Using the outer envelope attributes in an EAP-TTLS request?
Hi all,

My problem has been fixed by setting "copy_request_to_tunnel = yes" in the eap.conf file.

Thanks to all that responded.

Rgds,
Marcus Packard
Campus Network Manager, Information Services Division, Flinders University

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using the outer envelope attributes in an EAP-TTLS request?
Hi,

I am currently configuring a Cisco WiSM blade (software version 4.1.185.0) and a FreeRadius Server (Version 1.1.3, for host i686-redhat-linux-gnu, built on Apr 25 2007) for EAP-TTLS. I've gotten VLAN override to work on the WiSM (no problem there). However, what I am trying to do now is let a user choose between two SSIDs, where one SSID supports VLAN overriding and one does not.

The problem I am having is that the WiSM appears to send all the Radius attributes like Tunnel-Private-Group-Id in the initial anonymous request to the radius server. See below:

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:32769, id=86, length=182
        User-Name = "anonymous"
        Calling-Station-Id = "00-13-CE-1A-9F-5D"
        Called-Station-Id = "00-1D-45-A6-02-10:ISD"
        NAS-Port = 29
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Identifier = "Cisco_d4:2c:6b"
        Airespace-Wlan-Id = 5
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "251"
        EAP-Message = 0x0211000e01616e6f6e796d6f7573
        Message-Authenticator = 0x7ad2cce223c93cf13030c0da463232e5

However they are not included in the TTLS tunnel data, see below:

  TTLS tunnel data in 0020: 6b 65 00 00
  TTLS: Got tunneled request
        User-Name = "x"
        User-Password = ""
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "x"
        User-Password = "x"
        FreeRADIUS-Proxied-To = 127.0.0.1

I don't know how (or if it is possible) to combine the outer envelope data with the tunnel data in a FreeRadius stanza. (At least it hasn't worked the various ways I have tried.) FreeRadius appears (to me) to just be using the tunnel data.
I would like to do something (in FreeRadius) like:

DEFAULT AUTH-TYPE := LDAP, Ldap-Group == isd, Airespace-Wlan-Id == 5
        Fall-Through = No

or

DEFAULT AUTH-TYPE := LDAP, Tunnel-Private-Group-ID:0 == "251", Ldap-Group == isd
        Fall-Through = No

The LDAP group attributes are being looked up properly in the previous stanzas but the outer envelope data appears not to be used. Any suggestions on how I can incorporate both? (Note I've tried both Tunnel-Private-Group-ID:0 and Tunnel-Private-Group-ID.)

Thanks,
Marcus Packard
Campus Network Manager, Information Services Division, Flinders University
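An added illustration (not code from the list thread) of what copy_request_to_tunnel changes for this request: it models the outer and tunneled attribute sets from the debug output above and evaluates the two stanzas Marcus wanted to write. The check-item semantics, the attributes that are never copied, and the Ldap-Group lookup are simplified assumptions for this model, not the server's own code.

```python
# Added illustration, not code from the list thread: a simplified model
# of what copy_request_to_tunnel does to the request that the tunneled
# (inner) EAP-TTLS policy evaluates.

# Outer Access-Request attributes, taken from the rad_recv output above.
OUTER_REQUEST = {
    "User-Name": "anonymous",
    "Calling-Station-Id": "00-13-CE-1A-9F-5D",
    "NAS-Port-Type": "Wireless-802.11",
    "Airespace-Wlan-Id": "5",
    "Tunnel-Type:0": "VLAN",
    "Tunnel-Medium-Type:0": "IEEE-802",
    "Tunnel-Private-Group-Id:0": "251",
}

# What rlm_eap_ttls saw inside the tunnel ("x" as in the debug output).
INNER_REQUEST = {
    "User-Name": "x",
    "User-Password": "x",
    "FreeRADIUS-Proxied-To": "127.0.0.1",
}

# Outer attributes that are never copied into the tunnel in this model
# (assumption: the inner identity and credential must stay the inner ones).
NOT_COPIED = {"user-name", "user-password"}


def build_tunneled_request(outer, inner, copy_request_to_tunnel):
    """Return the attribute set the inner policy (users file, LDAP,
    etc.) gets to see.  With copy_request_to_tunnel = no the outer
    envelope is invisible; with yes, outer attributes are added unless
    the tunnel already supplied that attribute."""
    merged = dict(inner)
    if not copy_request_to_tunnel:
        return merged
    present = {k.lower() for k in inner}
    for attr, value in outer.items():
        if attr.lower() in present or attr.lower() in NOT_COPIED:
            continue
        merged[attr] = value
    return merged


# Check items from the two stanzas Marcus wanted to write; Ldap-Group
# is matched against the groups a prior LDAP lookup found (assumed).
STANZAS = {
    "wlan-5-only":   {"Ldap-Group": "isd", "Airespace-Wlan-Id": "5"},
    "vlan-251-only": {"Tunnel-Private-Group-ID:0": "251", "Ldap-Group": "isd"},
}


def matching_stanzas(request, ldap_groups, stanzas=STANZAS):
    """Names of the stanzas whose check items all match.  Attribute
    names are compared case-insensitively, as the server does, so the
    stanza's Tunnel-Private-Group-ID:0 matches the packet's
    Tunnel-Private-Group-Id:0."""
    request_ci = {k.lower(): v for k, v in request.items()}
    matched = []
    for name, checks in stanzas.items():
        for attr, want in checks.items():
            if attr.lower() == "ldap-group":
                ok = want in ldap_groups
            else:
                ok = request_ci.get(attr.lower()) == want
            if not ok:
                break
        else:
            matched.append(name)
    return matched


if __name__ == "__main__":
    for copy in (False, True):
        req = build_tunneled_request(OUTER_REQUEST, INNER_REQUEST, copy)
        print("copy_request_to_tunnel = %s -> %s"
              % ("yes" if copy else "no", matching_stanzas(req, {"isd"})))
```

With the setting off neither stanza can match because the inner request carries no WLAN or VLAN attribute at all; with it on both match while the inner User-Name stays "x".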
Re: error after updating to freeradius 2.0.1
> > Check that nothing is listening on port 1812, even for IPv6.
>
> Nothing listening except for ssh.

Since ssh is TCP, you know that radius is UDP and you need to check with "netstat -ulnp"

> ERROR: Failed to open socket:
> /etc/freeradius/radiusd.conf[182]: Error binding to port for 0.0.0.0 port
> 1812

BTW If you are using some virtualization or similar software, I've heard some of them don't support binding to 0.0.0.0 so you'll have to bind to the specific ip address.

--
damjan | дамјан
RE: error after updating to freeradius 2.0.1
> Check that nothing is listening on port 1812, even for IPv6.

Nothing listening except for ssh.

> Also try posting the full debug log. Maybe there's another "listen"
> section which is conflicting with the 0.0.0.0:1812.
>
> Alan DeKok.

This is the full log:

FreeRADIUS Version 2.0.1, for host i486-pc-linux-gnu, built on Feb 10 2008 at 19:29:19
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = "/var/run/freeradius/freeradius.pid"
    user = "freerad"
    group = "freerad"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "insert-pass-here"
    nastype = "other"
}
client 192.168.0.1 {
    require_message_authenticator = no
    secret = "secret"
    shortname = "test"
}
radiusd: Loading Realms and Home Servers
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
realm LOCAL {
}
radiusd: Instantiating modules
instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
  }
}
radiusd: Loading Virtual Servers
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
    radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = "ttls"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = "path here"
    certificate_file = "path here"
    CA_file = "/path herem"
    private_key_password = "secret"
    dh_file = "/etc/freeradius/certs/dh"
    random_file = "/etc/freeradius/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/etc/freeradius/c
mod_auth_radius question
I have a question regarding mod_auth_radius which doesn't seem to be addressed by the included documentation or anything I have found with a google search.

When configuring the module in the apache configuration (I'm using the latest 1.3 branch) is it possible to specify more than one radius server so that it will fail over in the event that the first is down? Something like this:

#
# AddRadiusAuth server[:port] [ timeout [ : retries ]]
#
AddRadiusAuth server1.example.com:1645 secret 5:3
AddRadiusAuth server2.example.com:1645 secret 5:3
AddRadiusCookieValid 60

It seems as though this doesn't work or it wants to use only the last one specified. Am I missing something? Anybody have experience trying to use this module in a similar setup? It would be great to be able to get this working with both of my radius servers.

Thanks in advance!
Jeremiah
Re: eap_tnc.c source not strictly C
Andrew Hood wrote:
> I know good style says newbies should lurk before posting, but anyway:
>
> Is freeradius supposed to be C89?

It's supposed to be as portable as possible.

> src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
>
> Is full of C++ comments and C99isms.

Yes. Most of those should be fixed. As always, patches are welcome.

Alan DeKok.
eap_tnc.c source not strictly C
I know good style says newbies should lurk before posting, but anyway:

Is freeradius supposed to be C89?

src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c

Is full of C++ comments and C99isms.

--
REALITY.SYS not found: Universe halted.
Re: Different IP Pool per proxied realm
Tony Spencer wrote:
> Right I've now managed to get v2.0.1 working on our radius server.
> Although for some reason its not logging to radiusd.log.
> Previously we have logged accounting to the log file and the radacct table.
> If anyone can spare a thought on why this isn't now logging to the
> radiusd.log file I would appreciate it.

File permissions? Also see the log{} configuration in radiusd.conf.

> Onto the different IP pool per realm...
> This still doesn't seem to work.
> The debug doesn't show the IP pool being loaded.
> Does this still need to be put into radiusd.conf or the sites-enabled file?

You can put everything in radiusd.conf, just like in 1.1.7.

Alan DeKok.
Re: error after updating to freeradius 2.0.1
Joep Ruiter wrote:
> ERROR: Failed to open socket:
> /etc/freeradius/radiusd.conf[182]: Error binding to port for 0.0.0.0 port
> 1812

This is likely due to the system having IPv6 support. Version 2.0 adds IPv6, and there are issues with binding to IPv4 and IPv6 sockets.

> All 1.1.x versions have run smoothly on my Ubuntu server, this is the first
> time I get this problem.
> Does anyone know how to fix this?

Check that nothing is listening on port 1812, even for IPv6. Also try posting the full debug log. Maybe there's another "listen" section which is conflicting with the 0.0.0.0:1812.

Alan DeKok.
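An added example, not from the thread, that ties together the two checks suggested in this thread (Alan's "even for IPv6" and Damjan's "netstat -ulnp"): it parses netstat's UDP lines and names every socket that would make a fresh bind to 0.0.0.0:1812 fail, including an IPv6 wildcard socket that covers the IPv4 side on a dual-stack host. The netstat text and the process name are constructed.

```python
# Added example, not from the thread: parse "netstat -ulnp" output and
# report every UDP socket already holding the port radiusd wants, so an
# "Error binding to port for 0.0.0.0 port 1812" can be traced to the
# socket and process that own the port.  The netstat text is constructed.

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:1812            0.0.0.0:*                           1234/radiusd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp6       0      0 :::1812                 :::*                                1234/radiusd
udp6       0      0 ::1:1813                :::*                                1234/radiusd
"""


def parse_udp_sockets(netstat_output):
    """Return the UDP lines as dicts with family, addr, port and owner.

    owner is "-" when netstat could not read the PID (not run as root),
    which is itself a hint to re-run the command with root privileges.
    """
    sockets = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("udp"):
            continue
        # Split on the last colon only: IPv6 addresses contain colons.
        addr, port = fields[3].rsplit(":", 1)
        sockets.append({
            "family": "ipv6" if fields[0] == "udp6" else "ipv4",
            "addr": addr,
            "port": int(port),
            "owner": fields[5] if len(fields) > 5 else "-",
        })
    return sockets


def bind_conflicts(sockets, port):
    """Describe each socket that stops a fresh bind to 0.0.0.0:<port>.

    A specific IPv4 address on the port conflicts with the wildcard, and
    so does an IPv6 wildcard "::": with Linux's default dual-stack
    behaviour (bindv6only = 0) that socket also claims the IPv4 side.
    """
    reasons = []
    for s in sockets:
        if s["port"] != port:
            continue
        if s["addr"] == "::":
            what = "IPv6 wildcard :: (dual-stack, also covers IPv4)"
        elif s["addr"] == "0.0.0.0":
            what = "IPv4 wildcard 0.0.0.0"
        else:
            what = "%s address %s" % (s["family"], s["addr"])
        reasons.append("%s on UDP %d already bound by %s"
                       % (what, port, s["owner"]))
    return reasons


if __name__ == "__main__":
    for reason in bind_conflicts(parse_udp_sockets(SAMPLE_NETSTAT), 1812):
        print(reason)
```

Feed it the real output of netstat -ulnp (run as root so the PID column is filled in) to see which process, or which second "listen" section of the same server, already owns the port.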
error after updating to freeradius 2.0.1
Hi

After I found out today that Freeradius 2.0.1 was out I updated my old 1.1.7 release and installed this version. Problem is, that it won't start. I keep getting:

ERROR: Failed to open socket:
/etc/freeradius/radiusd.conf[182]: Error binding to port for 0.0.0.0 port 1812

All 1.1.x versions have run smoothly on my Ubuntu server, this is the first time I get this problem. Does anyone know how to fix this?

Thanks in advance!
Joep Ruiter
RE: Different IP Pool per proxied realm
Right I've now managed to get v2.0.1 working on our radius server. Although for some reason it's not logging to radiusd.log. Previously we have logged accounting to the log file and the radacct table. If anyone can spare a thought on why this isn't now logging to the radiusd.log file I would appreciate it.

Onto the different IP pool per realm... This still doesn't seem to work. The debug doesn't show the IP pool being loaded. Does this still need to be put into radiusd.conf or the sites-enabled file?

Thanks
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 11 February 2008 13:39
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> We are running freeradius on Centos and the most supported package that gets
> installed by "yum update" is freeradius-1.0.1-3.RHEL4.5, which I now have
> installed.

Ugh.

> I've tried to upgrade by downloading the latest version, 2.0.1.
> Although it builds and installs it doesn't seem to try to connect to my SQL
> database. When I start the old version with -X I see a lot of mention of
> sql.
> But version 2.0.1 started with -X doesn't seem to say anything apart from
> its loading the sql.conf file.
> Am I missing something here?

If you have built 2.0.1 with SQL *and* configured the SQL module in radiusd.conf && sites-available/default, it *should* work. My guess is that the server wasn't built with SQL, and that you haven't edited the configuration files to enable SQL.

So far as the rest of the debug output goes, 1.0.1 is *years* out of date. I no longer remember what it does, or what quirks it has with respect to IP pools. If that is the only version that Redhat supports, then I suggest calling them and asking them for support. Or, use 2.0.1, which will be much easier to configure && debug.

Alan DeKok.
Re: Freeradius with OpenLDAP (Suse Enterprise 10)
Zitat von David W Bell <[EMAIL PROTECTED]>:

> Markus Krause wrote:
>> Zitat von David W Bell <[EMAIL PROTECTED]>:
>>> Markus Krause wrote:
>>>> Zitat von David W Bell <[EMAIL PROTECTED]>:
>>>>> LDAP is installed and working out of the box, having been set to be used for authentication during the SUSE install. This is proven by the ability to log in to the box, both locally and via SSH.
>>>>>
>>>>> I installed freeRADIUS from the latest source and it is working also.
>>>>>
>>>>> freeRADIUS seems unable to find a password for the user during Authentication.
>>>>>
>>>>> I issue the following on my workstation
>>>>>
>>>>> [EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing
>>>>> Received response ID 99, code 3, length = 20
>>>>>
>>>>> And see the following from freeRADIUS
>>>>>
>>>>> Listening on authentication address * port 1812
>>>>> Listening on accounting address * port 1813
>>>>> Ready to process requests.
>>>>> rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45
>>>>>         User-Name = "belld"
>>>>>         User-Password = "p455w0rd"
>>>>> +- entering group authorize
>>>>> ++[preprocess] returns ok
>>>>> ++[chap] returns noop
>>>>> ++[mschap] returns noop
>>>>>     rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>>>>>     rlm_realm: No such realm "NULL"
>>>>> ++[suffix] returns noop
>>>>>   rlm_eap: No EAP-Message, not doing EAP
>>>>> ++[eap] returns noop
>>>>> ++[unix] returns notfound
>>>>> ++[files] returns noop
>>>>> rlm_ldap: - authorize
>>>>> rlm_ldap: performing user authorization for belld
>>>>> WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
>>>>>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>>>>>         expand: dc=dxi,dc=net -> dc=dxi,dc=net
>>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>>> rlm_ldap: attempting LDAP reconnection
>>>>> rlm_ldap: (re)connect to localhost:389, authentication 0
>>>>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
>>>>> rlm_ldap: waiting for bind result ...
>>>>> rlm_ldap: Bind was successful
>>>>> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>>>>> rlm_ldap: looking for check items in directory...
>>>>> rlm_ldap: looking for reply items in directory...
>>>>> WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
>>>>> rlm_ldap: user belld authorized to use remote access
>>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>>> ++[ldap] returns ok
>>>>> ++[expiration] returns noop
>>>>> ++[logintime] returns noop
>>>>> rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
>>>>> ++[pap] returns noop
>>>>> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>>>>> auth: Failed to validate the user.
>>>>> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>>>>>   Found Post-Auth-Type Reject
>>>>> +- entering group REJECT
>>>>>         expand: %{User-Name} -> belld
>>>>>  attr_filter: Matched entry DEFAULT at line 11
>>>>> ++[attr_filter.access_reject] returns updated
>>>>> Delaying reject of request 0 for 1 seconds
>>>>> Going to the next request
>>>>> Waking up in 0.9 seconds.
>>>>> Sending delayed reject for request 0
>>>>> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>>>>> Waking up in 4.9 seconds.
>>>>>
>>>>> What I can't work out is whether this is due to an LDAP or a RADIUS config problem.
>>>>
>>>> what is the result of the following commands (using a terminal):
>>>>
>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
>>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>>
>>>> if they (especially the latter) do not return a value for the field "userPassword" the problem is on the LDAP side.
>>>>
>>>> markus
>>>
>>> Thanks Markus.
>>>
>>> I thought of that - and had done the 1st search and HAD noticed there was no LDAP password set
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: uid=belld
>>> # requesting: ALL
>>> #
>>>
>>> # belld, people, dxi.net
>>> dn: uid=belld,ou=people,dc=dxi,dc=net
>>> cn: David Bell
>>> gidNumber: 100
>>> givenName: David
>>> homeDirectory: /home/belld
>>> loginShell: /bin/bash
>>> objectClass: top
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> objectClass: inetOrgPerson
>>> shadowInactive: -1
>>> shadowMax: 9
>>> shadowMin: 0
>>> shadowWarning: 7
>>> sn: Bell
>>> uid: belld
>>> uidNumber: 1000
>>> shadowLastChange: 13920
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>> [EMAIL PROTECTED]:~>
>>>
>>> I thought this was because LDAP was handing that aspect over to something else but your second command shows a password.
>>>
>>> [EMAIL PROTECTED]:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: uid=belld
>>> # requesting: ALL
>>> #
>>>
>>> # belld, people, dxi.net
>>> dn: uid=bel
Re: rlm_perl with huge load (~1000-1500 request per minute)
John S. Doe wrote:
> Hello!
>
> i use freeradiusd 1.7, rlm_perl with thread conf:
>
> thread pool {
>     start_servers = 100
>     max_servers = 1500
>     min_spare_servers = 1
>     max_spare_servers = 10
>     max_requests_per_server = 10
> }
>
> rlm_sql uses mysql.
>
> All works fine, but sometime, at moment with high load:
>
> Error: Discarding duplicate request from client nas_4:63429 - ID: 154 due to unfinished request 2176280
>
> and radiusd like "frozen", take 99% of CPU time, and not response for client's request.
>
> FreeBSD 6.3, Hardware is adequate - 2xXeon with 2 Gb Ram.

Yikes. You're telling it to start 100 threads, and maybe start 1500 threads, but to start closing down threads when there are 1-10 inactive. You're also telling it to close each thread after it's done 10 requests, rather than just running forever. That is a silly config. The defaults are a long way from that, for a good reason.

Set "max_requests_per_server = 0" and max_servers no greater than double start_servers (at a guess - certainly 1500 is a stupidly large number, your OS will never, ever successfully schedule 1500 contending threads).

As for why it's freezing; it could be related to the thread config, but more likely your perl module (or another module) is simply taking too long to respond. Spawning more threads won't help that - you need to solve why the module is responding slowly.

What's the full config? What other modules are you running, any database lookups? Why did you change the thread config to something so extreme? How many NASes do you have? What's your load like?

> any ideas?
>
> Tnx.
Re: rlm_perl with huge load (~1000-1500 request per minute)
Hi,

> Hello!
>
> i use freeradiusd 1.7, rlm_perl with thread conf:
>
> thread pool {
>     start_servers = 100
>     max_servers = 1500
>     min_spare_servers = 1
>     max_spare_servers = 10
>     max_requests_per_server = 10
> }
>
> rlm_sql uses mysql.
>
> All works fine, but sometime, at moment with high load:
>
> Error: Discarding duplicate request from client nas_4:63429 - ID: 154 due to
> unfinished request 2176280
>
> and radiusd like "frozen", take 99% of CPU time, and not response for
> client's request.
>
> FreeBSD 6.3, Hardware is adequate - 2xXeon with 2 Gb Ram.
>
> any ideas?

yep - your database can't keep up with either the authentication traffic, the accounting traffic or both. try using sql_log for the accounting - to take it out of 100% realtime for each incoming packet.

also your config looks a bit wonky.

> thread pool {
>     start_servers = 100
>     max_servers = 1500
>     min_spare_servers = 1
>     max_spare_servers = 10
>     max_requests_per_server = 10
> }

start servers = 100
max spare servers = 10

so the first thing it has to do is kill a load off(!) - set the spare to 100.

how many SQL threads are you running?

alan
Re: EAP session matching the State variable.
Norbert Wegener wrote:
> As usual, Alan has made a great job. After more than 7 eap
> authentications everything is still working fine.
> The bug is obviously fixed.

Thanks for the testing. We can release 2.0.2 this week.

Alan DeKok.
Re: rlm_perl with huge load (~1000-1500 request per minute)
John S. Doe wrote:
> i use freeradiusd 1.7, rlm_perl with thread conf:
>
> thread pool {
...
> max_requests_per_server = 10

This should always be zero.

> and radiusd like "frozen", take 99% of CPU time, and not response for
> client's request.

Run it in debugging mode (-fxxx for threading) to see what's going on.

Alan DeKok.
rlm_perl with huge load (~1000-1500 request per minute)
Hello!

i use freeradiusd 1.7, rlm_perl with thread conf:

thread pool {
    start_servers = 100
    max_servers = 1500
    min_spare_servers = 1
    max_spare_servers = 10
    max_requests_per_server = 10
}

rlm_sql uses mysql.

All works fine, but sometime, at moment with high load:

Error: Discarding duplicate request from client nas_4:63429 - ID: 154 due to unfinished request 2176280

and radiusd like "frozen", take 99% of CPU time, and not response for client's request.

FreeBSD 6.3, Hardware is adequate - 2xXeon with 2 Gb Ram.

any ideas?

Tnx.

--
WBR, John
mailto:[EMAIL PROTECTED]
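An added example, not from the thread: a small checker that parses the thread pool block as posted and applies the rules the replies above give (max_requests_per_server must be 0, max_spare_servers should not sit below start_servers, max_servers no more than double start_servers). The thresholds, the fallback defaults and the corrected block are assumptions made for this example, not the server's own validation.

```python
import re

# Added example, not from the thread: a checker for the thread pool
# block that applies the advice given in the replies.  Threshold rules
# and the fallback defaults are assumptions written for this example,
# not the server's own validation.

# The block as posted.
POSTED_CONFIG = """
thread pool {
    start_servers = 100
    max_servers = 1500
    min_spare_servers = 1
    max_spare_servers = 10
    max_requests_per_server = 10
}
"""

# One setting that passes every rule below (constructed; start_servers
# left as posted, the rest adjusted as the replies suggest).
CORRECTED_CONFIG = """
thread pool {
    start_servers = 100
    max_servers = 200
    min_spare_servers = 50
    max_spare_servers = 100
    max_requests_per_server = 0
}
"""

# Values used when a key is absent (assumed, from the stock radiusd.conf
# of that era).
DEFAULTS = {
    "start_servers": 5,
    "max_servers": 32,
    "min_spare_servers": 3,
    "max_spare_servers": 10,
    "max_requests_per_server": 0,
}


def parse_thread_pool(config_text):
    """Extract the integer settings inside 'thread pool { ... }'."""
    block = re.search(r"thread\s+pool\s*\{(.*?)\}", config_text, re.S)
    if block is None:
        raise ValueError("no thread pool block found")
    settings = dict(DEFAULTS)
    for key, value in re.findall(r"(\w+)\s*=\s*(\d+)", block.group(1)):
        settings[key] = int(value)
    return settings


def review_thread_pool(settings):
    """Return one finding per rule the settings break; [] means clean."""
    findings = []
    start = settings["start_servers"]
    if settings["max_requests_per_server"] != 0:
        findings.append("max_requests_per_server = %d: threads are recycled "
                        "after that many requests; use 0 so they run forever"
                        % settings["max_requests_per_server"])
    if settings["max_spare_servers"] < start:
        findings.append("max_spare_servers (%d) < start_servers (%d): the "
                        "server starts %d threads and immediately kills the "
                        "idle ones back down to %d"
                        % (settings["max_spare_servers"], start, start,
                           settings["max_spare_servers"]))
    if settings["min_spare_servers"] > settings["max_spare_servers"]:
        findings.append("min_spare_servers exceeds max_spare_servers")
    if settings["max_servers"] > 2 * start:
        findings.append("max_servers (%d) is more than double start_servers "
                        "(%d); the OS cannot usefully schedule that many "
                        "contending threads" % (settings["max_servers"], start))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, review_thread_pool(parse_thread_pool(text)) or ["OK"])
```

The checker says nothing about why the server freezes; as the replies note, that is more likely the perl or SQL module taking too long per request, which more threads cannot fix.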
Re: EAP session matching the State variable.
As usual, Alan has made a great job. After more than 7 eap authentications everything is still working fine. The bug is obviously fixed.

Thanks Alan

Norbert Wegener

Norbert Wegener wrote:
> I am running those tests at the moment with the modified version. I will post the result of 7 authentications later.
>
> Norbert Wegener
>
> Sebastian Heil wrote:
>>>> is there anything, i can try to test?
>>>
>>> $ cvs update
>>> $ cd src/modules/rlm_eap
>>> $ make clean
>>> $ make
>>>
>>> ... and re-run the tests.
>>
>> i am sorry, but my server doesn't have any internet-access... so, i can't use cvs for updating. is there another easy way to test your patch, alan?
>>
>> Sebastian
Re: EAP session matching the State variable.
Hi,

> i am sorry, but my server doesn't have any internet-access... so, i can't use
> cvs for updating.

use CVS on another machine, tar up the resulting CVS checkout, copy it to the server and recompile. it must have networking of some sort to be a radius server, n'est pas? ;-)

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP session matching the State variable.
I am running those tests at the moment with the modified version. I will post the result of 7 authentications later.

Norbert Wegener

Sebastian Heil wrote:
> > is there anything, i can try to test?
> >
> > $ cvs update
> > $ cd src/modules/rlm_eap
> > $ make clean
> > $ make
> >
> > ... and re-run the tests.
>
> i am sorry, but my server doesn't have any internet-access... so, i can't use cvs for updating. is there another easy way to test your patch, alan?
>
> Sebastian
Re: EAP session matching the State variable.
> > is there anything, i can try to test?
>
> $ cvs update
> $ cd src/modules/rlm_eap
> $ make clean
> $ make
>
> ... and re-run the tests.

i am sorry, but my server doesn't have any internet-access... so, i can't use cvs for updating. is there another easy way to test your patch, alan?

Sebastian
Re: Freeradius with OpenLDAP (Suse Enterprise 10)
Markus Krause wrote:
> Quoting David W Bell <[EMAIL PROTECTED]>:
> > LDAP is installed and working out of the box, having been set to be used for authentication during the SUSE install. This is proven by the ability to log in to the box, both locally and via SSH.
> >
> > I installed freeRADIUS from the latest source and it is working also. freeRADIUS seems unable to find a password for the user during authentication.
> >
> > I issue the following on my workstation
> >
> > [EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing
> > Received response ID 99, code 3, length = 20
> >
> > And see the following from freeRADIUS
> >
> > Listening on authentication address * port 1812
> > Listening on accounting address * port 1813
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45
> >         User-Name = "belld"
> >         User-Password = "p455w0rd"
> > +- entering group authorize
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > ++[suffix] returns noop
> > rlm_eap: No EAP-Message, not doing EAP
> > ++[eap] returns noop
> > ++[unix] returns notfound
> > ++[files] returns noop
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for belld
> > WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> >         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
> >         expand: dc=dxi,dc=net -> dc=dxi,dc=net
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to localhost:389, authentication 0
> > rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> > WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
> > rlm_ldap: user belld authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > ++[ldap] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
> > ++[pap] returns noop
> > auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> > auth: Failed to validate the user.
> > Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
> > Found Post-Auth-Type Reject
> > +- entering group REJECT
> >         expand: %{User-Name} -> belld
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] returns updated
> > Delaying reject of request 0 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 0
> > Sending Access-Reject of id 99 to 212.95.252.25 port 20758
> > Waking up in 4.9 seconds.
> >
> > What I can't work out is whether this is due to an LDAP or a RADIUS config problem.
>
> what is the result of the following commands (using a terminal):
>
> ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>
> if they (especially the latter) do not return a value for the field "userPassword" the problem is on the LDAP side.
>
> markus

Thanks Markus. I thought of that - and had done the 1st search and HAD noticed there was no LDAP password set

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[EMAIL PROTECTED]:~>

I thought this was because LDAP was handing that aspect over to something else but your second command shows a password.

[EMAIL PROTECTED]:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
logi
Re: Different IP Pool per proxied realm
Tony Spencer wrote:
> We are running freeradius on Centos and the most supported package that gets
> installed by "yum update" is freeradius-1.0.1-3.RHEL4.5, which I now have
> installed.

  Ugh.

> I've tried to upgrade by downloading the latest version, 2.0.1.
> Although it builds and installs it doesn't seem to try to connect to my SQL
> database. When I start the old version with -X I see a lot of mention of
> sql.
> But version 2.0.1 started with -X doesn't seem to say anything apart from
> its loading the sql.conf file.
> Am I missing something here?

  If you have built 2.0.1 with SQL *and* configured the SQL module in radiusd.conf && sites-available/default, it *should* work.

  My guess is that the server wasn't built with SQL, and that you haven't edited the configuration files to enable SQL.

  So far as the rest of the debug output goes, 1.0.1 is *years* out of date. I no longer remember what it does, or what quirks it has with respect to IP pools. If that is the only version that Redhat supports, then I suggest calling them and asking them for support. Or, use 2.0.1, which will be much easier to configure && debug.

  Alan DeKok.
RE: Different IP Pool per proxied realm
We are running freeradius on Centos and the most supported package that gets installed by "yum update" is freeradius-1.0.1-3.RHEL4.5, which I now have installed.

I've tried to upgrade by downloading the latest version, 2.0.1. Although it builds and installs it doesn't seem to try to connect to my SQL database. When I start the old version with -X I see a lot of mention of sql. But version 2.0.1 started with -X doesn't seem to say anything apart from its loading the sql.conf file. Am I missing something here?

That said I do have some debug for the version I am using for trying to assign a different IP pool per realm.

Here is the section that shows that radius is loading the IP pool:

Module: Loaded IPPOOL
 ippool: session-db = "/etc/raddb/db.ippool"
 ippool: ip-index = "/etc/raddb/db.ipindex"
 ippool: range-start = 85.92.168.1 IP address [85.92.168.1]
 ippool: range-stop = 85.92.168.254 IP address [85.92.168.254]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 800
 ippool: override = no
 ippool: maximum-timeout = 0
Module: Instantiated ippool (main_pool)

# This is the users entry:
DEFAULT Realm == "dsl.realm.co.uk", Pool-Name := "main_ip_realm1"

And here is the debug from a user using the realm logging in:

###
rad_recv: Access-Request packet from host 192.168.1.88:1645, id=245, length=127
        Framed-Protocol = PPP
        User-Name = "[EMAIL PROTECTED]"
        CHAP-Password = 0xb2cd36a39f414e084ae6ab6da5719886f7
        NAS-Port-Type = Virtual
        NAS-Port = 2548
        NAS-Port-Id = "Uniq-Sess-ID2548"
        Connect-Info = "4522000/1000"
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.1.88
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
  modcall[authorize]: module "preprocess" returns ok for request 14
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 14
  modcall[authorize]: module "mschap" returns noop for request 14
    rlm_realm: Looking up realm "dsl.realm.co.uk" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "dsl.realm.co.uk"
    rlm_realm: Proxying request from user leekane to realm dsl.realm.co.uk
    rlm_realm: Adding Realm = "dsl.realm.co.uk"
    rlm_realm: Preparing to proxy authentication request to realm "dsl.realm.co.uk"
  modcall[authorize]: module "suffix" returns updated for request 14
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 14
    users: Matched DEFAULT at 1
  modcall[authorize]: module "files" returns ok for request 14
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 21
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 21
  modcall[authorize]: module "sql" returns notfound for request 14
modcall: group authorize returns updated for request 14
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 14
radius_xlat: '/var/log/rad
Re: Freeradius with OpenLDAP (Suse Enterprise 10)
Quoting David W Bell <[EMAIL PROTECTED]>:
> LDAP is installed and working out of the box, having been set to be used for authentication during the SUSE install. This is proven by the ability to log in to the box, both locally and via SSH.
>
> I installed freeRADIUS from the latest source and it is working also. freeRADIUS seems unable to find a password for the user during authentication.
>
> I issue the following on my workstation
>
> [EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing
> Received response ID 99, code 3, length = 20
>
> And see the following from freeRADIUS
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45
>         User-Name = "belld"
>         User-Password = "p455w0rd"
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for belld
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>         expand: dc=dxi,dc=net -> dc=dxi,dc=net
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
> rlm_ldap: user belld authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
> Found Post-Auth-Type Reject
> +- entering group REJECT
>         expand: %{User-Name} -> belld
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
> Waking up in 4.9 seconds.
>
> What I can't work out is whether this is due to an LDAP or a RADIUS config problem.

what is the result of the following commands (using a terminal):

ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld

if they (especially the latter) do not return a value for the field "userPassword" the problem is on the LDAP side.

markus
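Markus's rule above, applied in code as an added example that is not from the thread or from FreeRADIUS: a small parser for ldapsearch LDIF output, run on two constructed captures modelled on the output David posted. The bound-search capture carrying a userPassword value is an assumption, since the page truncates that part of his reply.

```python
import base64

# Constructed LDIF modelled on the anonymous ldapsearch output in the thread:
# the entry comes back without userPassword.  Not real directory data.
ANON_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld
# requesting: ALL
#

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: belld
uidNumber: 1000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Assumed result of the second search, bound as the rlm_ldap admin DN: the same
# entry plus a base64-encoded userPassword (the page truncates this output).
SAMPLE_HASH = "{SSHA}constructed-sample-hash"
BOUND_LDIF = ANON_LDIF.replace(
    "uidNumber: 1000\n",
    "uidNumber: 1000\nuserPassword:: %s\n"
    % base64.b64encode(SAMPLE_HASH.encode()).decode())


def parse_ldif(text):
    """Parse ldapsearch LDIF into [{"dn": ..., "attrs": {name: [values]}}].

    Handles folded continuation lines (leading space), comment lines, blank-line
    entry separators and base64 values written with "::".
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:        # "search:" / "result:" trailer lines are skipped
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def diagnose(anon_ldif, bound_ldif, uid, password_attr="userPassword"):
    """The thread's rule: if the bind DN rlm_ldap uses cannot read the password
    attribute, the problem is on the LDAP side (nothing stored, or an ACL hides
    it); if it can, look at the RADIUS configuration.  Returns (code, text)."""
    def find(ldif):
        for entry in parse_ldif(ldif):
            if uid in entry["attrs"].get("uid", []):
                return entry
        return None

    anon, bound = find(anon_ldif), find(bound_ldif)
    if bound is None:
        return ("ENTRY_NOT_FOUND", "no entry with uid=%s: check basedn and filter" % uid)
    if password_attr not in bound["attrs"]:
        return ("LDAP_SIDE", "%s not returned even to the admin bind: no password "
                "stored, or the ACL hides it from that DN" % password_attr)
    note = ""
    if anon is not None and password_attr not in anon["attrs"]:
        note = " (hidden from anonymous searches, which is normal)"
    return ("RADIUS_SIDE", "%s is readable by the admin bind%s: check the rlm_ldap "
            "and Auth-Type configuration" % (password_attr, note))


if __name__ == "__main__":
    print(diagnose(ANON_LDIF, BOUND_LDIF, "belld"))
    print(diagnose(ANON_LDIF, ANON_LDIF, "belld"))
```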
Freeradius with OpenLDAP (Suse Enterprise 10)
LDAP is installed and working out of the box, having been set to be used for authentication during the SUSE install. This is proven by the ability to log in to the box, both locally and via SSH.

I installed freeRADIUS from the latest source and it is working also. freeRADIUS seems unable to find a password for the user during authentication.

I issue the following on my workstation

[EMAIL PROTECTED]:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing
Received response ID 99, code 3, length = 20

And see the following from freeRADIUS

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45
        User-Name = "belld"
        User-Password = "p455w0rd"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 99 to 212.95.252.25 port 20758
Waking up in 4.9 seconds.

What I can't work out is whether this is due to an LDAP or a RADIUS config problem.
Re: Using freeradius integrated with Active Directory to authenticate cisco passwords
Still not working. When I added krb5 { } at the radius.conf file, it gave me the following error at startup

/usr/local/etc/raddb/radiusd.conf[589]: Unexpected end of section
Errors reading radiusd.conf

Regards,

2008/2/8, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> > Hi,
> >
> > Thank you all.
> >
> > But how do I do this? Does anyone have a tutorial about it?
>
> add the required parts to the radius config files to enable krb5 (direct password check) against the AD - you will also need to ensure your kerberos environment is sane and works
>
> eg run the command
>
> kinit your_user_id
>
> on the command line to validate that your machine can get a kerberos ticket
>
> the bits you need to add to the radius config are:
>
> krb5 {
> }
>
> to the module stanza (radiusd.conf)
>
> and
>
> Auth-Type krb5 {
>         krb5
> }
>
> to the authenticate stanza (radiusd.conf in 1.1.x and sites-enabled/default in radiusd 2.x )
>
> you MAY need to set "Auth-Type = krb5" for the required user or NAS setting depending on your config!
>
> alan
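An added check, not from the thread or from FreeRADIUS, for the "Unexpected end of section" error above: it walks a radiusd.conf fragment and tracks brace depth, ignoring comments and quoted strings so that the braces of an xlat such as %{User-Name} inside a quoted filter are not counted. The fragment is constructed (a modules section with the krb5 stanza added as described, plus one stray closing brace); the reported line is where the imbalance is detected, which can be far from the stanza that was edited.

```python
# Constructed fragment of a radiusd.conf "modules" section with the krb5 stanza
# added as described in the thread, plus a stray closing brace.  Not the
# poster's real file.
BROKEN_CONF = """\
modules {
    pap {
        auto_header = yes
    }
    krb5 {
    }
    }   # stray brace: this closes "modules" early
    ldap {
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
}
"""

# The same fragment with the stray line removed.
FIXED_CONF = BROKEN_CONF.replace(
    '    }   # stray brace: this closes "modules" early\n', "")


def check_sections(conf_text):
    """Track { and } depth character by character.

    Comments (from # to end of line) and the contents of quoted strings are
    skipped, so braces inside an xlat like %{User-Name} do not count.
    Backslash escapes inside quotes are not handled (assumption: the configs
    being checked do not rely on them).

    Returns (ok, message, line): on failure, line is where the first extra
    '}' was met, or where a section that was never closed was opened.
    """
    open_sections = []          # line numbers of the sections currently open
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        quote = None
        for ch in line:
            if quote:
                if ch == quote:
                    quote = None
                continue
            if ch in "\"'`":
                quote = ch
            elif ch == "#":
                break
            elif ch == "{":
                open_sections.append(lineno)
            elif ch == "}":
                if not open_sections:
                    return (False, "unexpected '}' with no open section", lineno)
                open_sections.pop()
    if open_sections:
        return (False, "section opened here is never closed", open_sections[-1])
    return (True, "all sections balanced", None)


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        ok, msg, line = check_sections(conf)
        print("%s: %s%s" % (name, msg, "" if line is None else " (line %d)" % line))
```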
Re: segmentation fault over perl script.
> hello
> i am trying to install freeradius over debian with perl support.
> I am running the same config with same perl script over ubuntu.
> I compiled 1.1.7 version, copied config files and script to same folder.
> and when i try to run it i get the following output.
>
> Starting - reading configuration files ...
> Using deprecated naslist file. Support for this will go away soon.
> Module: Loaded exec
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> Module: Instantiated mschap (mschap)
> Module: Loaded perl
> Module: Instantiated perl (perl)
> Module: Loaded System
> Module: Instantiated unix (unix)
> Module: Loaded eap
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> rlm_eap: Loaded and initialized type gtc
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> Module: Instantiated realm (suffix)
> Module: Loaded files
> Module: Instantiated files (files)
> Module: Loaded SQL
> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/wireless
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql (sql): Connected new DB handle, #0
> rlm_sql (sql): starting 1
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql (sql): starting 2
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> rlm_sql_mysql: Starting connect to MySQL server for #2
> rlm_sql (sql): Connected new DB handle, #2
> rlm_sql (sql): starting 3
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> rlm_sql_mysql: Starting connect to MySQL server for #4
> rlm_sql (sql): Connected new DB handle, #4
> Module: Instantiated sql (sql)
> Module: Loaded Acct-Unique-Session-Id
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
>
> It starts waiting here..
> When any request submits..
> I just receive a message as
> Segmentation Fault
> and radiusd quits.
> I know this script is working without any problem.
> And the config file is also ok. But i couldn't find the problem
> Any help would be great.

Problem solved.. I recompiled freeradius with ./configure --enable-developer option
And then i noticed that i forgot to add previous dictionary entries that i use in my mysql tables.
segmentation fault over perl script.
hello
i am trying to install freeradius over debian with perl support.
I am running the same config with same perl script over ubuntu.
I compiled 1.1.7 version, copied config files and script to same folder.
and when i try to run it i get the following output.

Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded perl
Module: Instantiated perl (perl)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/wireless
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp

It starts waiting here..
When any request submits..
I just receive a message as
Segmentation Fault
and radiusd quits.
I know this script is working without any problem.
And the config file is also ok. But i couldn't find the problem
Any help would be great.
Re: EAP session matching the State variable.
Sebastian Heil wrote:
> i don't know, if it's my stupid configuration or the freeradius, that
> produces following:

  No. It's a bug. I committed a fix over the weekend.

...
> Then, the server switches back to "normal" state-variables...
> example:
> State = 0x03040db7c026e2b769757300

  Even that is wrong.

> is there anything, i can try to test?

$ cvs update
$ cd src/modules/rlm_eap
$ make clean
$ make

... and re-run the tests.

  Alan DeKok.
Re: EAP session matching the State variable.
> Sebastian Heil wrote:
> > Hmm, i have the same error in 2.0.1.
> > i did kind of an eap-tls-stress-test with a perl script based on the
> > rad_eap_test script. there are a lot of "login oks" in my log-file, but about
> > 5-10% are "login incorrect" with the same error-message as above.
> >
> > i did three stress-tests... here the result:
> >
> > Login OK    Login incorrect
> > 5290        281
>
> If the State variable is mostly zero, then it's a problem... even if
> authentication succeeds.
>
> Alan DeKok.

Hi,

i don't know, if it's my stupid configuration or the freeradius, that produces following:

i have two virtual machines (both suse linux 10). on one machine, the freeradius-server is running, on the other machine, i have my little perl-script, that uses rad_eap_test.

perl-script:
-
#!/usr/bin/perl

$i = 0;
while ($i <= 5) {
    $i++;
    &radtest;
}

sub radtest {
    $radiustest = `rad_eap_test -H *** -P 1812 -S testing123 -u sl90001 -m IEEE8021X -e TLS -j /etc/raddb/certs/sl90001_chain.pem -k /etc/raddb/certs/host_sl90001_chain.pem -a /tmp/rootcerts.pem`;
    print $radiustest;
}
--

if i run the script only one-time, the state-variable looks something like this:

State = 0x066227990f682a3467daaa2d38adf01c

If i run the script 3 or 4 times at the same time on my virtual-server, the freeradius-server gets some problems... after some time, the server produces such state-variables:

example:
State = 0x00010d00

Then, the server switches back to "normal" state-variables...

example:
State = 0x03040db7c026e2b769757300

and then back to:

State = 0x04050d00

if the complete debug is helpful, alan, i can send it to you...

is there anything, i can try to test?

Sebastian
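An added diagnostic, not code from the thread or from FreeRADIUS: it scans FreeRADIUS debug output for State values, flags the short or mostly-zero ones Alan describes, and counts the Login OK / Login incorrect lines alongside so the two can be compared. The debug text is constructed from the State values quoted in the thread, and the 16-byte expectation is an assumption taken from Sebastian's "normal" example.

```python
import re
from collections import Counter

# Constructed FreeRADIUS debug excerpt built from the State values quoted in
# the thread; not a real capture.  Login lines follow the server's format.
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 3 to 10.0.0.5 port 1812
        State = 0x066227990f682a3467daaa2d38adf01c
Sending Access-Challenge of id 4 to 10.0.0.5 port 1812
        State = 0x00010d00
Login OK: [sl90001] (from client vm port 0 cli 00-00-00-00-00-00)
Sending Access-Challenge of id 5 to 10.0.0.5 port 1812
        State = 0x03040db7c026e2b769757300
Sending Access-Challenge of id 6 to 10.0.0.5 port 1812
        State = 0x04050d00
Login incorrect: [sl90001] (from client vm port 0 cli 00-00-00-00-00-00)
"""

STATE_RE = re.compile(r"^[ \t]*State\s*=\s*0x([0-9a-fA-F]+)[ \t]*$", re.MULTILINE)
LOGIN_RE = re.compile(r"^(Login OK|Login incorrect):", re.MULTILINE)

# Assumption taken from the "normal" value in the thread: a healthy rlm_eap
# State is 16 bytes long.
EXPECTED_STATE_LEN = 16


def parse_states(debug_text):
    """Return every State attribute value in the debug output as bytes."""
    return [bytes.fromhex(m.group(1)) for m in STATE_RE.finditer(debug_text)]


def state_problems(state):
    """Reasons a State value looks wrong; an empty list means it looks healthy."""
    problems = []
    if len(state) < EXPECTED_STATE_LEN:
        problems.append("short (%d bytes)" % len(state))
    # "mostly zero": at least half of the bytes are 0x00
    if state and state.count(0) * 2 >= len(state):
        problems.append("mostly zero")
    return problems


def summarize(debug_text):
    """Count login outcomes and list suspicious State values with their reasons."""
    states = parse_states(debug_text)
    logins = Counter(m.group(1) for m in LOGIN_RE.finditer(debug_text))
    suspicious = [(s.hex(), state_problems(s)) for s in states if state_problems(s)]
    return {
        "states": len(states),
        "suspicious": suspicious,
        "login_ok": logins["Login OK"],
        "login_incorrect": logins["Login incorrect"],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_DEBUG)
    print("%(states)d State values, %(login_ok)d Login OK, "
          "%(login_incorrect)d Login incorrect" % report)
    for value, reasons in report["suspicious"]:
        print("  suspicious State 0x%s: %s" % (value, ", ".join(reasons)))
```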