new to freeradius, securing LAN

2009-05-28 Thread ldap.lippogeneral.com

Hello All,

I am very new to FreeRadius. Some of our users already know our LAN IPs, so
they can manually configure an interface on their PC and completely bypass our
DHCP server. Can I solve this by using FreeRadius?

I thought this could be done by checking the MAC address: even if they use a
valid IP address, if their MAC address is not recognized by our server then
they must be denied, so they cannot go anywhere and cannot do anything in our
LAN.

I need advice.

many thanks in advance

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Acct-Session-Id special characters changed to hex

2009-05-28 Thread Sajeewa Warnakulasuriya

Thanks a lot. Apologies, I should have read the documentation more carefully.

Regards,



Sajeewa Warnakulasuriya

Systems Development Manager



ispONE is a wholesale ISP built to help internet access resellers and
independent ISPs to compete in the Australian marketplace through
ONE Brand, ONE Provider, ONE Solution.

Level 14
520 Collins Street
Melbourne 3000 VIC


Phone:  1300 663 400

Fax:  1300 665 400

E-Mail: sajee...@ispone.com.au

Web:http://www.ispone.com.au/

On Wed, 27 May 2009, Alan DeKok wrote:

> Sajeewa Warnakulasuriya wrote:
>> I'm having some issues with the acct-session-id, where special
>> characters for instance [] being converted to its hex equivalent.
>
>  See the "safe-characters" configuration in the SQL module.
>
>> For example below, the Acct-Session-Id = "301[]426932183" when inserted
>> into the accounting table it is inserted as 301=5B=5D426932183.
>
>  Hmm... not many NASes send "[]" in Acct-Session-Id, for precisely this
> reason.  What NAS is it?  Why is it sending those attributes?
>
>> I have noticed the same happens with the sql-group.
>>
>> Please advise how I could insert the data as received without conversion.
>
>  Read the SQL configuration.  This *is* documented.
>
>  Alan DeKok.


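The escaping Alan points at works as follows. The block below is an added example, not code from the list or from FreeRADIUS itself: it models rlm_sql's safe_characters handling in Python. The default safe-character list it uses is an assumption about the 2.x sql.conf default (check your own sql.conf); the values it escapes are the one from the thread plus a constructed one.

```python
# Assumption: this is the default safe_characters string in FreeRADIUS 2.x
# sql.conf; treat your own sql.conf as the authoritative list.
DEFAULT_SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /"
)

HEX_DIGITS = "0123456789abcdefABCDEF"


def sql_escape(value, safe=DEFAULT_SAFE_CHARACTERS):
    """Replace every character outside `safe` by =XX (one pair per UTF-8 byte).

    Quotes, backslash and semicolon are deliberately absent from the safe set,
    so a NAS-supplied Acct-Session-Id can never close the quoted literal in
    the INSERT rlm_sql builds. "[" and "]" are outside it too, which is why
    "301[]426932183" lands in the table as "301=5B=5D426932183".
    """
    out = []
    for ch in value:
        if ch in safe:
            out.append(ch)
        else:
            out.extend("=%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def sql_unescape(value):
    """Inverse of sql_escape, for code that reads the accounting tables back.

    "=" is itself outside the safe set, so a literal "=" is always stored as
    "=3D"; an "=" not followed by two hex digits is malformed and is kept
    verbatim rather than guessed at.
    """
    raw = bytearray()
    i = 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "=" and len(pair) == 2 and all(c in HEX_DIGITS for c in pair):
            raw.append(int(pair, 16))
            i += 3
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8", errors="replace")


def demo():
    """The value from the thread, plus a constructed one with SQL metacharacters."""
    return sql_escape("301[]426932183"), sql_escape("O'Brien; DROP TABLE radacct")
```

To store the value as received, the thread's answer is to add the extra characters to safe_characters in sql.conf. The second sample in demo() shows what the escaping is protecting: a single quote or semicolon arriving in a NAS-supplied attribute is turned into =27 and =3B instead of reaching the SQL parser, so widening the list to include quote or backslash characters removes that protection for every query rlm_sql builds from request attributes.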


Re: Access-request proxied, but accounting-request not proxied

2009-05-28 Thread Ivan Kalik
>   rlm_chap: Setting 'Auth-Type := CHAP'
...
> rad_recv: Accounting-Request packet from host 172.17.7.214:32786, id=7,
> length=735
> Received Accounting-Request packet from 172.17.7.214 with invalid
> signature!
> (Shared secret is incorrect.) Dropping packet without response.
> Finished request 3
>
>
> The shared key configured is one per node in both the radius and the PDSN;
> so it is difficult for me to understand this behavior. Is there any
> configuration missing?

No.

> Is it possible that the freeradius server is not checking shared key when
> sending the access-request message to it’s destination and checking the
> key
> while processing the accounting-request?

No. You are doing CHAP authentication, so there is nothing for a wrong shared
secret to mess up. It is wrong for authentication too. Send a PAP request
and see what happens.

Ivan Kalik
Kalik Informatika ISP

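Why a wrong shared secret shows up on the Accounting-Request but not on a CHAP Access-Request: the added example below (mine, not from the list or from FreeRADIUS) builds and verifies the RFC 2866 accounting Request Authenticator and implements the RFC 2865 User-Password hiding that PAP uses. The secrets and attribute values are constructed, modelled on the packet in the thread.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types used below (RFC 2865 / RFC 2866).
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40


def encode_attrs(attrs):
    """Serialise a list of (type, value-bytes) pairs as RADIUS TLVs."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_accounting_request(identifier, attrs, secret):
    """RFC 2866 s.3: Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + attributes + shared secret). The secret is an input to
    the hash, so the server can check that the NAS knows it."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """The check radiusd performs before processing an Accounting-Request.
    A False here is the 'invalid signature! (Shared secret is incorrect.)'
    line seen in radiusd -X; the packet is dropped without a response."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def pap_hide_password(password, request_authenticator, secret):
    """RFC 2865 s.5.2 User-Password hiding used by PAP: each 16-byte block is
    XORed with MD5(secret + previous block). The secret is part of the key
    stream, so a NAS with the wrong secret sends a password the server
    cannot recover, which is why a wrong secret breaks PAP but not CHAP."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def pap_reveal_password(hidden, request_authenticator, secret):
    """Server-side inverse of pap_hide_password."""
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def demo():
    """Constructed secrets and attributes modelled on the thread's packet."""
    nas_secret = b"testing123"     # constructed: what the PDSN is configured with
    server_secret = b"testing124"  # constructed: what clients.conf holds for it
    attrs = [
        (ATTR_USER_NAME, b"8177899857@test.com"),        # constructed from the realm log line
        (ATTR_NAS_IP_ADDRESS, bytes([172, 17, 7, 214])),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),   # Start
    ]
    packet = build_accounting_request(7, attrs, nas_secret)
    return {
        "matching_secret_accepted": verify_accounting_request(packet, nas_secret),
        "mismatched_secret_accepted": verify_accounting_request(packet, server_secret),
    }
```

With CHAP the Access-Request carries CHAP-Password and CHAP-Challenge, neither of which involves the shared secret, and its Request Authenticator is a random value the server does not verify, so a mismatched secret is invisible at that step. The Accounting-Request authenticator is keyed with the secret, so the mismatch surfaces there; on a PAP Access-Request it would surface as an undecryptable password, which is what Ivan's suggested PAP test would show. Setting require_message_authenticator = yes for the client in clients.conf makes Access-Requests verifiable in the same way, through the HMAC-MD5 Message-Authenticator attribute.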

Re: freeRADIUS first test with PostgreSQL?

2009-05-28 Thread A.L.M. Buxey
Hi,

> I need to add a couple of USER/PW into the PostgreSQL tables to test.
>
> How do I do that?

However you like.

> Is there a GUI to add UID/PW?

There's a basic GUI supplied as part of the freeradius source: dialup_admin.
There is also DaloRADIUS; the author of that tool is on this list.

> Are UID/PW added manually?

If you really want to. You can use psql directly on the command line.

We have a set of Perl CGI scripts which deal with creating
and removing accounts that have to be in the database rather
than in our usual authentication store. These use DBD::Pg etc.
to talk to Postgres and deal with the data.

> Where can I read about it? (Please do not just point to the manual. I have

Well, to be honest, this isn't a FreeRADIUS question; this is
now all PostgreSQL/SQL stuff. How you enter/remove data etc.
from the database is down to your chosen ways, policies etc.

...usually people start with the simpler/more common MySQL
as their first SQL steps, so it's quite refreshing to see someone
taking on PostgreSQL at this stage :-)

alan


Re: Access-request proxied, but accounting-request not proxied

2009-05-28 Thread A.L.M. Buxey
Hi,

> Waking up in 2 seconds...
> rad_recv: Accounting-Request packet from host 172.17.7.214:32786, id=7,
> length=735
> Received Accounting-Request packet from 172.17.7.214 with invalid signature! 
> (Shared secret is incorrect.) Dropping packet without response.
> Finished request 3

Examine the configuration on 172.17.7.214; freeRADIUS has no reason
to lie.

alan


Re: Reading material!

2009-05-28 Thread A.L.M. Buxey
Hi,
> 1. Is there any written description of all the tables, columns, etc.  
> What they are? What data goes in them? How & when they are created?
>
> 2. PostgreSQL/freeRADIUS: Where are the accounting tables? Where can I  
> read about them? How are they created?

In the source code tarball you'll find all the bits you need in

/raddb/sql/postgresql

e.g. schema.sql

Names/purpose etc. can be examined by reading the .sql files and
reading the configuration files to see what/why/how
(e.g. the sections of config dealing with SQL accounting).

alan


Access-request proxied, but accounting-request not proxied

2009-05-28 Thread Mr. K

Hi all, 

I am trying to use a FreeRadius server as a proxy server using the realm.
Apparently my configuration is working for the Access-Request messages, but
not for the Accounting-request messages.

The proxy.conf is very simple:

realm test.com {
    type     = radius
    authhost = NNN.NNN.NN5.7:1812
    accthost = NNN.NNN.NN5.7:1813
    secret   = **
    ldflag   = round_robin
    nostrip
}

With this configuration, the access request messages are sent to the proper
server, as you can see in the next radiusd -X output:

We receive the message from the PDSN:

Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.17.7.214:32786, id=6,
length=337
Calling-Station-Id = "310008172268681"
User-Name = "8177899...@test.com"
NAS-IP-Address = 172.17.7.214
NAS-Identifier = "bws"

The radius sent it to the proper server:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: 
'/usr/freeRadius/log/radius/radacct/172.17.7.214/auth-detail-20090528'
rlm_detail:
/usr/freeRadius/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/freeRadius/log/radius/radacct/172.17.7.214/auth-detail-20090528
  modcall[authorize]: module "auth_log" returns ok for request 2
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '/' in User-Name = "8177899...@test.com", looking up realm
NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "IPASS" returns noop for request 2
rlm_realm: Looking up realm "test.com" for User-Name
="8177899...@test.com"
rlm_realm: Found realm "test.com"
rlm_realm: Proxying request from user 8177899857 to realm test.com
rlm_realm: Adding Realm = "test.com"
rlm_realm: Preparing to proxy authentication request to realm "test.com" 
  modcall[authorize]: module "suffix" returns updated for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
radius_xlat:  '8177899...@test.com'
rlm_sql (sql): sql_set_user escaped user --> '8177899...@test.com'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = '8177899...@test.com'   ORDER BY
id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username =
'8177899...@test.com' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY usergroup.priority, radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = '8177899...@test.com'   ORDER BY
id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username =
'8177899...@test.com' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY usergroup.priority, radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 2
radius_xlat: 
'/usr/freeRadius/log/radius/radacct/172.17.7.214/pre-proxy-detail-20090528'
rlm_detail:
/usr/freeRadius/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
expands to
/usr/freeRadius/log/radius/radacct/172.17.7.214/pre-proxy-detail-20090528
  modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 2
modcall: leaving group pre-proxy (returns ok) for request 2
Sending Access-Request of id 1 to NNN.NNN.NN5.7 port 1812
Calling-Station-Id = "310008172268681"
User-Name = "8177899...@test.com"
NAS-IP-Address = 172.17.7.214


The problem arises when the same PDSN sends an Accounting-Request to the
server. The server replies that the shared key is not correct.

Waking up in 2 seconds...
rad_recv: Accounting-Request packet from host 172.17.7.214:32786, id=7,
length=735
Received Accounting-Request packet from 172.17.7.214 with invalid signature! 
(Shared secret is incorrect.) Dropping packet without response.
Finished request 3


The shared key configured is one per node in both the radius and the PDSN;
so it is difficult for me 

Reading material!

2009-05-28 Thread Just E. Mail
1. Is there any written description of all the tables, columns, etc. 
What they are? What data goes in them? How & when they are created?


2. PostgreSQL/freeRADIUS: Where are the accounting tables? Where can I 
read about them? How are they created?



Re: rc

2009-05-28 Thread Marinko Tarlac

Don't forget to enter the full path to radiusd, just like Ivan wrote.

You can check this with
# locate radiusd
or
# whereis radiusd


Ivan Kalik wrote:
>> Does freeradius come with an rc. startup file? I am using Slackware version
>> 12.1.
>
> No, but there is nothing to it. Just add radiusd (probably
> /usr/local/sbin/radiusd) to startup script (probably /etc/rc.d/rc.local).
> It should be after mysql or ldap if you are using them.
>
> Ivan Kalik
> Kalik Informatika ISP



Re: freeRADIUS first test with PostgreSQL?

2009-05-28 Thread Ivan Kalik
> I need to add a couple of USER/PW into the PostgreSQL tables to test.
>
> How do I do that?
> Is there a GUI to add UID/PW?
> Are UID/PW added manually?
> Where can read about it?

http://wiki.freeradius.org/SQL_HOWTO#Populating_SQL

You have dialup admin included with the server. daloRadius is a good
external GUI.

http://freeradius.org/dialupadmin.html

http://www.daloradius.com/

Ivan Kalik
Kalik Informatika ISP

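What "populating SQL" amounts to for the first test, as an added example that is not from the list, the wiki page or FreeRADIUS: a Python script that creates a radcheck table modelled on the PostgreSQL schema in an in-memory sqlite3 database (a stand-in so it runs without a PostgreSQL server), inserts the test user from the poster's radtest line, and runs the authorize check query that appears in the radiusd -X output quoted elsewhere in this digest. The column set is an assumption that mirrors schema.sql; against a real PostgreSQL instance the same INSERT is what psql or a GUI ends up issuing.

```python
import hmac
import sqlite3

# Assumption: columns mirror the radcheck table from raddb/sql/postgresql/schema.sql
# (id, UserName, Attribute, op, Value); types are simplified for the in-memory
# sqlite3 stand-in used here so the example runs without a PostgreSQL server.
RADCHECK_DDL = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    UserName  TEXT NOT NULL DEFAULT '',
    Attribute TEXT NOT NULL DEFAULT '',
    op        CHAR(2) NOT NULL DEFAULT '==',
    Value     TEXT NOT NULL DEFAULT ''
);
CREATE INDEX radcheck_UserName ON radcheck (UserName, Attribute);
"""

# Same shape as the authorize_check_query visible in the radiusd -X output
# quoted elsewhere in this digest; rlm_sql runs it for every Access-Request.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id, UserName, Attribute, Value, op FROM radcheck "
    "WHERE UserName = ? ORDER BY id"
)


def open_db():
    """Create the radcheck table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(RADCHECK_DDL)
    return db


def add_user(db, username, password):
    """Add the one check item rlm_pap needs: Cleartext-Password with op ':='.
    The parameterised INSERT is what keeps a name such as O'Brien from being
    parsed as SQL, the same job safe_characters does inside rlm_sql."""
    db.execute(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        (username, "Cleartext-Password", ":=", password),
    )
    db.commit()


def check_items(db, username):
    """Rows rlm_sql would turn into check items, as (Attribute, op, Value)."""
    rows = db.execute(AUTHORIZE_CHECK_QUERY, (username,)).fetchall()
    return [(attr, op, value) for (_id, _user, attr, value, op) in rows]


def pap_authorize(db, username, password):
    """Minimal model of rlm_pap matching a PAP password against Cleartext-Password."""
    for attr, op, value in check_items(db, username):
        if attr == "Cleartext-Password" and op == ":=":
            return hmac.compare_digest(value.encode("utf-8"), password.encode("utf-8"))
    return False  # no password check item: rlm_pap has nothing to compare against


def demo():
    """The user the thread's radtest line used, plus a constructed name with a quote in it."""
    db = open_db()
    add_user(db, "testid", "testpw")
    add_user(db, "O'Brien", "correct horse")  # constructed
    return pap_authorize(db, "testid", "testpw"), pap_authorize(db, "O'Brien", "correct horse")
```

Once the row is in place, the radtest line the poster already used (radtest testid testpw localhost 0 testing123) exercises the same query through rlm_sql; the debug output should then show the SELECT against radcheck followed by rlm_pap comparing the Cleartext-Password.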


freeRADIUS first test with PostgreSQL?

2009-05-28 Thread Just E. Mail

I am ready to test my first freeRADIUS server with a PostgreSQL backend.

Here is my setup:

freeRADIUS Server:
-CentOS 5.3
-freeRADIUS V# 2.1.6 (RPM install)
-PostgreSQL V# 8.3.7  (RPM install) - Client

eth0: Connect to the Internet
eth1: Connected to the backend server thru a hub


Backend Server:
-CentOS 5.3
-PostgreSQL V# 8.3.7  (RPM install) - Server
eth0: Connects to the freeRADIUS server via a hub.

Both servers talk. I have
=
First I configured the necessary files (without backend SQL) and tested 
the RADIUS server in debug mode:


radtest  testid  testpw  localhost  0  testing123   -and-
NTRadPing

Test was a SUCCESS!!!
=
Now I have configured so that freeRADIUS uses the backend for sql 
data/tables.  I have created the radius database & radius role. I have 
created RADIUS tables from schema.sql text file.

=
Now I need HELP. 


I need to add a couple of USER/PW into the PostgreSQL tables to test.

How do I do that?
Is there a GUI to add UID/PW?
Are UID/PW added manually?
Where can I read about it? (Please do not just point to the manual. I have
read them all. At least mention the chapter #.)

What else should I know?






Re: Not doing Peap/ttls

2009-05-28 Thread Ivan Kalik
> Help please and sorry for the long post. Quick description of the problem:
> New build Freeradius 2.1.4/5 on solaris x86 vmware. Client is a laptop
> running windows XP through a cisco switch configured for 802.1x.
> Will not do peap. Reconfigure the switch to use a different freeradius
> server (2.1.3 on sparc solaris) and it works fine.
> Output of raduisd -X on the non-working server below.

Hm, is your (non-working) radius server multihomed? Is the switch sending
packets to one IP and getting them back from another? Clients will ignore
packets from unknown servers just like servers ignore packets from unknown
clients.

Ivan Kalik
Kalik Informatika ISP



Re: rc

2009-05-28 Thread Ivan Kalik
> Does freeradius come with an rc. startup file? I am using Slackware version
> 12.1.

No, but there is nothing to it. Just add radiusd (probably
/usr/local/sbin/radiusd) to startup script (probably /etc/rc.d/rc.local).
It should be after mysql or ldap if you are using them.

Ivan Kalik
Kalik Informatika ISP



rlm_raw not included in compile

2009-05-28 Thread Johan Meiring

Hi all,

I am trying to use the rlm_raw module to test a piece of code.

I downloaded freeradius-2.1.7-pre

Googling for the rlm_raw module found the module for me on a message 
somewhere in 2005.


I extracted it from the message and dropped it in the modules folder.
It does not seem to compile though. (i.e. it's not included)

I'm compiling freeradius for debian.
simple dpkg-buildpackage.

It compiles cleanly, but the rlm_raw module is not included in the
package. (It doesn't exist in /usr/lib/freeradius after installation.)


Inspecting the rlm_raw folder also shows no .o file, which I assume 
means the module is ignored.


How can I convince dpkg-buildpackage to include/compile rlm_raw?

Or am I totally on the wrong track here?

Thanks!

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: question about session resumption and reply attributes

2009-05-28 Thread Arran Cudbard-Bell

On 21/5/09 15:05, Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Yes, so have it tell the outer server... Insert the (attached) snippet
>> into the authorize section of the inner server.
>
> $ git format-patch
>
>    ?

It's on my to do list. You may find things getting jiggled around to a
more sane naming scheme though. :)

>> I believe the User-Name attribute in outer.reply is cached, and
>> available for use on session resumption.
>
>    Yes.

>> Once you've got the policies moved to post-auth, then any scripts or
>> lookups used for authorisation will only be run once, so far greater
>> efficiency with complex policies. Rejects are still handled properly
>> even within the Post-Auth section (jumps to Post-Auth-Type reject).
>
>    Documentation suggestions are always welcome.

That too. I think leading by example is a better option though.

Arran


--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: firewall

2009-05-28 Thread Ivan Kalik
> Does your freeradius server have to have a rc.firewall?

No.

Ivan Kalik
Kalik Informatika ISP



Re: next

2009-05-28 Thread Ivan Kalik
>> now...have you edited sql.conf and the underlying config files
>> eg sql/mysql/dialup.conf?
>>
> I edited sql.conf file but I didn't do anything to the dialup.conf file,
> why
> should I have, more reading now!
>

There is no dire need. There are things you need to edit if you want to
use Stripped-User-Name or Simultaneous-Use.

Ivan Kalik
Kalik Informatika ISP



Re: Windows XP SP2 and SP3 EAP problem followup

2009-05-28 Thread Balgansuren Batsukh

Ivan,

Thank you very much for your support.

I will test another card and the latest firmware.

Today, I installed the newest driver version for my Lenovo Thinkpad X60, Intel
3945abg card.


I will test it tomorrow, get back to you.

Balgaa


- Original Message -
From: "Ivan Kalik"
To: "Balgansuren Batsukh" ; "FreeRadius users mailing list"
Sent: Thursday, May 28, 2009 7:25 PM
Subject: Re: Windows XP SP2 and SP3 EAP problem followup

>> BTW, I read the Freeradius config; there are several types of authentication.
>>
>> 1. EAP with PEAP/MSCHAPv2 username/password
>> 2. EAP with TLS.
>>
>> I am a little confused about the configuration difference between the above two types.
>
> Both are configured in the default configuration. Just don't change
> anything.
>
> EAP-TLS will use eap module in default virtual server. PEAP will use eap
> in default virtual server to establish outer tunnel and then inner-tunnel
> virtual server to do inner tunnel (EAP-MSCHAPv2) authentication.
>
> Ivan Kalik
> Kalik Informatika ISP





Re: next

2009-05-28 Thread jon jon
On Thu, May 28, 2009 at 2:04 AM,  wrote:

> Hi,
>
> > So far I haved followed instructions in the admin.sql file and the used
> the
> > command:
> > mysql -uroot -prootpass radius < schema.sql
> > which creates a database called radius, that I am suppose to fill with
> some
> > dummy data, is this right so far? I also uncommented the line-  $INCLUDE
> > sql.conf, in the radius.conf file.
> > My mysql server is on the same machine as my freeradius server. Is there
> a
> > certain line I should see now when I fire up my radius server in debug
> mode,
> > saying it is using mysql to authenticate clients?
>
> you've populated SQL with radius table, you've enabled sql.conf to be
> read by uncommenting it..
> yes did that



>
> now...have you edited sql.conf and the underlying config files
> eg sql/mysql/dialup.conf?
>
I edited the sql.conf file but I didn't do anything to the dialup.conf file. Why
should I have? More reading now!

>
> finally, to use SQL for client AAA you need to uncomment the
> required lines in the server (virtual servers in 2.x) - eg within
> the authorise and authenicate sections (for example)
>
Did this; I had to read the radiusd.conf file to figure that one out.
So as of right now I used the schema.sql to set up an empty database and made
up some users in there in radcheck. I start my radius server in debugging
mode and the mysql server is now being used to authenticate users. I did a
radtest with my users in the mysql database and got an access accept message,
which is good. I also used NTRadPing to test and that was successful. This
server right now is not in production, it is just for testing. Right now I
am trying to work out where to go next. Should I try using chap instead of pap? Now that
you asked if I edited the dialup.conf file I will do a little reading.

>
> alan

firewall

2009-05-28 Thread jon jon
Does your freeradius server have to have a rc.firewall? If so does
freeradius come with a script for one?
jon

rc

2009-05-28 Thread jon jon
Does freeradius come with an rc. startup file? I am using Slackware version
12.1.
thanks jon

Re: Windows XP SP2 and SP3 EAP problem followup

2009-05-28 Thread Ivan Kalik
> BTW, I read Freeradius config there several type of authentication.
>
> 1.EAP with PEAP/MSCHAPv2 username/password
> 2.EAP with TLS.
>
> I little confuse configuration difference between above two type.

Both are configured in the default configuration. Just don't change anything.

EAP-TLS will use eap module in default virtual server. PEAP will use eap
in default virtual server to establish outer tunnel and then inner-tunnel
virtual server to do inner tunnel (EAP-MSCHAPv2) authentication.

Ivan Kalik
Kalik Informatika ISP



Re: Windows XP SP2 and SP3 EAP problem followup

2009-05-28 Thread Balgansuren Batsukh

Thank you, I will try it again.

BTW, I read the Freeradius config; there are several types of authentication.

1. EAP with PEAP/MSCHAPv2 username/password
2. EAP with TLS.

I am a little confused about the configuration difference between the above two types.

Can you give me a little more of a picture of it?

Balgaa

- Original Message -
From: "Ivan Kalik"
To: "Balgansuren Batsukh" ; "FreeRadius users mailing list"
Sent: Thursday, May 28, 2009 6:26 PM
Subject: Re: Windows XP SP2 and SP3 EAP problem followup

>> I ran Freeradius with radiusd -X, then captured the logging information and
>> sent it in my previous email.
>>
>> Is it possible to get some pointers from this logging information, or do I
>> need another way?
>>
>> I will try another card for testing.
>
> You have established this:
>
> Linksys card + laptop + freeradius = working
>
> Intel card + same laptop + same radius server = not working
>
> Fixing problems with Intel firmware/supplicant is not what we do here.
> Call Intel and see if they can help you to fix this. We can help you if
> you have a problem with freeradius setup. Since it works with Linksys,
> that is obviously not a problem.
>
> Ivan Kalik
> Kalik Informatika ISP





Re: Windows XP SP2 and SP3 EAP problem followup

2009-05-28 Thread Ivan Kalik
> I run Freeradius with radiusd -X then captured logging information and
> sent
> in previous email.
>
> Is it possible to get some point from this logging information or need
> other
> way?
>
> I will try other card for testing.

You have established this:

Linksys card + laptop + freeradius = working

Intel card + same laptop + same radius server = not working

Fixing problems with Intel firmware/supplicant is not what we do here.
Call Intel and see if they can help you to fix this. We can help you if
you have a problem with freeradius setup. Since it works with Linksys,
that is obviously not a problem.

Ivan Kalik
Kalik Informatika ISP



Re: Windows XP SP2 and SP3 EAP problem followup

2009-05-28 Thread Balgansuren Batsukh
I ran Freeradius with radiusd -X, then captured the logging information and sent
it in my previous email.

Is it possible to get some pointers from this logging information, or do I
need another way?

I will try another card for testing.

Balgaa

- Original Message -
From: "Ivan Kalik"
To: "Balgansuren Batsukh" ; "FreeRadius users mailing list"
Sent: Thursday, May 28, 2009 4:42 PM
Subject: Re: Windows XP SP2 and SP3 EAP problem followup

> You don't see a pattern - Linksys works, Intel doesn't. You can put your
> effort into debugging Intel's problems and solving this for them. Or you
> can buy a card that works. Take your pick.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>> Other notebook type is Toshiba with Intel 21xx/22xx b/g card.
>>
>> Balgaa
>>
>> - Original Message -
>> From: "Ivan Kalik"
>> To: "Balgansuren Batsukh" ; "FreeRadius users mailing list"
>> Sent: Thursday, May 28, 2009 1:34 AM
>> Subject: Re: Windows XP SP2 and SP3 EAP problem followup
>>
>>>> Yes, that's correct, from another vendor.
>>>
>>> You said that you have a Linksys card that works and Intel that doesn't.
>>> What's this third one? Have you tried it on a laptop on which Linksys
>>> works?
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP








Re: Accounting responce question.

2009-05-28 Thread Borislav Dimitrov

Hi,

I've already tried to answer a similar question some time ago (and I'm
probably not the only one) but anyway...
The cause of the problem is probably some delay or packet loss or
something like that. Notice the Acct-Delay-Time value increasing as
the NAS retries to send the "lost" accounting packet (although, at
least in my case, it wasn't lost; just its processing was delayed).
I've experienced such issues with Cisco VoIP routers: the router's log
is flooded with RADIUS Server DEAD ... and then ... ALIVE messages, and
in the FR log you can see the retries with the values of Acct-Delay-Time
increasing. The main cause of the problem may be different, so you'll
have to check it in your case. In my case it was caused by the thread
pool settings not being appropriate for the load. In this case the CPU
usage stays low but it's not used, because you cannot achieve good
concurrency and requests have to wait for each other to finish. So find
the main cause of your problems and eliminate it.
The other thing is that most NASs have options to configure the RADIUS
timeout, dead, retransmit etc. times. E.g. for Cisco you could try
"radius-server retransmit 0".


On 28.05.2009, at 10:53, lamersons wrote:



Hello there, I have posted here a few times and got very helpful
answers, so I decided to try my luck once more.

I'm using FreeRADIUS Version 2.0.4 (Slackware + Postgres) on a powerful
x86 server with a lot of RAM, connected with gigabit to the NAS. Load is
about 5-15 records/sec.

Once in a while we get double accounting records. I started to take
traces at the NAS side and saw that sometimes the AAA doesn't respond to
an accounting record; the NAS thinks that the AAA didn't get it and
sends it one more time. But the AAA gets the first one even if it
doesn't respond to the request, therefore we get a double record.
(debug info is below)

I have made a debug trace at the AAA side. Is it somehow possible to see
from that trace that the AAA did respond, and that it is the NAS's (or
network's) problem that it did not receive the response? (debug info is
below)

p.s.
---

I sent information to the NAS vendor:
Dear,

 Yesterday at 02:27:38 the PDSN sent the "Accounting request start"
message and then the PDSN sent the same Accounting request start message
at 02:27:43 (see in traces of PI interface).

Thanks
Best regards,

They answered me:
• The AAA can’t start the new accounting session until it stops the
first one, so the AAA doesn’t reply to the Accounting Request Start.
• The PDSN waits for TIMEOUT, which is 5 seconds, and resends the
Accounting message again.
• When the PDSN resends the Accounting message, the AAA replies to it.
---


### First start record : request 11309

 Acct-Status-Type = Start
   User-Name = "tria...@triatel.lv"
   Calling-Station-Id = "247033715823092"
   Framed-IP-Address = 192.168.172.128
   NAS-IP-Address = 192.168.145.1
   Event-Timestamp = "Jul 18 2008 02:27:39 EEST"
   Acct-Session-Id = "000\000"
   NAS-Port-Type = Virtual
   NAS-Port = 1813
   Acct-Delay-Time = 0
   Service-Type = Framed-User
   Acct-Authentic = RADIUS
   3GPP2-ESN =
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
   3GPP2-Attr-116 = 0x
   3GPP2-Correlation-Id = "17934924"
   3GPP2-Service-Reference-Id = 0x0104000102040001
   3GPP2-Home-Agent-IP-Address = 0.0.0.0
   3GPP2-PCF-IP-Address = 129.11.17.230
   3GPP2-BSID = "2A2100021102"
   3GPP2-User-Id = 0
   3GPP2-Forward-FCH-Mux-Option = 0
   3GPP2-Reverse-FCH-Mux-Option = 0
   3GPP2-Service-Option = 59
   3GPP2-Forward-Traffic-Type = 0
   3GPP2-Reverse-Traffic-Type = 0
   3GPP2-FCH-Frame-Size = 0
   3GPP2-Forward-FCH-RC = 0
   3GPP2-Reverse-FCH-RC = 0
   3GPP2-IP-Technology = 1
   3GPP2-Compulsory-Tunnel-Indicator = 0
   3GPP2-DCCH-Frame-Size = 0
   3GPP2-Attr-78 = 0x
   3GPP2-Forward-PDCH-RC = 0
   3GPP2-Forward-DCCH-Mux-Option = 0
   3GPP2-Reverse-DCCH-Mux-Option = 0
   3GPP2-Forward-DCCH-RC = 0
   3GPP2-Reverse-DHHC-RC = 0
   3GPP2-Attr-114 = 0x
   3GPP2-IP-QoS = 10
   3GPP2-Airlink-Priority = 0
+- entering group preacct
   rlm_realm: Looking up realm "triatel.lv" for User-Name =
"tria...@triatel.lv"
   rlm_realm: No such realm "triatel.lv"
++[suffix] returns noop
+- entering group accounting
rlm_acct_unique: Hashing '3GPP2-Correlation-Id = "17934924",Acct-Session-Id
= "000\000",Calling-Station-Id = "247033715823092"'
rlm_acct_unique: Acct-Unique-Session-ID = "33187f91caa26b34".
++[acct_unique] returns ok
   expand: %{User-Name} -> tria...@triatel.lv
rlm_sql (sql): sql_set_user escaped user --> 'tria...@triatel.lv'
   expand: INSERT into radacct (AcctSessionId, AcctUniqueId,
CallingStati

Re: Accounting response question.

2009-05-28 Thread Alan DeKok
lamersons wrote:
> I'm using FreeRADIUS Version 2.0.4 (slackware+postgre) on a powerful x86 server
> with a lot of RAM, connected with gigabit to the NAS. Load is about
> 5-15 records/sec

  That machine is overkill, but it should work.

> Once in a while we get double accounting records. I started to take traces
> at the NAS side and saw that sometimes the AAA doesn't respond to an accounting record,

  Are you sure that the AAA is *sending* responses?  Maybe the packets
are being lost elsewhere in the network.

> the NAS thinks that the AAA didn't get it and sends it one more time. But the AAA gets
> the first one even if it doesn't respond to the request, therefore we get a double
> record. (Debug info is below.)

  Duplicate accounting records are *always* possible, even if everything
is working perfectly.  Your solution needs to be able to handle these.

> I have made a debug trace at the AAA side. Is it somehow possible to see from that
> trace that the AAA did respond and that it is the NAS's (or network's) problem that it
> did not receive the response? (Debug info is below.)

  Hmm... the debug output does *not* show the server sending a response.
 That's odd.  When using "radiusd -X", it *should* print out something
like "sending response ..."

  Alan DeKok.


Re: Windows XP SP2 and SP3 EAP problem followup

2009-05-28 Thread Ivan Kalik
You don't see a pattern: Linksys works, Intel doesn't. You can put your
effort into debugging Intel's problems and solving this for them. Or you
can buy a card that works. Take your pick.

Ivan Kalik
Kalik Informatika ISP

> Other notebook type is Toshiba with Intel 21xx/22xx b/g card.
>
> Balgaa
>
> - Original Message -
> From: "Ivan Kalik" 
> To: "Balgansuren Batsukh" ; "FreeRadius users mailing
> list" 
> Sent: Thursday, May 28, 2009 1:34 AM
> Subject: Re: Windows XP SP2 and SP3 EAP problem followup
>
>
>> Yes, that's correct from other vendor.
>
> You said that you have a Linksys card that works and Intel that doesn't.
> What's this third one? Have you tried it on a laptop on which Linksys
> works?
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>




Accounting response question.

2009-05-28 Thread lamersons

Hello there, I have posted here a few times and got very helpful answers, so I
decided to try my luck once more.

I'm using FreeRADIUS Version 2.0.4 (slackware+postgre) on a powerful x86 server
with a lot of RAM, connected with gigabit to the NAS. Load is about
5-15 records/sec.

Once in a while we get double accounting records. I started to take traces
at the NAS side and saw that sometimes the AAA doesn't respond to an accounting
record, the NAS thinks that the AAA didn't get it and sends it one more time.
But the AAA gets the first one even if it doesn't respond to the request,
therefore we get a double record. (Debug info is below.)

I have made a debug trace at the AAA side. Is it somehow possible to see from
that trace that the AAA did respond and that it is the NAS's (or network's)
problem that it did not receive the response? (Debug info is below.)

p.s. ---
I sent information to the NAS vendor:
Dear,

  Yesterday at 02:27:38 PDSN sent the "Accounting request start"
message and then PDSN sent the same Accounting request start message at
02:27:43 (see in traces of PI interface).

Thanks
Best regards,

They answered me:
•   The AAA can't start the new accounting session until it stops the first
one, so the AAA doesn't reply to the Accounting Request Start.
•   The PDSN waits for TIMEOUT, which is 5 seconds, and resends the Accounting
message again.
•   When the PDSN resends the Accounting message, the AAA replies to it.
---


### First start record : request 11309 

  Acct-Status-Type = Start
User-Name = "tria...@triatel.lv"
Calling-Station-Id = "247033715823092"
Framed-IP-Address = 192.168.172.128
NAS-IP-Address = 192.168.145.1
Event-Timestamp = "Jul 18 2008 02:27:39 EEST"
Acct-Session-Id = "000\000"
NAS-Port-Type = Virtual
NAS-Port = 1813
Acct-Delay-Time = 0
Service-Type = Framed-User
Acct-Authentic = RADIUS
3GPP2-ESN =
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
3GPP2-Attr-116 = 0x
3GPP2-Correlation-Id = "17934924"
3GPP2-Service-Reference-Id = 0x0104000102040001
3GPP2-Home-Agent-IP-Address = 0.0.0.0
3GPP2-PCF-IP-Address = 129.11.17.230
3GPP2-BSID = "2A2100021102"
3GPP2-User-Id = 0
3GPP2-Forward-FCH-Mux-Option = 0
3GPP2-Reverse-FCH-Mux-Option = 0
3GPP2-Service-Option = 59
3GPP2-Forward-Traffic-Type = 0
3GPP2-Reverse-Traffic-Type = 0
3GPP2-FCH-Frame-Size = 0
3GPP2-Forward-FCH-RC = 0
3GPP2-Reverse-FCH-RC = 0
3GPP2-IP-Technology = 1
3GPP2-Compulsory-Tunnel-Indicator = 0
3GPP2-DCCH-Frame-Size = 0
3GPP2-Attr-78 = 0x
3GPP2-Forward-PDCH-RC = 0
3GPP2-Forward-DCCH-Mux-Option = 0
3GPP2-Reverse-DCCH-Mux-Option = 0
3GPP2-Forward-DCCH-RC = 0
3GPP2-Reverse-DHHC-RC = 0
3GPP2-Attr-114 = 0x
3GPP2-IP-QoS = 10
3GPP2-Airlink-Priority = 0
+- entering group preacct
rlm_realm: Looking up realm "triatel.lv" for User-Name =
"tria...@triatel.lv"
rlm_realm: No such realm "triatel.lv"
++[suffix] returns noop
+- entering group accounting
rlm_acct_unique: Hashing '3GPP2-Correlation-Id = "17934924",Acct-Session-Id
= "000\000",Calling-Station-Id = "247033715823092"'
rlm_acct_unique: Acct-Unique-Session-ID = "33187f91caa26b34".
++[acct_unique] returns ok
expand: %{User-Name} -> tria...@triatel.lv
rlm_sql (sql): sql_set_user escaped user --> 'tria...@triatel.lv'
expand: INSERT into radacct (AcctSessionId, AcctUniqueId,
CallingStationId, AcctStartTime, AcctStopTime,   CDMAActiveTime,
AcctInputOctets, AcctOutputOctets, FramedIPAddress, UserName, 
ReleaseIndicator, CDMABadPPPFrameCount, CDMACorrelationId, AcctSessionTime,
NASIPAddress) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{Calling-Station-Id}', '%{Event-Timestamp}', NULL,'0', '0', '0',
'%{Framed-IP-Address}', trim('%{SQL-User-Name}'), '0', '0',
'%{3GPP2-Correlation-Id}', '0', '%{NAS-IP-Address}') -> INSERT into radacct
(AcctSessionId, AcctUniqueId, CallingStationId, AcctStartTime, AcctStopTime,  
CDMAActiveTime, AcctInputOctets, AcctOutputOctets, FramedIPAddress,
UserName,  ReleaseIndicator, CDMABadPPPFrameCount, CDMACorrelationId,
AcctSessionTime, NASIPAddress) values('000', '33187f91caa26b34',
'247033715823092', 'Jul 18 2008 02:27:39 EEST', NULL,'0', '0', '0',
'192.168.172.128', trim('tria...@triatel.lv'), '0', '0', '17934924', '0',
'192.168.145.1')
rlm_sql (sql): Reserving sql socket id: 18
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 18
++[sql] returns ok
Finished request 11309.
Cleaning up request 11309 ID 18 with timestamp +769
Going to the next request

###
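The pattern discussed in this thread, a Start record that arrives twice with the same Acct-Unique-Session-ID and a growing Acct-Delay-Time while the debug output shows no "Sending Accounting-Response" line for the first copy, as an added Python example. It is not part of the original posts or of FreeRADIUS itself: the radiusd -X excerpt it parses is constructed here in the 2.x log format, and the client address, Calling-Station-Id and session hash are sample values reused from the post above rather than recomputed.

```python
"""Spot NAS accounting retransmissions and unanswered requests in
FreeRADIUS 2.x "radiusd -X" output, then deduplicate by session hash.

Added example; the debug excerpt below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed radiusd -X excerpt: the NAS sends an Accounting-Request Start,
# gets no Accounting-Response, waits out its timeout and resends the same
# Start with Acct-Delay-Time = 5 (and a new RADIUS id, as RFC 2866 requires
# when the attributes change). Both copies hash to the same
# Acct-Unique-Session-ID because Acct-Delay-Time is not a key attribute.
# Addresses and the hash value are sample values taken from the thread.
SAMPLE_DEBUG = r"""rad_recv: Accounting-Request packet from host 192.168.145.1 port 1813, id=18, length=120
    Acct-Status-Type = Start
    Acct-Session-Id = "000\000"
    Calling-Station-Id = "247033715823092"
    Acct-Delay-Time = 0
rlm_acct_unique: Acct-Unique-Session-ID = "33187f91caa26b34".
++[sql] returns ok
Finished request 11309.
rad_recv: Accounting-Request packet from host 192.168.145.1 port 1813, id=19, length=120
    Acct-Status-Type = Start
    Acct-Session-Id = "000\000"
    Calling-Station-Id = "247033715823092"
    Acct-Delay-Time = 5
rlm_acct_unique: Acct-Unique-Session-ID = "33187f91caa26b34".
++[sql] returns ok
Sending Accounting-Response of id 19 to 192.168.145.1 port 1813
Finished request 11310.
"""

RECV_RE = re.compile(r'^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)')
ATTR_RE = re.compile(r'^\s+([\w-]+) = (.*)$')          # indented "Attr = value" lines
UNIQUE_RE = re.compile(r'Acct-Unique-Session-ID = "([0-9a-f]+)"')
SEND_RE = re.compile(r'^Sending (\S+) of id (\d+) to (\S+) port')


def parse_debug(text):
    """Return one dict per received packet, in arrival order, with its
    attributes, the rlm_acct_unique hash and whether a response was sent."""
    requests, sent = [], set()
    cur = None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = {"code": m.group(1), "host": m.group(2), "id": int(m.group(3)),
                   "attrs": {}, "unique": None, "answered": False}
            requests.append(cur)
            continue
        m = SEND_RE.match(line)
        if m:
            # Responses are matched to requests by (client, RADIUS id); ids wrap
            # at 256, so over a long capture match on the preceding rad_recv.
            sent.add((m.group(3), int(m.group(2))))
            continue
        if cur is None:
            continue
        m = UNIQUE_RE.search(line)
        if m:
            cur["unique"] = m.group(1)
            continue
        m = ATTR_RE.match(line)
        if m:
            cur["attrs"][m.group(1)] = m.group(2).strip('"')
    for r in requests:
        r["answered"] = (r["host"], r["id"]) in sent
    return requests


def analyze(requests):
    """Group Accounting-Requests by (session hash, Acct-Status-Type).
    Returns (duplicates, unanswered): duplicates maps each key seen more than
    once to its Acct-Delay-Time values (a rising sequence means the NAS
    retransmitted); unanswered lists RADIUS ids with no response in the trace."""
    by_session = defaultdict(list)
    unanswered = []
    for r in requests:
        if r["code"] != "Accounting-Request":
            continue
        key = (r["unique"], r["attrs"].get("Acct-Status-Type"))
        by_session[key].append(int(r["attrs"].get("Acct-Delay-Time", "0")))
        if not r["answered"]:
            unanswered.append(r["id"])
    duplicates = {k: v for k, v in by_session.items() if len(v) > 1}
    return duplicates, unanswered


def dedupe_for_storage(requests):
    """Keep only the first record per (session hash, status), which is what a
    UNIQUE index on radacct(AcctUniqueId, status) would enforce on the DB side."""
    seen, kept = set(), []
    for r in requests:
        key = (r["unique"], r["attrs"].get("Acct-Status-Type"))
        if key in seen:
            continue
        seen.add(key)
        kept.append(r)
    return kept


if __name__ == "__main__":
    reqs = parse_debug(SAMPLE_DEBUG)
    dups, unanswered = analyze(reqs)
    for (unique, status), delays in dups.items():
        print(f"session {unique} {status}: received {len(delays)}x, "
              f"Acct-Delay-Time {delays} -> NAS retransmitted")
    print("requests with no Accounting-Response in this trace:", unanswered)
    print("records to store after dedup:", [r["id"] for r in dedupe_for_storage(reqs)])
```

Run it as a script, or feed parse_debug a real radiusd -X capture. An empty unanswered list together with duplicate keys points at the network or the NAS (the server did answer); a non-empty one points at the server not responding in time, as with the thread-pool starvation described earlier in the thread. The dedup step is the application-side counterpart of a unique index on AcctUniqueId, which is the simplest way to make duplicate records harmless whichever side is at fault.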

Re: next

2009-05-28 Thread A . L . M . Buxey
Hi,

> So far I haved followed instructions in the admin.sql file and the used the
> command:
> mysql -uroot -prootpass radius < schema.sql
> which creates a database called radius, that I am suppose to fill with some
> dummy data, is this right so far? I also uncommented the line-  $INCLUDE
> sql.conf, in the radius.conf file.
> My mysql server is on the same machine as my freeradius server. Is there a
> certain line I should see now when I fire up my radius server in debug mode,
> saying it is using mysql to authenticate clients?

you've populated SQL with the radius tables, you've enabled sql.conf to be
read by uncommenting it..

now...have you edited sql.conf and the underlying config files,
e.g. sql/mysql/dialup.conf?

finally, to use SQL for client AAA you need to uncomment the
required lines in the server (virtual servers in 2.x) - e.g. within
the authorize and authenticate sections (for example)

alan