Re: dictionary question

2007-04-20 Thread Alan DeKok
Jackson Jerry-NPC637 wrote:

> 1.  I’ve installed version 1.1.6, but have some dictionary files that
> are/were setup for
> Freeradius 1.1.3.  I’ve seen from the README/faq that the dictionary
> files have changed post 1.1.3

  The dictionary files that are shipped with the server have changed.
You MUST use the new dictionaries with 1.1.6, for a number of reasons.

> & am wondering what I need to do/change to incorporate my 1.1.3
> dictionary files to work with
> Freeradius 1.1.6?  It looks like most of the 1.1.3 dict. files are
> duplicated in 1.1.6, but notice I have
> a couple (company specific) dictionary files that I need to use with
> freeradius 1.1.6? 

  That's what /etc/raddb/dictionary is for.  You should $INCLUDE the
dictionaries from 1.1.6, and then $INCLUDE your local dictionaries.  Do
NOT edit the dictionaries in /usr/share.

> 2. Probably not a big deal (just curious), but was wondering what
> exactly changed with the dictionary 
> files between freeradius 1.1.3 & 1.1.6.  I see an error like “values
> can only be Interger types”, but am not
> sure what this means.  Hopefully this is just a quick/short answer.

  The old dictionaries contained inconsistent and contradictory
information.  The new dictionaries don't, and the code no longer allows
those kinds of problems.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

dictionary question

2007-04-20 Thread Jackson Jerry-NPC637
I'm a freeradius newbie so bear with me.  Two questions/issues:

1.  I've installed version 1.1.6, but have some dictionary files that
are/were setup for Freeradius 1.1.3.  I've seen from the README/faq that
the dictionary files have changed post 1.1.3 & am wondering what I need
to do/change to incorporate my 1.1.3 dictionary files to work with
Freeradius 1.1.6?  It looks like most of the 1.1.3 dict. files are
duplicated in 1.1.6, but notice I have a couple (company specific)
dictionary files that I need to use with freeradius 1.1.6?

2. Probably not a big deal (just curious), but was wondering what
exactly changed with the dictionary files between freeradius 1.1.3 &
1.1.6.  I see an error like "values can only be Interger types", but am
not sure what this means.  Hopefully this is just a quick/short answer.

Thanks,

Jerry

Re: suggestions for multiple vlans in hundreds of switches

2007-04-20 Thread Arran Cudbard-Bell
Phil Mayers wrote:
> Matt Ashfield wrote:
>   
>> Hi,
>>
>> We'd like to use FR to assign users on our wired network to one of 30
>> different vlans on campus, based on an LDAP field. Currently, we are doing
>> this with huntgroups. Namely, we create a huntgroup for the NAS (in our
>> case, a network switch), and then in the users file, we put the following:
>> 
>
> Credit to Alan DeKok for this idea - it was one of the first questions I 
> asked on the list.
>
> Use two rlm_passwd modules to add "fake" items to the *request*:
>
> passwd nas2building {
>file = /etc/raddb/nas2building
>format = "*NAS-IP-Address:~MyBuilding"
>hashsize = 100
> }
> passwd user2vlantype {
>file = /etc/raddb/user2vlantype
>format = "*User-Name:~MyVlanType"
>hashsize = 100
>allowmultiplekeys = yes
> }
>
> ...then in the users file you reduce NxM to AxB which is a hopefully 
> smaller combination:
>
> DEFAULT   MyBuilding == "facility1", MyVlanType == "guests"
>   ...
> DEFAULT   MyBuilding == "facility1", MyVlanType == "staff"
>   ...
>
> Note that if you're caching the files, FreeRadius will need to be HUPed 
> to re-read them (boo!). Also, you'll need to add the MyXXX attributes to 
> the dictionary like so:
>
> ATTRIBUTE  MyBuilding  3000  string
> ATTRIBUTE  MyVlanType  3001  string
>
> This could also be done cleaner (but slower) with cleverly designed SQL 
> tables or stored procedures
>   
Yeah, complex SQL really can be quite slow, especially when the queries 
are being run multiple times for all the rounds required in EAP 
authentication.

I use a second instance of preprocess to read a second hints file called 
'nas_hints'; this uses dynamic SQL queries to grab extra NAS attributes 
from the server.

I actually use a really quick and dirty way of getting multiple values 
from a very simple query. You store multiple bool vars as a binary 
string representation of a 6 digit integer... you can then use pattern 
matching in group check items to select required values and values you 
don't care about.

authorize {
    nas_hints
}

preprocess nas_hints {
    hints = ${confdir}/nas_hints
}


Here is my nas_hints file:

#
# Should speed things up when proxying peap to itself
DEFAULT Packet-Src-IP-Address == localhost

#
# Set the 'PROXY' flag in the feature set for the JRS proxies
DEFAULT Packet-Src-IP-Address == roaming0.ja.net
        NAS-Feature-Set = '01001000'

DEFAULT Packet-Src-IP-Address == roaming1.ja.net
        NAS-Feature-Set = '01001000'

DEFAULT Packet-Src-IP-Address == roaming2.ja.net
        NAS-Feature-Set = '01001000'

#
# Debug entry for home testing.
#DEFAULT Packet-Src-IP-Address == arr-land.co.uk
#        NAS-Feature-Set = '01001000'

#
# Retrieve the feature set for all non-recognised clients
# from the NetReg3 Database
# Note: Doing the initial pattern match is a far quicker way of doing things
# than concatenating the db columns and comparing with client ip !
DEFAULT Packet-Src-IP-Address =~ "^([0-9]+)[.]([0-9]+)[.]([0-9]+)[.]([0-9]+)$"
        NAS-Feature-Set = "SELECT EXPORT_SET(master.nas_flags,'1','0','',20) FROM `master` WHERE ip1 = '%{1}' AND ip2 = '%{2}' AND ip3 = '%{3}' AND ip4 = '%{4}' LIMIT 0,1"


Here's some group examples...


SQL result

*Host:* localhost
*Database:* radius
*Generation Time:* Apr 20, 2007 at 10:20 PM
*Generated by:* phpMyAdmin 2.9.2 / MySQL 4.1.10a-standard-log
*SQL query:* SELECT * FROM `radgroupcheck` LIMIT 0, 30 ;
*Rows:* 5

id  GroupName       Attribute        op  Value
1   nas_admins      Service-Type     <=  NAS-Prompt-User
2   nas_admins      Service-Type     >=  Administrative-User
3   nas_operators   Service-Type     ==  NAS-Prompt-User
20  jrs_offsite_ao  Huntgroup-Name   ==  jrs-proxy
19  jrs_offsite_ao  NAS-Feature-Set  =~  01001000



Here's a fun little PHP script to take a list of features and produce a 
bit string or integer value.

#!/usr/local/php/bin/php
<?php
// The head of the script (argument handling and the flag table) was lost
// in the archive; the lines down to the first if() are an assumed
// reconstruction, the rest is the logic as posted.
$def_flags = array('PROXY' => 1);   // assumed: feature name => bit position
$pad_to    = 8;                     // assumed: width of the bit string
$flags     = array_slice($argv, 1); // feature names given on the command line
$flags_def = array_keys($def_flags);

if (count($flags_def) > $pad_to) {
    $bit_array = array_fill(0, count($flags_def), 0); # Create an array equal to the maximum amount of possible flags
} else {
    $bit_array = array_fill(0, $pad_to, 0);           # Create an array equal to pad value, if greater than maximum flags
}
foreach ($flags as $value) {                # For each of the flags, see if its value matches one of the keys
    if (key_exists($value, $def_flags)) {   # If it does then set that BIT to true
        $bit_array[$def_flags[$value]] = 1;
    }
}
$bit_string = implode('', $bit_array);
echo $bit_string, "\n";
echo bindec(strrev($bit_string)), "\n";     // assumed: integer with position 0 as the lowest-order bit, as EXPORT_SET() reads it
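Added example (not from the post): a Python model of the NAS-Feature-Set scheme described above. It builds the bit string the way the PHP script does, converts it to the integer that MySQL's EXPORT_SET() turns back into the same string (low-order bit first), and builds the '=~' pattern with don't-care positions for a radgroupcheck entry; the feature names other than PROXY and their bit positions are assumptions.

```python
import re

# Feature table: name -> position in the bit string (position 0 is the
# left-most character). The post only shows PROXY as bit 1 ('01001000');
# the other names and positions are assumptions for this example.
FEATURE_BITS = {"PROXY": 1, "DOT1X": 4, "MACAUTH": 5, "VOIP": 6}
HINTS_WIDTH = 8      # width used in the nas_hints file
DB_WIDTH = 20        # width used in EXPORT_SET(nas_flags, '1', '0', '', 20)


def feature_set(features, def_flags=FEATURE_BITS, pad_to=HINTS_WIDTH):
    """Bit string for a list of feature names (same logic as the PHP script):
    allocate pad_to positions, or more if the table needs them, and set the
    position of every known feature; unknown names are ignored."""
    width = max(pad_to, max(def_flags.values()) + 1)
    bits = ["0"] * width
    for name in features:
        if name in def_flags:
            bits[def_flags[name]] = "1"
    return "".join(bits)


def feature_int(bit_string):
    """Integer to store in the nas_flags column: position i is bit 2**i,
    which is the order EXPORT_SET() reads bits back (low-order bit first)."""
    return sum(1 << i for i, ch in enumerate(bit_string) if ch == "1")


def export_set(bits, on="1", off="0", sep="", number_of_bits=DB_WIDTH):
    """Python equivalent of MySQL EXPORT_SET(bits, on, off, sep, n)."""
    return sep.join(on if (bits >> i) & 1 else off for i in range(number_of_bits))


def feature_pattern(required, forbidden=(), width=HINTS_WIDTH, def_flags=FEATURE_BITS):
    """Regex for a radgroupcheck 'NAS-Feature-Set =~' check item: required
    features must be '1', forbidden ones '0', everything else is '.'.
    Only '^' is used as an anchor so the pattern matches the 8-character
    hints value and the 20-character EXPORT_SET() string alike."""
    chars = ["."] * width
    for name in required:
        chars[def_flags[name]] = "1"
    for name in forbidden:
        chars[def_flags[name]] = "0"
    return "^" + "".join(chars)


def nas_matches(nas_flags, pattern):
    """Would the group check match the feature set of a NAS whose nas_flags
    column holds this integer?"""
    return re.match(pattern, export_set(nas_flags)) is not None
```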

Re: suggestions for multiple vlans in hundreds of switches

2007-04-20 Thread Phil Mayers
Matt Ashfield wrote:
> Hi,
> 
> We'd like to use FR to assign users on our wired network to one of 30
> different vlans on campus, based on an LDAP field. Currently, we are doing
> this with huntgroups. Namely, we create a huntgroup for the NAS (in our
> case, a network switch), and then in the users file, we put the following:

Credit to Alan DeKok for this idea - it was one of the first questions I 
asked on the list.

Use two rlm_passwd modules to add "fake" items to the *request*:

passwd nas2building {
   file = /etc/raddb/nas2building
   format = "*NAS-IP-Address:~MyBuilding"
   hashsize = 100
}
passwd user2vlantype {
   file = /etc/raddb/user2vlantype
   format = "*User-Name:~MyVlanType"
   hashsize = 100
   allowmultiplekeys = yes
}

...then in the users file you reduce NxM to AxB which is a hopefully 
smaller combination:

DEFAULT MyBuilding == "facility1", MyVlanType == "guests"
...
DEFAULT MyBuilding == "facility1", MyVlanType == "staff"
...

Note that if you're caching the files, FreeRadius will need to be HUPed 
to re-read them (boo!). Also, you'll need to add the MyXXX attributes to 
the dictionary like so:

ATTRIBUTE  MyBuilding  3000  string
ATTRIBUTE  MyVlanType  3001  string

This could also be done cleaner (but slower) with cleverly designed SQL 
tables or stored procedures
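Added example, not part of the post or of rlm_passwd itself: a Python model of the two-stage lookup above. It parses the rlm_passwd format strings ('*' key field, '~' request item, '=' control item, no prefix reply item), loads two constructed lookup files, enriches a request with MyBuilding and MyVlanType, and resolves the (building, VLAN type) pair to the RFC 3580 tunnel attributes; the hosts, users, buildings and VLAN ids are invented.

```python
# Constructed lookup files in rlm_passwd's colon-separated layout; the
# addresses, users and buildings are invented for this example.
NAS2BUILDING = """\
# NAS-IP-Address:MyBuilding
192.0.2.10:facility1
192.0.2.11:facility1
192.0.2.20:facility2
"""
USER2VLANTYPE = """\
# User-Name:MyVlanType
alice:staff
bob:guests
carol:staff
"""

# The A x B table that replaces per-switch huntgroup entries in the users
# file (one DEFAULT entry per building/vlan-type pair); VLAN ids invented.
VLAN_TABLE = {
    ("facility1", "guests"): 100, ("facility1", "staff"): 110,
    ("facility2", "guests"): 200, ("facility2", "staff"): 210,
}


def parse_format(fmt, delimiter=":"):
    """Decode an rlm_passwd 'format' string.

    Returns (key_index, fields) where fields[i] = (attribute, destination).
    A leading '*' marks the key field, '~' puts the field into the request
    list, '=' into the control list, and no prefix means the reply list.
    """
    key = None
    fields = []
    for i, raw in enumerate(fmt.split(delimiter)):
        if raw.startswith("*"):
            key, raw = i, raw[1:]
        dest = "reply"
        if raw.startswith("~"):
            dest, raw = "request", raw[1:]
        elif raw.startswith("="):
            dest, raw = "control", raw[1:]
        fields.append((raw, dest))
    if key is None:
        raise ValueError("format has no '*' key field: %r" % fmt)
    return key, fields


def load_passwd(text, fmt, delimiter=":"):
    """Index a passwd-style file by its key column, like rlm_passwd's hash.
    Returns (key_attribute, {key_value: [(dest, attr, value), ...]})."""
    key, fields = parse_format(fmt, delimiter)
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split(delimiter)
        if len(cols) != len(fields):
            continue  # malformed line: skip rather than guess
        table[cols[key]] = [(dest, attr, cols[i])
                            for i, (attr, dest) in enumerate(fields) if i != key]
    return fields[key][0], table


def enrich(request, instances):
    """Run each passwd instance in authorize: look up its key attribute in
    the request and add the '~' fields to the request list."""
    for key_attr, table in instances:
        for dest, attr, value in table.get(request.get(key_attr), []):
            if dest == "request":
                request[attr] = value
    return request


def assign_vlan(request):
    """users-file stage: match on MyBuilding/MyVlanType and return the
    RFC 3580 VLAN reply attributes, or None when no entry matches."""
    vlan = VLAN_TABLE.get((request.get("MyBuilding"), request.get("MyVlanType")))
    if vlan is None:
        return None
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


INSTANCES = [
    load_passwd(NAS2BUILDING, "*NAS-IP-Address:~MyBuilding"),
    load_passwd(USER2VLANTYPE, "*User-Name:~MyVlanType"),
]


def vlan_for(nas_ip, user_name):
    """Whole pipeline for one Access-Request."""
    request = enrich({"NAS-IP-Address": nas_ip, "User-Name": user_name}, INSTANCES)
    return assign_vlan(request)
```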


RE: restricting users access to clients?

2007-04-20 Thread Matt Ashfield
Hi, I realize this was a thread from over a month ago, but thought I'd ask
anyway. I have my original post, followed by your reply, followed by my new
question.

First off, my original post:
>We're using FreeRadius to authenticate our wireless users (whose
>credentials are stored in LDAP). But we'd also like to use it to
>authenticate a select few users who need access to our networking gear. Our
>networking gear is setup to do this, but I'm not sure how to set this up in
>FreeRadius. 
>
>I would assume that you'd specify in the clients.conf section which users
>are allowed access to that device, but in looking at the documentation for
>clients.conf, that doesn't seem to be the case.

And your reply:
You would want to use the special username DEFAULT.  (Check the man page
for users(5).)

What I did (although this might be slightly hackish.) is I took a look
at the attributes in the request that was being sent by the supplicant.
I looked for attributes that were different between the wireless users
and the network equipment users.  For example, you might want to do
something like:

"admin1"  NAS-Port-Type == "Virtual", Auth-Type = LDAP

"admin2"  NAS-Port-Type == "Virtual", Auth-Type = LDAP

# This matches everyone else
DEFAULT   NAS-Port-Type == "Virtual", Auth-Type := Reject

# This will match all wireless users
DEFAULT   NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able
to login via LDAP.  You may need to configure some kind of Fall-Through
if you want users to authenticate using some other mechanism in addition
to LDAP.  So this is not without its limitations, but this should give
you some ideas to start from.
-- 
John Guthrie
[EMAIL PROTECTED]

=
My question here is, would doing what you mentioned above eliminate the
possibility of users other than admin1 or admin2 authenticating to the
network via that switch? What we're trying to do is rather odd I guess. On
one hand, we want to use the switch as an 802.1x device for regular use. So
it has to be able to authenticate at the switch port level via 802.1x. We
currently have huntgroups for that and it works. 
We'd ALSO like to be able to use Radius to authenticate our comms staff when
they telnet/login to switches mgmt interfaces. So while I think your
suggestion above would work for that part, it would at the same time deny
all my 802.1x users because of the Reject statement?

I'm a bit confused, so any help is appreciated.

Cheers
Matt




Re: How to use FreeRADIUS proxy to set an attribute value only if not provided by end RADIUS server ?

2007-04-20 Thread Tomas Hoger
On 4/19/07, John Butala <[EMAIL PROTECTED]> wrote:
> We would like to use FreeRADIUS (acting as a proxy server) to set the
> Primary-DNS-Server and Secondary-DNS-server attributes in the auth
> response to the RADIUS client only if these attributes are not provided
> by the end RADIUS server (which we don't control).   Is there anyway to
> do this without making a FreeRADIUS source code change ?

You can try to write a simple rlm_perl script and call it from
post-proxy.  It will check for the presence of the attribute(s) and add
it/them as needed.

However, there may be a better way to achieve this...

th.


Re: rlm_sql: %{sql:} - length limit

2007-04-20 Thread Alan DeKok
Milan Holub wrote:
> ==> I've increased the value of MAX_STRING_LEN to 1024. Here is a patch:

  It will break almost everything in the server.

> My query works now but I'm not sure whether this change might not have
> some unwanted impact somewhere else since the constant is used on many
> places... Alan? 

  It's used all over the place, for things other than queries.  Do NOT
change it!

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_sql: %{sql:} - length limit

2007-04-20 Thread Milan Holub
On Fri, Apr 20, 2007 at 01:25:05PM +0200, Milan Holub wrote:
> Is there a way to specify more complex (longer) SQL queries in the freeradius
> configuration?
==> I've increased the value of MAX_STRING_LEN to 1024. Here is a patch:

ndex: src/include/libradius.h
===
RCS file: /source/radiusd/src/include/libradius.h,v
retrieving revision 1.133
diff -u -r1.133 libradius.h
--- src/include/libradius.h 18 Apr 2007 13:24:13 -  1.133
+++ src/include/libradius.h 20 Apr 2007 13:23:50 -
@@ -57,7 +57,7 @@

 #define AUTH_VECTOR_LEN16
 #define CHAP_VALUE_LENGTH   16
-#define MAX_STRING_LEN 254 /* RFC2138: string 0-253 octets */
+#define MAX_STRING_LEN 1024/* RFC2138: string 0-253 octets */

 #  define VENDOR(x)((x >> 16) & 0x7fff)
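Review bot: the new value contradicts the comment kept on the same line, `#define MAX_STRING_LEN 1024/* RFC2138: string 0-253 octets */` now documents a 253-octet limit beside a 1024 value (and the space before the comment was lost), so either the comment should change or the constant should not. More importantly, MAX_STRING_LEN is the wire-level bound for RADIUS string attributes (that is what the RFC 2138 comment refers to), not a buffer size for SQL text, so raising it here changes every place in the server that sizes attribute values by it; the long xlat input would be better handled by a query-sized buffer (the thread already refers to MAX_QUERY_LEN) than by enlarging the attribute limit.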


My query works now but I'm not sure whether this change might not have
some unwanted impact somewhere else since the constant is used on many
places... Alan? 

Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--


RE: Grouping after Kerberos 5 authentication accepted?

2007-04-20 Thread Jason Chan
Hello Alan,

It works! After I changed the authorize_check_query the FreeRadius is
now able to check for attributes after Kerberos authentications. Thanks!

Regards,
Jason

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 19, 2007 8:13 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: Grouping after Kerberos 5 authentication accepted?


Jason Chan wrote:
> For example, Kerberos successfully authenticate admin/admin (yes I 
> don't use MySQL for authentication), and FreeRadius knows this user 
> has permission to access. Now, in the postauth part, FreeRadius 
> searches the radreply table in its MySQL database for the proper 
> attributes that this particular user has, say Service-Type = 
> Administrative-User. I store these attribute information in radreply 
> table and leave other tables empty.
> 
> So, I edited the postauth_query in sql.conf:

  I think for historical reasons, you have to perform the query in the
authorize section.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




rlm_sql: %{sql:} - length limit

2007-04-20 Thread Milan Holub
Hi Alan and others, 

using cvs head from yesterday...

I have some query in radgroupcheck for some custom attribute defined in
dictionary:

dictionary:
# test_query
ATTRIBUTE   test_query  3014string

select * from radgroupcheck where id=67;
+----+-----------+------------+----+-------+
| id | GroupName | Attribute  | op | Value |
+----+-----------+------------+----+-------+
| 67 | hotzone   | test_query | := | `%{sql:select charge, charge_plan.name as 'charge_plan', zone.name as zone from charge_plan, zone, zone_definition where (nasid=(select nas.id from nas where nas.nasname='%{NAS-IP-Address}' and nas.ports='%{NAS-Port}') or nasid is null)  and batchid=(select batchid from card where username='%{SQL-User-Name}') and charge_planid=charge_plan.id and zoneid=zone.id order by nasid desc limit 1}` |
+----+-----------+------------+----+-------+

I wanted to use the value of the test_query attribute later in the rlm_perl
module (as I do for my other attributes configured from the DB).
My approach is to fetch all necessary data into "custom" attributes and
in rlm_perl I'm doing just simple "decisions" based on custom
attributes. I do not want to connect from within perl to the database to
fetch those values (new DB connections, using other perl modules,
performance hit...)

My problem:
- it looks like the Value field in radgroupcheck is limited to 253
  characters
==> I did:
mysql> alter table radgroupcheck modify column Value varchar(1024);
but still the possible length of the string to be xlated is limited by
MAX_STRING_LEN rather than by MAX_QUERY_LEN...

rlm_sql (sql): User found in group hotzone
radius_xlat:  'SELECT id, GroupName, Attribute, Value, op   FROM 
radgroupreply   WHERE GroupName = 'hotzone'   ORDER BY id'
radius_xlat: Running registered xlat function of module sql for string 'select 
charge, charge_plan.name as 'charge_plan', zone.name as zone from charge_plan, 
zone, zone_definition where (nasid=(select nas.id from nas where 
nas.nasname='%{NAS-IP-Address}' and nas.ports='%{NAS-Port}') or nasid is null)  
and batchid=(sel'
rlm_sql (sql): - sql_xlat
radius_xlat:  'pexcmp'
rlm_sql (sql): sql_set_user escaped user --> 'pexcmp'
radius_xlat:  'select charge, charge_plan.name as 'charge_plan', zone.name as 
zone from charge_plan, zone, zone_definition where (nasid=(select nas.id from 
nas where nas.nasname='193.247.122.178' and nas.ports='5280') or nasid is null) 
 and batchid=(sel'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql (sql): database query error, select charge, charge_plan.name as 
'charge_plan', zone.name as zone from charge_plan, zone, zone_definition where 
(nasid=(select nas.id from nas where nas.nasname='193.247.122.178' and 
nas.ports='5280') or nasid is null)  and batchid=(sel: You have an error in 
your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near '' at line 1
rlm_sql (sql): Released sql socket id: 2


I did not test it yet but I think the string length limit is common to all
%{sql:} dynamic strings (not only those in the [rad|group][check|reply]
tables).

Is there a way to specify more complex (longer) SQL queries in the freeradius
configuration?

Please advise.


Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Sw
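Added example (not from the post): a Python pre-load check for the limit described above. It measures each Value against MAX_STRING_LEN - 1 (253 octets, the figure the thread quotes from libradius.h) and shows the prefix that would survive; the rows are constructed, with the test_query entry copied from the post.

```python
# Limits as quoted in the thread from src/include/libradius.h: attribute
# values are capped at MAX_STRING_LEN - 1 octets (RFC 2138 strings are 0-253).
MAX_STRING_LEN = 254
MAX_VALUE_OCTETS = MAX_STRING_LEN - 1


def check_value(value, limit=MAX_VALUE_OCTETS):
    """Report how a radgroupcheck/radgroupreply Value would be cut down.

    Returns None when the value fits; otherwise a dict with the octet length,
    how far over the limit it is, and the prefix the server would keep (the
    same truncation that produced the 'and batchid=(sel' query in the debug
    output, which MySQL then rejected with error 1064).
    """
    data = value.encode("utf-8")
    over = len(data) - limit
    if over <= 0:
        return None
    return {"octets": len(data), "over": over,
            "kept": data[:limit].decode("utf-8", "ignore")}


def audit_rows(rows, limit=MAX_VALUE_OCTETS):
    """Scan (id, GroupName, Attribute, op, Value) rows before loading them
    and list every row whose Value cannot be represented in full."""
    findings = []
    for row_id, group, attr, op, value in rows:
        result = check_value(value, limit)
        if result is not None:
            findings.append({"id": row_id, "group": group, "attr": attr,
                             "octets": result["octets"], "over": result["over"]})
    return findings


# Constructed rows: row 67 is the test_query entry from the post, row 1 is
# a short entry that fits.
SAMPLE_ROWS = [
    (1, "hotzone", "Simultaneous-Use", ":=", "1"),
    (67, "hotzone", "test_query", ":=",
     "`%{sql:select charge, charge_plan.name as 'charge_plan', zone.name as zone "
     "from charge_plan, zone, zone_definition where (nasid=(select nas.id from nas "
     "where nas.nasname='%{NAS-IP-Address}' and nas.ports='%{NAS-Port}') or nasid "
     "is null)  and batchid=(select batchid from card where "
     "username='%{SQL-User-Name}') and charge_planid=charge_plan.id and "
     "zoneid=zone.id order by nasid desc limit 1}`"),
]
```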

Re: rlm_perl: perl 5.6 & segmentation fault when reloaded

2007-04-20 Thread Milan Holub
Hi Boian,

On Fri, Apr 20, 2007 at 11:25:43AM +0300, Boian Jordanov wrote:
> An empty detach function should help. If you don't need it just leave  
> it empty.

I set in perl.conf "func_detach = NULL" but it did not help.

Then I left in perl.conf "func_detach = detach" and defined the
empty detach function (in perl_module.pm):
"sub detach {}"

==> but the same negative result :( Which means I have to stay with my
patch...

Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--




Re: Questions regarding authentication systems and protocols to password types compatibility

2007-04-20 Thread Alan DeKok
Reimer Karlsen-Masur, DFN-CERT wrote:
> Which freeradius modules can be used for the *simple password store*?
>   files (the users file)
>   unix
>   pam
>   ldap
>   sql (?)

  Not PAM.

> Could you please complete this list? Are these entries ending up in the
> authenticate or authorize or both sections of the freeradius config?

  Databases don't do authentication.  They do not get listed in the
"authenticate" section.

  As for completing the list, it really depends.  You can configure many
modules to add a clear-text password for the user.  Please read
radiusd.conf, and the documentation for examples.  I'm not going to
re-type all that here.

> How do I differ within the ldap module configuration if I do an ldap
> authentication via the *oracle* or if I *retrieve* (additional) attributes
> for a user like e.g. his password?

  See the documentation for the LDAP module.

> Is the difference that the 'ldap' entry shows up in the 'authenticate'
> section for attribute retrieval use  (plain password store) which I have
> configured here and believe to be working and in the 'authorize' section for
> oracle use?

  You have that completely backwards.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Questions regarding authentication systems and protocols to password types compatibility

2007-04-20 Thread Reimer Karlsen-Masur, DFN-CERT
Thanks Alan!

Your answer is raising some more questions though:

Alan DeKok wrote:
> Reimer Karlsen-Masur, DFN-CERT wrote:
>> I appreciate the tables explaining the compatibility of authentication
>> systems / protocols to password type compatibility from:
> 
>> But I am still confused about the relationship of these two tables to each
>> other and how to use them.
>>
>> Is the following considered correct?
>>
>> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
>> *password store*, only [table 1] is of interest.
> 
>   Yes.

Which freeradius modules can be used for the *simple password store*?
  files (the users file)
  unix
  pam
  ldap
  sql (?)

Could you please complete this list? Are these entries ending up in the
authenticate or authorize or both sections of the freeradius config?

...
>> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
>> oracle*, [table 2] tells me which authentication oracle system I can use
>> (depending on the authentication protocol that the supplicant/client/user is
>> using)
> 
>   Yes.
> 
>> and [table 1] tells me in which format the passwords need to be
>> stored in the authentication oracle.
> 
>   Yes.  Except that PAP is compatible with all password formats.  Also,
> ntlm_auth is used on Windows, which stores passwords in cleartext or
> NT-Hash format, and nothing else.
> 
>   So after reading the "oracle" page, there's no need to go back to the
> other page to see how to store the passwords.
> 
>> And freeradius is able to connect to
>> the back end (if there is a rlm_ module available), to
>> authenticate *with the user provided* credentials (username/password) and to
>> optionally retrieve some attribute values if the *user* authenticated
>> successfully against the authN oracle.
> 
>   No.  Authentication has nothing to do with retrieving other
> information.  When an authentication oracle is used, FreeRADIUS takes
> the username && password, and hands them to the oracle.  The oracle
> returns yes/no, and nothing else.

How do I differ within the ldap module configuration if I do an ldap
authentication via the *oracle* or if I *retrieve* (additional) attributes
for a user like e.g. his password?

Is the difference that the 'ldap' entry shows up in the 'authenticate'
section for attribute retrieval use  (plain password store) which I have
configured here and believe to be working and in the 'authorize' section for
oracle use?

Thanks again for more insight on this!

-- 
Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



Re: re: configuration

2007-04-20 Thread tnt
You are not sending gie.local to your IAS but dealing with them locally.
Change realm gie.local back to realm LOCAL and it should start to proxy
such requests.

Ivan Kalik
Kalik Informatika ISP


On 20/4/2007, "parfait kouassi nda" <[EMAIL PROTECTED]> wrote:

>my last configuration of these files is:
>radiusd.conf
>proxy_request = yes
>
>proxy.conf
>realm gie.local {
> type =  radius
> authhost =  LOCAL
> accthost  =  LOCAL
> }
>
>realm DEFAULT {
>   type =  radius
>   authhost =  araignee.gie.local:1812
>   accthost  =  araignee.gie.local:1813
>   secret =  parfait
>   nostrip
>   }
>
>Clients.conf
>client 192.168.0.2 {
>secret = parfait
>shortname  = araignee.gie.local
>}
>
>when I do the configuration in all files my freeradius rejects my packets!
>this is the output of radiusd -X!

Re: configuration

2007-04-20 Thread A . L . M . Buxey
Hi,

> my last configuration of these files is:
> radiusd.conf
> proxy_request = yes
> 
> proxy.conf
> realm gie.local {
>  type =  radius
>  authhost =  LOCAL
>  accthost  =  LOCAL
>  }
> 
> realm DEFAULT {
>type =  radius
>authhost =  araignee.gie.local:1812
>accthost  =  araignee.gie.local:1813
>secret =  parfait
>nostrip
>}

you are totally aware that this configuration means that your FR box
will see any gie.local and attempt the AAA itself. is this what you want?
from your debug logs it looks like you really want everything to be sent
to your IAS - so why are you attempting to handle gie.local or anything
at all if all you want to do is proxy?

i.e. remove the realm gie.local stuff and just keep the DEFAULT if your
FR isn't configured to handle those clients!

alan


re: configuration

2007-04-20 Thread parfait kouassi nda
my last configuration of these files is:

radiusd.conf
proxy_request = yes

proxy.conf
realm gie.local {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm DEFAULT {
    type     = radius
    authhost = araignee.gie.local:1812
    accthost = araignee.gie.local:1813
    secret   = parfait
    nostrip
}

Clients.conf
client 192.168.0.2 {
    secret    = parfait
    shortname = araignee.gie.local
}

when I do the configuration in all files my freeradius rejects my packets!
this is the output of radiusd -X!

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "nobody"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 0
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = 
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.


rad_recv: Access-Request pac

Re: Questions regarding authentication systems and protocols to password types compatibility

2007-04-20 Thread Alan DeKok
Reimer Karlsen-Masur, DFN-CERT wrote:
> I appreciate the tables explaining the compatibility of authentication
> systems / protocols to password type compatibility from:

> But I am still confused about the relationship of these two tables to each
> other and how to use them.
> 
> Is the following considered correct?
> 
> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
> *password store*, only [table 1] is of interest.

  Yes.

> And freeradius is able to
> connect to the back end (if there is a rlm_ module available),
> authenticate itself with a special radius server account/user credential and
> to retrieve the password plus optionally some other attribute values if the
> radius server *itself* authenticates successfully with the back end DB. The
> radius server itself is then performing the user name/password check to
> accept or reject the authentication request of the user trying to connect.

  Yes.

> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
> oracle*, [table 2] tells me which authentication oracle system I can use
> (depending on the authentication protocol that the supplicant/client/user is
> using)

  Yes.

> and [table 1] tells me in which format the passwords need to be
> stored in the authentication oracle.

  Yes.  Except that PAP is compatible with all password formats.  Also,
ntlm_auth is used on Windows, which stores passwords in cleartext or
NT-Hash format, and nothing else.

  So after reading the "oracle" page, there's no need to go back to the
other page to see how to store the passwords.

> And freeradius is able to connect to
> the back end (if there is a rlm_ module available), to
> authenticate *with the user provided* credentials (username/password) and to
> optionally retrieve some attribute values if the *user* authenticated
> successfully against the authN oracle.

  No.  Authentication has nothing to do with retrieving other
information.  When an authentication oracle is used, FreeRADIUS takes
the username && password, and hands them to the oracle.  The oracle
returns yes/no, and nothing else.

> ps: There is probably a small typo in the column heading of [table 1]:
> 'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted
> SHA1 hash (SSHA1)'

  Fixed, thanks.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
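As an added example (not from this thread and not FreeRADIUS code), the two models Alan describes, in Python: a password store holding the formats named in [table 1] (cleartext, SHA1, SSHA1; the entries are constructed samples), where the server fetches the stored value and does the PAP comparison itself, beside an oracle call that returns only yes/no. It goes one step past the thread by adding a CHAP check, which shows why only PAP fits every storage format: a CHAP response can only be recomputed from the cleartext password.

```python
import base64
import hashlib
import hmac
from typing import Optional

def _ssha1(password: str, salt: bytes) -> str:
    """LDAP-style salted SHA1: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def _sha1(password: str) -> str:
    """LDAP-style unsalted SHA1: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed sample password store (think LDAP userPassword values), one
# entry per storage format from the compatibility table; not real accounts.
STORE = {
    "alice": "secret1",                                # cleartext
    "bob": _sha1("secret2"),                           # SHA1 hash
    "carol": _ssha1("secret3", b"\x01\x02\x03\x04"),   # salted SHA1 (SSHA1)
}

def pap_check(stored: str, password: str) -> bool:
    """Password-store model: the RADIUS server fetched 'stored' itself and
    now compares the PAP cleartext against it; every format is usable."""
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), digest)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]   # SHA1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), password.encode())

def chap_response(password: str, chap_id: int, challenge: bytes) -> bytes:
    """What the client sends for CHAP: MD5(id || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

def chap_check(stored: str, chap_id: int, challenge: bytes, response: bytes) -> Optional[bool]:
    """CHAP can only be verified by recomputing the response from the cleartext,
    so a hashed store yields None (format/protocol combination unsupported)."""
    if stored.startswith("{"):
        return None
    return hmac.compare_digest(chap_response(stored, chap_id, challenge), response)

def oracle_check(username: str, password: str) -> bool:
    """Authentication-oracle model: the server hands username and password to
    the oracle and gets back yes/no only; no password or attributes return."""
    stored = STORE.get(username)
    return stored is not None and pap_check(stored, password)
```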


Questions regarding authentication systems and protocols to password types compatibility

2007-04-20 Thread Reimer Karlsen-Masur, DFN-CERT
Hi Alan,
hi list,

I appreciate the tables explaining the compatibility of authentication
systems / protocols to password type compatibility from:

[table 1] http://deployingradius.com/documents/protocols/compatibility.html

and

[table 2] http://deployingradius.com/documents/protocols/oracles.html

But I am still confused about the relationship of these two tables to each
other and how to use them.

Is the following considered correct?

1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
*password store*, only [table 1] is of interest. And freeradius is able to
connect to the back end (if there is a rlm_ module available),
authenticate itself with a special radius server account/user credential and
to retrieve the password plus optionally some other attribute values if the
radius server *itself* authenticates successfully with the back end DB. The
radius server itself is then performing the user name/password check to
accept or reject the authentication request of the user trying to connect.

2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
oracle*, [table 2] tells me which authentication oracle system I can use
(depending on the authentication protocol that the supplicant/client/user is
using) and [table 1] tells me in which format the passwords need to be
stored in the authentication oracle. And freeradius is able to connect to
the back end (if there is a rlm_ module available), to
authenticate *with the user provided* credentials (username/password) and to
optionally retrieve some attribute values if the *user* authenticated
successfully against the authN oracle.

Confirmation or further clarification is welcome.

Thanks

Reimer

ps: There is probably a small typo in the column heading of [table 1]:
'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted
SHA1 hash (SSHA1)'
-- 
Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



Re: server crashes with eap/tls after crl update

2007-04-20 Thread Alan DeKok
inverse wrote:
> EAP-TLS is implemented and works fine, so does the CRL.
> My problem is as follows: the HUP works but radiusd segfaults at the
> first authentication after the HUP.

  The server doesn't handle HUP that well.  You're *much* better off
just killing it and re-starting it.

> Now I'm in the process of performance and stability testing. if this
> version shows the same outstanding level of performance shown by the
> bleeding edge I'll keep it, otherwise I'll consider taking the risk of
> CVS.

  The CVS head doesn't handle HUP much better in some cases.  I should
have fixes in the next few weeks.  At that point, I think 2.0 can be
released.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: configuration

2007-04-20 Thread tnt
There is nothing you need to modify in radiusd.conf - proxying is enabled
by default. All you need to do is enter info about IAS server into
proxy.conf. IAS uses both 1812/1813 and 1645/1646 ports for
authentication/accounting by default, so take your pick. Instructions in
proxy.conf about setting up proxy realms are quite clear.

Ivan Kalik
Kalik Informatika ISP


On 20/4/2007, "parfait kouassi nda" <[EMAIL PROTECTED]> writes:

>I want to configure my freeradius server to be a proxy server! Can I have
>the config of the modification of freeradius's files?
>My proxy's server must turn with IAS of windows server 2003!
>thanks!


Re: server crashes with eap/tls after crl update

2007-04-20 Thread Fiederling, Daniel
Hi,

It's possible that the radiusd crashes on the next authentication - I only 
noticed that it runs for a few seconds up to some minutes and then crashes with 
a seg fault. But I am wondering why I don't see any incoming requests when running 
"radiusd -X" before the seg fault. That would imply that radiusd crashes before 
it writes the first debug message.

bye
Daniel




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of inverse
Sent: Friday, 20 April 2007 10:36
To: FreeRadius users mailing list
Subject: Re: server crashes with eap/tls after crl update

On 4/20/07, Fiederling, Daniel <[EMAIL PROTECTED]> wrote:

> Hello,
>
> this week I updated to freeradius 1.1.6. We use eap/tls with a crl from a
> Microsoft CA, which is downloaded and converted by a shell script every hour
> or has to be updated manually. If it changes, I have to reload the server
> config, right? Since the update the server crashes with a seg fault about a
> minute after the config reload - but only if the crl changed. For now I
> changed the reload (SIGHUP) to a complete restart as a work around. Before
> we used freeradius 1.1.4.

my test setup is: freeradius 1.1.6 compiled against openssl 0.9.8e.
the system is RedHat EL4 with the latest updates and kernel
2.6.9-22.ELsmp
EAP-TLS is implemented and works fine, so does the CRL.
My problem is as follows: the HUP works but radiusd segfaults at the
first authentication after the HUP.
Now I'm in the process of performance and stability testing. If this
version shows the same outstanding level of performance shown by the
bleeding edge I'll keep it, otherwise I'll consider taking the risk of
CVS.


Re: server crashes with eap/tls after crl update

2007-04-20 Thread inverse
On 4/20/07, Fiederling, Daniel <[EMAIL PROTECTED]> wrote:

> Hello,
>
> this week I updated to freeradius 1.1.6. We use eap/tls with a crl from a
> Microsoft CA, which is downloaded and converted by a shell script every hour
> or has to be updated manually. If it changes, I have to reload the server
> config, right? Since the update the server crashes with a seg fault about a
> minute after the config reload - but only if the crl changed. For now I
> changed the reload (SIGHUP) to a complete restart as a work around. Before
> we used freeradius 1.1.4.

my test setup is: freeradius 1.1.6 compiled against openssl 0.9.8e.
the system is RedHat EL4 with the latest updates and kernel
2.6.9-22.ELsmp
EAP-TLS is implemented and works fine, so does the CRL.
My problem is as follows: the HUP works but radiusd segfaults at the
first authentication after the HUP.
Now I'm in the process of performance and stability testing. If this
version shows the same outstanding level of performance shown by the
bleeding edge I'll keep it, otherwise I'll consider taking the risk of
CVS.


Re: configuration

2007-04-20 Thread A . L . M . Buxey
Hi,
> I want to configure my freeradius server to be a proxy server! Can I have 
> the config of the modification of freeradius's files?
> My proxy's server must turn with IAS of windows server 2003!
> thanks!

you've already posted them. Exactly why it's not working is another issue
altogether! - is your FR box set as a client in the IAS? Is your FR
box configured to handle unknown EAP types? Is your FR box firewalled?
Is your IAS firewalled?

please show us some radiusd -X output!

alan


Re: rlm_perl: perl 5.6 & segmentation fault when reloaded

2007-04-20 Thread Boian Jordanov

On Apr 19, 2007, at 10:52 AM, Milan Holub wrote:

>
> This version of perl is without ithreads and does not support
> multiplicity.
>
> Problem was localized to detach section of perl module and here is a
> dummy patch(do not call custom detach function as I do not need it...)
>

An empty detach function should help. If you don't need it just leave  
it empty.


Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002




configuration

2007-04-20 Thread parfait kouassi nda
I want to configure my freeradius server to be a proxy server! Can I have 
the config of the modification of freeradius's files?
My proxy's server must turn with IAS of windows server 2003!
thanks!
