Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol
Peter Param wrote:
> This is a new installation using openssl0.98j and freeradius 2.1.3. I get this error when running in debug mode:
>
> radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol: SSL_CTX_set_info_callback

You have two different versions of OpenSSL installed. One knows about that function, and the other doesn't. You've used the first to build the server, but the second is found when it runs.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP HowTo
I've put a mini PEAP howto on the Wiki:

http://wiki.freeradius.org/PEAP_HowTo

It should cover most of the common questions.

Alan DeKok.
Re: Multiple LDAP Configurations on a single freeradius daemon
Yes, but will that allow me to choose an ldap configuration per NAS in clients.conf? If I list both of these in the authorize block, won't that return a successful result for both NAS if either one of the filters matches?

Thx.
Nils

t...@kalik.net wrote:
>> I'm looking for the best way of configuring freeradius (either version 1.1.3 or version 2.1.1) with two separate LDAP configurations.
>
> Create multiple ldap instances:
>
> ldap wifi {
>     ..
> }
>
> ldap vpn {
>     ..
> }
>
> That works for any module.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: PEAP HowTo
On Wednesday 11 March 2009 09:04:37 Alan DeKok wrote:
> I've put a mini PEAP howto on the Wiki:
> http://wiki.freeradius.org/PEAP_HowTo

Great idea! When I see the facility of the document, I really don't understand how I was wrong for such a long time! :)

Bye!
Re: [How To] Freeradius 2.14 (PEAP – MSCHAP)
On Tue, Mar 10, 2009 at 7:57 PM, LEOSI rad...@pronetis.fr wrote:
> For those who are interested in setting up PEAP/MSCHAP under Freeradius 2.14, I wrote a simple how-to. I hope it could help someone. :)

Thanks for the how-to. Sorry if this is such a basic question, but what are the advantages of using freeradius for this purpose (PEAP/MSCHAP) compared to using Microsoft's IAS/NPS?

Regards,
Fajar
Re: Multiple LDAP Configurations on a single freeradius daemon
> Yes, but will that allow me to choose an ldap configuration per NAS in clients.conf? If I list both of these in the authorize block, won't that return a successful result for both NAS if either one of the filters matches?

It would. So use unlang to choose which ldap instance will be used for which NAS-IP-Address.

Ivan Kalik
Kalik Informatika ISP
Re: [How To] Freeradius 2.14 (PEAP – MSCHAP)
Hi,

>> For those who are interested in setting up PEAP/MSCHAP under Freeradius 2.14, I wrote a simple how-to. I hope it could help someone. :)
>
> Thanks for the how-to. Sorry if this is such a basic question, but what are the advantages of using freeradius for this purpose (PEAP/MSCHAP) compared to using Microsoft's IAS/NPS?

Apart from flexibility, capabilities and logging (you can use FR for more than just PEAP and EAP-TLS, the server functionality is extensible with new features added very frequently, live debugging and tracing of packets, live low-level 'console' access)? I'd add in much, much better attribute handling/filtering, much more powerful and configurable proxying of both auth and accounting packets. Also add in better statistics, better RFC obeyance. The only other product in the same sort of ball-park is RADIATOR.

If, however, you have no need to have visibility, don't need to proxy, have a system where PEAP (or EAP-TLS) is the only method of authentication, have your users in AD (rather than in flat file, SQL, unix, OTP, etc) and you want to spend money too - then IAS.

alan
dictionary.rfc4818 not included by default
Hello,

I wonder if there's any particular reason why dictionary.rfc4818 isn't included in the default dictionary? I just stumbled across this while trying to use FreeRADIUS to provide a DHCPv6 server with the prefix to be delegated.

The same seems to be the case for rfc4849 and rfc5090:

bj...@canardo:/usr/local/src/git/freeradius$ grep rfc share/dictionary
$INCLUDE dictionary.rfc2865
$INCLUDE dictionary.rfc2866
$INCLUDE dictionary.rfc2867
$INCLUDE dictionary.rfc2868
$INCLUDE dictionary.rfc2869
$INCLUDE dictionary.rfc3162
$INCLUDE dictionary.rfc3576
$INCLUDE dictionary.rfc3580
$INCLUDE dictionary.rfc4072
$INCLUDE dictionary.rfc4372
$INCLUDE dictionary.rfc4675
$INCLUDE dictionary.rfc4679
$INCLUDE dictionary.rfc5176

bj...@canardo:/usr/local/src/git/freeradius$ ls -l share/dictionary.rfc*
-rw-r--r-- 2 bjorn src 4109 2008-09-05 15:55 share/dictionary.rfc2865
-rw-r--r-- 2 bjorn src 1891 2008-09-05 15:55 share/dictionary.rfc2866
-rw-r--r-- 2 bjorn src  461 2008-09-05 15:55 share/dictionary.rfc2867
-rw-r--r-- 2 bjorn src 1607 2008-09-05 15:55 share/dictionary.rfc2868
-rw-r--r-- 2 bjorn src 1117 2008-09-05 15:55 share/dictionary.rfc2869
-rw-r--r-- 2 bjorn src  358 2008-09-05 15:55 share/dictionary.rfc3162
-rw-r--r-- 2 bjorn src  928 2008-09-05 15:55 share/dictionary.rfc3576
-rw-r--r-- 2 bjorn src  408 2008-09-05 15:55 share/dictionary.rfc3580
-rw-r--r-- 2 bjorn src  145 2008-09-05 15:55 share/dictionary.rfc4072
-rw-r--r-- 2 bjorn src  154 2008-09-05 15:55 share/dictionary.rfc4372
-rw-r--r-- 2 bjorn src  672 2008-09-05 15:55 share/dictionary.rfc4675
-rw-r--r-- 2 bjorn src 1922 2008-09-05 15:55 share/dictionary.rfc4679
-rw-r--r-- 2 bjorn src  319 2008-09-05 15:55 share/dictionary.rfc4818
-rw-r--r-- 2 bjorn src  150 2008-09-05 15:55 share/dictionary.rfc4849
-rw-r--r-- 2 bjorn src  886 2008-09-05 15:55 share/dictionary.rfc5090
-rw-r--r-- 2 bjorn src  220 2008-09-05 15:55 share/dictionary.rfc5176

Bjørn
Re: dictionary.rfc4818 not included by default
Bjørn Mork wrote:
> Hello,
>
> I wonder if there's any particular reason why dictionary.rfc4818 isn't included in the default dictionary? I just stumbled across this while trying to use FreeRADIUS to provide a DHCPv6 server with the prefix to be delegated.

Just an oversight. I'll go fix it.

> The same seems to be the case for rfc4849 and rfc5090:

RFC 5090 won't be included until the server supports the new digest methods.

Alan DeKok.
Re: [How To] Freeradius 2.14 (PEAP -- MSCHAP)
Fajar A. Nugraha wrote:
> Sorry if this is such a basic question, but what are the advantages of using freeradius for this purpose (PEAP/MSCHAP) compared to using Microsoft's IAS/NPS?

Microsoft's IAS works well with Microsoft machines, and is well integrated with Active Directory. That's about the *only* reason to use it. It's intended to do one thing: get Microsoft machines on the net, by authenticating via AD. *Anything* else is not in its list of features.

If you want a RADIUS server with features, use FreeRADIUS. It is less tightly integrated with Active Directory (but Samba helps), and Microsoft occasionally breaks their clients so that they don't work with 3rd party RADIUS servers.

If you compare performance, features, database integration, ease of management, debugging, etc. FreeRADIUS is better in every possible way.

Alan DeKok.
AD Integration Doc
I was also bitten by the bug where ntlm_auth returns a bad NT_KEY. It took me a few hours of searching the mailing lists before I stumbled across this thread:

http://marc.info/?l=freeradius-usersm=123455952011812w=2

If there were a warning or mention of the issue on the how-to page, it would help users who are just starting to integrate their radius server with AD.

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I would have edited the page myself, but it doesn't look like it's a public wiki.

Thanks to the radius guys for a great piece of software.

--
Robert G Colantuoni
CIT - Operational Support Services
University at Buffalo
r...@buffalo.edu
716.645.3552
Suse rpm in 2.1.4
autoreconf on suse does not seem to work and I commented it out in the specfile.
otp.conf does not seem to exist any longer, /usr/sbin/raddebug must be applied.
With these little modifications of the suse specfile 2.1.4 builds on suse 10.3.
bugs.freeradius.org still seems to be unavailable, therefore I post the patch here.

# diff -Nru freeradius.spec-org freeradius.spec --- freeradius.spec-org2009-03-11 13:29:53.0 +0100 +++ freeradius.spec2009-03-11 13:30:02.0 +0100 @@ -179,7 +179,7 @@ %build export CFLAGS=$RPM_OPT_FLAGS -fno-strict-aliasing -DLDAP_DEPRECATED -fPIC -DPIC #export CFLAGS=$CFLAGS -std=c99 -pedantic -autoreconf +#autoreconf %configure \ --libdir=%{_libdir}/freeradius \ @@ -332,7 +332,7 @@ %attr(640,-,radiusd) %config(noreplace) /etc/raddb/sql/oracle/msqlippool.txt %attr(640,-,radiusd) %config(noreplace) /etc/raddb/users %attr(640,-,radiusd) %config(noreplace) /etc/raddb/experimental.conf -%attr(640,-,radiusd) %config(noreplace) /etc/raddb/otp.conf +#%attr(640,-,radiusd) %config(noreplace) /etc/raddb/otp.conf %dir %attr(750,-,radiusd) /etc/raddb/certs /etc/raddb/certs/Makefile /etc/raddb/certs/README @@ -355,6 +355,7 @@ /usr/sbin/radrelay /usr/sbin/radwatch /usr/sbin/radmin +/usr/sbin/raddebug # man-pages %doc %{_mandir}/man1/* %doc %{_mandir}/man5/*

Norbert Wegener
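Review bot: the first hunk (`@@ -179,7 +179,7 @@`) leaves a dangling `#autoreconf` line with no record of why the shipped configure script is now used as-is on SUSE; either delete the line or replace it with a one-line comment stating the reason, so the next maintainer does not simply re-enable it.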
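Review bot: in the second hunk (`@@ -332,7 +332,7 @@`) the `%attr(640,-,radiusd) %config(noreplace) /etc/raddb/otp.conf` entry is only commented out, not replaced; since the OTP configuration has moved under raddb/modules/ (Alan's reply in this thread names raddb/modules/otp), the `%files` list should carry the new path with the same `%attr(640,-,radiusd) %config(noreplace)` flags unless the modules directory is already packaged by a wildcard, otherwise the file ships unowned or not at all, and the dead commented line should be dropped rather than kept.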
RE: Config. Help please - ldap and Active Directory
> Update a server-side attribute when you use the module:
>
> update control {
>     Tmp-String-0 = ldap-student
> }
>
> then in post-auth:
>
> if (control:Tm-String-0 == ldap-student) {
>     ...
> }

I'm really grateful for all your help but it still doesn't work and after hours of experimenting, here's where I am:

I add

    if (control:Tmp-String-0 == ldap-student) {
        update reply {
            Reply-Message := User is student
        }
    }

To the end of the post-auth section and radiusd -X reports:

++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == ldap-student) (Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 53 to 10.127.240.217 port 1645

Fair enough - The user is authenticated but Tmp-String-0 hasn't been assigned a string.

I add

    update control {
        Tmp-String-0 = ldap-student
    }

To the beginning of the post-auth section and radiusd -X reports:

++[eap] returns ok
+- entering group post-auth {...}
++[control] returns noop
++[exec] returns noop
++? if (control:Tmp-String-0 == ldap-student)
? Evaluating (control:Tmp-String-0 == ldap-student) - TRUE
++? if (control:Tmp-String-0 == ldap-student) - TRUE
++- entering if (control:Tmp-String-0 == ldap-student) {...}
+++[reply] returns noop
++- if (control:Tmp-String-0 == ldap-student) returns noop
Sending Access-Accept of id 101 to 10.127.240.217 port 1645

OK so far, so I move

    update control {
        Tmp-String-0 = ldap-student
    }

To the authorise section thus:

    ldap_staff
    if (ok) {
        update reply {
            Reply-Message = ldap-staff
        }
    }
    else {
        ldap_student
        if (ok) {
            update control {
                Tmp-String-0 = ldap-student
            }
        }
        else {
            reject
        }
    }

And I get:

++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == ldap-student) (Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 129 to 10.127.240.217 port 1645

Towards the beginning of the debug output is:

rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) - TRUE
+++? if (ok) - TRUE
+++- entering if (ok) {...}
[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding if was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop

Does "[control] returns ok" mean the string was successfully assigned? If so, how do I find where it gets lost? A search for ldap-s through the file only produces two matches, one where the string is assigned and the other where it is tested. Similarly a search for Tmp-Str only finds two matches. History | grep vi shows I haven't accidentally edited another file.

Leighton
Re: ldap stuff (v 2.1.1)
Thanks that helped. Also thanks to whomever separated the error message "rlm_ldap: object not found" and "rlm_ldap: got ambiguous search result"...

t...@kalik.net wrote:
>> I've read that, I just can't seem to make it work, I'm missing something, but can't figure it out.
>>
>> instantiate {
>>     ldap NIE {
>>         server = ldap
>>         basedn = dc=lanl,dc=gov
>>         filter = ((departmentNumber=NIE-2)(uid=%{User-Name}))
>>         ...
>>     }
>
> Well, just list NIE in instantiate. Define ldap NIE instance in raddb/modules/ldap.
>
> Ivan Kalik
> Kalik Informatika ISP
RE: Config. Help please - ldap and Active Directory
And I get: ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop ++? if (control:Tmp-String-0 == ldap-student) (Attribute control:Tmp-String-0 was not found) Sending Access-Accept of id 129 to 10.127.240.217 port 1645 Towards the beginning of the debug output is: rlm_ldap: Bind was successful rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) [ldap_student] looking for check items in directory... [ldap_student] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldap_student] user cmsxleig authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_student] returns ok +++? if (ok) ? Evaluating (ok) - TRUE +++? if (ok) - TRUE +++- entering if (ok) {...} [control] returns ok +++- if (ok) returns ok +++ ... skipping else for request 0: Preceding if was taken ++- else else returns ok ++[expiration] returns noop ++[logintime] returns noop Can you post the whole debug, not just snipetts. Are these from the same or from different requests in the exchange? Perhaps you need use_tunneled_reply rather than this. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Version 2.1.4 is schizophrenic (Was: Version 2.1.4 has been released)
I saw that there is a new tar file for the new release so I downloaded it and tried to build it, alas it won't build because the new tar file is schizophrenic with multiple identities.

The tar file is named 2.1.4. The tar root directory is named 2.1.4. But the file freeradius-server-2.1.4/VERSION declares 2.1.5.

This mismatch between the name of the archive and the VERSION file causes build failures (aside from thwarting the expectations of RPM based build and its spec file it seems to confuse libtool when it names libraries resulting in missing libraries).

I noticed there was no freeradius-server-2.1.5.tar.bz2 file in the download area. It looks like what was to have been the contents of 2.1.5 got rolled up as a 2.1.4 distribution.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
RE: Config. Help please - ldap and Active Directory
> Can you post the whole debug, not just snippets. Are these from the same or from different requests in the exchange? Perhaps you need use_tunneled_reply rather than this.

Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to post the bits relevant to what I'm trying (rather unsuccessfully :-) ) to understand.

Leighton

rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, length=148
        User-Name = cmsxleig
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-1B-54-DB-BB-01
        Calling-Station-Id = 00-1B-63-B0-C9-E9
        EAP-Message = 0x0203000d01636d73786c656967
        Message-Authenticator = 0xbc90b1b0b5ceba80a6767ff94c59ed43
        NAS-Port-Type = Ethernet
        NAS-Port = 50001
        NAS-Port-Id = FastEthernet0/1
        NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = cmsxleig, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = cmsxleig
[suffix] Adding Realm = NULL
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap_staff] performing user authorization for cmsxleig
[ldap_staff] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) - (sAMAccountName=cmsxleig)
[ldap_staff] expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk - ou=staff, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
rlm_ldap: object not found or got ambiguous search result
[ldap_staff] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_staff] returns notfound
++? if (ok)
? Evaluating (ok) - FALSE
++? if (ok) - FALSE
++- entering else else {...}
[ldap_student] performing user authorization for cmsxleig
[ldap_student] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) - (sAMAccountName=cmsxleig)
[ldap_student] expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk - ou=students, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) - TRUE
+++? if (ok) - TRUE
+++- entering if (ok) {...}
[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding if was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 36 to 10.127.240.217 port 1645
        EAP-Message = 0x010400160410d7424da981434c0db858d196aa1331b4
        Message-Authenticator = 0x
        State = 0x5de163455de567c927acd591e49a319b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, length=159
        User-Name = cmsxleig
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-1B-54-DB-BB-01
        Calling-Station-Id = 00-1B-63-B0-C9-E9
        EAP-Message = 0x020400060319
        Message-Authenticator = 0x4dbcf0832938a2550152bfdcb815ec8c
        NAS-Port-Type = Ethernet
        NAS-Port = 50001
        NAS-Port-Id = FastEthernet0/1
        State = 0x5de163455de567c927acd591e49a319b
        NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap]
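Ivan's question above, whether the update and the check run in the same request of the exchange, can be answered mechanically from a radiusd -X transcript. The script below is an added example, not code from the thread: it splits the debug output at each rad_recv line, records per request where an update control block ran and where a control: attribute was tested, and runs over a constructed sample shaped like the transcript quoted in this thread (an EAP conversation is several Access-Requests, and the control list is built afresh for each one).

```python
#!/usr/bin/env python3
"""Split a `radiusd -X` transcript into RADIUS requests and show, per request,
where an `update control { ... }` ran and where a `control:` attribute was
checked.  Added example, not from the thread; the sample transcript below is
constructed to mirror the shape of the debug output quoted in the thread."""
import re

# One rad_recv line begins each request; an EAP conversation spans several.
RE_RECV = re.compile(r"^rad_recv: (?P<code>\S+) packet from host \S+ port \d+, id=(?P<id>\d+)")
RE_SECTION = re.compile(r"^\++- entering group (?P<name>\S+) ")
RE_MODRET = re.compile(r"^\+*\[(?P<mod>[^\]]+)\] returns (?P<rc>\S+)")
RE_IF = re.compile(r"^\++\? if \((?P<cond>.*?)\)\s*(?P<rest>.*)$")  # no nested parens
RE_RESULT = re.compile(r"-+>?\s*(?P<res>TRUE|FALSE)\s*$")            # "-> TRUE" or "- TRUE"
RE_MISSING = re.compile(r"\(Attribute (?P<attr>\S+) was not found\)")
RE_SEND = re.compile(r"^Sending (?P<code>\S+) of id (?P<id>\d+)")


def parse_debug(text):
    """Return one dict per request: id, packet type, control updates,
    condition evaluations (with any 'attribute not found' notes) and reply."""
    requests, cur, section, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_RECV.match(line)
        if m:
            cur = {"id": int(m["id"]), "packet": m["code"], "control_updates": [],
                   "checks": [], "reply": None}
            requests.append(cur)
            section, pending = None, None
            continue
        if cur is None:
            continue
        m = RE_SECTION.match(line)
        if m:
            section = m["name"]
            continue
        m = RE_MODRET.match(line)
        if m:
            if m["mod"] == "control":          # an `update control {}` block ran
                cur["control_updates"].append((section, m["rc"]))
            continue
        m = RE_IF.match(line)
        if m:
            cond, rest = m["cond"], m["rest"]
            r = RE_RESULT.search(rest)
            if r:                              # closing "++? if (...) -> TRUE/FALSE" line
                missing = pending["missing"] if pending and pending["cond"] == cond else []
                cur["checks"].append({"section": section, "cond": cond,
                                      "result": r["res"], "missing": missing})
                pending = None
            else:                              # opening "++? if (...)" line
                pending = {"cond": cond, "missing": []}
                mm = RE_MISSING.search(rest)   # some builds print the note inline
                if mm:
                    pending["missing"].append(mm["attr"])
            continue
        mm = RE_MISSING.search(line)           # note printed on its own line
        if mm and pending is not None:
            pending["missing"].append(mm["attr"])
            continue
        m = RE_SEND.match(line)
        if m:
            cur["reply"] = m["code"]
    return requests


def control_checks_without_update(requests):
    """For every `control:` check, report whether an `update control` ran in
    the same request.  The control list is built per request, so an update
    in one Access-Request is not visible to a check in the next one."""
    out = []
    for req in requests:
        updated = bool(req["control_updates"])
        for chk in req["checks"]:
            if chk["cond"].startswith("control:"):
                out.append((req["id"], chk["section"], chk["cond"], updated))
    return out


# Constructed sample: the update runs in authorize of the first packet, the
# post-auth check runs in a later packet of the same EAP conversation.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, length=148
        User-Name = "cmsxleig"
+- entering group authorize {...}
++[ldap_staff] returns notfound
++? if (ok)
++? if (ok) -> FALSE
++- entering else else {...}
+++[ldap_student] returns ok
+++? if (ok)
+++? if (ok) -> TRUE
++++[control] returns ok
+- entering group authenticate {...}
++[eap] returns handled
Sending Access-Challenge of id 36 to 10.127.240.217 port 1645
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=129, length=159
        State = 0x5de163455de567c927acd591e49a319b
+- entering group authorize {...}
++[eap] returns updated
+- entering group post-auth {...}
++? if (control:Tmp-String-0 == "ldap-student")
        (Attribute control:Tmp-String-0 was not found)
++? if (control:Tmp-String-0 == "ldap-student") -> FALSE
Sending Access-Accept of id 129 to 10.127.240.217 port 1645
"""

if __name__ == "__main__":
    for req_id, sect, cond, same in control_checks_without_update(parse_debug(SAMPLE)):
        print(f"id={req_id} {sect}: if ({cond}) -> update control in same request: {same}")
```

Feed it the real transcript with `parse_debug(open("radiusd-X.log").read())`; a `False` in the last column marks a check that ran in a request other than the one where the update happened.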
RE: Log says duplicate requests, CPU maxing out
> OK.. did you modify ANY code to get it to build on the embedded system?

No. We had to change our build scripts a bit but haven't touched any of the freeRADIUS code.

> As I said, one of the modules is likely blocking the server. Can you list the modules you're using?

Here is the output from 'radiusd -X' before any of the clients try to connect:

(The log made it obvious that the $INCLUDE ${confdir}/modules/ directive in radiusd.conf is pulling in a bunch of modules that we don't need. I guess we need the 'mschap' and the 'inner-eap' module but nothing else. Are there other files in the '${confdir}/modules' that we need to include?)

FreeRADIUS Version 2.1.3, for host arm-unknown-linux-gnu, built on Mar 5 2009 at 05:10:53
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/etc/raddb/radiusd.conf
including configuration file /usr/etc/raddb/proxy.conf
including configuration file /usr/etc/raddb/clients.conf
including files in directory /usr/etc/raddb/modules/
including configuration file /usr/etc/raddb/modules/passwd
including configuration file /usr/etc/raddb/modules/expiration
including configuration file /usr/etc/raddb/modules/checkval
including configuration file /usr/etc/raddb/modules/acct_unique
including configuration file /usr/etc/raddb/modules/mac2vlan
including configuration file /usr/etc/raddb/modules/echo
including configuration file /usr/etc/raddb/modules/etc_group
including configuration file /usr/etc/raddb/modules/perl
including configuration file /usr/etc/raddb/modules/expr
including configuration file /usr/etc/raddb/modules/krb5
including configuration file /usr/etc/raddb/modules/smbpasswd
including configuration file /usr/etc/raddb/modules/exec
including configuration file /usr/etc/raddb/modules/mschap
including configuration file /usr/etc/raddb/modules/unix
including configuration file /usr/etc/raddb/modules/linelog
including configuration file /usr/etc/raddb/modules/pam
including configuration file /usr/etc/raddb/modules/detail.example.com
including configuration file /usr/etc/raddb/modules/policy
including configuration file /usr/etc/raddb/modules/sql_log
including configuration file /usr/etc/raddb/modules/always
including configuration file /usr/etc/raddb/modules/logintime
including configuration file /usr/etc/raddb/modules/chap
including configuration file /usr/etc/raddb/modules/preprocess
including configuration file /usr/etc/raddb/modules/attr_rewrite
including configuration file /usr/etc/raddb/modules/inner-eap
including configuration file /usr/etc/raddb/modules/wimax
including configuration file /usr/etc/raddb/modules/mac2ip
including configuration file /usr/etc/raddb/modules/radutmp
including configuration file /usr/etc/raddb/modules/detail
including configuration file /usr/etc/raddb/modules/ldap
including configuration file /usr/etc/raddb/modules/detail.log
including configuration file /usr/etc/raddb/modules/attr_filter
including configuration file /usr/etc/raddb/modules/pap
including configuration file /usr/etc/raddb/modules/ippool
including configuration file /usr/etc/raddb/modules/realm
including configuration file /usr/etc/raddb/modules/digest
including configuration file /usr/etc/raddb/modules/counter
including configuration file /usr/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/etc/raddb/modules/files
including configuration file /usr/etc/raddb/modules/sradutmp
including configuration file /usr/etc/raddb/eap.conf
including configuration file /usr/etc/raddb/sql.conf
including configuration file /usr/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/etc/raddb/policy.conf
including files in directory /usr/etc/raddb/sites-enabled/
including configuration file /usr/etc/raddb/sites-enabled/default
including configuration file /usr/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/etc/raddb/dictionary
main {
        prefix = /usr
        localstatedir = /tmp
        logdir = /tmp
        libdir = /usr/lib
        radacctdir = /tmp/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /tmp/radiusd.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = testing123
        nastype = other
Re: Version 2.1.4 is schizophrenic (Was: Version 2.1.4 has been released)
John Dennis wrote:
> I saw that there is a new tar file for the new release so I downloaded it and tried to build it, alas it won't build because the new tar file is schizophrenic with multiple identities.

I was trying to fix things...

> The tar file is named 2.1.4. The tar root directory is named 2.1.4. But the file freeradius-server-2.1.4/VERSION declares 2.1.5.

I'll fix that and re-spin it later today as 2.1.4. Next time, we can try it without the back and forth.

Alan DeKok.
Re: Log says duplicate requests, CPU maxing out
Chhaya, Harshal wrote:
> No. We had to change our build scripts a bit but haven't touched any of the freeRADIUS code.

Ok... can you say what platform you are running it on?

>> As I said, one of the modules is likely blocking the server. Can you list the modules you're using?
>
> Here is the output from 'radiusd -X' before any of the clients try to connect:
>
> (The log made it obvious that the $INCLUDE ${confdir}/modules/ directive in radiusd.conf is pulling in a bunch of modules that we don't need. I guess we need the 'mschap' and the 'inner-eap' module but nothing else. Are there other files in the '${confdir}/modules' that we need to include?)

No. I'd suspect radutmp and/or radwtmp. Why are you using those? Do you need them?

Alan DeKok.
Re: Suse rpm in 2.1.4
Norbert Wegener wrote:
> autoreconf on suse does not seem to work and I commented it out in the specfile.

I have no idea why it doesn't work. In any case, the configure scripts that are shipped with the server *work*. Why use autoreconf?

> otp.conf does not seem to exist any longer,

It's been moved to raddb/modules/otp

> /usr/sbin/raddebug must be applied.

Yes.

> With these little modifications of the suse specfile 2.1.4 builds on suse 10.3.

I'll commit the fixes later today.

> bugs.freeradius.org still seems to be unavailable, therefore I post the patch here.

Ok. We're looking at getting another bug tracking system set up. It appears that bugs.freeradius.org is down permanently, likely with all of the bugs lost.

Alan DeKok.
Re: Suse rpm in 2.1.4
If it's a help I've attached a unified diff for our spec file showing the changes I had to make going from 2.1.3 to 2.1.4

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Attachment: tmp.spec.patch
Error in Authentication
Hello All,

I am using freeradius 2.1.1 on Suse 10 SP1. I am trying to integrate Freeradius with edirectory, but somehow, I am not able to achieve the desired result, the client just sits while trying to authenticate, I can see the Radius server reading the username and password, but still it's not authenticating it. Kindly Help.

I am attaching the debug from radius server here:

rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=98, length=142
        NAS-Port-Id = AP1/1
        Calling-Station-Id = 00-1F-3B-70-5B-7F
        Called-Station-Id = 00-18-6E-30-70-C0:NYCC_TEST
        Service-Type = Framed-User
        EAP-Message = 0x0201000a016a6b617572
        User-Name = jkaur
        NAS-Port = 22283
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = 3Com
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0xe4060b16fe2c51beb980f9935f65bfc7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = jkaur, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for jkaur
[ldap] expand: (uid=%u) - (uid=jkaur)
[ldap] expand: ou=it,ou=cse,ou=no,o=nycc - ou=it,ou=cse,ou=no,o=nycc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to FS-NWMASTER.NYCC.INTERNAL:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as cn=radadmin,o=nycc/f9s4b991 to FS-NWMASTER.NYCC.INTERNAL:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=it,ou=cse,ou=no,o=nycc, with filter (uid=jkaur)
[ldap] checking if remote access for jkaur is allowed by dialupAccess
[ldap] Added the eDirectory password rimpysaini in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user jkaur authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 98 to 130.1.254.174 port 20002
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x80cadc2980c8c54cf63317ea2469d24f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20002, id=99, length=142
        NAS-Port-Id = AP1/1
        Calling-Station-Id = 00-1F-3B-70-5B-7F
        Called-Station-Id = 00-18-6E-30-70-C0:NYCC_TEST
        Service-Type = Framed-User
        EAP-Message = 0x0202000a016a6b617572
        User-Name = jkaur
        NAS-Port = 22283
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = 3Com
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0x76041cb28fa2b04c02d0efce299c7d5c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = jkaur, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for jkaur
[ldap] expand: (uid=%u) - (uid=jkaur)
[ldap] expand: ou=it,ou=cse,ou=no,o=nycc - ou=it,ou=cse,ou=no,o=nycc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=it,ou=cse,ou=no,o=nycc, with filter (uid=jkaur)
[ldap] checking if remote access for jkaur is allowed by dialupAccess
[ldap] Added the eDirectory password rimpysaini07 in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user jkaur authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending
Re: Freeradius 2.1-1: failure modes
No luck. For some reason unlang does not catch the SQL fail return code. Only if there is no failure do I see it evaluating the return code; it prints in debug mode:

++? if (fail) ? Evaluating (fail) -> FALSE

But when SQL really fails it does not evaluate this condition and nothing is printed in debug mode. I even tried without any if statements, just to see how to force it not to respond, but the server always returns Access-Reject. Tried to replace the number 256 with the Do-Not-Respond string and still no luck:

update control {
    Response-Packet-Type = Do-Not-Respond
}

What could be the issue? Thanks again.

aland wrote:
> leopold wrote:
>> For my situation, since radiusd keeps everything in the DB, if ALL databases cannot be contacted the radiusd should not respond at all. Is there any way to force radiusd to drop the request and not to respond with Access-Reject?
>
> Try something like this:
>
> authorize {
>     ...
>     redundant {
>         sql1
>         sql2
>     }
>     if (fail) {
>         update control {
>             Response-Packet-Type = 256
>         }
>         reject
>     }
>     ...
> }
>
> That should tell the server don't respond.
>
> Alan DeKok.
Re: Freeradius 2.1-1: failure modes
leopold wrote:
> No luck. For some reason unlang does not catch the SQL fail return code.

OK...

> Only if there is no failure do I see it evaluating the return code; it prints in debug mode:
> ++? if (fail) ? Evaluating (fail) -> FALSE

And you deleted the lines JUST ABOVE THAT which gave you the value of the return code. Why?

> But when SQL really fails it does not evaluate this condition and nothing is printed in debug mode.

No. The two-line output you included above shows that it *IS* evaluating the condition, but that for some reason it doesn't match.

Alan DeKok.
Re: Error in Authentication
Jaswinder Kaur wrote:
> I am using freeradius 2.1.1 on Suse 10 SP1. I am trying to integrate Freeradius with eDirectory, but somehow I am not able to achieve the desired result: the client just sits while trying to authenticate. I can see the Radius server reading the username and password, but still it's not authenticating it. Kindly help. I am attaching the debug from the radius server here:

This is explained in the FAQ, and in the comments in eap.conf. Please read the existing documentation.

Alan DeKok.
How to allow nas'es to serve only groups of clients?
Hi. I have two types of NASes: 1) hotspots, 2) VPN servers. I need the VPN NASes to authorize only VPN users and the hotspot NASes to authorize only hotspot users. How can I divide users into several groups and reject VPN accounts logging in through a hotspot and vice versa? I think I must use huntgroups and unlang, but I don't clearly understand how.

--
ISP CrIS, Softwarium
Re: Freeradius 2.1-1: failure modes
radius.conf -

redundant redundant_sql {
    # sql1
    sql2
    fail    - I tried to comment this line but it does not help
}

sites-enabled/default -

authorize {
    ...
    redundant_sql
    if (fail) {
        update control {
            # Do-Not-Respond
            Response-Packet-Type = 256
        }
        reject
    }
    elsif (notfound) {
        reject
    }
}

1) Success scenario debug output

rlm_sql (sql2): Released sql socket id: 8
+++[sql2] returns ok
++- group redundant_sql returns ok
++? if (fail) ? Evaluating (fail) -> FALSE
++? if (fail) -> FALSE
++? elsif (notfound) ? Evaluating (notfound) -> FALSE
++? elsif (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop

2) When I force the DB down scenario

rlm_sql_unixodbc: Connection failed
rlm_sql (sql2): Failed to connect DB handle #5
rlm_sql (sql2): reconnect failed, database down?
rlm_sql_getvpdata: database query error
[sql2] SQL query error; rejecting user
rlm_sql (sql2): Released sql socket id: 5
+++[sql2] returns fail
+++[fail] returns fail
++- group redundant_sql returns fail
Invalid user: [xyz] (from client port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> xyz
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds

You see here it does not evaluate the fail condition.

Alan DeKok-2 wrote:
> leopold wrote:
>> No luck. For some reason unlang does not catch the SQL fail return code.
>
> OK...
>
>> Only if there is no failure do I see it evaluating the return code; it prints in debug mode:
>> ++? if (fail) ? Evaluating (fail) -> FALSE
>
> And you deleted the lines JUST ABOVE THAT which gave you the value of the return code. Why?
>
>> But when SQL really fails it does not evaluate this condition and nothing is printed in debug mode.
>
> No. The two-line output you included above shows that it *IS* evaluating the condition, but that for some reason it doesn't match.
>
> Alan DeKok.
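An added example, not leopold's or Alan's configuration, of one way to arrange the policy so that the silencing step is actually reached: in leopold's debug the redundant group returns fail and the authorize section ends there, before the if (fail) is evaluated, so here the fallback is made the last entry of the redundant block itself, which runs only after every database has returned fail. It assumes sql1 and sql2 are the rlm_sql instances from radiusd.conf and that the default raddb/modules/always instances (reject) are loaded.

```unlang
# sites-enabled/default, authorize section (added example, not from the thread)
authorize {
    ...
    # Inside a redundant block a child that returns "fail" hands over to the
    # next entry; any other return code ends the block.  The last entry is
    # therefore reached only when every database was unreachable.
    redundant {
        sql1
        sql2

        # All databases down: ask the server to send nothing at all
        # (Do-Not-Respond is the dictionary name for value 256), then stop.
        group {
            update control {
                Response-Packet-Type = Do-Not-Respond
            }
            reject
        }
    }

    # The databases answered but no such user exists: a normal Access-Reject.
    if (notfound) {
        reject
    }
    ...
}
```

With this arrangement a user lookup that succeeds or returns notfound never touches the fallback, so only a total database outage produces silence.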
RE: Log says duplicate requests, CPU maxing out
> Ok... can you say what platform you are running it on?

It's an ARM running Montevista Linux.

> I'd suspect radutmp and/or radwtmp. Why are you using those? Do you need them?

Nope. They were around because we didn't know enough to scrub the config files to remove unused modules. We have now removed references to these as well as all sql-related configs from radiusd.conf. We also moved out 'pam', 'sql-counter', 'detail.example.com', 'mac2vlan', 'krb5', 'sradutmp', 'wimax', 'perl' and 'ldap' from the 'modules' directory. And modified 'sites-available/inner-tunnel' and 'sites-available/default' to remove references to radutmp.

The server seems faster but we still see some 'discarding duplicate request from client' messages in radius.log. The debug output for one such client is below: (chap/mschap/suffix returns noop. I don't know what that means.)

Going to the next request
Waking up in 2.1 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1418, id=102, length=296
    Message-Authenticator = 0x6bf2d880bd907dd9b4e327b0ed7aff74
    Service-Type = Framed-User
    User-Name = 00093701b104
    Framed-MTU = 1488
    State = 0x86e621af86e7383ccbec5f2181722704
    Called-Station-Id = 001E2AECC893:TI-NAV-N-001E2AECC893
    Calling-Station-Id = 00093701B104
    NAS-Identifier = netgearecc892
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = 0x020100561980004c16030100470143030145994871a26e9f222a077054ef1e14a22356d029fe14610021edf5d98291fb941c0016000a0005000400640062006100600015000900140008000600030100
    NAS-IP-Address = 192.168.0.232
    NAS-Port = 14
    NAS-Port-Id = STA port # 14
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00093701b104, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 86
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 76
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0047], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 102 to 192.168.0.232 port 1418
    EAP-Message = 0x0102040019c00aad160301002a022603010aed4888c1cff2bdb0da7542f34c31902d463f1d17d047dfe83cdefd1600160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
Re: Log says duplicate requests, CPU maxing out
Hi,

> The debug output for one such client is below: (chap/mschap/suffix returns noop. I don't know what that means.)

'no operation' - they had nothing to do, didn't see anything to do or didn't need to do anything (in basic speak). If your system is configured for one or 2 types of known auth then you can remove these - if you are planning on doing anything with suffix (usually proxy) then you need suffix. If you are using chap or mschap then likewise.

What's the CPU speed? What's the benchmark on it for openssl operations?

alan
bugs.freeradius.org unavailable?
Is it just me, or has bugs.freeradius.org died? I've tried from two different local ISPs without any luck.

bj...@canardo:~$ telnet bugs.freeradius.org 80
Trying 64.24.234.95...
telnet: Unable to connect to remote host: Connection timed out
bj...@canardo:~$ traceroute bugs.freeradius.org
traceroute to bugs.freeradius.org (64.24.234.95), 30 hops max, 40 byte packets
 1  ti0036a380-l1.ti.telenor.net (88.88.0.180)  8.133 ms  10.113 ms  12.467 ms
 2  ti0001d320-ge0-1-4-10.ti.telenor.net (146.172.83.41)  15.125 ms  17.632 ms  20.250 ms
 3  ti0001c310-xe7-1-1.ti.telenor.net (146.172.98.145)  70.634 ms  71.198 ms  71.574 ms
 4  ti3004c310-ae5-0.ti.telenor.net (146.172.100.53)  65.706 ms  68.951 ms  71.912 ms
 5  ti3003c310-ae4-0.ti.telenor.net (146.172.100.46)  73.231 ms  75.950 ms  78.359 ms
 6  ti9002b300-ae0-0.ti.telenor.net (146.172.105.38)  80.615 ms  75.509 ms  76.336 ms
 7  xe-0-3-0.cr1.lhr1.uk.nlayer.net (195.66.224.37)  76.788 ms  76.429 ms  76.588 ms
 8  xe-2-2-0.cr1.nyc3.us.nlayer.net (69.22.142.9)  140.652 ms  104.673 ms  105.095 ms
 9  xe-2-1-0.cr2.ord1.us.nlayer.net (69.22.142.6)  125.930 ms  165.239 ms  165.139 ms
10  111.xe-3-3-0.cr2.ord1.us.scnet.net (216.246.88.146)  132.910 ms  134.031 ms  133.772 ms
11  v21.ar1.ord1.us.scnet.net (216.246.95.243)  135.433 ms  135.307 ms  135.239 ms
12  as6316.ge1-37.ar1.ord1.us.scnet.net (216.246.92.138)  136.447 ms  135.575 ms  135.738 ms
13  sch1-core1-s1-0.starnetusa.net (216.126.145.46)  137.034 ms  126.885 ms  127.757 ms
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  *^C
bj...@canardo:~$ telnet -b 84.215.114.143 bugs.freeradius.org 80
Trying 64.24.234.95...
telnet: Unable to connect to remote host: Connection timed out
bj...@canardo:~$ traceroute -s 84.215.114.143 bugs.freeradius.org
traceroute to bugs.freeradius.org (64.24.234.95), 30 hops max, 40 byte packets
 1  10.234.0.1 (10.234.0.1)  91.665 ms  91.640 ms  92.866 ms
 2  cm-84.208.4.126.getinternet.no (84.208.4.126)  92.968 ms  95.435 ms  95.529 ms
 3  cm-84.208.26.1.getinternet.no (84.208.26.1)  95.505 ms  95.551 ms  95.544 ms
 4  cm-84.208.26.6.getinternet.no (84.208.26.6)  92.866 ms  92.827 ms  95.060 ms
 5  64.213.76.97 (64.213.76.97)  99.490 ms  100.178 ms  100.262 ms
 6  xe-4-0-0.cr1.nyc2.us.nlayer.net (69.31.95.229)  202.685 ms  118.586 ms  118.625 ms
 7  xe-4-2-0.cr1.ord1.us.nlayer.net (69.22.142.85)  159.379 ms  150.007 ms  150.088 ms
 8  111.xe-3-3-0.cr1.ord1.us.scnet.net (216.246.88.162)  137.391 ms  138.172 ms  138.256 ms
 9  v21.ar1.ord1.us.scnet.net (216.246.95.243)  138.306 ms  138.322 ms  138.260 ms
10  as6316.ge1-37.ar1.ord1.us.scnet.net (216.246.92.138)  138.349 ms  142.180 ms  142.210 ms
11  sch1-core1-s1-0.starnetusa.net (216.126.145.46)  142.238 ms  142.226 ms  142.263 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  *^C

The reason for wanting to access bugs.freeradius.org is a small dictionary patch I have. I assume the correct procedure still is opening a bug and attaching the patch?

Bjørn
FreeRADIUS 2.1.4 on FreeBSD 7.0
Hello, I just would like to know if there are some hints for compiling FreeRADIUS 2.1.4 on FreeBSD 7.0. Should I compile it with GNU gmake? What tips can you share with me on this?

Thanks,
Aldo
RE: Log says duplicate requests, CPU maxing out
> Sending Access-Challenge of id 102 to 192.168.0.232 port 1418
>     EAP-Message = 0x0102040019c00aad160301002a022603010aed4888c1cff2bdb0da7542f34c31902d463f1d17d047dfe83cdefd1600160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
>     EAP-Message = 0xa73082038fa0030201020209
>     Message-Authenticator = 0x
>     State = 0x86e621af87e4383ccbec5f2181722704
> Finished request 10.
> Going to the next request
> Waking up in 0.7 seconds.
> rad_recv: Access-Request packet from host 192.168.0.232 port 1418, id=102, length=296
> Sending duplicate reply to client test-net port 1418 - ID: 102
> Sending Access-Challenge of id 102 to 192.168.0.232 port 1418
> Waking up in 0.7 seconds.
> rad_recv: Access-Request packet from host 192.168.0.232 port 1418, id=103, length=216

Ugh, your network is losing packets. That challenge didn't reach the NAS so it resent the request. There is nothing wrong with your radius server.

Ivan Kalik
Kalik Informatika ISP
Re: FreeRADIUS 2.1.4 on FreeBSD 7.0
Aldo Zavala wrote:
> Hello, I just would like to know if there are some hints for compiling FreeRADIUS 2.1.4 on FreeBSD 7.0. Should I compile it with GNU gmake? What tips can you share with me on this?
>
> Thanks,
> Aldo

Hello,

no special hint for compiling with FreeBSD, just use ./configure, gmake, gmake install.

Thomas
RE: Config. Help please - ldap and Active Directory
> Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to post the bits relevant to what I'm trying (rather unsuccessfully :-) ) to understand.
>
> rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, length=148
> ..
> [ldap_staff] search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap_staff] returns notfound
> ++? if (ok) ? Evaluating (ok) -> FALSE
> ++? if (ok) -> FALSE
> ++- entering else else {...}
> ..
> +++[ldap_student] returns ok
> +++? if (ok) ? Evaluating (ok) -> TRUE
> +++? if (ok) -> TRUE
> +++- entering if (ok) {...}

That is the unlang construction - in the default virtual server.

> [control] returns ok

I assume this is where you set the temp attribute.

> +++- if (ok) returns ok
> +++ ... skipping else for request 0: Preceding if was taken
> ++- else else returns ok

And then it goes on ...

> Sending Access-Challenge of id 36 to 10.127.240.217 port 1645
> ..
> rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, length=159

etc. And many requests later you ask about it:

> ++? if (control:Tmp-String-0 == ldap-student)
> (Attribute control:Tmp-String-0 was not found)

.. and it's not there. Of course it's not, since it wasn't set during processing of that Access-Request but much earlier in the exchange.

I would suggest that you move the unlang statements to the inner-tunnel virtual server. You can do update reply and set Reply-Message in authorize there (forget about the temp attribute and changing it in post-auth). Just enable use_tunneled_reply in the peap section of eap.conf and Reply-Message will be passed on from the inner tunnel into the final reply.

Ivan Kalik
Kalik Informatika ISP
Re: How to allow nas'es to serve only groups of clients?
> Hi. I have two types of NASes: 1) hotspots, 2) VPN servers. I need the VPN NASes to authorize only VPN users and the hotspot NASes to authorize only hotspot users. How can I divide users into several groups and reject VPN accounts logging in through a hotspot and vice versa? I think I must use huntgroups and unlang, but I don't clearly understand how.

That depends on where you keep your user details. If it's in sql you can have SQL-Groups, in Ldap you put them in Ldap-Groups etc.

Ivan Kalik
Kalik Informatika ISP
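An added example, not from the thread, of the huntgroups plus unlang approach the question mentions, with the user details kept in LDAP as in Ivan's Ldap-Group suggestion. The NAS addresses and the group names vpn-users and hotspot-users are made up for the example.

```unlang
# raddb/huntgroups, read by the preprocess module: name each NAS by its role.
# The addresses are constructed for this example.
vpn        NAS-IP-Address == 192.0.2.10
vpn        NAS-IP-Address == 192.0.2.11
hotspot    NAS-IP-Address == 198.51.100.20

# sites-enabled/default, authorize section.  Huntgroup-Name and Ldap-Group are
# not attributes carried in the packet: the preprocess and ldap modules evaluate
# them when the condition is checked.  An account reaching the wrong kind of
# NAS is rejected before any authentication method runs.
authorize {
    preprocess
    ...
    ldap
    if (Huntgroup-Name == "vpn" && Ldap-Group != "vpn-users") {
        update reply {
            Reply-Message = "VPN access is limited to VPN accounts"
        }
        reject
    }
    elsif (Huntgroup-Name == "hotspot" && Ldap-Group != "hotspot-users") {
        update reply {
            Reply-Message = "Hotspot access is limited to hotspot accounts"
        }
        reject
    }
    ...
}
```

A NAS that matches no huntgroup entry falls through both conditions, so every NAS in clients.conf should appear in the huntgroups file for the split to be complete.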
Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol
> You have two different versions of OpenSSL installed.

Thanks for that Alan. I've blown everything away and started from scratch and installed openssl 0.98j and used the following freeradius configuration:

./configure --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --sysconfdir=/etc \
    --localstatedir=/var \
    --libdir=/usr/lib \
    --includedir=/usr/include \
    --with-radacctdir=/var/log/freeradius/radacct \
    --with-raddbdir=/etc/freeradius \
    --with-openssl-includes=/usr/local/openssl/include \
    --with-openssl-libraries=/usr/local/openssl/lib

...but I'm getting the following configuration errors even though the libraries and includes (and header files mentioned) are in the right places. Can these errors be ignored? (a make file was successfully created)

checking openssl/des.h presence... no
configure: WARNING: openssl/des.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/des.h: proceeding with the compiler's result
checking for openssl/des.h... yes
checking openssl/hmac.h usability... yes
checking openssl/hmac.h presence... no
configure: WARNING: openssl/hmac.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/hmac.h: proceeding with the compiler's result
checking for openssl/hmac.h... yes
checking openssl/md4.h usability... yes
checking openssl/md4.h presence... no
configure: WARNING: openssl/md4.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/md4.h: proceeding with the compiler's result
checking for openssl/md4.h... yes
checking openssl/md5.h usability... yes
checking openssl/md5.h presence... no
configure: WARNING: openssl/md5.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/md5.h: proceeding with the compiler's result
checking for openssl/md5.h... yes
checking openssl/sha.h usability... yes
checking openssl/sha.h presence... no
configure: WARNING: openssl/sha.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/sha.h: proceeding with the compiler's result
checking for openssl/sha.h... yes
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires: openssl-libs.

cheers
Peter
Re: Re: No accounting Freeradius + EAP/PEAP/TLS
Hi Ivan,

I used wireshark and didn't see anything referring to accounting packets. The only thing I see is RADIUS Access-Request, Access-Challenge and Access-Accept.

Below is information from my Zinwell G220 Plus, but anyway, I receive an error as you see. Do you know what it means?

Jan 1 18:55:16 wlan0: A wireless client is associated - 00:16:CF:B3:81:4E
Jan 1 18:55:17 wlan0: WPA-TKIP RADIUS authentication in progress...
Jan 1 18:55:27 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
Jan 1 18:55:28 wlan0: Open and authenticated
Jan 1 18:56:47 wlan0: A wireless client is deauthenticated - 00:16:CF:B3:81:4E
Jan 1 18:56:59 wlan0: A wireless client is associated - 00:16:CF:B3:81:4E
Jan 1 18:56:59 wlan0: WPA-TKIP RADIUS authentication in progress...
Jan 1 18:57:09 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
Jan 1 18:57:10 wlan0: Open and authenticated

Here is my radius:

rad_recv: Access-Request packet from host 192.168.1.20:1024, id=114, length=229
    User-Name = leo
    NAS-IP-Address = 192.168.1.20
    NAS-Port = 0
    Called-Station-Id = 00059e887861
    Calling-Station-Id = 0016cfb3814e
    NAS-Identifier = ZPlus AP
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = 0x020700501900170301002087c1a68cee5e03e609b11b139ced4a1e1aac47b5519ace27d5598fa118de8177170301002019b9c21c89dac32bc991955f2eef609c8b1080b69fcb1adff8c5573546fc6cb7
    State = 0xfa58367a8e0b8dd7abe16b9498e1d636
    Message-Authenticator = 0x3f71351c1f04c73b0a85847aa94352b8

Thanks

>> So, I'm very new to Linux and also freeradius. If you permit, how can I see if the NAS sends the accounting packets? I'm using a ZINWELL G220 Plus and TP LInk WA501G.
>
> First run freeradius in debug mode (radiusd -X). If you don't see accounting packets use wireshark. If wireshark can't see them check if you have enabled accounting on your AP.
>
> Ivan Kalik
> Kalik Informatika ISP
accounting manipulation
I have a working freeradius2 setup, in which I proxy accounting tickets to many home_servers using detail file writing and detail listeners. For one of these home_servers (let's call it HS1) I want to rewrite the Acct-(In|Out)put-Octets and Acct-(In|Out)put-Gigawords with a value* taken from another home_server (let's call it HS2). I thought I could use the perl module to do the math in the pre-proxy section of my HS1 vhost, but I realised that the rewriting of attributes has to be done after and only after proxying accounting to HS2... The problem remains in the fact that proxying to HS2 and proxying to HS1 are two separate virtual hosts... how can I ensure proxying to HS1 (and so attribute rewriting) will be done only after proxying to HS2?

I am not a perl guru (either); is it possible to update attributes using rlm_perl? How? (the wiki didn't tell me much about it)

* Actually, the value should be the result of snmp or sql or else done on HS2... with a math operation done on it to get the new Acct-(In|Out)put-Octets and Acct-(In|Out)put-Gigawords values.

OMG, I'm not sure it's very clear!

Alexandre Chapellon
Re: Re: No accounting Freeradius + EAP/PEAP/TLS
> I used wireshark and didn't see anything referring to accounting packets. The only thing I see is RADIUS Access-Request, Access-Challenge and Access-Accept.

So read the Zinwell documentation about enabling accounting.

Ivan Kalik
Kalik Informatika ISP
Re: bugs.freeradius.org unavailable?
Bjørn Mork wrote:
> Is it just me, or has bugs.freeradius.org died? I've tried from two different local ISPs without any luck.

It's down. We're looking into installing a new system.

> The reason for wanting to access bugs.freeradius.org is a small dictionary patch I have. I assume the correct procedure still is opening a bug and attaching the patch?

Just send the patch to the mailing list.

Alan DeKok.