[no subject]
Hi, I have a question about Freeradius' log. My customer has used Remote Access VPN with Freeradius and Cisco VPN 3000, and 2 months ago they added a Cisco ASA to their system in order to expand their VPN system. Now their users can use both VPN 3000 and ASA. VPN 3000's IP address is xxx.xxx.xxx.9 and ASA's IP address is xxx.xxx.xxx.10. Both are global addresses. When their users use VPN through VPN 3000, the authentication log can be seen in /var/log/radius/radacct/xxx.xxx.xxx.9; however, when their users use VPN through ASA, no log can be seen in /var/log/radius/radacct/. I think xxx.xxx.xxx.10 should be seen there for the newly added ASA. Of course their users can connect to servers since they are authenticated and authorized, but no logs are made on the radius server. Does anyone have any idea about this? Any solutions? Any more configuration? This is the Linux and Radius version that they use:

Linux Server: fedora-release-1-3
Radius version: freeradius-0.9.3-1.1

This is the configuration in the client.conf on the server:

client xxx.xxx.xxx.10 {
        secret = tti
        shortname = VPN2
        nastype = cisco
        # localhost isn't usually a NAS...
}
client xxx.xxx.xxx.9 {
        secret = tti
        shortname = VPN
        nastype = cisco
        # localhost isn't usually a NAS...
}
client xxx.xxx.xxx.1 {
        secret = tti
        shortname = localhost
        nastype = other
        # localhost isn't usually a NAS...
}

Thanks,
Ken
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS as proxy to Windows IAS
On Mon 30 Jul 2007, Clive Gould wrote:
> Hi
>
> I'd be grateful to hear from anyone out there who has got Freeradius (on a
> Linux box) running as a proxy server successfully validating usernames and
> passwords against a Windows IAS server using the MSChapv2 protocol.
>
> I have the Freeradius server up and running on CentOS 4.5, but can't get
> it to validate against the IAS server successfully.

Check your shared secret on both sides...

--
Peter Nixon
http://peternixon.net/
Re: FreeRADIUS as proxy to Windows IAS
Clive Gould wrote:
> Hi
>
> I'd be grateful to hear from anyone out there who has got Freeradius (on a
> Linux box) running as a proxy server successfully validating usernames and
> passwords against a Windows IAS server using the MSChapv2 protocol.
>
> I have the Freeradius server up and running on CentOS 4.5, but can't get
> it to validate against the IAS server successfully.

There is this:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
FreeRADIUS as proxy to Windows IAS
Hi

I'd be grateful to hear from anyone out there who has got Freeradius (on a Linux box) running as a proxy server successfully validating usernames and passwords against a Windows IAS server using the MSChapv2 protocol.

I have the Freeradius server up and running on CentOS 4.5, but can't get it to validate against the IAS server successfully.

Please feel free to contact me off list.

Thanks in advance.

Clive
Re: CalledStationID
>
> The best thing you can do right now is test current cvs HEAD and report any
> bugs to us! Hopefully we can get a 2.0 release (or at least another
> prerelease) out the door soon.
>

Perfect! I can definitely do that.
Re: CalledStationID
On Mon 30 Jul 2007, Jeffrey Sewell wrote:
> On 7/30/07, Jeffrey Sewell <[EMAIL PROTECTED]> wrote:
> > On 7/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > You could add CalledStationId field to the radgroupreply table and
> > > modify authorize_group_reply_query to check that that field is equal
> > > to %{Called-Station-Id}.
>
> After posting my last reply/question, I was re-reading the rlm_sql
> wiki section on SQL xlat and found that little note on version 2's use
> of conditionals! :)
>
> Looks like that was designed to do exactly what I'm thinking. I
> haven't been following the threads on version 2's status, how is it
> coming? Anything I can do to help?

The best thing you can do right now is test current cvs HEAD and report any
bugs to us! Hopefully we can get a 2.0 release (or at least another
prerelease) out the door soon.

--
Peter Nixon
http://peternixon.net/
[OT] Out of Office AutoReply: Re[2]: Adding a NAS via SQL
[Out of Topic AutoReply]
ATMEL is still on vacation! ARM rulz :)

Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113

This is a forwarded message
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Monday, July 30, 2007, 7:11:02 PM
Subject: Out of Office AutoReply: Re[2]: Adding a NAS via SQL

===8<==Original message text===
Thank you for your mail, but I am out of the office up to and including 19.08.2007. For urgent enquiries please contact [EMAIL PROTECTED]

i'm out of office until 19.08.2007 in urgent cases please send your email to [EMAIL PROTECTED]

Ulrich Hofacker
IT2
===8<===End of original message text===
Re: CalledStationID
On 7/30/07, Jeffrey Sewell <[EMAIL PROTECTED]> wrote:
> On 7/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > You could add CalledStationId field to the radgroupreply table and modify
> > authorize_group_reply_query to check that that field is equal to
> > %{Called-Station-Id}.
>

After posting my last reply/question, I was re-reading the rlm_sql wiki section on SQL xlat and found that little note on version 2's use of conditionals! :)

Looks like that was designed to do exactly what I'm thinking. I haven't been following the threads on version 2's status, how is it coming? Anything I can do to help?
Re[2]: Adding a NAS via SQL
Hi Paul,

Saturday, July 28, 2007, 6:08:23 PM, you wrote:
> I however just tried hitting radiusd with a SIGHUP and it really
> didn't like it. Output attached, I just got a segfault when I hit it with
> the next radius request.

Currently, I'm able to run a SIGHUPed freeradius 20070420 snapshot, with postgresql backend. If you search through the archives, I've sent a rude email to the list back in March 2007 (containing 3 questions in one message).. I'm sorry for that email, but I'll be very happy (even now) to get advice about the workarounds. The server seems to run ok so far, without any problems, but I didn't put too much stress on it.

My solution to let the freeradius handle a SIGHUP was:

1)
> I solved this problem by commenting out the "we do other magic"
> in mainconfig.c lines 1059->1064. This will disable debug level
> change on the fly facility, it's not that important anyway

2)
> clients.c
> - if (clients) return clients;
> + if (clients) clients_free(clients);
> mainconfig.c
> -clients_free(old_clients);
> +if ((void *)old_clients != (void *)clients)
> + clients_free(old_clients);
> solved the problem.
> Do I still need the clients_free(old_clients)?

>> Is there a way to automatically activate a new NAS device that I add to
>> the SQL database?
> cron ;-)

My advice is to create a database trigger on INSERTs, UPDATEs, DELETEs. For example, my postgresql trigger written in plperlu:

CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
    system("/usr/bin/sudo /usr/bin/killall -HUP radiusd");
    return;
$rr_rad$ LANGUAGE plperlu;

DROP TRIGGER IF EXISTS need_to_restart_radiusd ON nas_table;
CREATE TRIGGER need_to_restart_radiusd AFTER INSERT OR UPDATE OR DELETE ON nas_table
    FOR EACH STATEMENT EXECUTE PROCEDURE restart_radiusd();

/etc/sudoers:
postgresqluser ALL=(radiususer) NOPASSWD: /usr/bin/killall -HUP radiusd

This way, you will restart freeradius only when needed.
You said that your backend is mysql, you will probably be able to come up with the mysql version, but your main issue is not that. SIGHUP must work.

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113
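Review bot: the guard in the quoted mainconfig.c hunk, `+if ((void *)old_clients != (void *)clients)`, compares pointer values instead of tracking which code owns the list, and combined with the clients.c hunk (`+ if (clients) clients_free(clients);` in place of `- if (clients) return clients;`) it still leaves a double free open: if the re-read allocates a fresh list after freeing the old one, `old_clients` points at memory that has already been freed, the two pointers differ, and `clients_free(old_clients)` frees it a second time. The question in the quoted text ("Do I still need the clients_free(old_clients)?") is best answered by removing that call so exactly one place frees the previous list, rather than guarding it with a pointer comparison.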
Re: CalledStationID
On 7/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> You could add CalledStationId field to the radgroupreply table and modify
> authorize_group_reply_query to check that that field is equal to
> %{Called-Station-Id}.
>
> Ivan Kalik
> Kalik Informatika ISP
>

I like this idea a lot. I know that I can create more than one SQL query for different scenarios (sql1, sql2, etc). What other capabilities do I have with this conf file? For example, can I do an "if-then-else" with queries? Thinking to check first that the Called-Station-Id matches what the user is allowed, if so, do the regular auth query, if not do a different query to give that user limited access (say to a "would you like to buy roaming" page).
Re: Using the various User-Password, Chap-Password, etc... with MySQL
Hey, some updates...

Ok I've done some tests and thanks to Kegal I was able to move forward with these different 'scenarios'. For having an encrypted password in the database what can be done is to give the user the attribute Crypt-Password and set the Value to be ENCRYPT('somepass') where ENCRYPT() is a MySQL function.

Still have to figure out about MD5, SHA1 and CHAP.

Thanks so far,
Liran.

On 7/30/07, liran tal <[EMAIL PROTECTED]> wrote:
>
> Thanks Alan,
>
> I've read the manpage on rlm_pap.
> Regarding the User-Password attribute I understand that it is still
> supported but we moved to using Cleartext-Password which is essentially the same.
>
> Regarding the other attributes like Crypt-Password or MD5-Password, the
> manpage says that these contain the crypted/md5 hashed form of the password.
> Does that mean that if I use those as the password attribute then in the
> database I'm supposed to use the MD5() function to encrypt the password I save there?
>
> This also brings me to another question, if I can encrypt like that a
> password in the database even for the Cleartext-Password (or the deprecated
> User-Password) attribute as the manpage also mentions that rlm_pap, if put
> last in the authorize section will try to decrypt the password.
>
> Do I understand this correctly?
>
> Regards,
> Liran.
>
> On 7/29/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> >
> > liran tal wrote:
> > > I was wondering if someone can clearly explain the use of different
> > > Password attributes when they're used in a scenario where MySQL is involved.
> >
> > The different password attributes have nothing to do with MySQL.
> >
> > Put a clear-text password in MySQL, and let the server deal with
> > different authentication protocols.
> >
> > > The basic case of User-Password is clear.
> > > When the attribute in the radcheck table is User-Password then its value is
> > > the password in clear text and the op is ==
> >
> > No. See the recent documentation in 1.1.5 and following. The
> > attribute is Cleartext-Password, and the operator is :=.
> >
> > > What about Cleartext-Password? I've added this attribute with op of := and
> > > value password in clear text and used radtest as a test, and it results in
> > > just re-transmission of Access-Request queries, and basically not working.
> >
> > See the FAQ for "it doesn't work". The FAQ, README, INSTALL, etc. all
> > say to run the server in debugging mode.
> >
> > > What about Chap-Password, MD5-Password, SHA1-Password, what are their
> > > corresponding values and op like?
> >
> > Read the documentation in "man rlm_pap", as suggested in the README.
> >
> > Alan DeKok.
Re: Using the various User-Password, Chap-Password, etc... with MySQL
liran tal wrote:
> also mentions that rlm_pap, if put last in the authorize section will
> try to decrypt the password.

There is no decrypt. The server will crypt the plain text password that comes in the request and compare that to the stored crypted password. That is why only PAP will work since other protocols do not send the password in cleartext in the request. This is why it is recommended that the cleartext password be stored in the DB since then all protocols will work.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
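An added illustration of the point made in this reply (example code, not from the thread or from FreeRADIUS): with only a hash stored, a PAP request can be verified by hashing the cleartext it carries, but a CHAP response (RFC 1994: ID || MD5(ID || password || challenge)) cannot be recomputed, so it is verifiable only against a Cleartext-Password row. The hex digest used for the MD5-Password row is an assumption standing in for the module's own storage format.

```python
import hashlib
import hmac

# Constructed sample radcheck rows (attribute, value): one stores only a hash,
# the other the cleartext that the thread recommends. The hex digest is an
# assumption standing in for rlm_pap's MD5-Password storage format.
HASHED_ROW = ("MD5-Password", hashlib.md5(b"somepass").hexdigest())
CLEARTEXT_ROW = ("Cleartext-Password", "somepass")


def pap_check(row, user_password):
    """PAP: the request carries the cleartext, so the server can hash it the
    same way as the stored value and compare (what rlm_pap does)."""
    attr, value = row
    if attr == "Cleartext-Password":
        candidate = user_password
    elif attr == "MD5-Password":
        candidate = hashlib.md5(user_password.encode()).hexdigest()
    else:
        return False  # unknown storage form: reject
    return hmac.compare_digest(candidate.encode(), value.encode())


def chap_response(chap_id, password, challenge):
    """Client side of CHAP: CHAP-Password = ID || MD5(ID || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password.encode() + challenge).digest()


def chap_check(row, chap_password, chap_challenge):
    """CHAP: the request carries only MD5(ID || password || challenge). The
    server must recompute that from the cleartext; with a hashed row there is
    nothing to recompute from, so the result is None (not verifiable)."""
    attr, value = row
    if attr != "Cleartext-Password":
        return None
    if len(chap_password) != 17:  # 1 byte ID + 16 byte MD5
        return False
    expected = chap_response(chap_password[0], value, chap_challenge)
    return hmac.compare_digest(chap_password, expected)
```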
Re: Using the various User-Password, Chap-Password, etc... with MySQL
Thanks Alan,

I've read the manpage on rlm_pap. Regarding the User-Password attribute I understand that it is still supported but we moved to using Cleartext-Password which is essentially the same.

Regarding the other attributes like Crypt-Password or MD5-Password, the manpage says that these contain the crypted/md5 hashed form of the password. Does that mean that if I use those as the password attribute then in the database I'm supposed to use the MD5() function to encrypt the password I save there?

This also brings me to another question, if I can encrypt like that a password in the database even for the Cleartext-Password (or the deprecated User-Password) attribute as the manpage also mentions that rlm_pap, if put last in the authorize section will try to decrypt the password.

Do I understand this correctly?

Regards,
Liran.

On 7/29/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
> liran tal wrote:
> > I was wondering if someone can clearly explain the use of different
> > Password attributes when they're used in a scenario where MySQL is involved.
>
> The different password attributes have nothing to do with MySQL.
>
> Put a clear-text password in MySQL, and let the server deal with
> different authentication protocols.
>
> > The basic case of User-Password is clear.
> > When the attribute in the radcheck table is User-Password then its value is
> > the password in clear text and the op is ==
>
> No. See the recent documentation in 1.1.5 and following. The
> attribute is Cleartext-Password, and the operator is :=.
>
> > What about Cleartext-Password? I've added this attribute with op of := and
> > value password in clear text and used radtest as a test, and it results in
> > just re-transmission of Access-Request queries, and basically not working.
>
> See the FAQ for "it doesn't work". The FAQ, README, INSTALL, etc. all
> say to run the server in debugging mode.
>
> > What about Chap-Password, MD5-Password, SHA1-Password, what are their
> > corresponding values and op like?
>
> Read the documentation in "man rlm_pap", as suggested in the README.
>
> Alan DeKok.
Re: Adding a NAS via SQL
On 2007-07-30 17:06, Dennis Skinner wrote:
> Krzysztof Olędzki wrote:
>> I'm not sure if this is a good idea. What if you need to change for
>> example a shared secret?
>
> Poke it with radclient from a host that is not in the client table?

Like 127.15.16.18? Good idea. So maybe a magic-client solution that rereads a sql client database?

Best regards,
Krzysztof Olędzki
Re: Adding a NAS via SQL
Krzysztof Olędzki wrote:
> I'm not sure if this is a good idea. What if you need to change for
> example a shared secret?

Poke it with radclient from a host that is not in the client table?

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: Adding a NAS via SQL
On 2007-07-30 15:54, Stefan Winter wrote:
> Hi,
>
>> It is an issue that has been discussed previously and FreeRADIUS is
>> unlikely to ever do an SQL SELECT of the nas table for every inbound
>> packet. What may be possible is to reload the nas list at certain intervals
>> (from cron is the easiest) but until/unless HUP handling is improved that
>> is problematic for deployments that need to keep session state (ie. EAP
>> users). If you dont use EAP, then there is no problem doing a full restart
>> on a regular basis..
>
> regular checks still would be a waste of resources most of the time (how
> often do you add a NAS?). How about:
>
> - doing the SQL query when it encounters a request from a new, unknown IP
> address,
> - RATE-LIMITED to once per minute or so.
>
> That would make re-reading event-driven, and not make the server be DoS'ed
> when a wave of fake requests comes in.
> Not sure how difficult to implement this though...

I'm not sure if this is a good idea. What if you need to change for example a shared secret?

Regards,
Krzysztof Olędzki

--
Krzysztof Olędzki
Axel Springer Polska Sp. z o.o.
tel: +48-22-2320969
fax: +48-22-2325530
Re: Adding a NAS via SQL
On Mon 30 Jul 2007, Stefan Winter wrote:
> Hi,
>
> > It is an issue that has been discussed previously and FreeRADIUS is
> > unlikely to ever do an SQL SELECT of the nas table for every inbound
> > packet. What may be possible is to reload the nas list at certain
> > intervals (from cron is the easiest) but until/unless HUP handling is
> > improved that is problematic for deployments that need to keep session
> > state (ie. EAP users). If you dont use EAP, then there is no problem
> > doing a full restart on a regular basis..
>
> regular checks still would be a waste of resources most of the time (how
> often do you add a NAS?). How about:
>
> - doing the SQL query when it encounters a request from a new, unknown IP
> address,
> - RATE-LIMITED to once per minute or so.
>
> That would make re-reading event-driven, and not make the server be DoS'ed
> when a wave of fake requests comes in.
> Not sure how difficult to implement this though...

Yes. I think this would be a reasonable option, which should default to off. This should of course be rate limited to one re-read per minute for the whole server, not per source IP, as spoofing UDP packets is obviously not terribly difficult..

--
Peter Nixon
http://peternixon.net/
Re: Adding a NAS via SQL
Hi,

> It is an issue that has been discussed previously and FreeRADIUS is
> unlikely to ever do an SQL SELECT of the nas table for every inbound
> packet. What may be possible is to reload the nas list at certain intervals
> (from cron is the easiest) but until/unless HUP handling is improved that
> is problematic for deployments that need to keep session state (ie. EAP
> users). If you dont use EAP, then there is no problem doing a full restart
> on a regular basis..

regular checks still would be a waste of resources most of the time (how often do you add a NAS?). How about:

- doing the SQL query when it encounters a request from a new, unknown IP address,
- RATE-LIMITED to once per minute or so.

That would make re-reading event-driven, and not make the server be DoS'ed when a wave of fake requests comes in.
Not sure how difficult to implement this though...

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Engineer, Research & Development
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
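An added sketch of the event-driven re-read proposed here, with the refinement from Peter Nixon's reply that the limit is one re-read per minute for the whole server rather than per source address. This is example code, not FreeRADIUS code: `load_clients` stands in for the SQL read of the nas table, and the clock is injectable so the flood of unknown sources can be simulated offline.

```python
import time

RELOAD_INTERVAL = 60.0  # one re-read per minute for the whole server


class ClientTable:
    """Known-NAS table with a server-wide rate limit on re-reading it.

    load_clients stands in for the SQL read of the nas table and yields
    (ip, secret) pairs; now is injectable so the behaviour can be simulated.
    """

    def __init__(self, load_clients, interval=RELOAD_INTERVAL, now=time.monotonic):
        self._load = load_clients
        self._interval = interval
        self._now = now
        self.clients = {}
        self.reloads = 0
        self._last_reload = float("-inf")
        self._reload()

    def _reload(self):
        self.clients = dict(self._load())
        self._last_reload = self._now()
        self.reloads += 1

    def lookup(self, src_ip):
        """Return the shared secret for src_ip, or None if the NAS is unknown.

        Only an unknown source can trigger a re-read, and at most one re-read
        per interval happens no matter how many distinct (possibly spoofed)
        addresses show up, so a flood of fake packets costs one SQL query.
        """
        secret = self.clients.get(src_ip)
        if secret is not None:
            return secret
        if self._now() - self._last_reload >= self._interval:
            self._reload()
            secret = self.clients.get(src_ip)
        return secret


def demo():
    """Constructed scenario: a NAS is added via SQL after startup, then a
    flood of packets from unknown addresses arrives within one second."""
    db = {"192.0.2.9": "tti"}           # constructed; mirrors this thread's clients.conf
    clock = [0.0]
    table = ClientTable(lambda: db.items(), now=lambda: clock[0])
    db["192.0.2.10"] = "tti"            # new NAS row inserted into the database
    for i in range(500):                # 500 unknown sources in the first second
        clock[0] = i / 500
        table.lookup(f"198.51.100.{i % 250}")
    flood_reloads = table.reloads       # still 1: the flood triggered nothing
    clock[0] = 60.0
    found = table.lookup("192.0.2.10")  # a re-read is now due: new NAS is known
    return flood_reloads, table.reloads, found


if __name__ == "__main__":
    print(demo())  # (1, 2, 'tti')
```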
Re: Nas Type
YvesDM wrote:
> Hi Robert,
>
> As for m0n0wall (and I guess pfsense too), you can also use the
> "disable concurrent logins" option in the CP setup.
> This way there will never be simultaneous use from the same nas.
>
> Kind Regards,
> Yves
>

Yes, I've seen that option, and I actually have it enabled. What I don't like with it is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.

Anyway, thank you very much,

Roberto

--
-
Marcos Roberto Greiner

Optimists think we live in the best of all worlds
Pessimists are afraid that this is true
Murphy
-
RE: SQL usage ideas
No. Fastusers uses flat (users type) file. There is no "fastsql" module. Again, if you think that database stored on disk is too slow for you, feel free to use heap (memory) tables.

Ivan Kalik
Kalik Informatika ISP

On 30/7/2007, "Roy Walker" <[EMAIL PROTECTED]> wrote:

>Maybe I am misunderstanding you, but are you saying there is already a method
>to pull the data from the database and cache it using 'fastusers'? I do not
>see any way to do that...
>
>There are a lot of reasons to keep the data in a database, look at the NAS table
>(I realize it is read-on-start for DOS reasons) but someone must be of the
>same mind set as me or there would be no client support in the SQL module.
>
>Roy
>
>From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
>Sent: Sun 7/29/2007 3:42 PM
>To: FreeRadius users mailing list
>Subject: Re: SQL usage ideas
>
>Hi,
>> Well if you understand server/client systems, no client request is
>> INFINITELY faster than a server cached request. So when you get to the
>> point where you need to handle several hundred requests a second, you do the
>> math.
>
>depends on how the SQL tables are indexed, how the server is configured
>etc etc - certainly I've got some very complex queries that upon benchmarking
>against a million entries can run in less than 0.00 (ie MySQL basic
>counter in seconds isnt good enough to measure ;-) )
>
>but if you want to take your data, then cache it in memory rather than
>query it... well, that sounds much like having it in memory and not
>in a database at all - ie 'fastusers' and the such... rather than a
>database as we know it.
>
>alan
Re: SQL usage ideas
> the other tables). One really useful option would be to add an option
> to read some of the database tables into the radius servers memory on
> startup. This would be EXTREMELY useful for my case in that I am

man rlm_passwd
Re: OpenSER + Freeradius accounting
On Mon 30 Jul 2007, Marc LEURENT wrote:
> Good Morning,
> I have some trouble accounting openser calls with freeradius.
> Calls are accounted, but only AcctSessionId / AcctUniqueId are stored in
> the database, UserName and Realm fields are empty!

And what do the accounting detail file records look like? Do they have the information in them that you require?

--
Peter Nixon
http://peternixon.net/
Re: OpenSER + Freeradius accounting
Hi,

> Good Morning,
> I have some trouble accounting openser calls with freeradius.
> Calls are accounted, but only AcctSessionId / AcctUniqueId are stored in
> the database, UserName and Realm fields are empty!

FR can only account what it is sent. Check the openser mailing list for further application-specific help.

alan
OpenSER + Freeradius accounting
Good Morning,

I have some trouble accounting openser calls with freeradius. Calls are accounted, but only AcctSessionId / AcctUniqueId are stored in the database, UserName and Realm fields are empty!

Any idea?

Thanks

My openser.cfg looks like:

# -- acc params (with radius )--
modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "early_media", 1)
modparam("acc", "report_cancels", 1)
modparam("acc", "detect_direction", 1)
modparam("acc", "service_type", 15) # Radius service type used for accounting : 15 = (SIP)
modparam("acc", "radius_extra", "Sip-Src-IP=$si; SIP-Method=$rm")
Re: Wrong behaviour of rlm_ldap module + users file
On 7/27/07, Phil Mayers <[EMAIL PROTECTED]> wrote:
> DEFAULT
> Ldap-UserDn = `cn=%{User-Name},ou=whatever,...`
>
> Note that the DN need not be "real"

Hi Phil,

lol, I browsed the source too and I was gonna recompile it to exclude the hardcoded uid search. Clearly that would have been useless.

Thanks for the hints suggestion. The line above, modified to match the needed suffix and DN, did the trick. I also found there was no need to tweak the radiusd.conf file and move ldap to the instantiate section. That's good news.

--
"In a sea of glass shards, I hear you screaming" --icchan