SSHA1)'

--
Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: server crashes with eap/tls after crl update
inverse wrote:
> EAP-TLS is implemented and works fine, so does the CRL.
> My problem is as follows: the HUP works but radiusd segfaults at the
> first authentication after the HUP.

  The server doesn't handle HUP that well. You're *much* better off just killing it and re-starting it.

> Now I'm in the process of performance and stability testing. if this
> version shows the same outstanding level of performance shown by the
> bleeding edge I'll keep it, otherwise I'll consider taking the risk of
> CVS.

  The CVS head doesn't handle HUP much better in some cases. I should have fixes in the next few weeks. At that point, I think 2.0 can be released.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: configuration
There is nothing you need to modify in radiusd.conf - proxying is enabled by default. All you need to do is enter info about the IAS server into proxy.conf. IAS uses both 1812/1813 and 1645/1646 ports for authentication/accounting by default, so take your pick. Instructions in proxy.conf about setting up proxy realms are quite clear.

Ivan Kalik
Kalik Informatika ISP

On 20/4/2007, "parfait kouassi nda" <[EMAIL PROTECTED]> writes:

>I want to configure my freeradius server to be a proxy server! Can I have
>the config of the modifications to freeradius's files?
>My proxy server must work with IAS on Windows Server 2003!
>Thanks!
Re: server crashes with eap/tls after crl update
Hi,

it's possible that radiusd crashes on the next authentication - I only noticed that it runs for a few seconds up to some minutes and then crashes with a seg fault. But I'm wondering why I don't see any incoming requests when running "radiusd -X" before the seg fault. That would imply that radiusd crashes before it writes the first debug message.

bye
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of inverse
Sent: Friday, 20 April 2007 10:36
To: FreeRadius users mailing list
Subject: Re: server crashes with eap/tls after crl update

On 4/20/07, Fiederling, Daniel <[EMAIL PROTECTED]> wrote:
> Hello,
>
> this week I updated to freeradius 1.1.6. We use eap/tls with a crl from a
> Microsoft CA, which is downloaded and converted by a shell script every hour
> or has to be updated manually. If it changes, I have to reload the server
> config, right? Since the update the server crashes with a seg fault about a
> minute after the config reload - but only if the crl changed. For now I
> changed the reload (SIGHUP) to a complete restart as a work around. Before
> we used freeradius 1.1.4.

my test setup is: freeradius 1.1.6 compiled against openssl 0.9.8e. the system is RedHat EL4 with the latest updates and kernel 2.6.9-22.ELsmp

EAP-TLS is implemented and works fine, so does the CRL.
My problem is as follows: the HUP works but radiusd segfaults at the first authentication after the HUP.

Now I'm in the process of performance and stability testing. if this version shows the same outstanding level of performance shown by the bleeding edge I'll keep it, otherwise I'll consider taking the risk of CVS.
Re: server crashes with eap/tls after crl update
On 4/20/07, Fiederling, Daniel <[EMAIL PROTECTED]> wrote:
> Hello,
>
> this week I updated to freeradius 1.1.6. We use eap/tls with a crl from a
> Microsoft CA, which is downloaded and converted by a shell script every hour
> or has to be updated manually. If it changes, I have to reload the server
> config, right? Since the update the server crashes with a seg fault about a
> minute after the config reload - but only if the crl changed. For now I
> changed the reload (SIGHUP) to a complete restart as a work around. Before
> we used freeradius 1.1.4.

my test setup is: freeradius 1.1.6 compiled against openssl 0.9.8e. the system is RedHat EL4 with the latest updates and kernel 2.6.9-22.ELsmp

EAP-TLS is implemented and works fine, so does the CRL.
My problem is as follows: the HUP works but radiusd segfaults at the first authentication after the HUP.

Now I'm in the process of performance and stability testing. if this version shows the same outstanding level of performance shown by the bleeding edge I'll keep it, otherwise I'll consider taking the risk of CVS.
Re: configuration
Hi,

> i want to configure my freeradius server to be a proxy server! can i have
> the config of the modification of freeradius's files?
> My proxy's server must turn with IAS of windows server 2003!
> thanks!

you've already posted them. exactly why it's not working is another issue altogether!

- is your FR box set as a client in the IAS?
- is your FR box configured to handle unknown EAP types?
- is your FR box firewalled?
- is your IAS firewalled?

please show us some radiusd -X output!

alan
Re: rlm_perl: perl 5.6 & segmentation fault when reloaded
On Apr 19, 2007, at 10:52 AM, Milan Holub wrote:
>
> This version of perl is without ithreads and does not support
> multiplicity.
>
> Problem was localized to detach section of perl module and here is a
> dummy patch (do not call custom detach function as I do not need it...)
>

An empty detach function should help. If you don't need it just leave it empty.

Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002
configuration
I want to configure my freeradius server to be a proxy server! Can I have the config of the modifications to freeradius's files?
My proxy server must work with IAS on Windows Server 2003!
Thanks!