Thanks a lot everyone

2007-04-30 Thread Jacob Jarick
Thanks very much everyone, especially Phil, Alan and the rest who
helped me but whom I can't recall just now. I have finally got it going
(properly this time too).

Here is a quick outline of my setup, I may write a detailed howto later on.

Windows XP home client - cisco wap - freeradius on Fedora - Windows 2003 ADS

FREERADIUS:
I used EAP-TTLS as the encryption / tunneling.
Used certs (needed for TTLS) that came with rpm.
Used PAP inside of EAP-TTLS (sends plain text password which ldap expects)

WINDOWS SERVER:
* Add 1 user with password for LDAP searching (can't remember if the user
needs special permission to search LDAP).
* Fortunately not much config is needed on the server, enabling
anonymous LDAP searching is very handy when figuring out a new domain
and its users.

WINDOWS XP CLIENTS:
I recommend using SecureW2 on XP clients as it allows you to use PAP
inside of EAP.
Configure clients with these options:

My windows client details:
Network Authentication: Open
Data Encryption: WEP
the key is provided for me automatically: (ticked)
EAP type: SecureW2
Authenticate as a computer: (unticked)
Authenticate as a guest: (unticked)

Securew2 config details:
use alternate outer identity: (unticked)
verify server cert: (unticked)
Select Authentication Method: PAP
Prompt user for credentials: (ticked)

http://www.securew2.com/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting packets segmentation fault

2007-04-30 Thread Alan DeKok
Milan Holub wrote:
 500 switch(packet-code) {

  Fixed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: request from unknown NAS vulnerability

2007-04-30 Thread Alan DeKok
Milan Holub wrote:
 with latest cvs head:
 * NASes in database
 * when sending 1 access request from NAS not defined in NAS table I get
 following repeating error message (-X) flooding my screen:

  Fixed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-30 Thread shrikant Bhat
Hi,
Anyone who can help me with this?
thanks in advance
SB

On 4/27/07, shrikant Bhat [EMAIL PROTECTED] wrote:
 On Line 154 I have default Auth-Type = ntlm_auth. If I comment this
 out I get the Access-reject packet.
 thanks,
 SB

 On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  Well, it matched something in the users file:
 
  users: Matched entry DEFAULT at line 154
 
 
  On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
 
  Yes, I figured that, thanks. But the issue is that the user I am
  trying to authenticate is not listed in the users file or in AD, so I don't
  understand how it is authenticating this user.
  I have attached debug .
  thanks for the help.
  
  *
  rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, 
  length=59
  User-Name = raduser
  User-Password = radpass
  NAS-IP-Address = 255.255.255.255
  NAS-Port = 0
Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 3
modcall[authorize]: module preprocess returns ok for request 3
modcall[authorize]: module chap returns noop for request 3
modcall[authorize]: module mschap returns noop for request 3
  rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
  rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 3
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 3
  users: Matched entry DEFAULT at line 154
modcall[authorize]: module files returns ok for request 3
  modcall: leaving group authorize (returns ok) for request 3
rad_check_password:  Found Auth-Type ntlm_auth
  auth: type ntlm_auth
Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 3
  radius_xlat: Running registered xlat function of module mschap for
  string 'User-Name'
  radius_xlat:  '--username=raduser'
  radius_xlat:  '--password=radpass'
modcall[authenticate]: module ntlm_auth returns ok for request 3
  modcall: leaving group authenticate (returns ok) for request 3
  Sending Access-Accept of id 100 to 127.0.0.1 port 32779
  Finished request 3
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 6 seconds...
  --- Walking the entire request list ---
  Cleaning up request 3 ID 100 with timestamp 4631d1f0
  Nothing to do.  Sleeping until we see a request.
  
  
  On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
   Error seems to be because shared secret is testing123 not testing 123.
   But you need to paste output of radiusd -X after Access-Request. Open two
   ssh sessions and do radtest from one and radiusd -X from the other.
  
   Ivan Kalik
   Kalik Informatika ISP
  
  
   On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
  
   I get this error
   [EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
   Sending Access-Request of id 47 to 127.0.0.1 port 1812
   User-Name = raduser
   User-Password = radpass
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
   Framed-Protocol = PPP
   rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, 
   length=20
   rad_verify: Received Access-Accept packet from client 127.0.0.1 port
   1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
   
   On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
And what happens when you get Access-Request?
   
   
On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
   
Hello Alan,
I have built and installed the 1.1.6 version of FreeRADIUS. When I test
using radtest it authenticates any user with any password; what I mean
by this is it doesn't seem to contact the ADS to look up the user
information and authenticate. I have attached the debug
*
[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
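The "invalid signature (err=2)" that radtest prints in the exchange quoted above is the client rejecting the Response Authenticator, which the server computes over the reply and the shared secret (RFC 2865 section 3). The following Python is an added example, not code from this thread or from FreeRADIUS: it builds an Access-Accept the way a server does, then verifies it once with the correct secret and once with a mismatched one. The packet contents, identifiers and secrets are constructed for the example.

```python
"""RADIUS Response Authenticator check (RFC 2865 section 3).

Added example, not code from the thread: models the check that rad_verify
performs when radtest receives an Access-Accept, and shows why a shared-secret
mismatch produces "invalid signature (err=2)".
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length incl. 2-byte header, value."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("BB", attr_type, len(value) + 2) + value
    return out


def build_request(ident, request_auth, attrs):
    """Access-Request: the authenticator field carries the client's 16 random bytes."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator with our copy of the secret.

    Returns True only if the server used the same secret and the packet is intact;
    a mismatch is what radtest reports as "invalid signature (err=2)! (Shared
    secret is incorrect.)".
    """
    if len(packet) < HEADER_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    header, received_auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    # constant-time compare, so timing does not leak how many bytes matched
    return hmac.compare_digest(received_auth, expected)


def demo():
    """Constructed exchange: server uses "testing123", client verifies with two secrets.

    Returns (accepted_with_correct_secret, accepted_with_wrong_secret)."""
    request_auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    build_request(47, request_auth, [(ATTR_USER_NAME, b"raduser")])  # what the NAS sends
    reply = build_response(ACCESS_ACCEPT, 47, request_auth, [], b"testing123")
    return (verify_response(reply, request_auth, b"testing123"),
            verify_response(reply, request_auth, b"testing"))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the authenticator covers the whole reply together with the Request Authenticator, the same check also fails for a reply that was truncated or that answers a different request, so a failing verification does not by itself distinguish a wrong secret from a corrupted or replayed packet.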
 

FreeRADIUS crash on Solaris 10 after start

2007-04-30 Thread Peter Micunek

Hi all,

I built FreeRADIUS on Solaris 10

./configure --prefix=/usr/local/freeradius
--with-mysql-include-dir=/usr/local/mysql/include/mysql
--with-mysql-lib-dir=/usr/local/mysql/lib/mysql
--with-openssl-includes=/usr/sfw/include
--with-openssl-libraries=/usr/sfw/lib --without-rlm_perl --without-threads

make
make install

and when I want to start FreeRADIUS it crashes:

# radiusd -X
Config: including file: /usr/local/freeradius/etc/raddb/radiusd.conf
Config: including file: /usr/local/freeradius/etc/raddb/proxy.conf
Config: including file: /usr/local/freeradius/etc/raddb/clients.conf
Config: including file: /usr/local/freeradius/etc/raddb/snmp.conf
Config: including file: /usr/local/freeradius/etc/raddb/eap.conf
Config: including file: /usr/local/freeradius/etc/raddb/sql.conf
Config: including file: /usr/local/freeradius/etc/raddb/sql/mysql-
dialup.conf
FreeRADIUS Version 2.0.0-pre0, for host sparc-sun-solaris2.10, built on Apr
30 2007 at 11:11:35
Starting - reading configuration files ...
read_config_files: reading dictionary
zsh: bus error (core dumped) radiusd -X


# dbx - core
Corefile specified executable: /usr/local/freeradius/sbin/radiusd
For information about new features see `help changes'
To remove this message, put `dbxenv suppress_startup_message 7.5' in your
.dbxrc
Reading radiusd
core file header read successfully
Reading ld.so.1
Reading libradius-2.0.0-pre0.so
Reading libnsl.so.1
Reading libresolv.so.2
Reading libsocket.so.1
Reading libcrypt_i.so.1
Reading libltdl.so.3.1.0
Reading libdl.so.1
Reading libssl.so.0.9.7
Reading libcrypto.so.0.9.7
Reading libc.so.1
Reading libgcc_s.so.1
Reading libgen.so.1
Reading libc_psr.so.1
program terminated by signal BUS (invalid address alignment)
Current function is lrad_isaac (optimized)
37 rngstep( a13, a, b, mm, m, m2, r, x);




I have the same problem with FR 1.1.6. Can you help me fix this problem?

My settings:

# gcc -v
Using built-in specs.
Target: sparc-sun-solaris2.10
Configured with:
/net/tibia/export/bldmstr/nightly/20061019_mars_gcc.s10.opt.tarbuild/src/configure
--prefix=/opt/gcc --enable-shared --with-system-zlib
--enable-checking=release --disable-libmudflap --enable-languages=c,c++
--enable-version-specific-runtime-libs
--with-gxx-include-dir=/opt/gcc/include/c++/4.0.3 --with-cpu=v9
Thread model: posix
gcc version 4.0.3 (gccfss)



LD_LIBRARY_PATH=/lib:/usr/local/lib:/usr/sfw/lib:/usr/ccs/lib:/usr/lib:/usr/local/mysql/lib/mysql:/usr/local/freeradius/lib

LDFLAGS=-L/usr/local/lib -R/usr/local/lib -L/usr/local/mysql/lib/mysql
-R/usr/local/mysql/lib/mysql -L/usr/sfw/lib -R/usr/sfw/lib -L/usr/ccs/lib
-R/usr/ccs/lib -L/usr/local/freeradius/lib -R/usr/local/freeradius/lib

PATH=/opt/gcc/bin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/local/mysql/bin:/usr/local/sbin:/opt/csw/bin:/opt/csw/sbin:/usr/sfw/bin:/usr/sfw/sbin:/usr/local/freeradius/sbin:/usr/local/freeradius/bin:/usr/ccs/bin


best regards
Peter Micunek

Re: FreeRadius+AD integration

2007-04-30 Thread Alan DeKok
shrikant Bhat wrote:
...
 Yes, I figured that, thanks. But the issue is that the user I am
 trying to authenticate is not listed in the users file or in AD, so I don't
 understand how it is authenticating this user.
 I have attached debug .

  Have you read the debug output?
...
 radius_xlat: Running registered xlat function of module mschap for
 string 'User-Name'
 radius_xlat:  '--username=raduser'
 radius_xlat:  '--password=radpass'
  modcall[authenticate]: module ntlm_auth returns ok for request 3

  What part of that is unclear?

  You think the user isn't in Active Directory.  Yet ntlm_auth is
returning that the user is in AD.  Either the user is in AD, or
ntlm_auth is doing something magical.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-30 Thread shrikant Bhat
I don't have the user in Active Directory, yet FreeRADIUS sends an
Accept packet.
thanks


On 4/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
 shrikant Bhat wrote:
 ...
  Yes, I figured that, thanks. But the issue is that the user I am
  trying to authenticate is not listed in the users file or in AD, so I don't
  understand how it is authenticating this user.
  I have attached debug .

   Have you read the debug output?
 ...
  radius_xlat: Running registered xlat function of module mschap for
  string 'User-Name'
  radius_xlat:  '--username=raduser'
  radius_xlat:  '--password=radpass'
   modcall[authenticate]: module ntlm_auth returns ok for request 3

   What part of that is unclear?

   You think the user isn't in Active Directory.  Yet ntlm_auth is
 returning that the user is in AD.  Either the user is in AD, or
 ntlm_auth is doing something magical.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Re: FreeRADIUS crash on Solaris 10 after start

2007-04-30 Thread Alan DeKok
Peter Micunek wrote:
 and when I want to start FreeRADIUS it crashes:
...
 program terminated by signal BUS (invalid address alignment)
 Current function is lrad_isaac (optimized)
 37 rngstep( a13, a, b, mm, m, m2, r, x);

  Let me guess... it's a 64-bit machine?

 I have the same problem with FR 1.1.6. Can you help me fix this problem?

  This is the first I've seen the problem.  Looking at the code, it's
all explicitly 32-bit, so the compiler should produce the correct code
to access 32-bit data that's not aligned on a 64-bit boundary.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-30 Thread Alan DeKok
shrikant Bhat wrote:
 I don't have the user in Active Directory, yet FreeRADIUS sends an
 Accept packet.

  I did read the debug output, unlike you.  It shows why.  I told you
why.  Stop arguing and read the debug output again, and my responses.

  It's not FreeRADIUS.  You have configured FreeRADIUS to reply with an
Access-Accept if the ntlm_auth module returns OK.  For some reason, the
ntlm_auth is returning OK.  Go find out why that's happening, and fix it.

  Do NOT reply with but freeradius sends an access accept.  That reply
indicates that you're not reading the messages here.  If you're not
going to read the answers to your questions, I suggest you stop asking
the questions.  You're wasting your time, and ours.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


EAP-TTLS PEAP MSCHAPv2

2007-04-30 Thread Eshun Benjamin
Anyone have an idea of how to get rid of
"The server certificate is not trusted because there are no explicit trust
settings"

on Mac OS X 10.4.9 without selecting 'always trust' for these free certificates?


  

Re: FreeRADIUS crash on Solaris 10 after start

2007-04-30 Thread Peter Micunek

Alan,

You are right. It is a 64-bit machine, but

# file radiusd
radiusd: ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ Required,
dynamically linked, stripped

regards
Peter Micunek


On 4/30/07, Alan DeKok [EMAIL PROTECTED] wrote:


Peter Micunek wrote:
 and when I want to start FreeRADIUS it crashes:
...
 program terminated by signal BUS (invalid address alignment)
 Current function is lrad_isaac (optimized)
 37 rngstep( a13, a, b, mm, m, m2, r, x);

  Let me guess... it's a 64-bit machine?

 I have the same problem with FR 1.1.6. Can you help me fix this problem?

  This is the first I've seen the problem.  Looking at the code, it's
all explicitly 32-bit, so the compiler should produce the correct code
to access 32-bit data that's not aligned on a 64-bit boundary.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

checkrad + NoCat

2007-04-30 Thread Milan Holub
Hi all,

I was wondering whether nocat (http://nocat.net/) could be queried for
simultaneous use somehow. I've found only an outdated patch at
http://lists.nocat.net/pipermail/nocat/2003-October/003795.html

I was inspired by that idea, and attached is a patch to checkrad.pl.in.
You need the additional Perl module HTTP::Lite (downloadable from CPAN). I've
tested it and it's working well.

In order to deploy checkrad you need to set your NAS type to nocat and
enable simultaneous-use checking for your user (Simultaneous-Use := 1 in the users
file, radcheck or radgroupcheck),
and your FreeRADIUS server has to be allowed through the NAS firewall to access
http://$nas_ip:$nas_port/status

NAS iptables -A INPUT -p tcp --dport $nas_port -s $radius_server -j ACCEPT

I hope this can help someone...


Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--
Index: src/main/checkrad.pl.in
===
RCS file: /source/radiusd/src/main/checkrad.pl.in,v
retrieving revision 1.33
diff -u -r1.33 checkrad.pl.in
--- src/main/checkrad.pl.in 1 May 2004 09:32:14 -   1.33
+++ src/main/checkrad.pl.in 30 Apr 2007 13:21:32 -
@@ -32,6 +32,7 @@
 #  mikrotik_telnet  1.1Author: Evren Yurtesen [EMAIL PROTECTED]
 #  mikrotik_snmp1.0Author: Evren Yurtesen [EMAIL PROTECTED]
 #  redback_telnet  Author: Eduardo Roldan
+#  nocat_http  Author: Milan Holub
 #
 #  Config: $debug is the file you want to put debug messages in
 #  $snmpget is the location of your ``snmpget'' program
@@ -43,6 +44,9 @@
 #  $naspass is the location of your NAS admin password file
 #

+# for nocat gateway
+use HTTP::Lite;
+
 $prefix= @prefix@;
 $localstatedir = @localstatedir@;
 $logdir= @logdir@;
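Review bot: the file-scope `use HTTP::Lite;` makes checkrad.pl.in fail to compile for every NAS type whenever the module is not installed, although only the new `nocat` type needs it; load it lazily inside `nocat_http` with `require HTTP::Lite;` so existing deployments without the CPAN module keep working, and list the dependency next to the `nocat_http` line in the header comment.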
@@ -1344,6 +1348,20 @@
 return 0;
 }

+sub nocat_http {
+my ($nas_ip, $nas_port, $login, $session_id) = ($ARGV[1], $ARGV[2], $ARGV[3], $ARGV[4]);
+my $http = new HTTP::Lite;
+my $req = $http-request(http://$nas_ip:$nas_port/status;) or die Unable to get document: $!;
+die Request failed ($req): .$http-status_message() if $req ne 200;
+my $body = $http-body();
+#print $body;
+if ($body =~ /^trtd$login\/td.*td.*$session_id\/td.*\/tr$/m) {
+print LOG User is logged in! if ($debug);
+return 1;
+}
+return 0;
+}
+
 ###

 # Poor man's getopt (for -d)
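Review bot: `$login` and `$session_id` come straight from `$ARGV[3]`/`$ARGV[4]` and are interpolated into the regex unescaped, so a User-Name containing regex metacharacters (`.`, `*`, `(`) can make the match succeed or fail unexpectedly; wrap them as `\Q$login\E` and `\Q$session_id\E`, or parse the table cells and compare with `eq`. The two `die` calls also abort the whole script on a connection failure or non-200 status instead of returning like the surrounding checkers do (see the `return 0;` just above the sub), and the `/status` page is fetched over plain HTTP, so the answer is only as trustworthy as the path between the RADIUS server and the NAS; the commented-out `#print $body;` should be dropped before commit.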
@@ -1418,6 +1436,8 @@
 $ret = mikrotik_snmp;
 } elsif ($ARGV[0] eq 'redback'){
 $ret = redback_telnet;
+} elsif ($ARGV[0] eq 'nocat'){
+$ret = nocat_http;
 } elsif ($ARGV[0] eq 'other') {
$ret = 1;
 } else {

No available IP Addresses in the pool ...

2007-04-30 Thread Florin
Hello everyone,

FreeRadius 1.0.1 from RHEL 4.

I get the following error (only shown in debug mode) after 1-2 weeks of 
server working fine, without any issues:

rlm_ippool: Searching for an entry for nas/port: 172.25.254.218/9931392
rlm_ippool: No available ip addresses in pool.
   modcall[post-auth]: module pool_name returns notfound for request 0

The outcome of this error is that the client is not issued any IP 
address (which is a show stopper).

Here is the pool declaration:

#  IP pool used by 
#--
ippool *** {
range-start = 172.26.4.1
range-stop = 172.26.5.254
netmask = 255.255.254.0
cache-size = 300
session-db = ${raddbdir}/ippools/*-db.ippool
ip-index = ${raddbdir}/ippools/*-db.ipindex
override = no
maximum-timeout = 86400
}

The only fix so far was to remove the pool files and recreate them again.

Any thoughts on what could be wrong?

Many thanks in advance.

Regards,
Florin


Freeradius proxy code questions and proposed patch

2007-04-30 Thread Kostas Zorbadelos
Hello to everyone.

In a previous thread 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg33354.html 
I had described a strange behavior in our large proxy setup. After
running the server in debug mode (radiusd -xxx) in our production
systems we found out what was causing our problems. The problem was
that the home server in our proxy setup was marked dead quite often
during the day and with a dead_time of 30 secs every request that came
within these 30 secs was rejected.

Our proxy conf initially looked like the following:

  proxy server {

synchronous = yes

retry_delay = 0

retry_count = 0

dead_time = 30
default_fallback = yes

post_proxy_authorize = no

}

###
#
#  Configuration for the proxy realms.
#
...

We first changed the dead_time to 0 so as to avoid marking the home
server dead in synchronous mode.
Additionally, we implemented the following patch (against version 1.1.6):

--- ./src/main/files.c.orig 2007-04-23 15:14:14.569932000 +0300
+++ ./src/main/files.c  2007-04-23 15:22:30.995686000 +0300
@@ -489,6 +489,15 @@
if (cl-last_reply  (( now - 
mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count ))) {
continue;
}
+   /*
+* If we are running in synchronous proxy mode, there's 
no point marking the target
+* server(s) dead, since this should be done by the 
radius client
+*/
+   if (mainconfig.proxy_synchronous) {
+   radlog(L_PROXY, authentication server %s:%d 
for realm %s seems unresponsive.,
+   cl-server, port, cl-realm);
+   continue;
+   }

cl-active = FALSE;
cl-wakeup = now + mainconfig.proxy_dead_time;
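Review bot: with the `retry_delay = 0` and `retry_count = 0` shown in the proxy config above, the preceding `cl->last_reply > (now - 0)` check never skips a realm, so the new `if (mainconfig.proxy_synchronous)` branch logs "seems unresponsive" for every active realm on every pass of the walk even while the home server is answering; gate the message on an actual missed-reply condition or rate-limit it. The `continue` also means a home server that is genuinely down is never marked inactive in synchronous mode, which is the stated intent but should be documented in proxy.conf next to `synchronous`.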
@@ -498,6 +507,15 @@
if (cl-last_reply  (( now - 
mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count ))) {
continue;
}
+   /*
+* If we are running in synchronous proxy mode, there's 
no point marking the target
+* server(s) dead, since this should be done by the 
radius client
+*/
+   if (mainconfig.proxy_synchronous) {
+   radlog(L_PROXY, accounting server %s:%d for 
realm %s seems unresponsive.,
+   cl-acct_server, port, cl-realm);
+   continue;
+   }

cl-acct_active = FALSE;
cl-acct_wakeup = now + mainconfig.proxy_dead_time;
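Review bot: this block duplicates the one added in the authentication path above, comment included; factor the synchronous-mode test and the `radlog` call into a small static helper that takes the server address and a "authentication"/"accounting" label, so the two paths cannot drift apart. The comment's claim that marking the server dead "should be done by the radius client" also does not hold for a proxy chain: the NAS only sees the proxying server and has no knowledge of the home server behind it.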


The purpose of this patch is to not have the freeradius server mark
the home server dead when working in synchronous mode. We believe that
in synchronous operation it is a good idea to leave the job of marking
the server dead to the NAS client.

All the above actions solved our initial problems. However, after a
while we noticed again clients being rejected when they shouldn't. 

The following code in request_list.c caught my attention:

/*
 *  Refresh a request, by using proxy_retry_delay, cleanup_delay,
 *  max_request_time, etc.
 *
 *  When walking over the request list, all of the per-request
 *  magic is done here.
 */
static int refresh_request(REQUEST *request, void *data)
{
...
(around line 1264 version 1.1.6)

} else if (request->proxy && !request->proxy_reply) {
        /*
         *  The request is NOT finished, but there is an
         *  outstanding proxy request, with no matching
         *  proxy reply.
         *
         *  Wake up when it's time to re-send
         *  the proxy request.
         *
         *  But in synchronous proxy, we don't retry but we update
         *  the next retry time as NAS has not resent the request
         *  in the given retry window.
         */
        if (mainconfig.proxy_synchronous) {
                /*
                 *  If the retry_delay * count has passed,
                 *  then mark the realm dead.
                 */
                if (info->now > (request->timestamp +
                    (mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count))) {
                        rad_assert(request->child_pid == NO_SUCH_CHILD_PID);
                        request_reject(request);

                        realm_disable(request->proxy->dst_ipaddr,
                                      request->proxy->dst_port);
                        request->finished = TRUE;
  

RE : No available IP Addresses in the pool ...

2007-04-30 Thread Thibault Le Meur

 
 Hello everyone,
 
 FreeRadius 1.0.1 from RHEL 4.
 
 I get the following error (only shown in debug mode) after 
 1-2 weeks of 
 server working fine, without any issues:
 
 rlm_ippool: Searching for an entry for nas/port: 
 172.25.254.218/9931392
 rlm_ippool: No available ip addresses in pool.
modcall[post-auth]: module pool_name returns notfound 
 for request 0

 
 The only fix so far was to remove the pool files and recreate 
 them again.
 
 Any thoughts on what could be wrong?

First check if your assigned IP addresses are released from the pool:

man rlm_ippool_tool

If not, confirm that the pool module name is defined in the accounting{}
section of radiusd.conf and that your NAS sends accounting Stop messages.

HTH,
Thibault




Re: No available IP Addresses in the pool ...

2007-04-30 Thread Alan DeKok
Florin wrote:
 FreeRadius 1.0.1 from RHEL 4.

  I wonder what it would take to convince RedHat to use a version that
wasn't almost THREE YEARS out of date.

 I get the following error (only shown in debug mode) after 1-2 weeks of 
 server working fine, without any issues:
 
 rlm_ippool: Searching for an entry for nas/port: 172.25.254.218/9931392
 rlm_ippool: No available ip addresses in pool.
modcall[post-auth]: module pool_name returns notfound for request 0
 
 The outcome of this error is that the client is not issued any IP 
 address (which is a show stopper).

  Maybe the pool really is full?  If the server doesn't get logout
packets, it will not be able to release IP's.  See also
rlm_ippool_tool for how to release IP's.

 Any thoughts on what could be wrong?

  Ask Redhat to use a recent version, among other things.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
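Both replies above make the same point: rlm_ippool only returns an address to the pool when it learns that the session has ended, so a NAS that never sends Accounting-Stop (or a pool module that is not listed in the accounting{} section) drains the pool over a couple of weeks. The model below is an added example, not rlm_ippool's code: the IpPool class, its method names and the simulated NAS address and ports are constructed for the example, and the stale-lease reclaim is a simplification of the pool's maximum-timeout setting, not a description of how rlm_ippool implements it.

```python
"""Simplified model of a RADIUS IP pool keyed by NAS-IP-Address / NAS-Port.

Added example, not rlm_ippool's code. It shows why a pool with no
Accounting-Stop messages ends in "No available ip addresses in pool", why
Stops keep it healthy, and how a maximum-timeout style reclaim recovers
leases whose Stop never arrived. All names and values are constructed.
"""
import ipaddress


class IpPool:
    def __init__(self, range_start, range_stop, maximum_timeout):
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        # free addresses, handed out lowest first
        self.free = [ipaddress.IPv4Address(i) for i in range(first, last + 1)]
        # (nas_ip, nas_port) -> (address, time of allocation)
        self.leases = {}
        self.maximum_timeout = maximum_timeout  # seconds; assumed reclaim age

    def _reclaim_stale(self, now):
        """Return leases older than maximum_timeout to the free list."""
        for key, (addr, allocated_at) in list(self.leases.items()):
            if now - allocated_at > self.maximum_timeout:
                del self.leases[key]
                self.free.append(addr)

    def allocate(self, nas_ip, nas_port, now):
        """post-auth: give a session an address, or None when the pool is exhausted."""
        key = (nas_ip, nas_port)
        # A NAS re-using a port means the earlier session on it is gone: free it first.
        if key in self.leases:
            self.release(nas_ip, nas_port)
        self._reclaim_stale(now)
        if not self.free:
            return None  # "rlm_ippool: No available ip addresses in pool."
        addr = self.free.pop(0)
        self.leases[key] = (addr, now)
        return addr

    def release(self, nas_ip, nas_port):
        """Accounting-Stop: give the session's address back; True if one was held."""
        lease = self.leases.pop((nas_ip, nas_port), None)
        if lease is None:
            return False
        self.free.append(lease[0])
        return True

    def in_use(self):
        return len(self.leases)


def simulate(with_accounting_stop):
    """Six sessions on distinct NAS ports against a four-address pool.

    Returns one boolean per session: whether it was given an address."""
    pool = IpPool("172.26.4.1", "172.26.4.4", maximum_timeout=86400)
    got = []
    for port in range(1, 7):
        addr = pool.allocate("172.25.254.218", port, now=port * 60)
        got.append(addr is not None)
        if with_accounting_stop:
            pool.release("172.25.254.218", port)
    return got


def stale_reclaim_demo():
    """No Stops at all, but once a lease is older than maximum-timeout it is reclaimed."""
    pool = IpPool("172.26.4.1", "172.26.4.2", maximum_timeout=86400)
    pool.allocate("172.25.254.218", 1, now=0)
    pool.allocate("172.25.254.218", 2, now=0)
    exhausted = pool.allocate("172.25.254.218", 3, now=100) is None
    after_timeout = pool.allocate("172.25.254.218", 3, now=86401)
    return exhausted, str(after_timeout)


if __name__ == "__main__":
    print(simulate(with_accounting_stop=False))  # [True, True, True, True, False, False]
    print(simulate(with_accounting_stop=True))   # [True, True, True, True, True, True]
    print(stale_reclaim_demo())                  # (True, '172.26.4.1')
```

The `in_use()` count is the figure to compare against what rlm_ippool_tool reports for the pool files: if it keeps climbing while the number of connected users does not, the Stop packets (or the accounting{} entry for the pool) are what to look at rather than the pool size.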


Re: Freeradius proxy code questions and proposed patch

2007-04-30 Thread Alan DeKok
Kostas Zorbadelos wrote:
 I had described a strange behavior in our large proxy setup. After
 running the server in debug mode (radiusd -xxx) in our production
 systems we found out what was causing our problems. The problem was
 that the home server in our proxy setup was marked dead quite often
 during the day and with a dead_time of 30 secs every request that came
 within these 30 secs was rejected.

  Yes.  In 1.x, the proxy code does this.  It's fixed in 2.0, which
should be released real soon now.

 +   /*
 +* If we are running in synchronous proxy mode, 
 there's no point marking the target
 +* server(s) dead, since this should be done by the 
 radius client

  Uh, no.  The RADIUS client doesn't know about the home servers.  It
only knows about the server it's sending packets to.

 The purpose of this patch is to not have the freeradius server mark
 the home server dead when working in synchronous mode. We believe that
 in synchronous operation it is a good idea to leave the job of marking
 the server dead to the NAS client.

  Which server?  All your patch does is make sure that the NAS marks the
proxying server as dead.

...
 It seems that on some strange occasions the code enters the above
 path. A decision is made in case the current time is older than
 mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count. If this
 is the case, the request is rejected and the code tries to disable the
 realm. However, in the proxy.conf configuration file it is mentioned:

  All of that code is *gone* in 2.0.  The new code is so much better
that it's really quite hard to describe how much better it is.

 Please let me know your thoughts on these matters (also on the patch
 we provide)

  Take a look at the current CVS snapshot.  It should be pretty robust
with some recent bug fixes, and it will solve *all* of your proxying
problems.

  And I do mean ALL of the problems.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRADIUS crash on Solaris 10 after start

2007-04-30 Thread Alan DeKok
Peter Micunek wrote:
 Alan,
 
 You are right. It is a 64-bit machine, but
 
 # file radiusd
 radiusd: ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ Required,
 dynamically linked, stripped

  shrug  The data structures are marked as being 32-bit.  The compiler
should generate the appropriate instructions to perform 32-bit accesses
without causing bus errors due to alignment issues.

  I'm not sure what to suggest.  Maybe a Solaris / Sparc expert knows more.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-04-30 Thread Ryan Kramer

depending on the wifi auth method, you may want to also investigate a
NTLM_AUTH method instead of straight ldap.  This requires the freeradius
machine to be a member of the domain, but once you do that it works great.



On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:


OK tried with 1.1.4 and yerp works great.

radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156

I also realised a mistake I have been making: see, I want to search the
whole Active Directory, hence I kept setting my basedn without an OU.
After seeing your excellent example and auth'ing had failed, I stuck in
an OU and tried a user from that OU and it worked fine.

So my question is this: to auth people from multiple OUs, do I create
a new ldap module for each OU or is there a simpler way?

Thanks very much for your help Phil, it's been a very productive
weekend thanks to the info you provided.

My challenge for Monday will be setting up the Cisco and wireless clients
now :)

On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
 radiusd.conf: http://pastebin.ca/464133
 radius -X output: http://pastebin.ca/464138

 Tried with 1.1.6 and fails with this error:

 rlm_ldap: reading ldap-radius mappings from file
/etc/raddb/ldap.attrmap
 rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
 rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap
failed
 radiusd.conf[540]: ldap: Module instantiation failed.
 radiusd.conf[586] Unknown module ldap.
 radiusd.conf[586] Failed to parse ldap entry.
 -
 /etc/raddb/ldap.attrmap does exist as provided by the rpm.

 [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
 -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap

 I assume the permissions are correct, as it was installed by rpm. I'm
 building the 1.1.4 rpm now, will report back once done.

 On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
  Thanks for the very detailed instructions.
 
  I will attempt this shortly (bought rad & ad servers home for weekend
study).
 
  Quite possibly the biggest learning curve for me is the LDAP fields,
  but I am finally starting to get familiar with them.
 
  Cheers again, will post back once I've run the radtest.
 
  On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
   I haven't been following your (quite extensive) queries, so apologies if
   I've missed something fundamental.

   I honestly don't know why this is proving so difficult. I've just tested
   this against our own 2k3 AD service, and although I'm pretty familiar
   with FR it took under 5 minutes. Try following the instructions below.
   These were tested with FreeRadius 1.1.4
  
   1. First, create or locate an existing account which FreeRadius can bind
   and do its searches as. Record the following variables:
  
   SEARCHDN=the DN of the account
   SEARCHPW=the password
   BASEDN=the DN below which all your accounts live in AD
   ADHOST=hostname of the AD controller you'll search against
  
   For example, these might be:
  
   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
   SEARCHPW=blahblah
   BASEDN=OU=My Site,DC=mysite,DC=com
  
   2. Next, take the default radiusd.conf
  
   3. Find the start of the modules section:
  
   modules {
 ...
  
   Delete this line and all the following lines
  
   4. Insert the following config:
  
   modules {
  ldap {
server = $ADHOST
identity = $SEARCHDN
password = $SEARCHPW
  
basedn = $BASEDN
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
  
dictionary_mapping = ${raddbdir}/ldap.attrmap
  
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
  }
  
  preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
  
with_ascend_hack = no
ascend_channels_per_line = 23
  
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
  }
  
  detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0644
  }
  
   }
  
   instantiate {
   }
  
   authorize {
  preprocess
  
  ldap
   }
  
   authenticate {
  Auth-Type LDAP {
ldap
  }
   }
  
  
   preacct {
  preprocess
   }
  
   accounting {
  detail
   }
  
  
   session {
   }
  
   post-auth {
   }
  
   pre-proxy {
   }
  
   post-proxy {
   }
  
   5. Start the server with -X
  
   6. Run radtest to send a checking PAP request
  
   It should work.
  
   The above config is the ABSOLUTE BARE MINIMUM server config which
will
   check PAP requests ONLY against an AD LDAP server. I do NOT
recommend
   you go into service with this config. Try to look at it, understand
how
   it's doing what it's doing, *then* start again with the default
   FreeRadius config and make the absolute minimum changes to get back
to
   that point.
   -
   List info/subscribe/unsubscribe? See

Re: Freeradius proxy code questions and proposed patch

2007-04-30 Thread Kostas Zorbadelos
On Mon, Apr 30, 2007 at 05:41:06PM +0200, Alan DeKok wrote:
 Kostas Zorbadelos wrote:

  I had described a strange behavior in our large proxy setup. After
  running the server in debug mode (radiusd -xxx) in our production
  systems we found out what was causing our problems. The problem was
  that the home server in our proxy setup was marked dead quite often
  during the day and with a dead_time of 30 secs every request that came
  within these 30 secs was rejected.
 
   Yes.  In 1.x, the proxy code does this.  It's fixed in 2.0, which
 should be released real soon now.
 
  +   /*
  +* If we are running in synchronous proxy mode, 
  there's no point marking the target
  +* server(s) dead, since this should be done by the 
  radius client
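Review bot: the comment in this hunk says the dead-marking "should be done by the radius client", but the NAS cannot mark a home server it never talks to; it only sees the proxy. Reword the comment to say what the change actually does: in synchronous mode the proxy stops marking the home server dead, every NAS retransmission is forwarded again, and it is the NAS's own retry and dead-server policy that eventually gives up on the proxy. Also document the trade-off in the same comment: with dead-marking disabled, a home server that really is down costs the proxy a forward and a timeout per retransmitted request, so the dead_time and retry settings in proxy.conf no longer bound that load. Make the new behaviour conditional on the synchronous setting rather than unconditional, so existing asynchronous deployments keep the current logic.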
 
   Uh, no.  The RADIUS client doesn't know about the home servers.  It
 only knows about the server it's sending packets to.
 

Precisely. But when we work in 'synchronous' mode we want the NAS to
be in charge of the retransmission policy not our proxy server. If the
home server does not reply for any reason, we want the client (NAS) to
notice it and retransmit. Eventually, the client will mark our proxy
server dead not because it is its fault, but because the home server
is not responding.  

  The purpose of this patch is to not have the freeradius server mark
  the home server dead when working in synchronous mode. We believe that
  in synchronous operation it is a good idea to leave the job of marking
  the server dead to the NAS client.
 
   Which server?  All your patch does is make sure that the NAS marks the
 proxying server as dead.
 

Eventually, yes this is what the NAS will do. All that is due to the
synchronous mode in proxy operation.

 ...
  It seems that in some strange occasions the code enters the above
  path. A decision is made in case the current time is older than
  mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count. If this
  is the case, the request is rejected and the code tries to disable the
  realm. However in the proxy.conf configuration file it is mentioned:
 
   All of that code is *gone* in 2.0.  The new code is so much better
 that it's really quite hard to describe how much better it is.
 
  Please let me know your thoughts on these matters (also on the patch
  we provide)
 
   Take a look at the current CVS snapshot.  It should be pretty robust
 with some recent bug fixes, and it will solve *all* of your proxying
 problems.
 
   And I do mean ALL of the problems.
 

I have read in the list about the major clean up version 2.0 of the
server will be. While reading the code of versions 1.x I could see
that there is great room for improvement. I will take a look in the
2.0 sources and I look forward to testing it when it becomes
available. 

Thanks a lot Alan.

Kostas

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TTLS PEAP MCHAPv2

2007-04-30 Thread Peter Nixon
On Mon 30 Apr 2007, Eshun Benjamin wrote:
 Any one has an idea of how to get rid of
 The server certificate is not trusted because there are no explicit
 trust settings

 on Mac OS X 10.4.9 without selecting always trust these free certificate

Yep. Buy a certificate that your machine trusts :-)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different Groups

2007-04-30 Thread Norman Zhang
[EMAIL PROTECTED] wrote:
 Yes. Use NAS-IP-Address as check item. If you need a list of groups
 and/or users/callerIDs/etc. that are allowed then use a huntgroup.

I added the following lines to huntgroup.

fw-pix  NAS-IP-Address == 10.0.0.1
fw-pix  NAS-IP-Address == 10.0.0.2

fw-pix-group    NAS-IP-Address == 10.0.0.1
                User-Name = fw-admin,
                Group = fw-group

However, I'm getting the following error. Could someone please give me 
few pointers?

Norman

---

Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 25 with timestamp 46362f79
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 26 to 10.0.0.1:1812
 Cisco-AVPair = shell:priv-lvl=1
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.0.0.1:1812, id=27, length=109
 User-Name = fw-admin
 NAS-IP-Address = 10.0.0.1
 Calling-Station-Id = 10.0.0.3
 User-Password = \025\372\202`\370RE\005\327\231^\200\303\353
 NAS-Port = 27
 Cisco-AVPair = ip:source-ip=10.0.0.3
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
   modcall[authorize]: module preprocess returns ok for request 7
   modcall[authorize]: module chap returns noop for request 7
   modcall[authorize]: module mschap returns noop for request 7
 rlm_realm: No '@' in User-Name = fw-admin, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 7
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 7
 users: Matched DEFAULT at 152
   modcall[authorize]: module files returns ok for request 7
modcall: group authorize returns ok for request 7
   rad_check_password:  Found Auth-Type System
auth: type System
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_unix: [fw-admin]: invalid password
   modcall[authenticate]: module unix returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
Login incorrect: [fw-admin] (from client pix-network port 27 cli 10.0.0.3)
   WARNING: Unprintable characters in the password. ?  Double-check the 
shared secret on the server and the NAS!
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 26 with timestamp 46362f7e
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 27 to 10.0.0.1:1812
 Cisco-AVPair = shell:priv-lvl=1
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 7 ID 27 with timestamp 46362f83
Nothing to do.  Sleeping until we see a request.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
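The PAP request that radtest sends in step 6 of Phil's instructions and the "Unprintable characters in the password" warning in Norman's debug output above both come down to the same transform: the NAS hides the User-Password with MD5 over the shared secret and the Request Authenticator (RFC 2865 section 5.2), and the server undoes it with its own copy of the secret. The following is an added example, not code from the thread or from FreeRADIUS; the secret, authenticator and password are constructed test values. It shows the hiding in both directions and why a secret mismatch produces exactly the garbage the server warns about.

```python
# Added example (not code from the list thread): the User-Password hiding
# that radtest applies to a PAP Access-Request, per RFC 2865 section 5.2,
# and the printability check behind FreeRADIUS's "Unprintable characters
# in the password" warning. Secret, authenticator and password below are
# constructed test values.
import hashlib

MAX_PASSWORD_LEN = 128  # RFC 2865 section 5.2: up to 128 octets before hiding


def hide_password(password, secret, authenticator):
    """Hide a PAP password: NUL-pad to a multiple of 16, then XOR each
    16-octet block with MD5(secret + previous ciphertext block); the first
    block is chained to the 16-octet Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Server side of the same transform; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def looks_printable(password):
    """True if every octet is printable ASCII. A PAP password that unhides to
    anything else almost always means NAS and server disagree on the shared
    secret, which is what the warning in the debug log is telling you."""
    return all(0x20 <= b < 0x7F for b in password)


# Constructed values for the demonstration.
NAS_SECRET = b"testing123"           # what the NAS is configured with
SERVER_SECRET_WRONG = b"testing124"  # a one-character mismatch in clients.conf
AUTHENTICATOR = bytes(range(16))     # a real request uses 16 random octets
PASSWORD = b"correct horse"


def demo():
    """Returns (password unhidden with the right secret, with the wrong one)."""
    hidden = hide_password(PASSWORD, NAS_SECRET, AUTHENTICATOR)
    right = unhide_password(hidden, NAS_SECRET, AUTHENTICATOR)
    wrong = unhide_password(hidden, SERVER_SECRET_WRONG, AUTHENTICATOR)
    return right, wrong


if __name__ == "__main__":
    right, wrong = demo()
    print("right secret:", right, "printable" if looks_printable(right) else "unprintable")
    print("wrong secret:", wrong, "printable" if looks_printable(wrong) else "unprintable")
```

Two things worth keeping in mind when reading the server's warning against this code. First, the check is heuristic: the server cannot tell a wrong secret from a genuinely binary password, it only sees that the unhidden bytes are not printable, so the fix is to compare the secret in clients.conf with the one on the NAS byte for byte. Second, this MD5 construction is obfuscation keyed on the shared secret, not encryption: anyone who can capture the RADIUS exchange and knows or guesses the secret recovers the PAP password, which is why PAP is acceptable inside an EAP-TTLS tunnel (the TLS session protects it) but should not cross an untrusted network between NAS and server on its own, and why the secret should be long and random rather than a dictionary word.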


Re: EAP-TTLS PEAP MCHAPv2

2007-04-30 Thread Guy Davies
Or, if you're using an Enterprise CA with a self-signed cert, then
make sure that the CA's cert is installed on your Mac.  I do this at
home and it's fine once you've installed the CA's cert.

Rgds,

Guy

On 30/04/07, Peter Nixon [EMAIL PROTECTED] wrote:
 On Mon 30 Apr 2007, Eshun Benjamin wrote:
  Any one has an idea of how to get rid of
  The server certificate is not trusted because there are no explicit
  trust settings
 
  on Mac OS X 10.4.9 without selecting always trust these free certificate

 Yep. Buy a certificate that your machine trusts :-)

 --

 Peter Nixon
 http://www.peternixon.net/
 PGP Key: http://www.peternixon.net/public.asc
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Maximum Attribute Size

2007-04-30 Thread Matt Dunkin
Is there any maximum size for the value of an attribute?

Thanks,
Matt
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Maximum Attribute Size

2007-04-30 Thread Alan DeKok
Matt Dunkin wrote:
 Is there any maximum size for the value of an attribute?

  The RFC's say 253 bytes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
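The 253-byte figure follows from the wire format: an attribute's single Length octet covers the Type and Length octets as well as the value, so 255 minus 2 is the most value an attribute can carry, and anything longer has to be split across consecutive attributes of the same type (which is how EAP-Message carries a large EAP/TLS record, RFC 3579 section 3.1). The example below is added here and is not code from the thread or from FreeRADIUS; attribute numbers are the standard ones and the sample values are constructed. It enforces the limit on encode, splits and reassembles a long value, and rejects the malformed lengths a hostile or buggy NAS might send.

```python
# Added example (not code from the list thread): encoding and decoding RADIUS
# attributes with the 253-octet value limit Alan refers to, and splitting a
# longer value across consecutive attributes of the same type, as EAP-Message
# does for large EAP/TLS records (RFC 3579 section 3.1). Attribute numbers are
# the standard ones; the sample values are constructed.
import struct

USER_NAME = 1        # RFC 2865
EAP_MESSAGE = 79     # RFC 2869 / RFC 3579
MAX_VALUE_LEN = 253  # Length octet covers Type+Length+Value: 255 - 2


def encode_attribute(attr_type, value):
    """One Type-Length-Value attribute; rejects what cannot fit the Length octet."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type must fit one octet")
    if not value:
        raise ValueError("RFC 2865 attributes carry at least one value octet")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("value of %d octets exceeds the %d-octet maximum"
                         % (len(value), MAX_VALUE_LEN))
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_long_attribute(attr_type, value):
    """Split a long value into consecutive 253-octet attributes of the same type,
    in order; the receiver concatenates them (the EAP-Message convention)."""
    chunks = [value[i:i + MAX_VALUE_LEN] for i in range(0, len(value), MAX_VALUE_LEN)]
    return b"".join(encode_attribute(attr_type, chunk) for chunk in chunks)


def decode_attributes(data):
    """Parse a run of attributes into (type, value) pairs, refusing the
    malformed lengths a hostile or buggy NAS might send: a Length under 3
    (RFC 2865 section 5) or one that runs past the end of the data."""
    attrs = []
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, length = data[offset], data[offset + 1]
        if length < 3 or offset + length > len(data):
            raise ValueError("bad length %d for attribute %d at offset %d"
                             % (length, attr_type, offset))
        attrs.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    return attrs


def is_malformed(data):
    """Yes/no wrapper around decode_attributes for callers that do not want
    the exception."""
    try:
        decode_attributes(data)
        return False
    except ValueError:
        return True


def reassemble(attrs, attr_type):
    """Concatenate every value of the given type, in packet order."""
    return b"".join(value for typ, value in attrs if typ == attr_type)


def demo():
    """Round-trip a 600-octet EAP-Message next to a short User-Name; returns
    the decoded attribute list and whether the EAP payload survived intact."""
    eap = bytes(range(256)) * 2 + bytes(range(88))  # 600 constructed octets
    wire = (encode_attribute(USER_NAME, b"fw-admin")
            + encode_long_attribute(EAP_MESSAGE, eap))
    attrs = decode_attributes(wire)
    return attrs, reassemble(attrs, EAP_MESSAGE) == eap


if __name__ == "__main__":
    attrs, intact = demo()
    for typ, value in attrs:
        print("type %3d  %3d octets" % (typ, len(value)))
    print("EAP-Message reassembled intact:", intact)
```

The decoder's length check is the part to keep when adapting this: a Length of 0 or 1 makes a naive loop spin forever on the same offset, and a Length larger than the remaining data makes it read past the packet, so both are rejected before the slice is taken. Note also that the 253-octet ceiling is per attribute, not per packet; the whole RADIUS packet is separately capped at 4096 octets by RFC 2865, so a value that needs many fragments can still run out of room.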


Re: SQL for return attributes only?

2007-04-30 Thread Hugh Messenger
Phil Mayers [EMAIL PROTECTED] wrote:
 Hugh Messenger wrote:

 Is it possible with freeradius to use SQL to retrieve certain return
 attributes (in this case rate limiting values for PPPOE sessions),
 whilst still handling authentication through PAM?


 Yes.

Great!

Thanks for the pointers, very much appreciated.  I got the basic AD 
authentication going with pam/winbind, about to dive head first into the SQL 
docs, armed with your suggestions and a powerful need to get this going by 
Friday.

No doubt I'll be back soon with more questions, but I'll give it The Good 
Old College Try before I bug you any more.

   -- hugh


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-04-30 Thread Jacob Jarick
Thanks for the tip, Ryan, but I have been down that road and 2 reasons stopped me:

1 - no way of retrieving ldap groups
2 - Been requested not to have samba on the machine.

ntlm_auth was very straight forward for me because it supports all the
encryption methods.

On 5/1/07, Ryan Kramer [EMAIL PROTECTED] wrote:
 depending on the wifi auth method, you may want to also investigate a
 NTLM_AUTH method instead of straight ldap.  This requires the freeradius
 machine to be a member of the domain, but once you do that it works great.




 On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
  OK tried with 1.1.4 and yerp works great.
 
  radiusd -X output: http://pastebin.ca/464153
  radiusd.conf: http://pastebin.ca/464156
 
  I also realised a mistake I have been making, see I want to search the
  whole active directory, hence I kept setting my basedn without an ou.
  After seeing your excellent example and auth'ing had failed I stuck in
  an OU and tried a user from the OU and worked fine.
 
   So my question is this: to auth people from multiple OU's do I create
   a new ldap module for each OU or is there a simpler way?
 
  Thanks Very much for your help Phil, its been a very productive
  weekend thanks to the info you provided.
 
   My challenge for Monday will be setting up the cisco and wireless clients
 now :)
 
  On 4/29/07, Jacob Jarick [EMAIL PROTECTED]  wrote:
   radiusd.conf: http://pastebin.ca/464133
    radius -X output: http://pastebin.ca/464138
  
   Tried with 1.1.6 and fails with this error:
  
   rlm_ldap: reading ldap-radius mappings from file
 /etc/raddb/ldap.attrmap
   rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
   rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap
 failed
   radiusd.conf[540]: ldap: Module instantiation failed.
   radiusd.conf[586] Unknown module ldap.
   radiusd.conf[586] Failed to parse ldap entry.
   -
   /etc/raddb/ldap.attrmap does exist as provided by the rpm.
  
   [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
   -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
  
    I assume the permissions are correct, as it was installed by rpm. I'm
    building the 1.1.4 rpm now, will report back once done.
  
   On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
Thanks for the very detailed instructions.
   
     I will attempt this shortly (brought rad & ad servers home for weekend
 study).
   
     Quite possibly the biggest learning curve for me is the ldap fields
     but I am finally starting to get familiar with them.
   
     Cheers again, will post back once I've run the radtest.
   
On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
 I haven't been following your (quite extensive) queries, so
 apologies if
 I've missed something fundamental.

 I honestly don't know why this is proving so difficult. I've just
 tested
 this against our own 2k3 AD service, and although I'm pretty
 familiar
 with FR it took under 5 minutes. Try following the instructions
 below.
 These were tested with FreeRadius 1.1.4

 1. First, create or locate an existing account which FreeRadius can
 bind
  and do its searches as. Record the following variables:

 SEARCHDN=the DN of the account
 SEARCHPW=the password
 BASEDN=the DN below which all your accounts live in AD
 ADHOST=hostname of the AD controller you'll search against

 For example, these might be:

 SEARCHDN=CN=freeradius,OU=Users,OU=My
 Site,DC=mysite,DC=com
 SEARCHPW=blahblah
 BASEDN=OU=My Site,DC=mysite,DC=com

 2. Next, take the default radiusd.conf

 3. Find the start of the modules section:

 modules {
   ...

 Delete this line and all the following lines

 4. Insert the following config:

 modules {
ldap {
  server = $ADHOST
  identity = $SEARCHDN
  password = $SEARCHPW

  basedn = $BASEDN
  filter =
 (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})

  dictionary_mapping = ${raddbdir}/ldap.attrmap

  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
}

preprocess {
  huntgroups = ${confdir}/huntgroups
  hints = ${confdir}/hints

  with_ascend_hack = no
  ascend_channels_per_line = 23

  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
}

detail {
  detailfile =
 ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
  detailperm = 0644
}

 }

 instantiate {
 }

 authorize {
preprocess

ldap
 }

 authenticate {
Auth-Type LDAP {
  ldap
}
 }


 preacct {
preprocess
 }

 accounting {
detail
 }