Re: FS trying to authenticate accounting data
Alan,
I recompiled with this patch, however, I am getting the same results as
before.
Jim Lohiser
- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Friday, May 02, 2008 11:33 AM
Subject: Re: FS trying to authenticate accounting data
Jim L. wrote:
...
Sending proxied request internally to virtual server.
server ImagineNet_Detail {
auth: No authenticate method (Auth-Type) configuration found for the
Ugh. The code that does the internal proxying doesn't check for
auth/acct differences. Oops.
Try the attached patch. If it works, I'll commit it.
Alan DeKok.
Index: src/main/event.c
===
RCS file: /source/radiusd/src/main/event.c,v
retrieving revision 1.100
diff -u -r1.100 event.c
--- src/main/event.c 20 Apr 2008 15:00:06 - 1.100
+++ src/main/event.c 2 May 2008 15:37:25 -
@@ -1176,6 +1176,7 @@
static int proxy_to_virtual_server(REQUEST *request)
{
REQUEST *fake;
+ RAD_REQUEST_FUNP fun;
if (!request->home_server || !request->home_server->server) return 0;
@@ -1193,6 +1194,17 @@
fake->packet->vps = paircopy(request->proxy->vps);
fake->server = request->home_server->server;
+ if (request->proxy->code == PW_AUTHENTICATION_REQUEST) {
+ fun = rad_authenticate;
+
+ } else if (request->proxy->code == PW_ACCOUNTING_REQUEST) {
+ fun = rad_accounting;
+
+ } else {
+ DEBUG2("Unknown packet type %d", request->proxy->code);
+ return 0;
+ }
+
DEBUG2(">>> Sending proxied request internally to virtual server.");
radius_handle_request(fake, rad_authenticate);
DEBUG2("<<< Received proxied response from internal virtual server.");
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authentication problem between supplicant and radius server
>I need some explanation with what is going wrong in my config! > >i have : > - freeradius 2.0.2-3 AS RADIUS SERVER >- DWS3024 as authenticator (set up for transmit request to radius server >correctly) >- (this step) DWL-8500AP as Access point (my spplicant) > >i had not that problem using that config on my previous system (fedora 8 + >freeradius 1.1-7). > >"Radiusd - X" telles me that there is no "User-Password" attribute found on >the request whent the Access-Point (AP) tries to authenticate. >it shows me "@MAC_ADDRESS" as login and "000# as password. >the suppliers doc says default password is "NOPASSWORD". >when i update the password in "users" file as "NOPASSWORD" or "000" or hen i >leave it empty, i have exactly the same results. > >below is my radiusd -X log, a part of my clients.cnf. file and same of "users" >file. >maybe could someone tell me what i missed. > .. >rad_recv: Access-Request packet from host 192.168.0.254 port 49153, id=73, >length=79 >User-Name = "00-1c-f0-07-d6-90\000" >NAS-Identifier = "00-17-9A-95-0C-18" >Message-Authenticator = 0xe7734b66fdcbf582530af8458ee4627e AP is not sending anything as password. >### > >"Users" file >### > AP 1 Auth-Type := Local, >00-1c-f0-07-d6-90\000 Auth-Type := Local, User-Password += "000" Alter this to (and leave reply attributes as they are): 00-1c-f0-07-d6-90\000 Auth-Type := Accept Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Certificate Properties.
On Fri, May 2, 2008 at 2:47 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andrew Olson wrote:
> > I would like to have my Perl authenticate method called after
> > eaptls_process is done. I gather that since eap returns "handled"
> > that no more processing is done. I'm pretty sure that I have Perl
> > configured correctly, since it gets called on other requests. Am I
> > missing something? If I ever get this working, I'll post the patch.
>
> You should run the Perl module in the "authenticate" section, after
> the EAP module is called.
>
This is what my authenticate section looks like. Should it be different?
authenticate {
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
Auth-Type EAP {
eap
perl
}
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Redundant LDAP Servers
On 5/2/08 12:45 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> Jason Traeden wrote:
>> That did not work ether. Is there a better way to achieve ldap redundancy?
>
> Force Auth-Type = LDAP. But it would be best to have this required in
> as few situations as possible.
>
>> I have attached the log output from when I started radiusd -X and the login
>> failure.
>
> rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed
> in the "authenticate" section.
>
> So... you don't have:
>
> authenticate {
> ...
> Auth-Type LDAP {
> redundant {
> ad01
> ad02
> }
> }
> ...
> }
So I do have the authenticate section
authenticate {
Auth-Type LDAP {
redundant {
ad01
ad02
}
}
And I still get the following errors
rlm_ldap: Over-riding set_auth_type, as there is no module ad02 listed in
the "authenticate" section.
rlm_ldap: Over-riding set_auth_type, as there is no module ad01 listed in
the "authenticate" section.
It is acting like the modules ad01 and ad02 are not loading right.
Thanks
Jason
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Certificate Properties.
Andrew Olson wrote: > I would like to have my Perl authenticate method called after > eaptls_process is done. I gather that since eap returns "handled" > that no more processing is done. I'm pretty sure that I have Perl > configured correctly, since it gets called on other requests. Am I > missing something? If I ever get this working, I'll post the patch. You should run the Perl module in the "authenticate" section, after the EAP module is called. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Redundant LDAP Servers
Jason Traeden wrote:
> That did not work ether. Is there a better way to achieve ldap redundancy?
Force Auth-Type = LDAP. But it would be best to have this required in
as few situations as possible.
> I have attached the log output from when I started radiusd -X and the login
> failure.
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed
in the "authenticate" section.
So... you don't have:
authenticate {
...
Auth-Type LDAP {
redundant {
ad01
ad02
}
}
...
}
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
DER format in TLS certificates
Hi,
Can I use DER format for certificates?
With PEM format TTLS works fine but if I use DER format it outputs:
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/pki/tls/certs/ips-spectrum-key.der"
certificate_file = "/etc/pki/tls/certs/ips-spectrum-crt.der"
CA_file = "/etc/pki/tls/certs/ips-ca-bundle.der"
dh_file = "/usr/local-2.0.2/etc/raddb/certs/dh"
random_file = "/usr/local-2.0.2/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file
/etc/pki/tls/certs/ips-spectrum-crt.der
rlm_eap: Failed to initialize type tls
/usr/local-2.0.2/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local-2.0.2/etc/raddb/sites-enabled/default[253]: Failed to find
module "eap".
/usr/local-2.0.2/etc/raddb/sites-enabled/default[200]: Errors parsing
authenticate section.
}
}
Errors initializing modules
Thanks in advance!
--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Redundant LDAP Servers
That did not work ether. Is there a better way to achieve ldap redundancy?
I have attached the log output from when I started radiusd -X and the login
failure.
Thanks
Jason
On 5/2/08 11:45 AM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> Jason Traeden wrote:
> ..
>> Ok I patched my box with this ldap.c.diff and I still have the same results.
>
> Hmm... the same error messages?
>
> Try this. I think this one should work...
>
> Alan DeKok.
> Index: src/modules/rlm_ldap/rlm_ldap.c
> ===
> RCS file: /source/radiusd/src/modules/rlm_ldap/rlm_ldap.c,v
> retrieving revision 1.194
> diff -u -r1.194 rlm_ldap.c
> --- src/modules/rlm_ldap/rlm_ldap.c 17 Apr 2008 07:59:21 - 1.194
> +++ src/modules/rlm_ldap/rlm_ldap.c 2 May 2008 17:49:49 -
> @@ -160,6 +160,7 @@
> #endif
> int ldap_debug; /* Debug flag for LDAP SDK */
> char *xlat_name; /* name used to xlat */
> + char *auth_type;
> char *tls_cacertfile;
> char *tls_cacertdir;
> char *tls_certfile;
> @@ -456,9 +457,17 @@
> */
> if (inst->set_auth_type) {
> DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
> +
> + /*
> + * No section of *my* name, but maybe there's an
> + * LDAP section...
> + */
> + if (!dv) dv = dict_valbyname(PW_AUTH_TYPE, "LDAP");
> if (!dv) {
> DEBUG2("rlm_ldap: Over-riding set_auth_type, as there is no module %s listed
> in the \"authenticate\" section.", xlat_name);
> inst->set_auth_type = 0;
> + } else {
> + inst->auth_type = dv->name; /* doesn't change on HUP */
> }
> } /* else no need to look up the value */
>
> @@ -1696,8 +1705,8 @@
>request->password &&
>(request->password->attribute == PW_USER_PASSWORD) &&
>!added_known_password) {
> - pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));
> - DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->xlat_name);
> + pairadd(check_pairs, pairmake("Auth-Type", inst->auth_type, T_OP_EQ));
> + DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->auth_type);
> }
>
> DEBUG("rlm_ldap: user %s authorized to use remote access",
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
log.txt
Description: Binary data
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Certificate Properties.
So, I managed to find the place where the certificate gets taken
apart. I added some code to parse out the serialNumber and put it
back onto the request. I'd like to be able to do some processing
later with Perl. However, it appears that appears that my Perl module
isn't getting called where I want it to.
SSL Connection Established
eaptls_process returned 13
++[eap] returns handled
EAP-Message =
0x010900350d80002b14030100010116030100202bb95c025a504e497064ffa66b4138307aa4cc22c4b46b5da74712ad8553ce74
Message-Authenticator = 0x
State = 0xbe08af5fb801a2c65b78155ec5f3f1cf
Finished request 7.
I would like to have my Perl authenticate method called after
eaptls_process is done. I gather that since eap returns "handled"
that no more processing is done. I'm pretty sure that I have Perl
configured correctly, since it gets called on other requests. Am I
missing something? If I ever get this working, I'll post the patch.
Thanks,
Andrew Olson
On Tue, Apr 29, 2008 at 3:50 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
> Andrew Olson wrote:
> > Are there attributes available to get at properties of a certificate.
> > I want to look at properties like Subject DN, Serial number, etc.
> >
> > So, somewhere in the FR config, I could do something like
> > '%{cert-serial-number} == blah'.
>
> No. As always, patches are welcome.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
authentication problem between supplicant and radius server
Hello
I need some explanation with what is going wrong in my config!
i have :
- freeradius 2.0.2-3 AS RADIUS SERVER
- DWS3024 as authenticator (set up for transmit request to radius server
correctly)
- (this step) DWL-8500AP as Access point (my spplicant)
i had not that problem using that config on my previous system (fedora 8 +
freeradius 1.1-7).
"Radiusd - X" telles me that there is no "User-Password" attribute found on
the request whent the Access-Point (AP) tries to authenticate.
it shows me "@MAC_ADDRESS" as login and "000# as password.
the suppliers doc says default password is "NOPASSWORD".
when i update the password in "users" file as "NOPASSWORD" or "000" or hen i
leave it empty, i have exactly the same results.
below is my radiusd -X log, a part of my clients.cnf. file and same of "users"
file.
maybe could someone tell me what i missed.
thank you
# radiusd -X
##
FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Mar 18 2008 at
19:47:59
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
user = "radiusd"
group = "radiusd"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client dws3024 {
ipaddr = 192.168.0.254
require_message_authenticator = yes
secret = "wireless"
}
radiusd: Loading Realms and Home Servers
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: Instantiating modules
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: Loading Virtual Servers
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
ea
Re: Redundant LDAP Servers
Jason Traeden wrote:
..
> Ok I patched my box with this ldap.c.diff and I still have the same results.
Hmm... the same error messages?
Try this. I think this one should work...
Alan DeKok.
Index: src/modules/rlm_ldap/rlm_ldap.c
===
RCS file: /source/radiusd/src/modules/rlm_ldap/rlm_ldap.c,v
retrieving revision 1.194
diff -u -r1.194 rlm_ldap.c
--- src/modules/rlm_ldap/rlm_ldap.c 17 Apr 2008 07:59:21 - 1.194
+++ src/modules/rlm_ldap/rlm_ldap.c 2 May 2008 17:49:49 -
@@ -160,6 +160,7 @@
#endif
int ldap_debug; /* Debug flag for LDAP SDK */
char *xlat_name; /* name used to xlat */
+ char *auth_type;
char *tls_cacertfile;
char *tls_cacertdir;
char *tls_certfile;
@@ -456,9 +457,17 @@
*/
if (inst->set_auth_type) {
DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
+
+ /*
+ * No section of *my* name, but maybe there's an
+ * LDAP section...
+ */
+ if (!dv) dv = dict_valbyname(PW_AUTH_TYPE, "LDAP");
if (!dv) {
DEBUG2("rlm_ldap: Over-riding set_auth_type, as there is no module %s listed in the \"authenticate\" section.", xlat_name);
inst->set_auth_type = 0;
+ } else {
+ inst->auth_type = dv->name; /* doesn't change on HUP */
}
} /* else no need to look up the value */
@@ -1696,8 +1705,8 @@
request->password &&
(request->password->attribute == PW_USER_PASSWORD) &&
!added_known_password) {
- pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));
- DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->xlat_name);
+ pairadd(check_pairs, pairmake("Auth-Type", inst->auth_type, T_OP_EQ));
+ DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->auth_type);
}
DEBUG("rlm_ldap: user %s authorized to use remote access",
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ldap attribute config stuff
Ok, to begin I am not a radius guru. In fact, the word novice applies very strongly here That being said on to my inquiry. I have two radius systems on site. One of them is for our wireless system and the other for our old trying to die dialup. The wireless system is setup to authenticate to our LDAP repository and make sure that users have a particular attribute before letting them on. Our dial up system is a big mess of flat files on a version of the software I wont admit to. I would very much like to get the radius server doing the wireless work to also do our dial up work. To do this I have loaded some attributes into our LDAP server for it to query, but then I run into a bit of a problem. How do I configure a required attribute of "Wireless=yes" for one set of clients and an attribute of "DialUP=yes" for the other? Can this be done? Did I miss the doc on this? Solaris 9 SPARC, FreeRadius 1.1.6 Any help I can get on this would be very appreciated. Pat - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Redundant LDAP Servers
On 5/2/08 9:45 AM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> Jason Traeden wrote:
>> I am running freeradius version 2.0.4 and using LDAP against Active
>> Directory. When I have a single LDAP server setup my authentication works
>> great. I am having trouble using the redundant ldap settings.
> ...
>> authenticate {
> ...
>> Auth-Type LDAP {
>
> If many people are setting redundant LDAP modules *inside* of
> Auth-Type LDAP, and *not* referencing the module elsewhere, that can be
> done.
>
> Try the attached patch. If it works, I'll commit it.
>
> Alan DeKok.
> Index: src/modules/rlm_ldap/rlm_ldap.c
> ===
> RCS file: /source/radiusd/src/modules/rlm_ldap/rlm_ldap.c,v
> retrieving revision 1.194
> diff -u -r1.194 rlm_ldap.c
> --- src/modules/rlm_ldap/rlm_ldap.c 17 Apr 2008 07:59:21 - 1.194
> +++ src/modules/rlm_ldap/rlm_ldap.c 2 May 2008 15:49:06 -
> @@ -456,6 +456,12 @@
> */
> if (inst->set_auth_type) {
> DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
> +
> + /*
> + * No section of *my* name, but maybe there's an
> + * LDAP section...
> + */
> + if (!dv) dv = dict_valbyname(PW_AUTH_TYPE, "LDAP");
> if (!dv) {
> DEBUG2("rlm_ldap: Over-riding set_auth_type, as there is no module %s listed
> in the \"authenticate\" section.", xlat_name);
> inst->set_auth_type = 0;
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok I patched my box with this ldap.c.diff and I still have the same results.
Thanks
Jason
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
Alan DeKok wrote: rsg wrote: They are not on the same LAN. This delay is induced by SQL based IP assignment. Specially when around 30 concurrent Auth queries are made, the accounting response (Start) takes about 30 seconds (Delayed by New Auth requests) to reach NAS leading to the ultimate Auth failures. Huh? You're saying that the NAS rejects the user because it can't send an Accounting-Request packet? That's broken. I've seen NASes where this is configurable behaviour e.g. 3Com Superstack III switches. Thankfully the default is to be sensible - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
On Fri, May 2, 2008 at 6:17 PM, Alan DeKok <[EMAIL PROTECTED]> wrote: > rsg wrote: > > They are not on the same LAN. This delay is induced by SQL based IP > assignment. > > > > Specially when around 30 concurrent Auth queries are made, the > > accounting response (Start) takes about 30 seconds (Delayed by New > > Auth requests) to reach NAS leading to the ultimate Auth failures. > > Huh? You're saying that the NAS rejects the user because it can't > send an Accounting-Request packet? That's broken. No, NAS doesn't receive the Accounting-Response from AAA in time. > > > > Could Accouting-Responses be prioritized over New Auth-queries? > > No. > > (1) Your SQL server seems to have problems. 32 queries/s isn't a lot. > (2) Your NAS seems to have problems. Users should NOT be rejected > because it doesn't get an accounting response packet > (3) Even if it *did* prioritize accounting responses, all you would be > doing is trading off rejecting one user for rejecting another user. > > Something is broken in your system. It's not FreeRADIUS. > Thanks. Will have a closer look into the SQL first.. > > > Alan DeKok. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
rsg wrote: > They are not on the same LAN. This delay is induced by SQL based IP > assignment. > > Specially when around 30 concurrent Auth queries are made, the > accounting response (Start) takes about 30 seconds (Delayed by New > Auth requests) to reach NAS leading to the ultimate Auth failures. Huh? You're saying that the NAS rejects the user because it can't send an Accounting-Request packet? That's broken. > Could Accouting-Responses be prioritized over New Auth-queries? No. (1) Your SQL server seems to have problems. 32 queries/s isn't a lot. (2) Your NAS seems to have problems. Users should NOT be rejected because it doesn't get an accounting response packet (3) Even if it *did* prioritize accounting responses, all you would be doing is trading off rejecting one user for rejecting another user. Something is broken in your system. It's not FreeRADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
I'm trying to process multiple queries at the same time and when it exceeds 32 this delay occurs. SQLIPPOOL is being used for Autz. On Fri, May 2, 2008 at 5:39 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote: > >Or is there a possibility to Prioritize "Accounting-Response" over new > >Auth queries so that response delay could be minimized? > > > > I would look into why it takes so long to process Accounting-Requests. > Something is seriously wrong there. How long does it take to do an > insert for a Start packet? > > > Ivan Kalik > Kalik Informatika ISP > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
> rsg wrote: > > However, I'm actually talking about retransmissions. Please Refer to > > Accounting-Request IDs 142,134 and 236. They are retransmissions due > > to delay in response. > Alan DeKok <[EMAIL PROTECTED]> wrote: > Accounting packets are not re-transmitted. The contents change, so > they get allocated a new Id. OK, I understand. They 142 is a "Start" message whereas 134, and 236 are "Stop" messages with different Acct-Session-Ids. > > Auth process fails at the client end. Simply speaking, the client does > > not get the Framed-IP-Address. > > > > This occurs, when the (NAS <=> AAA) response delay exceeds ~5 seconds. > > Fix your NAS. 5 seconds SHOULD be an acceptable timeout for the NAS. > > If the NAS is on the same LAN as the RADIUS server, 5 seconds is *way* > too long for the RADIUS server to respond. > They are not on the same LAN. This delay is induced by SQL based IP assignment. Specially when around 30 concurrent Auth queries are made, the accounting response (Start) takes about 30 seconds (Delayed by New Auth requests) to reach NAS leading to the ultimate Auth failures. > > How could one tackle with this issue? > > > > As Ivan described could "NAS retransmit timer" be increased to handle > > delayed responses? > > Yes. See your NAS documentation. Could Accouting-Responses be prioritized over New Auth-queries? Many Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Redundant LDAP Servers
Jason Traeden wrote:
> I am running freeradius version 2.0.4 and using LDAP against Active
> Directory. When I have a single LDAP server setup my authentication works
> great. I am having trouble using the redundant ldap settings.
...
> authenticate {
...
> Auth-Type LDAP {
If many people are setting redundant LDAP modules *inside* of
Auth-Type LDAP, and *not* referencing the module elsewhere, that can be
done.
Try the attached patch. If it works, I'll commit it.
Alan DeKok.
Index: src/modules/rlm_ldap/rlm_ldap.c
===
RCS file: /source/radiusd/src/modules/rlm_ldap/rlm_ldap.c,v
retrieving revision 1.194
diff -u -r1.194 rlm_ldap.c
--- src/modules/rlm_ldap/rlm_ldap.c 17 Apr 2008 07:59:21 - 1.194
+++ src/modules/rlm_ldap/rlm_ldap.c 2 May 2008 15:49:06 -
@@ -456,6 +456,12 @@
*/
if (inst->set_auth_type) {
DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
+
+ /*
+ * No section of *my* name, but maybe there's an
+ * LDAP section...
+ */
+ if (!dv) dv = dict_valbyname(PW_AUTH_TYPE, "LDAP");
if (!dv) {
DEBUG2("rlm_ldap: Over-riding set_auth_type, as there is no module %s listed in the \"authenticate\" section.", xlat_name);
inst->set_auth_type = 0;
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
>Or is there a possibility to Prioritize "Accounting-Response" over new >Auth queries so that response delay could be minimized? > I would look into why it takes so long to process Accounting-Requests. Something is seriously wrong there. How long does it take to do an insert for a Start packet? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FS trying to authenticate accounting data
Jim L. wrote:
...
Sending proxied request internally to virtual server.
> server ImagineNet_Detail {
> auth: No authenticate method (Auth-Type) configuration found for the
Ugh. The code that does the internal proxying doesn't check for
auth/acct differences. Oops.
Try the attached patch. If it works, I'll commit it.
Alan DeKok.
Index: src/main/event.c
===
RCS file: /source/radiusd/src/main/event.c,v
retrieving revision 1.100
diff -u -r1.100 event.c
--- src/main/event.c 20 Apr 2008 15:00:06 - 1.100
+++ src/main/event.c 2 May 2008 15:37:25 -
@@ -1176,6 +1176,7 @@
static int proxy_to_virtual_server(REQUEST *request)
{
REQUEST *fake;
+ RAD_REQUEST_FUNP fun;
if (!request->home_server || !request->home_server->server) return 0;
@@ -1193,6 +1194,17 @@
fake->packet->vps = paircopy(request->proxy->vps);
fake->server = request->home_server->server;
+ if (request->proxy->code == PW_AUTHENTICATION_REQUEST) {
+ fun = rad_authenticate;
+
+ } else if (request->proxy->code == PW_ACCOUNTING_REQUEST) {
+ fun = rad_accounting;
+
+ } else {
+ DEBUG2("Unknown packet type %d", request->proxy->code);
+ return 0;
+ }
+
DEBUG2(">>> Sending proxied request internally to virtual server.");
radius_handle_request(fake, rad_authenticate);
DEBUG2("<<< Received proxied response from internal virtual server.");
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Suggestion for modules directory
Jim L. wrote: > If the FreeRADIUS team monitors this list, Yes... > I have a small suggestion. > Along with the sites-available/sites-enabled directories, I would like > to suggest a similar configuration for the modules section. Given the number of modules out there... it's likely a good idea. > I have added > this to our servers and placed all of my custom module sections in > corresponding configuration files under the modules directory. As with > the sites directories, this allows me to make less modifications to > radiusd.conf. Also, I can easily split up the per-site module > configurations into separate module files. I do not know if something > like modules-available/modules-enabled is really necessary. Perhaps just > "$INCLUDE modules/" in under the modules section would be sufficient. Yup. We'll look into it for the next release. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
rsg wrote: > However, I'm actually talking about retransmissions. Please Refer to > Accounting-Request IDs 142,134 and 236. They are retransmissions due > to delay in response. Accounting packets are not re-transmitted. The contents change, so they get allocated a new Id. > Auth process fails at the client end. Simply speaking, the client does > not get the Framed-IP-Address. > > This occurs, when the (NAS <=> AAA) response delay exceeds ~5 seconds. Fix your NAS. 5 seconds SHOULD be an acceptable timeout for the NAS. If the NAS is on the same LAN as the RADIUS server, 5 seconds is *way* too long for the RADIUS server to respond. > So according to RFC 5080: Is this an example of "Note that changing > the Request ID for a retransmission may have undesirable side > effects." ? No. > How could one tackle with this issue? > > As Ivan described could "NAS retransmit timer" be increased to handle > delayed responses? Yes. See your NAS documentation. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Redundant LDAP Servers
I am running freeradius version 2.0.4 and using LDAP against Active
Directory. When I have a single LDAP server setup my authentication works
great. I am having trouble using the redundant ldap settings.
Here is some config data
ldap ad01 {
server = ocdc01.overstock.com
port = 389
identity = "CN=LDAP
Bind,OU=Special,OU=OSTK_Accounts,DC=overstock,DC=com"
password = xx
basedn = OU=OSTK_Accounts,DC=overstock,DC=com
filter =
"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
"
ldap_connections_number = 5
timeout = 40
timelimit = 30
net_timeout = 10
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupname_attribute = cn
groupmembership_filter
="(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objec
tClass=top)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf
#ldap_debug = 0x
}
ldap ad02 {
server = ocdc01.overstock.com
port = 389
identity = "CN=LDAP
Bind,OU=Special,OU=OSTK_Accounts,DC=overstock,DC=com"
password = xx
basedn = OU=OSTK_Accounts,DC=overstock,DC=com
filter =
"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
"
ldap_connections_number = 5
timeout = 40
timelimit = 30
net_timeout = 10
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupname_attribute = cn
groupmembership_filter
="(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objec
tClass=top)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf
#ldap_debug = 0x
}
instantiate {
exec
expr
expiration
logintime
ldap
ad01
ad02
}
authorize {
preprocess
redundant {
ad01 {
fail = 1
ok = return
}
ad02 {
fail = 1
ok = return
}
}
files
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type LDAP {
redundant {
ad01 {
fail = 1
ok = return
}
ad02 {
fail = 1
ok = return
}
}
}
}
DEFAULT Ldap-Group ==
"CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com"
Auth-Type := Accept,
Foundry-Privilege-Level = 0,
Foundry-Command-String = *,
Foundry-Command-Exception-Flag= 0,
Foundry-INM-Privilege = 15,
Fall-Through = No
DEFAULT ad01-Ldap-Group ==
"CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com"
Auth-Type := Accept,
Foundry-Privilege-Level = 0,
Foundry-Command-String = *,
Foundry-Command-Exception-Flag= 0,
Foundry-INM-Privilege = 15,
Fall-Through = No
DEFAULT ad02-Ldap-Group ==
"CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com"
Auth-Type := Accept,
Foundry-Privilege-Level = 0,
Foundry-Command-String = *,
Foundry-Command-Exception-Flag= 0,
Foundry-INM-Privilege = 15,
Fall-Through = No
Here is some debug info
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ad02-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ad02-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ad02
rlm_ldap: Over-riding set_auth_type, as there is no module ad02 listed in
the "authenticate" section.
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ad01-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ad01-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ad01
rlm_ldap: Over-riding set_auth_type, as there is no module ad01 listed in
the "authenticate" section.
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Thanks
Jason
--
Jason Traeden
Network Engineer
Overstock.com
6350 South 3000 East
Salt Lake City, UT 84121
[EMAIL PROTECTED]
Desk 801-947-3889
Cell 801-699-1379
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fw: Discard duplicate requests if received within a specified period
Or is there a possibility to Prioritize "Accounting-Response" over new Auth queries so that response delay could be minimized? On Fri, May 2, 2008 at 4:34 PM, rsg <[EMAIL PROTECTED]> wrote: > Hi, Many thanks for the reference and explanations. > > Here's what I see. The following flows correspond to a single > transaction. Duplicate Packets are marked based on the id. > > However, I'm actually talking about retransmissions. Please Refer to > Accounting-Request IDs 142,134 and 236. They are retransmissions due > to delay in response. > > -- > NAS - 10.10.10.17; AAA Server 1.1.1.4 > > > # SRC DSTRADIUS > 1 10.10.10.17 1.1.1.4Access-Request(1) (id=185, l=135 > 2 10.10.10.17 1.1.1.4Access-Request(1) (id=185, l=135), > Duplicate Request ID:185 > 3 1.1.1.4 10.10.10.17Access-Accept(2) (id=185, l=38) > > 4 10.10.10.17 1.1.1.4Accounting-Request(4) (id=142, l=215) > 5 10.10.10.17 1.1.1.4Accounting-Request(4) (id=142, > l=215), Duplicate Request ID:142 > 6 10.10.10.17 1.1.1.4Accounting-Request(4) (id=142, > l=215), Duplicate Request ID:142 > 7 10.10.10.17 1.1.1.4Accounting-Request(4) (id=134, l=257) > 8 10.10.10.17 1.1.1.4Accounting-Request(4) (id=134, > l=257), Duplicate Request ID:134 > 9 10.10.10.17 1.1.1.4Accounting-Request(4) (id=134, l=257) > 10 10.10.10.17 1.1.1.4Accounting-Request(4) (id=236, l=257) > 11 10.10.10.17 1.1.1.4Accounting-Request(4) (id=236, > l=257), Duplicate Request ID:236 > 12 1.1.1.4 10.10.10.17Accounting-Response(5) (id=142, l=20) > 13 10.10.10.17 1.1.1.4Accounting-Request(4) (id=236, l=257) > 14 1.1.1.4 10.10.10.17Accounting-Response(5) (id=134, l=20) > 15 1.1.1.4 10.10.10.17Accounting-Response(5) (id=236, l=20) > > > Auth process fails at the client end. Simply speaking, the client does > not get the Framed-IP-Address. > > This occurs, when the (NAS <=> AAA) response delay exceeds ~5 seconds. > > So according to RFC 5080: Is this an example of "Note that changing > the Request ID for a retransmission may have undesirable side > effects." ? > > How could one tackle with this issue? > > As Ivan described could "NAS retransmit timer" be increased to handle > delayed responses? > > Thanks, > > > > > > > > If duplicate requests are identified (based on the identifier), > > > > > On Fri, May 2, 2008 at 3:47 PM, Alan DeKok <[EMAIL PROTECTED]> wrote: > > Ivan Kalik wrote: > > > They are discarded. Standard setting on most radius clients is to resend > > > the request after 2 seconds without reply. And for most of them it can > > > be configured. > > > > RFC 5080 also specifies a better way to handle retransmits, than the > > old "try T times, with delay of D seconds between each try". > > > > Of course, FreeRADIUS implements it. :) > > > > Alan DeKok. > > > > > > - > > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Suggestion for modules directory
If the FreeRADIUS team monitors this list, I have a small suggestion. Along with the sites-available/sites-enabled directories, I would like to suggest a similar configuration for the modules section. I have added this to our servers and placed all of my custom module sections in corresponding configuration files under the modules directory. As with the sites directories, this allows me to make less modifications to radiusd.conf. Also, I can easily split up the per-site module configurations into separate module files. I do not know if something like modules-available/modules-enabled is really necessary. Perhaps just "$INCLUDE modules/" in under the modules section would be sufficient. Thanks, Jim Lohiser - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Recommendations for manging user password
Alan.. Thx for the reply.. after some chatting with the developers.. We already have an Oracle instance in place for the User /Passwd.. If we can use Oracle to talk "PAP" to FirePass this puts all the user management back on the already set up Oracle instance.. I will post back.. Much Thanks Charles On Fri, May 2, 2008 at 4:31 AM, Alan DeKok <[EMAIL PROTECTED]> wrote: > thekat wrote: > > FirePass uses PAP for authentication.. however I have authenticated > using > > both local and PAP. > > > > > > "charlie" Auth-Type := Local, User-Password == "hello" > > Don't set Auth-Type. Use Cleartext-Password, not User-Password. See > the FAQ. > > > I will have about 75 users and need to set up password aging.. > > Using system (non-shell) accounts with IDs in /etc/password could be an > > option > > I did read the "Expired" thread and I can write a script to update that > > field if necessary.. > > > > My Goal > > --- let the user know their password has expired > > That is an issue for the web page. You need to tell them *before* the > password has expired. > > > --- let them change it themselves.. > > You'll need a separate script for this. > > > --- age the password for 90 days > > --- I really don't want a MySQL database ( I don't know MySQL but could > > learn if I have to) > > You can use system accounts for this. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FS trying to authenticate accounting data
Hello group.
I am running FreeRADIUS 2.0.4 and I am attempting to setup a configuration
based on the "robust-proxy-accounting" site example. In short, I could not
get it to work. To attempt to debug the problem, I pared down the
configuration so the only part that was active was the part that it supposed
to send the accounting data to a detail file. However, even that small piece
does not work. The errors I am getting in the debug logs are
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
However, the configuration to log the data the detail file is only setup for
accounting, not authentication. This leaves me confused as to why FS is
attempting to do authentication. The relevant parts of the configuration
that are active during the test and the debug log is listed below. Any
assistance would be appreciated.
Thank you,
Jim Lohiser
-- radiusd.conf
# Single detail file for accounting failover.
detail detail.imaginenet {
detailfile = "${radacctdir}/imaginenet/detail-%Y%m%d"
}
--
# Dummy server to spool accounting data.
home_server ImagineNet_Detail {
# Added 'type' value to attempt to force accounting only.
# Does not fix problem.
type = acct
virtual_server = ImagineNet_Detail
}
server ImagineNet_Detail {
accounting {
detail.imaginenet
}
}
home_server_pool ImagineNet_Acct {
type = load-balance
home_server = ImagineNet_Detail
# Turned this off during to debug. Does not fix problem.
#virtual_server = ImagineNet
}
realm imaginenet.net {
auth_pool = ImagineNet_Auth
acct_pool = ImagineNet_Acct
nostrip
}
## Full Debug
rad_recv: Accounting-Request packet from host 192.168.0.10 port 51144,
id=81, length=57
User-Name = "[EMAIL PROTECTED]"
Acct-Status-Type = Start
Acct-Session-Id = "9584"
+- entering group preacct
expand: %{User-Name} -> [EMAIL PROTECTED]
expand: %{User-Name} -> [EMAIL PROTECTED]
expand: %{User-Name} -> [EMAIL PROTECTED]
++[preprocess] returns ok
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.10,NAS-IP-Address =
192.168.0.10,Acct-Session-Id = "9584",User-Name = "[EMAIL PROTECTED]"'
rlm_acct_unique: Acct-Unique-Session-ID = "dc24a5ecb36b1652".
++[acct_unique] returns ok
rlm_realm: Looking up realm "imaginenet.net" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "imaginenet.net"
rlm_realm: Adding Realm = "imaginenet.net"
rlm_realm: Proxying request from user jlohiser to realm imaginenet.net
rlm_realm: Preparing to proxy accounting request to realm
"imaginenet.net"
++[suffix] returns updated
++[files] returns noop
+- entering group accounting
expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/192.168.0.10/detail-20080502
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.0.10/detail-20080502
expand: %t -> Fri May 2 02:33:03 2008
++[detail] returns ok
expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
expand: %{User-Name} -> [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
+- entering group pre-proxy
preproxy_users: Matched entry DEFAULT at line 35
expand: %{Client-IP-Address} -> 192.168.0.10
++[files] returns ok
Sending proxied request internally to virtual server.
server ImagineNet_Detail {
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/]
(from client fw1.cle1.oh.imaginenet.net port 0 via TLS tunnel)
} # server ImagineNet_Detail
Going to the next request
<<< Received proxied response from internal virtual server.
Login incorrect (Home Server says so): [EMAIL PROTECTED]/User-Password attribute>] (from client fw1.cle1.oh.imaginenet.net port 0)
Sending Access-Reject of id 81 to 192.168.0.10 port 51144
Finished request 0.
Cleaning up request 0 ID 81 with timestamp +22
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
Hi, Many thanks for the reference and explanations. Here's what I see. The following flows correspond to a single transaction. Duplicate Packets are marked based on the id. However, I'm actually talking about retransmissions. Please Refer to Accounting-Request IDs 142,134 and 236. They are retransmissions due to delay in response. -- NAS - 10.10.10.17; AAA Server 1.1.1.4 # SRC DSTRADIUS 1 10.10.10.17 1.1.1.4Access-Request(1) (id=185, l=135 2 10.10.10.17 1.1.1.4Access-Request(1) (id=185, l=135), Duplicate Request ID:185 3 1.1.1.4 10.10.10.17Access-Accept(2) (id=185, l=38) 4 10.10.10.17 1.1.1.4Accounting-Request(4) (id=142, l=215) 5 10.10.10.17 1.1.1.4Accounting-Request(4) (id=142, l=215), Duplicate Request ID:142 6 10.10.10.17 1.1.1.4Accounting-Request(4) (id=142, l=215), Duplicate Request ID:142 7 10.10.10.17 1.1.1.4Accounting-Request(4) (id=134, l=257) 8 10.10.10.17 1.1.1.4Accounting-Request(4) (id=134, l=257), Duplicate Request ID:134 9 10.10.10.17 1.1.1.4Accounting-Request(4) (id=134, l=257) 10 10.10.10.17 1.1.1.4Accounting-Request(4) (id=236, l=257) 11 10.10.10.17 1.1.1.4Accounting-Request(4) (id=236, l=257), Duplicate Request ID:236 12 1.1.1.4 10.10.10.17Accounting-Response(5) (id=142, l=20) 13 10.10.10.17 1.1.1.4Accounting-Request(4) (id=236, l=257) 14 1.1.1.4 10.10.10.17Accounting-Response(5) (id=134, l=20) 15 1.1.1.4 10.10.10.17Accounting-Response(5) (id=236, l=20) Auth process fails at the client end. Simply speaking, the client does not get the Framed-IP-Address. This occurs, when the (NAS <=> AAA) response delay exceeds ~5 seconds. So according to RFC 5080: Is this an example of "Note that changing the Request ID for a retransmission may have undesirable side effects." ? How could one tackle with this issue? As Ivan described could "NAS retransmit timer" be increased to handle delayed responses? Thanks, If duplicate requests are identified (based on the identifier), On Fri, May 2, 2008 at 3:47 PM, Alan DeKok <[EMAIL PROTECTED]> wrote: > Ivan Kalik wrote: > > They are discarded. Standard setting on most radius clients is to resend > > the request after 2 seconds without reply. And for most of them it can > > be configured. > > RFC 5080 also specifies a better way to handle retransmits, than the > old "try T times, with delay of D seconds between each try". > > Of course, FreeRADIUS implements it. :) > > Alan DeKok. > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
Ivan Kalik wrote: > They are discarded. Standard setting on most radius clients is to resend > the request after 2 seconds without reply. And for most of them it can > be configured. RFC 5080 also specifies a better way to handle retransmits, than the old "try T times, with delay of D seconds between each try". Of course, FreeRADIUS implements it. :) Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
They are discarded. Standard setting on most radius clients is to resend the request after 2 seconds without reply. And for most of them it can be configured. Ivan Kalik Kalik Informatika ISP Dana 2/5/2008, "rsg" <[EMAIL PROTECTED]> piše: >Hi, > >Since RADIUS is UDP based this seems to be quite sensitive to the >delay in response from AAA to NAS and merely depends on the processing >delay of the AAA/SQL in Authorization. > >Has anyone tried performing load tests? Could you tell me how >duplicate requests are handled? > > > > >On Wed, Apr 30, 2008 at 4:02 PM, rsg <[EMAIL PROTECTED]> wrote: >> Hi, >> >> I would like to discard duplicate Auth requests based on certain >> attributes other than the NAS-IP-Address (e.g. Calling-Station-Id, >> Pool-Name). >> >> For example if there are two requests originating from 2 NASes which >> corresponds to a particular client, I would like to discard the second >> request if it is received during a threshold time value (eg. 15 >> seconds) >> >> Specially I find that when using SQL for authorization this situation >> occurs as it takes a while to perform authorization using SQL. >> >> >> Thanks for your guidance, >> >> rg >> >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fw: Discard duplicate requests if received within a specified period
rsg wrote: > Has anyone tried performing load tests? Yes. Lots. > Could you tell me how duplicate requests are handled? As per RFC 5080, which I co-authored. FreeRADIUS has been handling duplicate requests this way since the start. Some commercial servers started doing this only after RFC 5080 was published. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fw: Discard duplicate requests if received within a specified period
Hi, Since RADIUS is UDP based this seems to be quite sensitive to the delay in response from AAA to NAS and merely depends on the processing delay of the AAA/SQL in Authorization. Has anyone tried performing load tests? Could you tell me how duplicate requests are handled? On Wed, Apr 30, 2008 at 4:02 PM, rsg <[EMAIL PROTECTED]> wrote: > Hi, > > I would like to discard duplicate Auth requests based on certain > attributes other than the NAS-IP-Address (e.g. Calling-Station-Id, > Pool-Name). > > For example if there are two requests originating from 2 NASes which > corresponds to a particular client, I would like to discard the second > request if it is received during a threshold time value (eg. 15 > seconds) > > Specially I find that when using SQL for authorization this situation > occurs as it takes a while to perform authorization using SQL. > > > Thanks for your guidance, > > rg > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius 2.0.4 and peap
Ivan Kalik escribió: You have experlty deleted all the relevant information from the debug and your configuration. Post the complete debug. I solved the problem commenting the line virtual_server = "inner-tunnel" in the peap section of eap.conf -- - Manuel Sanchez Cuenca Departamento de Ingenieria de la Informacion y las Comunicaciones Departamento de Ingeniería y Tecnología de Computadores Facultad de Informatica. Universidad de Murcia Campus de Espinardo - 30080 Murcia (SPAIN) Tel.: +34-968-364644Fax: +34-968-364151 email: [EMAIL PROTECTED] | [EMAIL PROTECTED] url: http://webs.um.es/manuelsc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius 2.0.4 and peap
You have experlty deleted all the relevant information from the debug and
your configuration. Post the complete debug.
Ivan Kalik
Kalik Informatika ISP
Dana 2/5/2008, "Manuel Sánchez Cuenca" <[EMAIL PROTECTED]> piše:
>Hello all,
>
>I have installed freeradius 2.0.4 and now I'm trying to configure peap.
>
>When I try to connect using a Windows XP laptop, the server rejects the
>user.
>
>The log shows this information:
>
> rlm_eap: processing type mschapv2
>+- entering group MS-CHAP
> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for lolo with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>++[mschap] returns reject
> rlm_eap: Freeing handler
>++[eap] returns reject
>auth: Failed to validate the user.
>Login incorrect: [lolo/] (from client dame-ap port
>0 via TLS tunnel)
> PEAP: Tunneled authentication was rejected.
>
>
>The configuration files are the following:
>
>* eap.conf
>
>eap {
> default_eap_type = peap
> . . .
> tls {
>private_key_password = srvpwd
>private_key_file = ${certdir}/server.pem
>certificate_file = ${certdir}/server.pem
>CA_file = ${cadir}/ca.pem
>. . .
> }
> peap {
>default_eap_type = mschapv2
>copy_request_to_tunnel = no
>use_tunneled_reply = no
>virtual_server = "inner-tunnel"
>}
>mschapv2 {
>}
>
>
>* users
> lolo Cleartext-Password := "password"
>
>* sites-enabled/default
> authorize {
> eap {
> ok = return
> }
> ...
> }
> authenticate {
> eap
> ...
> }
> ...
>
>Can anybody help me?
>
>Thanks in advance.
>
>--
>-
>Manuel Sanchez Cuenca
>Departamento de Ingenieria de la Informacion y las Comunicaciones
>Departamento de Ingeniería y Tecnología de Computadores
>Facultad de Informatica. Universidad de Murcia
>Campus de Espinardo - 30080 Murcia (SPAIN)
>Tel.: +34-968-364644Fax: +34-968-364151
>email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
>url: http://webs.um.es/manuelsc
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius 2.0.4 and peap
Hello all,
I have installed freeradius 2.0.4 and now I'm trying to configure peap.
When I try to connect using a Windows XP laptop, the server rejects the
user.
The log shows this information:
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for lolo with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [lolo/] (from client dame-ap port
0 via TLS tunnel)
PEAP: Tunneled authentication was rejected.
The configuration files are the following:
* eap.conf
eap {
default_eap_type = peap
. . .
tls {
private_key_password = srvpwd
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
. . .
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
* users
lolo Cleartext-Password := "password"
* sites-enabled/default
authorize {
eap {
ok = return
}
...
}
authenticate {
eap
...
}
...
Can anybody help me?
Thanks in advance.
--
-
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Departamento de Ingeniería y Tecnología de Computadores
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644Fax: +34-968-364151
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
url: http://webs.um.es/manuelsc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
>May it be the problem from the radius client, or is it the problem in my >perl code. >I can't rectify the problem, I am confusing where should I emphasized > >Here is the new output when it is run in radiusd -X after rejecting da >user. > >rad_recv: Access-Request packet from host 192.168.1.227 port 32847, id=182, >length=252 >User-Name = "[EMAIL PROTECTED]" >X-Ascend-Netware-timeout = 1785686126 >X-Ascend-Send-Secret = 0x3139322e3136382e312e323237 >X-Ascend-Receive-Secret = >0x34383161663338653534346236663063383862343865393864346639313036626264363230306536 >X-Ascend-IP-Pool-Definition = "sip:192.168.1.227" >X-Ascend-IPX-Peer-Mode = 0x5245474953544552 >Digest-Response = "1e926599fa0777bef89010421e3e1c41" >Service-Type = IAPP-Register >X-Ascend-PW-Lifetime = 1785686126 >Cisco-AVPair = "call-id= >[EMAIL PROTECTED]" >NAS-IP-Address = 127.0.0.1 >NAS-Port = 5060 Your radius client is not sending Digest-Attributes. It's sending Ascend VSAs. Read your NAS documentation how to set up digest authentication if you want that. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re : Re : Re : EAP-TLS/PEAP problem
Ok, i am sorry! all i had to do is "yast install make" or something like that to be able to run the command... ah... Linux !! MBA OYONE Joël Lot. El Firdaous Bât GH20, Porte A 204, Appt 8 2 Oulfa Casablanca - Maroc Tél. : +212 69 25 85 70 - Message d'origine De : Joel MBA OYONE <[EMAIL PROTECTED]> À : FreeRadius users mailing list Envoyé le : Vendredi, 2 Mai 2008, 9h50mn 05s Objet : Re : Re : EAP-TLS/PEAP problem Hello list, I've just installed SUSE 10.3 and freeradius 2.0.2.2-3 to easily setup my prevoious prob with eap. right now, when i run "radiusd -W" i encounter this error message: === /etc/raddb/certs/bootstrap: line 15: make: command not found Exec-Program output: Exec-Program: returned: 127 rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[252]: Failed to find module "eap". /etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section. } } Errors initializing modules == reading the readme file in certs/ directory, i understood that the script bootstrap should create the certificates and some other stuffs, and the should be renamed or destroyed. - that i see is: the script didn't create nothing and could not be run. could you please help me to fix it? ( my final goes is to use eap-tls / eap-peap to athenticate wireless clients, and like i said before, i am really newbie on linux. thanx for help) MBA OYONE Joël Lot. El Firdaous Bât GH20, Porte A 204, Appt 8 2 Oulfa Casablanca - Maroc Tél. : +212 69 25 85 70 - Message d'origine De : Ivan Kalik <[EMAIL PROTECTED]> À : FreeRadius users mailing list Envoyé le : Mercredi, 30 Avril 2008, 11h39mn 36s Objet : Re: Re : EAP-TLS/PEAP problem http://www.freeradius.org/download.html Find the OS version that you have and download the latest freeradius version rpm. Ivan Kalik Kalik Informatika ISP Dana 30/4/2008, "Joel MBA OYONE" <[EMAIL PROTECTED]> piše: >Well, as i am very very newbie on Linux. iuse to work on win2000/2003 before. > i chose the easyway to install freeradius; the "yum" commaand gave me that >version. >if the latest version is easy to install manually on fedora and is able to >work on a hp proliant ml-370 g5, i take it. >Why not the latest version. It will create and install the certificates >for you. Even if you don't want to install it you can download it and >use it to create certificates. > >Ivan Kalik >Kalik Informatika ISP > > >Dana 30/4/2008, "Joel MBA OYONE" <[EMAIL PROTECTED]> piĹĄe: > >>Hello list. >>I am sorry about my poor english skills but hope iĂ could be understood >>anyway. >>I use freeradius 1.1-7 on fedora 8 (installed with yum command).Ă right now, >>my users in the "/etc/raddb/users" file are able to authenticate without no >>problem. >>iĂ intend to use eap-tls and eap-peap to authenticate my users. to do so, i >>read this tutorial: >>http://www.wi-fiplanet.com/tutorials/article.php/3557251Ă (two sheets) which >>is very helpfull. >>but on the second part of the tuto,Ă i encounter a problem with the >>extensions part: >>- it is said to create a file named "extensions" (my case >>/etc/pki/tls/extensions) and to copy that lines into: >>[ xpclient_ext] >>extendedKeyUsage = 1.3.6.1.5.5.7.3.2 >>[ xpserver_ext ] >>extendedKeyUsage = 1.3.6.1.5.5.7.3.1 >>and then to modify my previous certificate like that: >># openssl ca -out master_cert.pem -extensions xpserver -infiles ./masterreqpem >># openssl ca -out client_cert.pem -extensions xpserver -infiles >>./clientreqpem >>when i do this, the system give me an error message: >>[EMAIL PROTECTED] ensiasCA]# pwd >>/etc/pki/CA/ensiasCA >>[EMAIL PROTECTED] ensiasCA]# openssl ca -out certs/ensias_cert.pem >>-extensions xpserver_ext -infiles certs/radiusserverreq.pem >>Using configuration from /etc/pki/tls/openssl.cnf >>Enter pass phrase for /etc/pki/CA/ensiasCA/private/cakey.pem: >>Error Loading extension section xpserver_ext >>4230:error:0E06D06C:configuration file routines:NCONF_get_string:no >>value:conf_lib.c:329:group=CA_default name=email_in_dn >>[EMAIL PROTECTED] ensiasCA]# >> >>i suppose i have problem creating extensions >>there's a long time i try to fix it (and some many before), and right now, i >>come and ask your help to fix it. >>thanx for helping >> >>Ă >>MBA OYONE JoÄŤl >>Lot.. El Firdaous >>BÄËt GH20, Porte A 204, Appt 8 >>2 Oulfa >>Casablanca - Maroc >>Ă >>TÄĹ l. : +212 69 25 85 70 >> >>__ >>Do You Yahoo!? >>En finir avec le spam? Yahoo! Mail vous offre la meilleure protection >>possible contre les messages non sollicitÄĹ s >>http://mail.yahoo.fr Yahoo! Mail >> > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > >__ >Do You Yahoo!? >En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible >contre les messages non sollicitĂŠs >h
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
>Send a request with Digest-Attributes.
hi Kalik,
I've tried to called using Digest-Attributes in my perl code
like this
$dUserName= $RAD_REQUEST{'Digest-User-Name'};
$dRealm= $RAD_REQUEST{'Digest-Realm'};
$dMethod = $RAD_REQUEST{'Digest-Method'};
$dUri= $RAD_REQUEST{'Digest-URI'};
$dNonce=$RAD_REQUEST{'Digest-Nonce'};
$dResponse=$RAD_REQUEST{'Digest-Response'};
but still it doesn't get the values..except 'Digest-Response'
May it be the problem from the radius client, or is it the problem in my
perl code.
I can't rectify the problem, I am confusing where should I emphasized
Here is the new output when it is run in radiusd -X after rejecting da
user.
rad_recv: Access-Request packet from host 192.168.1.227 port 32847, id=182,
length=252
User-Name = "[EMAIL PROTECTED]"
X-Ascend-Netware-timeout = 1785686126
X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
X-Ascend-Receive-Secret =
0x34383161663338653534346236663063383862343865393864346639313036626264363230306536
X-Ascend-IP-Pool-Definition = "sip:192.168.1.227"
X-Ascend-IPX-Peer-Mode = 0x5245474953544552
Digest-Response = "1e926599fa0777bef89010421e3e1c41"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 1785686126
Cisco-AVPair = "call-id=
[EMAIL PROTECTED]"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x9ede730 asigned new request. Handled so far: 1
found interpetator at address 0x9ede730
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = 1e926599fa0777bef89010421e3e1c41
rlm_perl: RAD_REQUEST: X-Ascend-Receive-Secret =
0x34383161663338653534346236663063383862343865393864346639313036626264363230306536
rlm_perl: RAD_REQUEST: X-Ascend-IPX-Peer-Mode = 0x5245474953544552
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: X-Ascend-Netware-timeout = 1785686126
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: X-Ascend-IP-Pool-Definition = sip:192.168.1.227
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: X-Ascend-PW-Lifetime = 1785686126
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
rlm_perl: ###
rlm_perl: Added pair Digest-Response = 1e926599fa0777bef89010421e3e1c41
rlm_perl: Added pair X-Ascend-Receive-Secret =
0x34383161663338653534346236663063383862343865393864346639313036626264363230306536
rlm_perl: Added pair X-Ascend-IPX-Peer-Mode = 0x5245474953544552
rlm_perl: Added pair Service-Type = IAPP-Register
rlm_perl: Added pair X-Ascend-Netware-timeout = 1785686126
rlm_perl: Added pair Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: Added pair X-Ascend-IP-Pool-Definition = sip:192.168.1.227
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair X-Ascend-PW-Lifetime = 1785686126
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9ede730
++[perl] returns reject
Invalid user: [EMAIL PROTECTED]/] (from client
192.168.1.227 port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 32848, id=183,
length=252
User-Name = "[EMAIL PROTECTED]"
X-Ascend-Netware-timeout = 1785686126
X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
X-Ascend-Receive-Secret =
0x34383161663338653534346236663063383862343865393864346639313036626264363230306536
X-Ascend-IP-Pool-Definition = "sip:192.168.1.227"
X-Ascend-IPX-Peer-Mode = 0x5245474953544552
Digest-Response = "1e926599fa0777bef89010421e3e1c41"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 1785686126
Cisco-AVPair = "call-id=
[EMAIL PROTECTED]"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0xa119d28 asigned new request. Handled so far: 1
found interpetator at address 0xa119d28
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = 1e926599fa0777bef89010421e3e1c41
rlm_perl: RAD_REQUEST: X-Ascend-Receive-Secret =
0x3438316166333865353434623666306338386234386539386434663931303662626436
Re: EAP/TLS on windows XP clients?
>I can successfully access and connect to the FreeRadius server with Linux >clients using ca.pem and client.pem. > >- Where is the ca.der imported/or placed in Windows XP Professional? > Trusted root CA store. >- Dose the commonName within the cerficate files (client.p12) name need to >match the Windows XP computer name? If you are doing machine authentication it should match computer name, if you are doing user authentication it should match username. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/TLS on windows XP clients?
Hello, Thanks for response! I can successfully access and connect to the FreeRadius server with Linux clients using ca.pem and client.pem. - Where is the ca.der imported/or placed in Windows XP Professional? - Dose the commonName within the cerficate files (client.p12) name need to match the Windows XP computer name? Thanks for help, Best regards Johan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Alan DeKok Sent: den 2 maj 2008 10:21 To: FreeRadius users mailing list Subject: SPAM-LOW: Re: EAP/TLS on windows XP clients? Johan Nyman wrote: What certificates are needed on Windows XP clients to make a successful > connection? http://www.freeradius.org/doc/EAPTLS.pdf In 2.0,x, you'll need "ca.der" and "client.p12" You may need to go into the "raddb/certs" directory, and do "make ca.der". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re : Re : EAP-TLS/PEAP problem
Hello list, I've just installed SUSE 10.3 and freeradius 2.0.2.2-3 to easily setup my prevoious prob with eap. right now, when i run "radiusd -W" i encounter this error message: === /etc/raddb/certs/bootstrap: line 15: make: command not found Exec-Program output: Exec-Program: returned: 127 rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[252]: Failed to find module "eap". /etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section. } } Errors initializing modules == reading the readme file in certs/ directory, i understood that the script bootstrap should create the certificates and some other stuffs, and the should be renamed or destroyed. - that i see is: the script didn't create nothing and could not be run. could you please help me to fix it? ( my final goes is to use eap-tls / eap-peap to athenticate wireless clients, and like i said before, i am really newbie on linux. thanx for help) MBA OYONE Joël Lot. El Firdaous Bât GH20, Porte A 204, Appt 8 2 Oulfa Casablanca - Maroc Tél. : +212 69 25 85 70 - Message d'origine De : Ivan Kalik <[EMAIL PROTECTED]> À : FreeRadius users mailing list Envoyé le : Mercredi, 30 Avril 2008, 11h39mn 36s Objet : Re: Re : EAP-TLS/PEAP problem http://www.freeradius.org/download.html Find the OS version that you have and download the latest freeradius version rpm. Ivan Kalik Kalik Informatika ISP Dana 30/4/2008, "Joel MBA OYONE" <[EMAIL PROTECTED]> piše: >Well, as i am very very newbie on Linux. iuse to work on win2000/2003 before. > i chose the easyway to install freeradius; the "yum" commaand gave me that >version. >if the latest version is easy to install manually on fedora and is able to >work on a hp proliant ml-370 g5, i take it. >Why not the latest version. It will create and install the certificates >for you. Even if you don't want to install it you can download it and >use it to create certificates. > >Ivan Kalik >Kalik Informatika ISP > > >Dana 30/4/2008, "Joel MBA OYONE" <[EMAIL PROTECTED]> piĹĄe: > >>Hello list. >>I am sorry about my poor english skills but hope iĂ could be understood >>anyway. >>I use freeradius 1.1-7 on fedora 8 (installed with yum command).Ă right now, >>my users in the "/etc/raddb/users" file are able to authenticate without no >>problem. >>iĂ intend to use eap-tls and eap-peap to authenticate my users. to do so, i >>read this tutorial: >>http://www.wi-fiplanet.com/tutorials/article.php/3557251Ă (two sheets) which >>is very helpfull. >>but on the second part of the tuto,Ă i encounter a problem with the >>extensions part: >>- it is said to create a file named "extensions" (my case >>/etc/pki/tls/extensions) and to copy that lines into: >>[ xpclient_ext] >>extendedKeyUsage = 1.3.6.1.5.5.7.3.2 >>[ xpserver_ext ] >>extendedKeyUsage = 1.3.6.1.5.5.7.3.1 >>and then to modify my previous certificate like that: >># openssl ca -out master_cert.pem -extensions xpserver -infiles ./masterreqpem >># openssl ca -out client_cert.pem -extensions xpserver -infiles >>./clientreqpem >>when i do this, the system give me an error message: >>[EMAIL PROTECTED] ensiasCA]# pwd >>/etc/pki/CA/ensiasCA >>[EMAIL PROTECTED] ensiasCA]# openssl ca -out certs/ensias_cert.pem >>-extensions xpserver_ext -infiles certs/radiusserverreq.pem >>Using configuration from /etc/pki/tls/openssl.cnf >>Enter pass phrase for /etc/pki/CA/ensiasCA/private/cakey.pem: >>Error Loading extension section xpserver_ext >>4230:error:0E06D06C:configuration file routines:NCONF_get_string:no >>value:conf_lib.c:329:group=CA_default name=email_in_dn >>[EMAIL PROTECTED] ensiasCA]# >> >>i suppose i have problem creating extensions >>there's a long time i try to fix it (and some many before), and right now, i >>come and ask your help to fix it. >>thanx for helping >> >>Ă >>MBA OYONE JoÄŤl >>Lot.. El Firdaous >>BÄËt GH20, Porte A 204, Appt 8 >>2 Oulfa >>Casablanca - Maroc >>Ă >>TÄĹ l. : +212 69 25 85 70 >> >>__ >>Do You Yahoo!? >>En finir avec le spam? Yahoo! Mail vous offre la meilleure protection >>possible contre les messages non sollicitÄĹ s >>http://mail.yahoo.fr Yahoo! Mail >> > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > >__ >Do You Yahoo!? >En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible >contre les messages non sollicitĂŠs >http://mail.yahoo.fr Yahoo! Mail > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail - List info/subscri
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
> I've tried $RAD_CHECK but still i didn't get the values of >these attributes >'Digest-User-name', >'Digest-Realm', >'Digest-Method', >'Digest-Uri', >'Digest-Nonce', >'Digest-Response', >I've found a digest module in radiusd.conf but actually don't have any idea >how to handle the module. Please tell me how to get the value of these >attributes. > Send a request with Digest-Attributes. > >rad_recv: Access-Request packet from host 127.0.0.1 port 32795, id=73, >length=59 >User-Name = "johnson" >User-Password = "johnson" >NAS-IP-Address = 127.0.0.1 >NAS-Port = 0 This is an ordinary pap request. You will never get digest attributes out of it. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Recommendations for manging user password
thekat wrote: > FirePass uses PAP for authentication.. however I have authenticated using > both local and PAP. > > > "charlie" Auth-Type := Local, User-Password == "hello" Don't set Auth-Type. Use Cleartext-Password, not User-Password. See the FAQ. > I will have about 75 users and need to set up password aging.. > Using system (non-shell) accounts with IDs in /etc/password could be an > option > I did read the "Expired" thread and I can write a script to update that > field if necessary.. > > My Goal > --- let the user know their password has expired That is an issue for the web page. You need to tell them *before* the password has expired. > --- let them change it themselves.. You'll need a separate script for this. > --- age the password for 90 days > --- I really don't want a MySQL database ( I don't know MySQL but could > learn if I have to) You can use system accounts for this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Duplicate accounting packets
Tim Lightfoot wrote: > Please see below output from radiusd -X - the line that seems to vary > between successful and failed attempts is ++[unix] returns fail (its > ++[unix] returns noop when successful). The server doesn't have permission to write to the radwtmp file. If you don't need the radwtmp file, delete the "unix" module from the "accounting" section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Error: rlm_radutmp: Logout for NAS localhost port 3, but no Login record
Hello Fedora Core 5 freeradius-1.1.7.tar.gz /var/log/radius/radius.log Thu May 1 05:53:35 2008 : Error: rlm_radutmp: Logout for NAS localhost port 3, but no Login record Thu May 1 05:53:37 2008 : Error: rlm_radutmp: Logout for NAS localhost port 13, but no Login record Thu May 1 06:19:45 2008 : Info: rlm_sqlippool: ip=[172.16.1.2] len=10 Thu May 1 06:23:19 2008 : Info: rlm_sqlippool: ip=[172.16.2.1] len=10 Thu May 1 06:23:52 2008 : Info: rlm_sqlippool: ip=[172.16.2.15] len=11 Thu May 1 06:24:15 2008 : Info: rlm_sqlippool: ip=[172.16.2.18] len=11 Thu May 1 06:46:20 2008 : Info: rlm_sqlippool: ip=[172.16.2.1] len=10 Thu May 1 06:49:58 2008 : Info: rlm_sqlippool: ip=[172.16.2.7] len=10 Thu May 1 07:10:33 2008 : Error: rlm_radutmp: Logout for NAS localhost port 15, but no Login record Thu May 1 07:32:56 2008 : Error: rlm_radutmp: Logout for NAS localhost port 6, but no Login record Thu May 1 07:35:40 2008 : Error: rlm_radutmp: Logout for NAS localhost port 1, but no Login record Thu May 1 08:03:33 2008 : Error: rlm_radutmp: Logout for NAS localhost port 10, but no Login record Thu May 1 08:14:10 2008 : Error: rlm_radutmp: Logout for NAS localhost port 8, but no Login record Thu May 1 08:46:54 2008 : Info: rlm_sqlippool: ip=[172.16.2.19] len=11 Thu May 1 09:10:02 2008 : Info: rlm_sqlippool: ip=[172.16.1.2] len=10 Thu May 1 09:11:05 2008 : Info: rlm_sqlippool: ip=[172.16.1.8] len=10 Thu May 1 09:11:44 2008 : Info: rlm_sqlippool: ip=[172.16.1.9] len=10 Thu May 1 09:22:00 2008 : Info: rlm_sqlippool: ip=[172.16.2.15] len=11 Thu May 1 09:22:33 2008 : Info: rlm_sqlippool: ip=[172.16.2.4] len=10 Thu May 1 09:37:14 2008 : Info: rlm_sqlippool: ip=[172.16.2.19] len=11 Thu May 1 09:55:46 2008 : Info: rlm_sqlippool: ip=[172.16.2.9] len=10 Thu May 1 10:10:48 2008 : Info: rlm_sqlippool: ip=[172.16.2.13] len=11 Thu May 1 10:59:31 2008 : Error: Invalid operator for item Expiration: reverting to '==' Thu May 1 10:59:31 2008 : Info: rlm_sqlippool: ip=[172.16.2.6] len=10 Thu May 1 11:16:17 2008 : Info: rlm_sqlippool: ip=[172.16.2.3] len=10 Thu May 1 11:21:35 2008 : Error: rlm_radutmp: Logout for NAS localhost port 16, but no Login record Thu May 1 11:24:37 2008 : Info: rlm_sqlippool: ip=[172.16.2.9] len=10 Thu May 1 11:26:33 2008 : Info: rlm_sqlippool: ip=[172.16.2.19] len=11 Thu May 1 11:38:15 2008 : Info: rlm_sqlippool: ip=[172.16.2.9] len=10 Thu May 1 11:39:46 2008 : Info: rlm_sqlippool: ip=[172.16.2.16] len=11 Thu May 1 11:48:10 2008 : Info: rlm_sqlippool: ip=[172.16.2.8] len=10 Thu May 1 11:56:14 2008 : Info: rlm_sqlippool: ip=[172.16.2.18] len=11 Thu May 1 12:30:39 2008 : Info: rlm_sqlippool: ip=[172.16.1.13] len=11 Thu May 1 13:05:56 2008 : Info: rlm_sqlippool: ip=[172.16.2.5] len=10 Thu May 1 13:08:26 2008 : Info: rlm_sqlippool: ip=[172.16.2.3] len=10 Thu May 1 13:09:47 2008 : Info: rlm_sqlippool: ip=[172.16.2.9] len=10 Thu May 1 13:20:23 2008 : Info: rlm_sqlippool: ip=[172.16.2.17] len=11 Thu May 1 13:55:59 2008 : Info: rlm_sqlippool: ip=[172.16.2.18] len=11 Thu May 1 14:09:19 2008 : Info: rlm_sqlippool: ip=[172.16.2.3] len=10 Thu May 1 14:09:47 2008 : Info: rlm_sqlippool: ip=[172.16.2.1] len=10 Thu May 1 14:24:28 2008 : Error: rlm_radutmp: Logout for NAS localhost port 0, but no Login record Thu May 1 14:28:16 2008 : Error: rlm_radutmp: Logout for NAS localhost port 17, but no Login record Thu May 1 14:29:15 2008 : Error: rlm_radutmp: Logout for NAS localhost port 7, but no Login record Thu May 1 14:30:05 2008 : Error: rlm_radutmp: Logout for NAS localhost port 11, but no Login record Thu May 1 14:30:17 2008 : Error: rlm_radutmp: Logout for NAS localhost port 2, but no Login record Thu May 1 14:33:03 2008 : Info: rlm_sqlippool: ip=[172.16.1.1] len=10 180도 달라진 야후! 메일 - 여러 개의 메시지를 동시에 확인? 새로운 야후! 메일의 탭으로 가능해집니다. http://kr.content.mail.yahoo.com/cgland - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Duplicate accounting packets
Freeradius 2.0.3
FreeBSD 6.3
I have a problem where accounting packets are not getting acknowledged
by Freeradius.
I have been using the NTRadPing testing tool and have determined that if
the Accounting Start packet contains a NAS-Port attribute, the packet
will timeout.
If I remove the NAS-Port attribute from the Accounting Start packet I
get an instant response.
Please see below output from radiusd -X - the line that seems to vary
between successful and failed attempts is ++[unix] returns fail (its
++[unix] returns noop when successful).
Ready to process requests.
User-Name = "[EMAIL PROTECTED]"
Acct-Status-Type = Start
Acct-Session-Id = "2476"
NAS-IP-Address = 10.0.1.110
NAS-Port = 1073
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 1073,Client-IP-Address =
10.0.1.110,NAS-IP-Address = 10.0.1.110,Acct-Session-Id =
"2476",User-Name = "[EMAIL PROTECTED]"'
rlm_acct_unique: Acct-Unique-Session-ID = "22a2bff7af67d3ea".
++[acct_unique] returns ok
rlm_realm: Looking up realm "test.net.uk" for User-Name =
"[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> "
rlm_realm: Found realm "test.net.uk"
rlm_realm: Proxying request from user 80001 to realm test.net.uk
rlm_realm: Adding Realm = "test.net.uk"
rlm_realm: Accounting realm is LOCAL.
++[suffix] returns noop
acct_users: Matched entry DEFAULT at line 22
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: %{Stripped-User-Name:-%{User-Name}} -> [EMAIL PROTECTED]
++[files] returns ok
+- entering group accounting
expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radacct/10.0.1.110/detail-20080502
rlm_detail: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radacct/10.0.1.110/detail-20080502
expand: %t -> Fri May 2 09:06:38 2008
++[detail] returns ok
++[unix] returns fail
Finished request 1.
Many thanks
Tim
Any opinions expressed in this email are those of the individual and not
necessarily those of Sota Solutions Limited. It is intended only for the
person(s) to whom it is addressed and may contain privileged and/or
confidential information. Accordingly, the copying, dissemination,
distribution, or use of this message to any other person may constitute
a breach of Civil or Criminal Law. Please notify the sender immediately
if you have received this email by mistake and delete it from your
system.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
>No, there is a digest module in default radiusd.conf that should decode
>the attributes. Post radiusd -X for request with Digest-Attributes.
>Those attributes you want are not in the request - have you tried
>$RAD_CHECK.
hi Kalik,
I've tried $RAD_CHECK but still i didn't get the values of
these attributes
'Digest-User-name',
'Digest-Realm',
'Digest-Method',
'Digest-Uri',
'Digest-Nonce',
'Digest-Response',
I've found a digest module in radiusd.conf but actually don't have any idea
how to handle the module. Please tell me how to get the value of these
attributes.
Here is the full output when the radius is run in debugging mode:
[EMAIL PROTECTED] raddb]# radiusd -X
FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008
at 21:42:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 192.168.1.227 {
require_message_authenticator = no
secret = "johnson"
}
radiusd: Loading Realms and Home Servers
radiusd: Instantiating modules
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: Loading Virtual Servers
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_perl
Module: Instantiating perl
perl {
module = "/usr/local/etc/raddb/myperltemp.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
}
perl {
max_clones = 32
start_clones = 32
min_spare_clones = 0
max_spare_clones = 32
cleanup_delay = 5
max_request_per_clone = 0
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating ea
Re: HOWTO PEAP + FreeRadius + XP Client
George KNIGHT wrote: > I used ca.der and client.p12 to be installed to Windows XP SP2 client. I > followed the instructions at the http://freeradius.org/doc/EAPTLS.pdf. > But at the end of the installation, where the client certificate > installation is tested at page 16, I have a different Windows message; > it says " Windows does not have enough information to verify this > certificate". I followed all the instructions there without any problem. > Am I missing anything? No idea... it's a Windows thing. I suggest googling for it... > Are those the right certificates that copied to the Windows machine? Why > are there so many certificates created and we are just using 2? There are multiple steps to creating certificates, and multiple forms of those certificates. All the intermediary files are left in the directory for future reference. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/TLS on windows XP clients?
Johan Nyman wrote: What certificates are needed on Windows XP clients to make a successful > connection? http://www.freeradius.org/doc/EAPTLS.pdf In 2.0,x, you'll need "ca.der" and "client.p12" You may need to go into the "raddb/certs" directory, and do "make ca.der". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP/TLS on windows XP clients?
Hello, What certificates are needed on Windows XP clients to make a successful connection? The client.p12? and more? Thanks, Best regards, Johan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
