Re: Performance Stats
Arran Cudbard-Bell wrote:
> It was PAP...
>
> Running with debugging mode *off* yields much better results !

Well, yes.

> Still with completely vanilla install ,
> only getting
>
> [req] => 5000
> [parallel] => 10
> [total] => 5
> [start] => 1178820825.99
> [stop] => 1178820836.79
> [period] => 10.791821003
> [req_s] => 4633

That's pretty low. I'm a little surprised, in fact. I was getting that performance almost 6 years ago on machines available then.

> localhost to localhost

Try from one machine to another. Maybe the client & server are competing for resources on the same machine.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
free radius 1.1.6 -eap-tls authentication
Hi list,

While doing EAP-TLS authentication I am getting the following debug messages. Could anybody please clarify?

TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
eaptls_verify returned 1
eaptls_process returned 13

What do these debug messages indicate?

Anoop
Re: Performance Stats
[EMAIL PROTECTED] wrote:
> Hi,
>
>> Running with debugging mode *off* yields much better results !
>>
>> Still with completely vanilla install ,
>> only getting
>
> what are your results when running the performance testing method
> as prescribed in the docs ?
>
> alan

Well, it's basically the same as what I'm doing; the wrapper PHP script will record the time more accurately, that's all...

What are your stats like? Did you say something like 3600 a second, or was that a minute?

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: Performance Stats
Hi,

> Running with debugging mode *off* yields much better results !
>
> Still with completely vanilla install ,
> only getting

what are your results when running the performance testing method as prescribed in the docs?

alan
Center for Internet Security - Call for Participation for FreeRADIUS Benchmark
***Thanks to moderators for allowing this post - it's for a good cause!***

Hi folks,

I'd like to introduce myself. My name is Dave Shackleford, and I represent the Center for Internet Security. Some of you may know of us, and some of you may not. CIS is a non-profit that coordinates teams of volunteers who collaborate to create benchmark guides for securing systems. Many of you may have used some of the CIS tools to score your systems against the benchmarks at one time or another, and thousands of people download the benchmarks and scoring tools every month.

We are actively seeking IT and security professionals to participate in the benchmark development process. We are also looking for anyone experienced in Java and/or XML programming to assist with our newest scoring tool development (contact me off-list).

We are about to begin the consensus process for a FreeRADIUS security benchmark. Time commitments are minimal: all you need to do is go and sign up on the mailing list and provide some input to the group on the benchmark draft when it's released. We always have a team leader who puts together the initial draft, pulling from a variety of sources; this is then sent to the mailing list for review and comment. After a consensus is reached, we publish it. We also list participants' names on our "Honor Roll" page at http://www.cisecurity.org/honor_roll.html.

Our benchmarks are gaining a lot of attention right now. We are mentioned specifically in the PCI DSS (section 2.2), we are working with NIST to develop tools and content, and a lot more. If you would like to participate, please visit the site and sign up. We won't send you any unsolicited email, just the list postings for benchmark development. Also, please feel free to sign up for anything not mentioned below; we will be working on all of the benchmarks over the course of the next year or so. There are also lots of opportunities to earn CPE credits for participation.

If you have any questions, please reply to me off-list (dshackleford at cisecurity dot org).

Thanks for your help!

-Dave

1. FreeRADIUS Benchmark (OpenLDAP will also be discussed here)
   MAILING LIST: http://lists.cisecurity.org/mailman/listinfo/access-controls

Also the Virtualization Benchmark (may interest some)
   MAILING LIST: http://lists.cisecurity.org/mailman/listinfo/vm-security-benchmark

Note: This list will benefit from varied backgrounds and skill sets.
Performance Stats
It was PAP...

Running with debugging mode *off* yields much better results !

Still with completely vanilla install, only getting

[req] => 5000
[parallel] => 10
[total] => 5
[start] => 1178820825.99
[stop] => 1178820836.79
[period] => 10.791821003
[req_s] => 4633
[req_m] => 277988
[req_h] => 16679298

localhost to localhost, using #!/usr/local/php/bin/php and with

make CC="gcc -O3 -mcpu=970 -mtune=970 -mpowerpc64 -mpowerpc-gpopt"

Setting CC / CFLAGS at configure time doesn't seem to work ...

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
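What each of those PAP requests costs the server, as an added example (this is not code from the thread or from FreeRADIUS): a client builds an Access-Request with a random 16-byte Request Authenticator and hides User-Password with the MD5 chain from RFC 2865 s5.2; the server unhides it, compares, and answers with a Response Authenticator (s3) that the client must verify before counting the reply as a success. The shared secret, user name and password used in the self-test are constructed values.

```python
"""RFC 2865 PAP on the wire: request build, password hiding, reply check.

Added example, not code from this thread or from FreeRADIUS. Shared secret,
user name and password in the self-test are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """Pad to 16-byte blocks; block i is XORed with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator (RFC 2865 s5.2)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: invert hide_password and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a positive multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, user, password, nas_ip="127.0.0.1",
                         authenticator=b""):
    """Return (packet, request_authenticator). A fixed authenticator is only
    for reproducible tests; a real client needs a fresh random one per request."""
    ra = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, hide_password(password, secret, ra))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def parse_attrs(packet):
    """Walk the attribute list, refusing lengths that run past the packet."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_check(packet, secret, users):
    """Minimal server: unhide the password, compare in constant time, answer
    with Access-Accept or Access-Reject carrying a valid Response Authenticator."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra = packet[4:20]
    attrs = parse_attrs(packet)
    if USER_PASSWORD not in attrs:
        raise ValueError("no User-Password attribute")
    given = reveal_password(attrs[USER_PASSWORD], secret, ra)
    good = users.get(attrs.get(USER_NAME, b""))
    ok = good is not None and hmac.compare_digest(good, given)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret); no attributes here
    return header + hashlib.md5(header + ra + secret).digest()


def verify_reply(reply, request_authenticator, secret):
    """Client side: a reply that does not bind to our request (wrong secret,
    wrong ID, forged) must be dropped, not counted as a success."""
    if len(reply) < 20:
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)
```

Note that the client and server sides here share nothing but the secret and the 16 authenticator bytes, which is why a benchmark that does not check the Response Authenticator can report thousands of "successful" replies per second from a server whose secret is wrong.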
RE: Authentication problem
I would have a look at radiusd.conf. Something is wrong there. None of the modules (PAP, CHAP, sql etc.) have loaded.

Ivan Kalik
Kalik Informatika ISP

On 10/5/2007, "Elie Hani" <[EMAIL PROTECTED]> writes:

>Hi;
>
>Sorry; this is the capital X output attached.
>
>Elie
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
>Sent: Thursday, May 10, 2007 6:34 PM
>To: FreeRadius users mailing list
>Subject: Re: Authentication problem
>
>Hi,
>> This is the output i'm getting with radiusd -x, but nothing about the SQL:
>>
>> Starting - reading configuration files ...
>> Using deprecated naslist file. Support for this will go away soon.
>> Initializing the thread pool...
>> Listening on authentication *:1812
>> Listening on accounting *:1813
>> Ready to process requests.
>
>radiusd -X
>
>capital X. lower case is next to useless (and should be removed
>from the code imho)
>
>alan
Re: Authentication problem
Hi,

> Thank you Alan, I will review it.
> I used the same configuration on Fedora core 4 and it's working perfectly.
> When I installed Fedora 6, the freeradius version has been changed, does it
> matter?

the newer, the better. 1.1.6 is the current general stable release... and I prefer to roll my own (or roll my own RPM and install that).

alan
RE: Authentication problem
Thank you Alan, I will review it.
I used the same configuration on Fedora Core 4 and it's working perfectly.
When I installed Fedora 6, the freeradius version has been changed; does it matter?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 10, 2007 7:22 PM
To: FreeRadius users mailing list
Subject: Re: Authentication problem

Hi,

> Sorry; this is the capital X output attached.

yep. not a single mention of SQL - that means that you haven't changed the config files to enable SQL. you need to read and edit at LEAST the following 2 files.

$YOUR_CONFIG_LOCATION/sql.conf - to enable postgres engine and database table name and password etc
$YOUR_CONFIG_LOCATION/radius.conf - $INCLUDE ${confdir}/sql.conf

without this basic work,

1) freeradius won't use a database
2) freeradius won't be ABLE to use a database

alan
Re: Authentication problem
Hi,

> Sorry; this is the capital X output attached.

and sorry, I see you are loading in via postgresql.conf

however, I see no successful connect to the DB - so

1) did you compile FR yourself... or did you use RPM?
2) if compiled yourself, do you have postgresql-devel etc installed? (ie read the config.log and look for ERROR/WARNING etc)
3) if you used RPMs - which RPMs did you install?

then we get onto the possible connection

1) is postgresql listening/configured to listen?
2) are you running a firewall?

alan
Re: Authentication problem
Hi,

> Sorry; this is the capital X output attached.

yep. not a single mention of SQL - that means that you haven't changed the config files to enable SQL. you need to read and edit at LEAST the following 2 files.

$YOUR_CONFIG_LOCATION/sql.conf - to enable postgres engine and database table name and password etc
$YOUR_CONFIG_LOCATION/radius.conf - $INCLUDE ${confdir}/sql.conf

without this basic work,

1) freeradius won't use a database
2) freeradius won't be ABLE to use a database

alan
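The two edits Alan lists, shown as an illustrative FreeRADIUS 1.1.x fragment. This is added here and is not Elie's configuration or the stock files verbatim; the paths assume the /etc/raddb layout seen in the debug output, and the database credentials are placeholders. Only the lines shown need changing; everything else in the shipped sql.conf (or postgresql.conf, which this server includes instead) stays as distributed, since the module's table names and queries live in that same file.

```text
# /etc/raddb/radiusd.conf
modules {
        # other module definitions unchanged

        # Bring in the sql module definition. Without this line rlm_sql is
        # never instantiated, which is why "radiusd -X" above prints nothing
        # about SQL at all.
        $INCLUDE ${confdir}/sql.conf
}

authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        sql             # look the user up in the database (radcheck/radreply)
        pap
}

accounting {
        detail
        sql             # write accounting records to radacct
}

# /etc/raddb/sql.conf  (or postgresql.conf): only these lines change
sql {
        driver = "rlm_sql_postgresql"
        server = "localhost"
        login = "radius"
        password = "placeholder-change-me"
        radius_db = "radius"
        # remaining settings and queries as shipped
}
```

With the include in place, `radiusd -X` prints the sql module's own parameters (driver, server, login) during "entering modules setup" and then tries to connect; if PostgreSQL is not reachable the server fails at that point rather than later, which is the behaviour Ivan describes earlier in this thread. Listing `sql` in `authorize` is what makes an Access-Request consult the database; including the file alone only loads the module.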
LDAP/RACF authentication issue
realm: ignore_default = yes
realm: ignore_null = yes
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/opt/local/etc/raddb/users"
files: acctusersfile = "/opt/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/opt/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = "/opt/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/opt/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.71.175.19:36661, id=228, length=59
        User-Name = "NBCTST1"
        User-Password = "testpwd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/opt/local/var/log/radius/radacct/10.71.175.19/auth-detail-20070510'
rlm_detail: /opt/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/local/var/log/radius/radacct/10.71.175.19/auth-detail-20070510
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "NBCTST1", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [NBCTST1/testpwd] (from client denord01 port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 228 to 10.71.175.19 port 36661
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 228 with timestamp 46433e16
Nothing to do. Sleeping until we see a request.
RE: Authentication problem
Hi;

Sorry; this is the capital X output attached.

Elie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 10, 2007 6:34 PM
To: FreeRadius users mailing list
Subject: Re: Authentication problem

Hi,
> This is the output i'm getting with radiusd -x, but nothing about the SQL:
>
> Starting - reading configuration files ...
> Using deprecated naslist file. Support for this will go away soon.
> Initializing the thread pool...
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.

radiusd -X

capital X. lower case is next to useless (and should be removed from the code imho)

alan

[attached radiusd -X output]

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/postgresql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib64"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib64
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
Re: Authentication problem
Hi,

> This is the output i'm getting with radiusd -x, but nothing about the SQL:
>
> Starting - reading configuration files ...
> Using deprecated naslist file. Support for this will go away soon.
> Initializing the thread pool...
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.

radiusd -X

capital X. lower case is next to useless (and should be removed from the code imho)

alan
RE: Authentication problem
This is the output I'm getting with radiusd -x, but nothing about the SQL:

Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 10, 2007 12:20 PM
To: FreeRadius users mailing list
Subject: Re: Authentication problem

Parameters for database access are in sql.conf. But post output from radiusd -X so we can see what's happening. If it can't access the database it will fail during the server setup stage as well.

Ivan Kalik
Kalik Informatika ISP

On 10/5/2007, "Elie Hani" <[EMAIL PROTECTED]> writes:

>Hi
>
>I have configured freeradius on Fedora core 6, and using postgresql
>database.
>I've created also a username locally on the server, defining from which pool
>to take its IP, it works fine, but when I do the necessary changes and
>re-do the tests again with a username and password from the database, it
>sends the request, but it rejected it. It says login incorrect, even though
>it has been configured on the database.
>The pb is that the server cannot access the database to get the info.
>
>Any idea how to solve it?
>Thanks
>
>Elie
Re: Problems with PEAP
Alan DeKok wrote:
> pippo metallaro wrote:
>> i use freeradius with eap -peap and MySQL...but the freeradius don't send an
>> access-accept at the end of authentication ...the server send an
>> access-challenge,i don't know what's the problem...
>
> Perhaps you could try reading "eap.conf", or the FAQ, or other
> documentation that comes with the server.
>

What Alan points to is in the default eap.conf from the distro:

	##
	#
	# ! WARNINGS for Windows compatibility !
	#
	##
	#
	# If you see the server send an Access-Challenge,
	# and the client never sends another Access-Request,
	# then
	#
	# STOP!
	#
	# The server certificate has to have special OID's
	# in it, or else the Microsoft clients will silently
	# fail. See the "scripts/xpextensions" file for
	# details, and the following page:
	#
	# http://support.microsoft.com/kb/814394/en-us
	#
	# For additional Windows XP SP2 issues, see:
	#
	# http://support.microsoft.com/kb/885453/en-us
	#
	# Note that we do not necessarily agree with their
	# explanation... but the fix does appear to work.
	#
	##

RTFM!

--
Martin Gadbois | "Please answer by yes or no.
Sr. SW Designer | Uncooperative user waste precious CPU time"
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969
Re: Problems with PEAP
pippo metallaro wrote:
> i use freeradius with eap -peap and MySQL...but the freeradius don't send an
> access-accept at the end of authentication ...the server send an
> access-challenge,i don't know what's the problem...

Perhaps you could try reading "eap.conf", or the FAQ, or other documentation that comes with the server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: 1.1.6 with rlm_sqlippool: ip=[] len=0
Guilherme Franco wrote:
> On my earlier posts (months ago, with 1.1.4), it has been told that the
> latest CVS would solve the problem. I thought that 1.1.6 would include
> the fix from the CVS head.
>
> 1.1.6 Changelog:
> *Fixed bug in PostgreSQL module that caused server crash.

The error you posted is not a server crash.

> I thought that this would correct the behaviour as well, because the
> server did crash sometimes (I've sent some valgrind outputs to you in
> previous posts).

Perhaps there are two unrelated bugs. One got fixed. I have no idea what the other bug is.

> Using the latest CVS will fix the problem?

No.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: ttls problem
Hi again.

I reconfigured SecureW2, but this time I get a "received invalid server certificate" error. Which part of my server certificate or root CA certificate could be missing? Could it be related to xpextensions? My radiusd output for the new configuration is listed below:

--
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.7.203:1645, id=93, length=139
        User-Name = "tkiziloren"
        Framed-MTU = 1400
        Called-Station-Id = "0017.0e85.f190"
        Calling-Station-Id = "0011.2fb9.d08b"
        Service-Type = Login-User
        Message-Authenticator = 0x347739ec23b1b972260f284960b9fa26
        EAP-Message = 0x0202000f01746b697a696c6f72656e
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 499
        NAS-IP-Address = 10.10.7.203
        NAS-Identifier = "testbaum"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 15
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 29
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tkiziloren
radius_xlat: '(uid=tkiziloren)'
radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.anadolu.edu.tr:389, authentication 0
rlm_ldap: bind as / to ldap.anadolu.edu.tr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tkiziloren authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap_1x" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 93 to 10.10.7.203 port 1645
        EAP-Message = 0x010300061520
        Message-Authenticator = 0x
        State = 0x9ae25e553dacaa7dd5a8f8c3b05a1636
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.10.7.203:1645, id=94, length=202
        User-Name = "tkiziloren"
        Framed-MTU = 1400
        Called-Station-Id = "0017.0e85.f190"
        Calling-Station-Id = "0011.2fb9.d08b"
        Service-Type = Login-User
        Message-Authenticator = 0xee6738dc415fc0906c869a55334f7f48
        EAP-Message = 0x0203003c15800032160301002d0129030151574cfbb06da8313b8d207a29398758f18d010fd687534a1739da58174089f202000a0100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 499
        State = 0x9ae25e553dacaa7dd5a8f8c3b05a1636
        NAS-IP-Address = 10.10.7.203
        NAS-Identifier = "testbaum"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 60
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 29
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tkiziloren
radius_xlat: '(uid=tkiziloren)'
radius_xlat: 'ou=people,dc=anadolu,dc=edu,dc=tr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiz
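Both the eap.conf warning quoted in the PEAP thread and the question above ("could it be related with xpextensions?") come down to what extendedKeyUsage the server certificate carries: scripts/xpextensions adds id-kp-serverAuth (1.3.6.1.5.5.7.3.1) to server certificates and id-kp-clientAuth (1.3.6.1.5.5.7.3.2) to client certificates. The radiusd log cannot show that, so here is a check to run against the certificate file itself. This is an added example, not code from either thread or from FreeRADIUS: a minimal DER walker that lists the EKU purpose OIDs in a PEM or DER certificate. It also copes with a PEM file that holds both key and certificate, as the EAP-TLS configuration later on this page does. The bytes used in the self-test are a constructed Extensions fragment, not a real certificate.

```python
"""List the extendedKeyUsage OIDs in a server certificate (what xpextensions adds).

Added example, not from the threads or from FreeRADIUS. The self-test data is
a constructed Extensions fragment, not a real certificate.
"""
import base64

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, what xpserver_ext sets
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, what xpclient_ext sets
EXT_KEY_USAGE = "2.5.29.37"         # id-ce-extKeyUsage
SEQUENCE, OID, OCTET_STRING, BOOLEAN = 0x30, 0x06, 0x04, 0x01


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: n length bytes follow
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Dotted form of an OBJECT IDENTIFIER body; the first two arcs share a byte."""
    if not value:
        raise ValueError("empty OID")
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                         # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_oid(oid):
    """Inverse of decode_oid: base-128 arcs, high bit set on all but the last byte."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return out


def der(tag, value):
    """Wrap value in a DER TLV with short or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def find_eku(der_bytes):
    """Depth-first walk. An Extension is SEQUENCE { OID, BOOLEAN OPTIONAL,
    OCTET STRING }; for extKeyUsage the OCTET STRING wraps a SEQUENCE OF OID."""
    found = []

    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, val, pos = read_tlv(buf, pos)
            if tag == SEQUENCE and val[:1] == bytes([OID]):
                _, oid, p = read_tlv(val, 0)
                if decode_oid(oid) == EXT_KEY_USAGE:
                    t, v, p = read_tlv(val, p)
                    if t == BOOLEAN:                 # optional 'critical' flag
                        t, v, p = read_tlv(val, p)
                    if t == OCTET_STRING:
                        _, seq, _ = read_tlv(v, 0)
                        q = 0
                        while q < len(seq):
                            t3, v3, q = read_tlv(seq, q)
                            if t3 == OID:
                                found.append(decode_oid(v3))
                    continue
            if tag & 0x20:                           # constructed type: descend
                walk(val)

    walk(der_bytes)
    return found


def load_cert(data):
    """Accept raw DER, or PEM; in a PEM file that also holds the private key
    (one file for private_key_file and certificate_file) take the first
    CERTIFICATE block only."""
    head, tail = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
    begin = data.find(head)
    if begin < 0:
        if b"-----BEGIN" in data:
            raise ValueError("PEM data contains no CERTIFICATE block")
        return data
    end = data.find(tail, begin)
    if end < 0:
        raise ValueError("unterminated PEM CERTIFICATE block")
    return base64.b64decode(b"".join(data[begin + len(head):end].split()))


def has_server_auth(cert_bytes):
    """True when the certificate carries id-kp-serverAuth in extendedKeyUsage."""
    return SERVER_AUTH in find_eku(load_cert(cert_bytes))


def sample_extensions(*purposes):
    """Constructed [3] EXPLICIT Extensions with one extKeyUsage extension;
    stands in for a real certificate body in the self-test."""
    eku = der(SEQUENCE, b"".join(der(OID, encode_oid(p)) for p in purposes))
    ext = der(SEQUENCE, der(OID, encode_oid(EXT_KEY_USAGE)) + der(OCTET_STRING, eku))
    return der(SEQUENCE, der(0xA3, der(SEQUENCE, ext)))
```

To check a deployed server certificate, read the file the `certificate_file` option points at and pass its bytes to `has_server_auth`; a `False` result on a certificate meant for Windows supplicants is exactly the condition the eap.conf warning describes. The walker reports only what is in the certificate; it says nothing about the CA chain or whether the supplicant trusts the issuer, which are separate reasons for an "invalid server certificate" message.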
Problems with PEAP
Hi,

I use FreeRADIUS with EAP-PEAP and MySQL, but FreeRADIUS doesn't send an Access-Accept at the end of authentication; the server sends an Access-Challenge, and I don't know what the problem is. I use an HP 2650 switch as the client and a Win XP supplicant. This is the result of the debug mode:

Wed May 9 17:51:58 2007 : Info: Starting - reading configuration files ...
Wed May 9 17:51:58 2007 : Debug: reread_config: reading radiusd.conf
Wed May 9 17:51:58 2007 : Debug: Config: including file: /etc/freeradius/proxy.conf
Wed May 9 17:51:58 2007 : Debug: Config: including file: /etc/freeradius/clients.conf
Wed May 9 17:51:58 2007 : Debug: Config: including file: /etc/freeradius/snmp.conf
Wed May 9 17:51:58 2007 : Debug: Config: including file: /etc/freeradius/eap.conf
Wed May 9 17:51:58 2007 : Debug: Config: including file: /etc/freeradius/sql.conf
Wed May 9 17:51:58 2007 : Debug: main: prefix = "/usr"
Wed May 9 17:51:58 2007 : Debug: main: localstatedir = "/var"
Wed May 9 17:51:58 2007 : Debug: main: logdir = "/var/log/freeradius"
Wed May 9 17:51:58 2007 : Debug: main: libdir = "/usr/lib/freeradius"
Wed May 9 17:51:58 2007 : Debug: main: radacctdir = "/var/log/freeradius/radacct"
Wed May 9 17:51:58 2007 : Debug: main: hostname_lookups = no
Wed May 9 17:51:58 2007 : Debug: main: max_request_time = 30
Wed May 9 17:51:58 2007 : Debug: main: cleanup_delay = 5
Wed May 9 17:51:58 2007 : Debug: main: max_requests = 1024
Wed May 9 17:51:58 2007 : Debug: main: delete_blocked_requests = 0
Wed May 9 17:51:58 2007 : Debug: main: port = 0
Wed May 9 17:51:58 2007 : Debug: main: allow_core_dumps = no
Wed May 9 17:51:58 2007 : Debug: main: log_stripped_names = no
Wed May 9 17:51:58 2007 : Debug: main: log_file = "/var/log/freeradius/radius.log"
Wed May 9 17:51:58 2007 : Debug: main: log_auth = no
Wed May 9 17:51:58 2007 : Debug: main: log_auth_badpass = no
Wed May 9 17:51:58 2007 : Debug: main: log_auth_goodpass = no
Wed May 9 17:51:58 2007 : Debug: main: pidfile = "/var/run/freeradius/freeradius.pid"
Wed May 9 17:51:58 2007 : Debug: main: bind_address = 192.168.0.1 IP address [192.168.0.1]
Wed May 9 17:51:58 2007 : Debug: main: user = "freerad"
Wed May 9 17:51:58 2007 : Debug: main: group = "freerad"
Wed May 9 17:51:58 2007 : Debug: main: usercollide = no
Wed May 9 17:51:58 2007 : Debug: main: lower_user = "no"
Wed May 9 17:51:58 2007 : Debug: main: lower_pass = "no"
Wed May 9 17:51:58 2007 : Debug: main: nospace_user = "no"
Wed May 9 17:51:58 2007 : Debug: main: nospace_pass = "no"
Wed May 9 17:51:58 2007 : Debug: main: checkrad = "/usr/sbin/checkrad"
Wed May 9 17:51:58 2007 : Debug: main: proxy_requests = yes
Wed May 9 17:51:58 2007 : Debug: proxy: retry_delay = 5
Wed May 9 17:51:58 2007 : Debug: proxy: retry_count = 3
Wed May 9 17:51:58 2007 : Debug: proxy: synchronous = no
Wed May 9 17:51:58 2007 : Debug: proxy: default_fallback = yes
Wed May 9 17:51:58 2007 : Debug: proxy: dead_time = 120
Wed May 9 17:51:58 2007 : Debug: proxy: post_proxy_authorize = no
Wed May 9 17:51:58 2007 : Debug: proxy: wake_all_if_all_dead = no
Wed May 9 17:51:58 2007 : Debug: security: max_attributes = 200
Wed May 9 17:51:58 2007 : Debug: security: reject_delay = 1
Wed May 9 17:51:58 2007 : Debug: security: status_server = no
Wed May 9 17:51:58 2007 : Debug: main: debug_level = 0
Wed May 9 17:51:58 2007 : Debug: read_config_files: reading dictionary
Wed May 9 17:51:58 2007 : Debug: read_config_files: reading naslist
Wed May 9 17:51:58 2007 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed May 9 17:51:58 2007 : Debug: read_config_files: reading clients
Wed May 9 17:51:58 2007 : Debug: read_config_files: reading realms
Wed May 9 17:51:58 2007 : Debug: radiusd: entering modules setup
Wed May 9 17:51:58 2007 : Debug: Module: Library search path is /usr/lib/freeradius
Wed May 9 17:51:58 2007 : Debug: Module: Loaded exec
Wed May 9 17:51:58 2007 : Debug: exec: wait = yes
Wed May 9 17:51:58 2007 : Debug: exec: program = "(null)"
Wed May 9 17:51:58 2007 : Debug: exec: input_pairs = "request"
Wed May 9 17:51:58 2007 : Debug: exec: output_pairs = "(null)"
Wed May 9 17:51:58 2007 : Debug: exec: packet_type = "(null)"
Wed May 9 17:51:58 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed May 9 17:51:58 2007 : Debug: Module: Instantiated exec (exec)
Wed May 9 17:51:58 2007 : Debug: Module: Loaded expr
Wed May 9 17:51:58 2007 : Debug: Module: Instantiated expr (expr)
Wed May 9 17:51:58 2007 : Debug: Module: Loaded PAP
Wed May 9 17:51:58 2007 : Debug: pap: encryption_scheme = "crypt"
Wed May 9 17:51:58 2007 : Debug: Module: Instantiated pap (pap)
Wed May 9 17:51:58 2007 : Debug: Module: Loaded CHAP
Wed May 9 17:51:58 2007 : Debug: Module: Instantiated chap (chap)
Wed May 9 17:51:58 2007 : Debug: Module: Loaded MS-CHAP
Wed May 9 17:51:58 2007 : Debug:
Re: 1.1.6 with rlm_sqlippool: ip=[] len=0
Hello Mr. DeKok,

In my earlier posts (months ago, with 1.1.4), I was told that the latest CVS would solve the problem. I thought that 1.1.6 would include the fix from the CVS head.

1.1.6 Changelog:
*Fixed bug in PostgreSQL module that caused server crash.

I thought that this would correct the behaviour as well, because the server did crash sometimes (I've sent some valgrind outputs to you in previous posts).

Will using the latest CVS fix the problem?

Thank you very much.

On 5/10/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Guilherme Franco wrote:
> > This was happening with 1.1.4 and I thought that 1.1.6 would correct
> > this.
> >
> > Wasn't 1.1.6 supposed to work this out?
>
> Which part of the ChangeLog said that?
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
execute more than one sql query
Dear All,

I need to execute two queries using radius in sql.conf. I tried to put two queries like this: in the file I have

accounting_update_query_alt = "query_1"

and I made it

accounting_update_query_alt = "query_1 ; query_2"

but I got an error from MySQL concerning the second section '; query_2'. How can I do it?

Thanks
Amr el-Saeed
Re: ttls problem
My certificates have read, write and execute permissions.

A.L.M.Buxey wrote:
>
> Hi,
>
> what are the permissions of your certificates? can radiusd (or whatever
> the ID is of the freeradius process) read them?
>
> alan
>
Re: eap-tls authentication with free radius 1.1.6
Hi all, I am trying to do EAP-TLS authentication with 1.1.6. My XP client says "attempting to authenticate". The output I got when I tried to connect in debug mode is: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/1x/07xwifi.pem" tls: certificate_file = "/etc/1x/07xwifi.pem" tls: CA_file = "/etc/1x/root.pem" tls: private_key_password = "password" tls: dh_file = "/etc/1x/DH" tls: random_file = "/etc/1x/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess:
with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radut
Re: ttls problem
Can I post my radiusd.conf and eap.conf here? Would it be helpful? A.L.M.Buxey wrote: > > Hi, > > what are the permissions of your certificates? can radiusd (or whatever > the ID is of the freeradius process) read them? > > alan > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > -- View this message in context: http://www.nabble.com/ttls-problem-tf3717596.html#a10410941 Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ttls problem
I posted the question to the forum. Thank you for your help. SecureW2 (List) wrote: > > tevfik, > > Post the question in the SecureW2 forum, www.securew2.com/forum/. I will > get back to you via the forum. > > Regards, > > Tom > > tevfik wrote: >>> did you configure SecureW2 to allow new connections? >>> >> >> Yes, I tried both combinations; nothing changed. >> >> In addition to this, when I enter the correct username but wrong password, I >> get a >> similar debug log, which I listed below. >> >> I wasn't able to see any problem with the LDAP configuration because it works >> with the radtest command. (That is, when I entered the correct username but wrong >> password, I >> got an >> Access-Reject message. When both of them were correct, I >> got >> Access-Accept.) >> >> Is there a problem with my LDAP configuration? Is there any weird message >> in >> my debug log? >> >> I have been dealing with this for about 20 days. Could anybody tell me what's >> wrong with it? >> >> Thanks in advance: >> >> My full debug log: (username was entered correctly, password was entered incorrectly) >> - >> ldap:~ # radiusd -X -A >> Starting - reading configuration files ... 
>> reread_config: reading radiusd.conf >> Config: including file: /etc/raddb/proxy.conf >> Config: including file: /etc/raddb/clients.conf >> Config: including file: /etc/raddb/snmp.conf >> Config: including file: /etc/raddb/eap.conf >> Config: including file: /etc/raddb/sql.conf >> main: prefix = "/usr" >> main: localstatedir = "/var" >> main: logdir = "/var/log/radius" >> main: libdir = "/usr/lib/freeradius" >> main: radacctdir = "/var/log/radius/radacct" >> main: hostname_lookups = no >> main: max_request_time = 30 >> main: cleanup_delay = 5 >> main: max_requests = 1024 >> main: delete_blocked_requests = 0 >> main: port = 0 >> main: allow_core_dumps = no >> main: log_stripped_names = no >> main: log_file = "/var/log/radius/radius.log" >> main: log_auth = no >> main: log_auth_badpass = no >> main: log_auth_goodpass = no >> main: pidfile = "/var/run/radiusd/radiusd.pid" >> main: user = "radiusd" >> main: group = "radiusd" >> main: usercollide = no >> main: lower_user = "no" >> main: lower_pass = "no" >> main: nospace_user = "no" >> main: nospace_pass = "no" >> main: checkrad = "/usr/sbin/checkrad" >> main: proxy_requests = yes >> proxy: retry_delay = 5 >> proxy: retry_count = 3 >> proxy: synchronous = no >> proxy: default_fallback = yes >> proxy: dead_time = 120 >> proxy: post_proxy_authorize = no >> proxy: wake_all_if_all_dead = no >> security: max_attributes = 200 >> security: reject_delay = 1 >> security: status_server = no >> main: debug_level = 0 >> read_config_files: reading dictionary >> read_config_files: reading naslist >> read_config_files: reading clients >> read_config_files: reading realms >> radiusd: entering modules setup >> Module: Library search path is /usr/lib/freeradius >> Module: Loaded exec >> exec: wait = yes >> exec: program = "(null)" >> exec: input_pairs = "request" >> exec: output_pairs = "(null)" >> exec: packet_type = "(null)" >> rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
>> Module: Instantiated exec (exec) >> Module: Loaded expr >> Module: Instantiated expr (expr) >> Module: Loaded PAP >> pap: encryption_scheme = "crypt" >> Module: Instantiated pap (pap) >> Module: Loaded CHAP >> Module: Instantiated chap (chap) >> Module: Loaded MS-CHAP >> mschap: use_mppe = yes >> mschap: require_encryption = no >> mschap: require_strong = no >> mschap: with_ntdomain_hack = no >> mschap: passwd = "(null)" >> mschap: authtype = "MS-CHAP" >> mschap: ntlm_auth = "(null)" >> Module: Instantiated mschap (mschap) >> Module: Loaded System >> unix: cache = no >> unix: passwd = "(null)" >> unix: shadow = "(null)" >> unix: group = "(null)" >> unix: radwtmp = "/var/log/radius/radwtmp" >> unix: usegroup = no >> unix: cache_reload = 600 >> Module: Instantiated unix (unix) >> Module: Loaded LDAP >> ldap: server = "ldap.anadolu.edu.tr" >> ldap: port = 389 >> ldap: net_timeout = 1 >> ldap: timeout = 4 >> ldap: timelimit = 3 >> ldap: identity = "" >> ldap: tls_mode = no >> ldap: start_tls = no >> ldap: tls_cacertfile = "(null)" >> ldap: tls_cacertdir = "(null)" >> ldap: tls_certfile = "(null)" >> ldap: tls_keyfile = "(null)" >> ldap: tls_randfile = "(null)" >> ldap: tls_require_cert = "allow" >> ldap: password = "" >> ldap: basedn = "ou=people,dc=anadolu,dc=edu,dc=tr" >> ldap: filter = "(uid=%u)" >> ldap: base_filter = "(objectclass=radiusprofile)" >> ldap: default_profile = "(null)" >> ldap: profile_attribute = "(null)" >> ldap: password_header = "(null)" >> ldap: password_attribute = "(null)" >> ldap: access_attr = "(null)" >> ldap: groupname_attribute = "cn" >> ldap: groupmembership_filter = >> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectCla
Re: ttls problem
tevfik, Post the question in the SecureW2 forum, www.securew2.com/forum/. I will get back to you via the forum. Regards, Tom tevfik wrote: >> did you configure SecureW2 to allow new connections? >> > > Yes, I tried both combinations; nothing changed. > > In addition to this, when I enter the correct username but wrong password, I get a > similar debug log, which I listed below. > > I wasn't able to see any problem with the LDAP configuration because it works > with the radtest command. (That is, when I entered the correct username but wrong > password, I got an Access-Reject message. When both of them were correct, I got > Access-Accept.) > > Is there a problem with my LDAP configuration? Is there any weird message in > my debug log? > > I have been dealing with this for about 20 days. Could anybody tell me what's > wrong with it? > > Thanks in advance: > > My full debug log: (username was entered correctly, password was entered incorrectly) > - > ldap:~ # radiusd -X -A > Starting - reading configuration files ... > reread_config: reading radiusd.conf > Config: including file: /etc/raddb/proxy.conf > Config: including file: /etc/raddb/clients.conf > Config: including file: /etc/raddb/snmp.conf > Config: including file: /etc/raddb/eap.conf > Config: including file: /etc/raddb/sql.conf > main: prefix = "/usr" > main: localstatedir = "/var" > main: logdir = "/var/log/radius" > main: libdir = "/usr/lib/freeradius" > main: radacctdir = "/var/log/radius/radacct" > main: hostname_lookups = no > main: max_request_time = 30 > main: cleanup_delay = 5 > main: max_requests = 1024 > main: delete_blocked_requests = 0 > main: port = 0 > main: allow_core_dumps = no > main: log_stripped_names = no > main: log_file = "/var/log/radius/radius.log" > main: log_auth = no > main: log_auth_badpass = no > main: log_auth_goodpass = no > main: pidfile = "/var/run/radiusd/radiusd.pid" > main: user = "radiusd" > main: group = "radiusd" > main: usercollide = no > main: lower_user = "no" > main: lower_pass = "no" > main: nospace_user 
= "no" > main: nospace_pass = "no" > main: checkrad = "/usr/sbin/checkrad" > main: proxy_requests = yes > proxy: retry_delay = 5 > proxy: retry_count = 3 > proxy: synchronous = no > proxy: default_fallback = yes > proxy: dead_time = 120 > proxy: post_proxy_authorize = no > proxy: wake_all_if_all_dead = no > security: max_attributes = 200 > security: reject_delay = 1 > security: status_server = no > main: debug_level = 0 > read_config_files: reading dictionary > read_config_files: reading naslist > read_config_files: reading clients > read_config_files: reading realms > radiusd: entering modules setup > Module: Library search path is /usr/lib/freeradius > Module: Loaded exec > exec: wait = yes > exec: program = "(null)" > exec: input_pairs = "request" > exec: output_pairs = "(null)" > exec: packet_type = "(null)" > rlm_exec: Wait=yes but no output defined. Did you mean output=none? > Module: Instantiated exec (exec) > Module: Loaded expr > Module: Instantiated expr (expr) > Module: Loaded PAP > pap: encryption_scheme = "crypt" > Module: Instantiated pap (pap) > Module: Loaded CHAP > Module: Instantiated chap (chap) > Module: Loaded MS-CHAP > mschap: use_mppe = yes > mschap: require_encryption = no > mschap: require_strong = no > mschap: with_ntdomain_hack = no > mschap: passwd = "(null)" > mschap: authtype = "MS-CHAP" > mschap: ntlm_auth = "(null)" > Module: Instantiated mschap (mschap) > Module: Loaded System > unix: cache = no > unix: passwd = "(null)" > unix: shadow = "(null)" > unix: group = "(null)" > unix: radwtmp = "/var/log/radius/radwtmp" > unix: usegroup = no > unix: cache_reload = 600 > Module: Instantiated unix (unix) > Module: Loaded LDAP > ldap: server = "ldap.anadolu.edu.tr" > ldap: port = 389 > ldap: net_timeout = 1 > ldap: timeout = 4 > ldap: timelimit = 3 > ldap: identity = "" > ldap: tls_mode = no > ldap: start_tls = no > ldap: tls_cacertfile = "(null)" > ldap: tls_cacertdir = "(null)" > ldap: tls_certfile = "(null)" > ldap: tls_keyfile = "(null)" 
> ldap: tls_randfile = "(null)" > ldap: tls_require_cert = "allow" > ldap: password = "" > ldap: basedn = "ou=people,dc=anadolu,dc=edu,dc=tr" > ldap: filter = "(uid=%u)" > ldap: base_filter = "(objectclass=radiusprofile)" > ldap: default_profile = "(null)" > ldap: profile_attribute = "(null)" > ldap: password_header = "(null)" > ldap: password_attribute = "(null)" > ldap: access_attr = "(null)" > ldap: groupname_attribute = "cn" > ldap: groupmembership_filter = > "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" > ldap: groupmembership_attribute = "(null)" > ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" > ldap: ldap_debug = 0 > ldap: ldap_connections_number = 5 > ldap: compare_check_items = no > ldap
Re: ttls problem
Hi, what are the permissions of your certificates? Can radiusd (or whatever the ID is of the freeradius process) read them? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap-tls authentication with free radius 1.1.5
On 5/10/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: anoop, please fix your quoting. Configurations are not interchangeable between the snapshot tree, 1.1.5 and 1.1.6 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication problem
Parameters for database access are in sql.conf. But post the output from radiusd -X so we can see what's happening. If it can't access the database it will fail during the server setup stage as well. Ivan Kalik Kalik Informatika ISP On 10/5/2007, "Elie Hani" <[EMAIL PROTECTED]> wrote: > >Hi > >I have configured freeradius on Fedora Core 6, using a PostgreSQL >database. >I've also created a username locally on the server, defining from which pool >to take its IP; it works fine, but when I do the necessary changes and >re-do the tests with a username and password from the database, it >sends the request, but it is rejected. It says login incorrect, even though >it has been configured in the database. >The problem is that the server cannot access the database to get the info. > >Any idea how to solve it? >Thanks > >Elie > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FR with MySQL - Stored Procedures
I added your hack to my version too. I also don't get any errors till now. It seems to work with SP, and also normal SQL-querys. I've modified your patch with some comments and also added a mysql_version check, so that the patch will only apply to MySQL version > 5. Here is the diff...so please, a FR developer take a look at it;) Thanks, Thomas --- sql_mysql.c 2007-05-08 15:55:47.0 +0200 +++ sql_mysql.c 2007-05-10 10:56:33.0 +0200 @@ -75,6 +75,7 @@ mysql_init(&(mysql_sock->conn)); mysql_options(&(mysql_sock->conn), MYSQL_READ_DEFAULT_GROUP, "freeradius"); + if (!(mysql_sock->sock = mysql_real_connect(&(mysql_sock->conn), config->sql_server, config->sql_login, @@ -82,7 +83,16 @@ config->sql_db, atoi(config->sql_port), NULL, - CLIENT_FOUND_ROWS))) { + CLIENT_FOUND_ROWS + #if MYSQL_VERSION_ID >= 5 + /* +* the CLIENT_MULTI_STATEMENTS flag also include the +* CLIENT_MULTI_RESULT flag, these are necessary for +* Stored Procedures (MySQL 5.x) +*/ + | CLIENT_MULTI_STATEMENTS + #endif + ))) { radlog(L_ERR, "rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:%s", config->sql_login, config->sql_server, config->sql_db); radlog(L_ERR, "rlm_sql_mysql: Mysql error '%s'", mysql_error(&mysql_sock->conn)); mysql_sock->sock = NULL; @@ -289,6 +299,18 @@ if (sqlsocket->row == NULL) { return sql_check_error(mysql_errno(mysql_sock->sock)); } + + #if MYSQL_VERSION_ID >= 5 + /* +* Stored Procedures return two results (the result and affected rows), +* so FR fails with a mysql errorcode 2014 (CR_COMMANDS_OUT_OF_SYNC), +* when a second mysql-query is executed +* +* so we drop the second result (assume FR expect just one result) +*/ + mysql_next_result(mysql_sock->sock); + #endif + return 0; } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
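Review bot: the `#if MYSQL_VERSION_ID >= 5` guard around `| CLIENT_MULTI_STATEMENTS` is always true, because MYSQL_VERSION_ID is encoded as major*10000 + minor*100 + patch (5.0.27 is 50027, 4.1.22 is 40122), so the flag is ORed in for every client library the module is built against; compare against 50000, or 40100 where the flag first appeared, instead. The larger concern is what the flag does to every other query the module sends: once the connection accepts `;`-separated statements, any query text in sql.conf that is built from expanded request attributes lets an escaping gap escalate from reading rows to running arbitrary statements. Put the flag behind a sql.conf option that defaults to off, and say so in the comment rather than only noting that it implies CLIENT_MULTI_RESULTS.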
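Review bot: `mysql_next_result(mysql_sock->sock);` sits on the success path of sql_fetch_row(), so it runs after every row returned, not once the result set is exhausted; for a query that returns several rows (the radcheck/radreply lookups do) it advances the connection while the caller is still iterating the current result, and the MySQL manual requires mysql_free_result() on the current result before calling it. Move the call to where the result is freed (sql_free_result / sql_finish_select_query), loop while it returns 0 fetching and freeing each extra result, and check the return value: 0 means more results, -1 no more, >0 an error, which is exactly the CR_COMMANDS_OUT_OF_SYNC state the comment wants to avoid. The `#if MYSQL_VERSION_ID >= 5` guard here is also always true, since the macro is a five-digit value such as 50027.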
Re: eap-tls authentication with free radius 1.1.5
Dear all, With FreeRADIUS 1.1.6 I am getting the following debug messages. Still, authentication is not happening. [EMAIL PROTECTED] raddb]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/1x/07xwifi.pem" tls: certificate_file = "/etc/1x/07xwifi.pem" tls: CA_file = "/etc/1x/root.pem" tls: private_key_password = "password" tls: dh_file = "/etc/1x/DH" tls: random_file = "/etc/1x/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm:
format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module:
Authentication problem
Hi, I have configured freeradius on Fedora Core 6, using a PostgreSQL database. I've also created a username locally on the server, defining from which pool to take its IP; it works fine, but when I do the necessary changes and re-do the tests with a username and password from the database, it sends the request, but it is rejected. It says login incorrect, even though it has been configured in the database. The problem is that the server cannot access the database to get the info. Any idea how to solve it? Thanks Elie - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ttls problem
tevfik wrote: > I wasn't able to see any problem with ldap configuration because it works > with radtest command. Which doesn't use EAP. It means that your server configuration is mostly correct, but something else might still go wrong. > Is there a problem with my ldap configuration. Is there any weird message in > my debug log? The supplicant is starting EAP, doing part of EAP, and then giving up. See the logs on the supplicant for why it's doing this. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius performance requirements
Arnnei Speiser wrote: > Hi Guys, > Any recommendations on the server minimum configuration - memory, CPU > etc. for using FR with 10k, 20k, 50k users? Moved to freeradius-users!! The number of users is not the major factor, rather the number of requests/sec. Where are the users stored (plain text, ldap, sql)? Do you perform heavy accounting? To sql? How many logins do you expect per second, hour, day? Will you use EAP? If yes, will you use one of the SSL versions (TLS, PEAP, TTLS)? In general freeradius should not have any problem as long as you set the thread and/or ldap/sql connection pool parameters large enough for your specific setup. The most important thing to check is your authentication and accounting database, not radius itself. Any modern server should be more than adequate for freeradius. So check the directives in thread pool { }, the num_sql_socks in sql.conf and ldap_connections_number in ldap { } (if you are using ldap). > What would be the main configuration parameters that we have to > select/set in order to handle a high volume of authentication requests? > Thanks, > Arnnei > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html -- Kostas Kalevras - Network Operations Center National Technical University of Athens http://kkalev.wordpress.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Long Access time
Josh Shamir wrote: > The strange problem is that the long authentication time are about the > same for Win XP build-in supplicant and MAC OS X supplicant. What kind > of changes can i made in supplicant configuration to try to minimize > authentication time? I don't know. > Ok, but could I improve the system performance setting up in > appropriate way those attribute : > > retry_delay > dead_time > retry_count No. Read the extended debug log (-xX). Odds are that the successful authentications take 1-2 seconds from start to finish. If that's true, then everything would seem to be working properly. Look at the unsuccessful authentications. If they go on for 1-2 seconds and then stop, then they're mostly working correctly, too. The problem may be in the AP, or in the radio spectrum. Try a different AP. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ttls problem
>did you configure SecureW2 to allow new connections? Yes, I tried both combinations; nothing changed. In addition to this, when I enter the correct username but wrong password, I get a similar debug log, which I listed below. I wasn't able to see any problem with the LDAP configuration because it works with the radtest command. (That is, when I entered the correct username but wrong password, I got an Access-Reject message. When both of them were correct, I got Access-Accept.) Is there a problem with my LDAP configuration? Is there any weird message in my debug log? I have been dealing with this for about 20 days. Could anybody tell me what's wrong with it? Thanks in advance: My full debug log: (username was entered correctly, password was entered incorrectly) - ldap:~ # radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = 
no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "ldap.anadolu.edu.tr" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "ou=people,dc=anadolu,dc=edu,dc=tr" ldap: filter = "(uid=%u)" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "(null)" ldap: 
groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap_1x-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap_1x-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap_1x rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
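The startup dumps in Anoop's EAP-TLS posts and in tevfik's TTLS/LDAP post above print every setting the server read, which makes them a good input for an automated first look before the text goes to a mailing list. What follows is an added example, not FreeRADIUS code and not from any poster in this thread: a Python lint over the `section: key = value` lines of a `radiusd -X` startup dump. Its embedded sample dump is constructed from values that appear in those two posts (the `tls:` block, which prints `private_key_password` in the clear, and the `ldap:` block with `tls_mode = no` and `start_tls = no`). The rule that `rsa_key_length` only matters when `rsa_key_exchange = yes`, and the severity given to each finding, are assumptions of this example.

```python
"""Lint a FreeRADIUS 1.x 'radiusd -X' startup dump for settings a security
reviewer would query before the output is pasted anywhere.

Added example for this thread; not FreeRADIUS code and not from any poster.
SAMPLE_DUMP is constructed from values that appear in the posts above. The
rule that rsa_key_length only matters when rsa_key_exchange = yes is an
assumption of this example, as is the severity attached to each finding.
"""
import re

# 'section: key = value'. A value may itself contain '=' (LDAP filters do),
# so only the first '=' after the key separates key from value.
SETTING_RE = re.compile(
    r'^\s*(?P<section>[A-Za-z_][\w-]*):\s+(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<value>.*)$')

UNSET = (None, '', '(null)')  # radiusd prints "(null)" for an unset string

SAMPLE_DUMP = """\
main: user = "(null)"
main: group = "(null)"
Module: Loaded eap
tls: rsa_key_exchange = no
tls: rsa_key_length = 512
tls: private_key_file = "/etc/1x/07xwifi.pem"
tls: private_key_password = "password"
tls: check_crl = no
Module: Loaded LDAP
ldap: server = "ldap.anadolu.edu.tr"
ldap: port = 389
ldap: tls_mode = no
ldap: start_tls = no
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))"
"""


def parse_dump(text):
    """Map (section, key) -> value for every setting line in the dump.

    Surrounding double quotes are stripped; lines without '=' ("Module:
    Loaded eap") carry no setting and are skipped; a repeated key keeps
    the later value.
    """
    settings = {}
    for raw in text.splitlines():
        m = SETTING_RE.match(raw)
        if not m:
            continue
        value = m.group('value').strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        settings[(m.group('section'), m.group('key'))] = value
    return settings


def lint_settings(settings):
    """Return findings as (severity, 'section: key', message) tuples."""
    findings = []
    get = settings.get

    # The passphrase of the EAP-TLS server key is echoed verbatim: whoever
    # receives this dump (a list archive, a ticket) now has it.
    if get(('tls', 'private_key_password')) not in UNSET:
        findings.append(('high', 'tls: private_key_password',
                         'printed in cleartext; treat the passphrase as '
                         'disclosed and rotate it'))

    # No user/group: radiusd keeps the privileges of the account that
    # started it, which for 'radiusd -X' is normally root.
    for key in ('user', 'group'):
        if get(('main', key)) == '(null)':
            findings.append(('medium', 'main: %s' % key,
                             'not set; the daemon does not drop privileges'))

    # Plain LDAP with neither ldaps (tls_mode) nor STARTTLS: binds and
    # search results cross the network unencrypted.
    if get(('ldap', 'server')) not in UNSET:
        if get(('ldap', 'tls_mode')) == 'no' and get(('ldap', 'start_tls')) == 'no':
            findings.append(('medium', 'ldap: start_tls',
                             'LDAP traffic to %s:%s is not encrypted'
                             % (get(('ldap', 'server')), get(('ldap', 'port'), '389'))))

    # Without a CRL check a lost client certificate keeps authenticating
    # until it expires, whatever the CA has revoked.
    if get(('tls', 'check_crl')) == 'no':
        findings.append(('info', 'tls: check_crl',
                         'client certificate revocation is not checked'))

    # Assumption (see module docstring): the ephemeral RSA key sized by
    # rsa_key_length is only generated when rsa_key_exchange = yes.
    if get(('tls', 'rsa_key_exchange')) == 'yes':
        length = get(('tls', 'rsa_key_length'), '')
        if length.isdigit() and int(length) < 1024:
            findings.append(('medium', 'tls: rsa_key_length',
                             '%s-bit ephemeral RSA key is too short' % length))
    return findings


def lint_dump(text):
    """Parse a dump and lint it in one call."""
    return lint_settings(parse_dump(text))
```

To use it on a real server, save the output of `radiusd -X` to a file and pass its contents to `lint_dump()`; the parser ignores the `Module:` and `Config:` lines and the per-request output that follows the startup section, so a whole session transcript can be passed unchanged. Only the first `=` after a key is treated as the separator, which is what keeps LDAP filters such as the `groupmembership_filter` value in tevfik's dump intact.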
Re: 1.1.6 with rlm_sqlippool: ip=[] len=0
Guilherme Franco wrote:
> This was happening with 1.1.4 and I thought that 1.1.6 would correct
> this.
>
> Wasn't 1.1.6 supposed to work this out?

Which part of the ChangeLog said that?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Date expansion fails for inner encryption tunnel log files.
Arran Cudbard-Bell wrote:
> Firstly, is it possible to specify return codes for users files depending
> on matched sections? Or will the files module always return ok?

You can't specify return codes from the "users" file.

> Secondly, what's considered decent throughput in terms of (serial)
> requests per second...
> With none of the SQL or LDAP checking I'm getting around 300ish requests
> per second;

That's a little low, to be honest. My tests on a dual core 1.8GHz Intel show 25k PAP requests per second from localhost to localhost. That's rather different from what you're seeing.

Unless you mean 300 full EAP-TLS/TTLS/PEAP authentications per second. That's pretty fast, considering that almost all of the CPU time is spent doing RSA key operations. And with 5-10 RADIUS packets per EAP authentication, that's 3k requests/s, not 300.

> We have a user base of around 10,000 users with an absolute maximum of
> 4,000 logged in at any one time, and two Dual Core 2.13GHz 64bit Apple
> Xserves with basic load balancing.
>
> It's obvious that the SQL server is lagging behind, and the LDAP cluster
> is on some ageing Xserves so probably isn't performing at its peak...
>
> If you have any recommended figures that I could aim for, would be very
> useful.

For plain PAP: 10k+ requests/s would be expected. For EAP, substantially less than that.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius & redback sms
Samson Martinez wrote:
> We are currently using a Redback SMS 500 to terminate PPPoE sessions for
> client desktops. Up until now an older Steelbelted Radius server has
> been used to authenticate RADIUS requests forwarded by the Redback and
> it's worked ok. We want to transfer the RADIUS support to a freeradius
> installation but I am having a bit of a fit trying to get it to work.

See "radsniff" from the current release. Watch the packets going TO your old RADIUS server, and the responses coming BACK from it. Configure FreeRADIUS to respond to requests with the same attributes.

The NAS has no idea which server you're running. All it sees is the attributes in the packet. The solution is to first find out what needs to be sent back, and then make FreeRADIUS send the correct response. There is no magic, and there is no need to fight with any configuration.

The redback log looks like you're not sending back the correct attributes. If you don't know what attributes to send back, you WILL NOT be able to solve the problem.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: FR with MySQL - Stored Procedures
Did some further research on the MySQL - FR Stored Procedure (SP) problem.

When calling the SP, MySQL always returns two results. One is the actual result and the other is the number of affected rows, which is different to a normal e.g. SELECT query.

SP:

mysql> call CheckIt('myString');
+--------+
| result |
+--------+
| 10     |      (result is correct)
+--------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)      <-- Result plus the number of affected rows!

Normal Query:

mysql> select 25 AS result;
+--------+
| result |
+--------+
| 25     |
+--------+
1 row in set (0.00 sec)      <--- Normal query with one result

MySQL 5.0 Ref manual:

If you write C programs that use the CALL SQL statement to execute stored procedures that produce result sets, you must set the CLIENT_MULTI_RESULTS flag, either explicitly, or implicitly by setting CLIENT_MULTI_STATEMENTS when you call mysql_real_connect(). This is because each such stored procedure produces multiple results: the result sets returned by statements executed within the procedure, as well as a result to indicate the call status. To process the result of a CALL statement, use a loop that calls mysql_next_result() to determine whether there are more results.

The following procedure outlines a suggested strategy for handling multiple statements:

1. Pass CLIENT_MULTI_STATEMENTS to mysql_real_connect(), to fully enable multiple-statement execution and multiple-result processing.
2. After calling mysql_query() or mysql_real_query() and verifying that it succeeds, enter a loop within which you process statement results.
3. For each iteration of the loop, handle the current statement result, retrieving either a result set or an affected-rows count. If an error occurs, exit the loop.
4. At the end of the loop, call mysql_next_result() to check whether another result exists and initiate retrieval for it if so. If no more results are available, exit the loop.
--
Just for a test, I added a very quick and dirty 'mysql_next_result' into the sql_free_result function of "sql_mysql.c" in row 292 of FR 1.1.6, the same location Thomas used the .

    if (sqlsocket->row == NULL) {
        return sql_check_error(mysql_errno(mysql_sock->sock));
    }
    mysql_next_result(mysql_sock->sock); /* eat the number of affected rows result */
    return 0;
}

As a result I do not get the 2014 error anymore and everything seems to be working fine. Since I do not really know the implications of just adding this command, maybe one of the experts could help out here.

In an earlier posting 3 days ago I said that the problem is not really stored procedure related ... but it is! Once the SP is called at least once other queries will have errors too.

Gunther

FR 1.1.6 - MySQL 5.0.41 - CentOS 4.4