Re: DISABLE THREAD_TLS
Ming-Ching Tiew wrote:
> What is the performance impact of disabling THREAD_TLS but
> USE_PTHREAD_FOR_TLS instead ?

You're likely running on an embedded system (because you're using ulibc rather than glibc). So performance is the least of your worries.

If you plan on having the system do EAP, it will spend 90% of its CPU time doing cryptographic calculations.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: "detail" log files
Steve Bertrand wrote:
> Can someone swing the clue bat at me, and provide me with information on
> where I should look to find out how to disable detail log files for
> specific NASs only?

  $ man unlang

> I need to keep the detail files for legacy purposes, but only for
> specific NASs, and I'd like to disable the rest of them from logging there.
>
> Is this possible?

It's trivial.

  accounting {
      ...
      if (Packet-Src-IP-Address != 1.2.3.4) {
          detail
      }
      ...
  }

Alan DeKok.
Re: ippools and Pool-Name
u...@3.am wrote:
> Now I get this running debug mode:
>
> }
> /usr/etc/raddb/radiusd.conf[1824]: Failed to link to module
> 'rlm_ippool': rlm_ippool.so: cannot open shared object file: No such
> file or directory

Because you don't have the GDBM libraries or header files.

> /usr/etc/raddb/sites-enabled/default[337]: Failed to find module
> "users_pool".
> /usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting
> section.
> }
> }
> Errors initializing modules
>
> ...and indeed, that file exists nowhere on the server. Was it a part of
> freeradius-server-2.0.4 ?

Yes. But we don't re-implement a DBM database. We rely on a library for that, and you don't have the library or header files installed.

Alan DeKok.
Re: Configuring Freeradius with Ldap Windows Server 2003
Hari Novferdianto wrote:
> Hi,
> How configuring freeradius with ldap windows server 2003 ?
> I do in my freeradius, when I installed it is
> ./configure --prefix=/usr/local/freeradius --with-modules="rlm-ldap"

That isn't enough. You need to have the local LDAP libraries && header files on your system. FreeRADIUS does *not* implement the LDAP protocol.

> Until I'm configured in radiusd.conf
> It's Still
> radiusd.conf[744] Failed to link to module 'rlm_ldap': rlm_ldap.so:
> cannot open shared object file: No such file or directory
> radiusd.conf[1956] Unknown module "ldap".
> radiusd.conf[1956] Failed to parse "ldap" entry.

The module doesn't exist because it wasn't built. It wasn't built because the things it needs (see above) don't exist.

Install the LDAP libraries && development header files on your system, and then re-build FreeRADIUS.

Alan DeKok.
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
On Tue, 2009-06-02 at 16:27 -0400, John Dennis wrote:
> It looks like this was a packaging bug in the spec file. You are indeed
> correct /etc/raddb/sites-available/* should have been %config(noreplace).
>
> I'm in the process of pushing out a new set of packages with your
> suggested fix. Thank you for reporting this.

This is fantastic! I won't have to maintain my own freeradius package for CentOS 5.

Regards,
Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.27.21-170.2.56.fc10.x86_64 x86_64 GNU/Linux
00:29:20 up 10 days, 1:39, 2 users, load average: 0.09, 0.22, 0.24
windows2003+freeradius+ad
Hello,

I installed freeradius on WIN2003 and I want to use AD as the user database. How do I configure radiusd.conf? LDAP or NTLM_Auth? I cannot find NTLM_Auth on Windows 2003. LDAP = AD?

Thanks!

miao
2009-06-03
miaowang
Duplicate SQL records versus unique constraints
Hello,

First off, I've been using freeradius for 5-6 years now and we are happy campers thanks to it.

Freeradius 2.04 (Debian Lenny package), but I don't think this is very version specific. Configuration is set for direct (sql, not sql_log) logging of accounting records into mysql.

We've got a number of what can only be described as "maniac" customers which fire off new sessions every minute or 2, and one of these has managed to create over 2000 "identical" sessions, as far as acctsessionid and the default generation of acctuniqueid are concerned. It seems that the NAS in question is prone to recycle acctsessionids under the onslaught of this user (within days at times). We are talking to the upstream access provider about this, but I don't think much of anything will come out of it.

In this setting the default key generation for the acctuniqueid of:

  key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

did little to stop the duplicates, since only the Acct-Session-Id is variable (when not re-used by the NAS); the rest are more or less static. We changed the Client-IP-Address to Framed-IP-Address in the key generation as this gives a much, much smaller chance of duplicates. But of course it does not guarantee uniqueness either.

In the analysis of this event it became clear that the sql module will happily update any and all records that share the same acctuniqueid with a new stop and session time, even if these were not NULL or 0 respectively. Never mind that this whole scenario should not happen in the first place; it seems that overwriting valid data in an already "complete" accounting record would be a big no-no. Could anybody comment on this?

Given this behavior and the still existing (albeit vastly smaller) chance of future duplicate records making it into the database I have a question: If we add a CONSTRAINT to enforce uniqueness for acctuniqueid in the DB, will the failure to insert an accounting record confuse the freerad sql module, and will those failures percolate up towards the radius protocol level and thus result in the NAS keeping on sending that accounting packet?

Regards,

Christian
--
Christian Balzer    Network/Systems Engineer
NOC  ch...@gol.com  Global OnLine Japan/Fusion Network Services
http://www.gol.com/
https://secure3.gol.com/mod-pl/ols/index.cgi/?intr_id=F-2ECXvzcr6656
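The collision and overwrite behaviour described in the post above, played out in code. This is an added example written for this page, not code from FreeRADIUS or from the poster: the MD5-over-joined-values construction is a simplified model of rlm_acct_unique (an assumption about its layout, not a copy of it), the packets are constructed sample values, and sqlite3 stands in for mysql. It derives the unique id from both key lists, then runs the two sessions against a radacct table that carries the proposed UNIQUE constraint, once with a plain UPDATE and once guarded with "AND acctstoptime IS NULL".

```python
import hashlib
import sqlite3

# Key attribute lists from the thread: the stock acct_unique key and the
# variant with Client-IP-Address swapped for Framed-IP-Address.
DEFAULT_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
               "Client-IP-Address", "NAS-Port")
FRAMED_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
              "Framed-IP-Address", "NAS-Port")


def acct_unique_id(packet, key=DEFAULT_KEY):
    """Derive an Acct-Unique-Session-Id from the key attributes.

    Assumption: this models rlm_acct_unique as an MD5 over the printed key
    attribute values joined with ","; the exact byte layout of the real
    module is not reproduced here. Attributes missing from the packet are
    skipped, which is why a nearly static key collides so easily.
    """
    joined = ",".join(packet[attr] for attr in key if attr in packet)
    return hashlib.md5(joined.encode()).hexdigest()


def new_radacct():
    """In-memory stand-in for the radacct table, with the proposed
    UNIQUE constraint on acctuniqueid."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        acctuniqueid    TEXT NOT NULL UNIQUE,
        acctsessionid   TEXT NOT NULL,
        username        TEXT NOT NULL,
        acctstarttime   TEXT NOT NULL,
        acctstoptime    TEXT,
        acctsessiontime INTEGER)""")
    return db


def record_start(db, packet, key=DEFAULT_KEY):
    """Insert a Start record. Returns False when the UNIQUE constraint
    rejects a colliding acctuniqueid; the existing row is untouched."""
    uid = acct_unique_id(packet, key)
    try:
        db.execute(
            "INSERT INTO radacct (acctuniqueid, acctsessionid, username, "
            "acctstarttime) VALUES (?, ?, ?, ?)",
            (uid, packet["Acct-Session-Id"], packet["User-Name"],
             packet["Event-Timestamp"]))
    except sqlite3.IntegrityError:
        return False
    return True


def record_stop(db, packet, key=DEFAULT_KEY, guarded=True):
    """Apply a Stop record and return the number of rows changed.

    guarded=True adds "AND acctstoptime IS NULL", so a Stop whose
    acctuniqueid collides with an already closed session cannot overwrite
    the stored stop and session time. guarded=False is the overwrite
    behaviour the post describes.
    """
    uid = acct_unique_id(packet, key)
    sql = ("UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? "
           "WHERE acctuniqueid = ?")
    if guarded:
        sql += " AND acctstoptime IS NULL"
    cur = db.execute(sql, (packet["Event-Timestamp"],
                           int(packet["Acct-Session-Time"]), uid))
    return cur.rowcount


def demo():
    """Constructed packets: one NAS hands the same user Acct-Session-Id
    "0001" twice, two days apart (sample values, not real traffic)."""
    base = {"User-Name": "maniac", "Acct-Session-Id": "0001",
            "NAS-IP-Address": "10.0.0.1", "Client-IP-Address": "10.0.0.1",
            "NAS-Port": "7"}
    s1_start = dict(base, **{"Framed-IP-Address": "192.0.2.10",
                             "Event-Timestamp": "2009-06-02 10:00:00"})
    s1_stop = dict(s1_start, **{"Event-Timestamp": "2009-06-02 10:02:00",
                                "Acct-Session-Time": "120"})
    s2_start = dict(base, **{"Framed-IP-Address": "192.0.2.11",
                             "Event-Timestamp": "2009-06-04 09:00:00"})
    s2_stop = dict(s2_start, **{"Event-Timestamp": "2009-06-04 09:01:00",
                                "Acct-Session-Time": "60"})

    r = {}
    # Same unique id under the stock key; different once Framed-IP is in it.
    r["default_key_collides"] = (acct_unique_id(s1_start)
                                 == acct_unique_id(s2_start))
    r["framed_key_differs"] = (acct_unique_id(s1_start, FRAMED_KEY)
                               != acct_unique_id(s2_start, FRAMED_KEY))

    db = new_radacct()
    record_start(db, s1_start)
    record_stop(db, s1_stop)
    # Session 2 under the stock key: the constraint rejects the Start...
    r["duplicate_start_rejected"] = not record_start(db, s2_start)
    # ...the guarded Stop leaves the closed record alone...
    r["guarded_stop_rows"] = record_stop(db, s2_stop, guarded=True)
    # ...while the unguarded Stop overwrites session 1's stop data.
    r["unguarded_stop_rows"] = record_stop(db, s2_stop, guarded=False)
    r["stored_session_time"] = db.execute(
        "SELECT acctsessiontime FROM radacct").fetchone()[0]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The constraint rejects the second Start instead of silently merging it, and the guard keeps the first session's stop data intact; the cost is that the second session is not recorded at all, which is why the choice of key attributes matters as much as the constraint. Whether rlm_sql treats the failed INSERT as a module failure that reaches the NAS is the open question of the post and is not settled by this example.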
Re: DISABLE THREAD_TLS
--- On Tue, 6/2/09, Ming-Ching Tiew wrote:
>
> I am trying to compile freeradius on uclibc, it complains
> of undefined symbol __tls_get_addr. So I went to modify
> src/include/autoconf.h, and commented
> #define HAVE_THREAD_TLS 1, then the compilation was
> successful. My question is what do I missed from disabling
> THREAD_TLS ? Does it mean performance impact ? Will it mean
> freeradius will be slower, consuming more memory or what ?
>

Apparently src/lib/log.c is the only source which uses HAVE_THREAD_TLS, and from the source I can see that once I disable HAVE_THREAD_TLS, in my case, the code will be USE_PTHREAD_FOR_TLS.

Sorry, this sounds like something for the developer folks but it remains a user question: What is the performance impact of disabling THREAD_TLS but USE_PTHREAD_FOR_TLS instead?

Thank you for your attention.
Re: ippools and Pool-Name
On Tue, 2 Jun 2009, Alan DeKok wrote:

> u...@3.am wrote:
>> I am trying to configure a server-side IP pool for select pptp users to
>> bypass the NAS's internal pool. The documentation appears sparse, but
>> this is what I've done so far:
>>
>> In raddb/radiusd.conf:
>>
>> ippool users_pool {
>
> The examples show it using "main_pool". The name doesn't matter, but
> it's a hint:
>
> $ grep main_pool raddb/sites-available/*
>
> You can re-name "main_pool" to "users_pool", if you want.
>
> You have to tell the server to allocate IP's in the post-auth section,
> and to manage them from the accounting section.

Ok, I wasn't sure where the "post-auth section" even was...I had been looking in the radiusd.conf...thanks for the hint. I just added the following to the raddb/sites-available/default:

  accounting {
      # Return an address to the IP Pool when we see a stop record.
      # main_pool
      users_pool

  post-auth {
      # Get an address from the IP Pool.
      # main_pool
      users_pool

Now I get this running debug mode:

  }
  /usr/etc/raddb/radiusd.conf[1824]: Failed to link to module 'rlm_ippool': rlm_ippool.so: cannot open shared object file: No such file or directory
  /usr/etc/raddb/sites-enabled/default[337]: Failed to find module "users_pool".
  /usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting section.
  }
  }
  Errors initializing modules

...and indeed, that file exists nowhere on the server. Was it a part of freeradius-server-2.0.4 ?

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am
http://3.am
"detail" log files
Hi everyone,

Can someone swing the clue bat at me, and provide me with information on where I should look to find out how to disable detail log files for specific NASs only?

I need to keep the detail files for legacy purposes, but only for specific NASs, and I'd like to disable the rest of them from logging there.

Is this possible?

Steve
Configuring Freeradius with Ldap Windows Server 2003
Hi,

How do I configure freeradius with ldap on windows server 2003?

When I installed my freeradius I ran:

  ./configure --prefix=/usr/local/freeradius --with-modules="rlm-ldap"

After I configured it in radiusd.conf it still says:

  radiusd.conf[744] Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot open shared object file: No such file or directory
  radiusd.conf[1956] Unknown module "ldap".
  radiusd.conf[1956] Failed to parse "ldap" entry.

I'm confused now...
DISABLE THREAD_TLS
I am trying to compile freeradius on uclibc; it complains of undefined symbol __tls_get_addr. So I went to modify src/include/autoconf.h and commented out

  #define HAVE_THREAD_TLS 1

and then the compilation was successful. My question is, what do I miss from disabling THREAD_TLS? Does it mean a performance impact? Will it mean freeradius will be slower, consuming more memory, or what?

Regards.
Re: ippools and Pool-Name
u...@3.am wrote:
> I am trying to configure a server-side IP pool for select pptp users to
> bypass the NAS's internal pool. The documentation appears sparse, but
> this is what I've done so far:
>
> In raddb/radiusd.conf:
>
> ippool users_pool {

The examples show it using "main_pool". The name doesn't matter, but it's a hint:

  $ grep main_pool raddb/sites-available/*

You can re-name "main_pool" to "users_pool", if you want.

You have to tell the server to allocate IP's in the post-auth section, and to manage them from the accounting section.

Alan DeKok.
ippools and Pool-Name
Hi:

I am trying to configure a server-side IP pool for select pptp users to bypass the NAS's internal pool. The documentation appears sparse, but this is what I've done so far:

In raddb/radiusd.conf:

  ippool users_pool {
      range-start = 172.16.1.2
      range-stop = 172.16.1.253
      netmask = 255.255.255.0
      cache-size = 251
      session-db = ${db_dir}/db.ippool
      ip-index = ${db_dir}/db.ipindex
      override = yes
  }

In raddb/users:

  sometestuser    Pool-Name := "users_pool"
                  Framed-Protocol == PPP, Framed-Compression = Van-Jacobson-TCP-IP

However, "sometestuser" is simply allocated an IP from the NAS's internal pool, seemingly ignoring this. I also noticed that the files db.ippool and db.ipindex are not being created. Is there something else I'm missing?

TIA,

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am
http://3.am
Re: NTLM Auth Help
Hi,

> Sounds good - I'll give this logic a go... Where best to place this bit of
> Unlang? In the inner-tunnel Authorization stanza, before ms-chap? Would I
> need to repeat in the Authentication MS-CHAP bit too, or does it get set at
> the beginning of the "request session" and follow all the way through.
> Suppose I could just get on and try it out!

personally? I'd edit the mschap module (ie put it in there) and then name the module, ie instead of

  mschap {

at the top of the file, you put

  mschap yourname {

and then, instead of 'mschap' in the inner-tunnel, you put 'yourname' - note, any call to mschap: in mschap or elsewhere would need to change to yourname: too.

this way you can simply backup that module and swing it into place on whatever freeradius you like (recent version of course! ;-) )

alan
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
Fajar A. Nugraha wrote:
> On Sun, May 17, 2009 at 11:33 PM, John Dennis wrote:
>> However on tomorrow on Monday the 2.1.6 release is
>> scheduled to go public from the FreeRADIUS project. Shortly thereafter I
>> will have posted 2.1.6 SRPM and RPM's on koji (will probably show up by
>> Tuesday). You may want to wait to pick up these RPM's instead of the 2.1.3.
>
> I just rebuilt 2.1.6 SRPM on RHEL5. I didn't use packages from
> http://people.redhat.com/jdennis/freeradius-rhel-centos since I
> already have freeradius 2.1.3 installed as freeradius RPM, not
> freeradius2. I was hoping that upgrading from 2.1.3 would require a
> simple "rpm -Uvh". It didn't work :P
>
> After some troubleshooting, I found out that
> /etc/raddb/sites-available/* is NOT marked as %config(noreplace).
> Since sites-enabled only have symlinks to sites-available files, this
> effectively means RPM upgrade wiped out my customization (the relevant
> files I used was default and inner-tunnel)
>
> Is this intentional? Or perhaps I did something wrong?

It looks like this was a packaging bug in the spec file. You are indeed correct, /etc/raddb/sites-available/* should have been %config(noreplace).

I'm in the process of pushing out a new set of packages with your suggested fix. Thank you for reporting this.

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: NTLM Auth Help
Hi,

2009/6/2
>
> ah! multiple remote domains - not in a forest of trust?
>

All in the same Forest & Tree, yes - but it still appears to be unhappy as it can't work out which domain the $PCNAME$ machine lives in.

>
> > I can't really see any way to resolve this, other than modifying the
> > ntlm_auth line based on some unlang logic to cut out the uk, us, and au bit
> > from the "X.mycompany.local" supplied domain name in the "host/" username.
> > Is this even possible though??
>
> that could work...hmm, something along the lines of
>
> if (%{User-Name} =~ /.domain.wanted/) {
>     ntlm_auth blah blah --domain DOMAINWANTED
> }
>
> etc etc so ntlm_auth gets fired off with the right stuff...no playing
> with User-Name

Sounds good - I'll give this logic a go... Where best to place this bit of Unlang? In the inner-tunnel Authorization stanza, before ms-chap? Would I need to repeat in the Authentication MS-CHAP bit too, or does it get set at the beginning of the "request session" and follow all the way through? Suppose I could just get on and try it out!

Many thanks for your help.

Rupert
Re: firewall
Hi,

> Is that because freeradius is kind of like apache, as in that only certain
> ips' are allowed to hit the freeradius server? So it is pretty secure as
> soon as you install it right?

unless you have a firewall in place then anything could talk UDP to ports 1812, 1813 and 1814 - but then if their IP isn't known as a client...and their secrets don't match, the server rejects them

that said, best practice says only open ports to systems you want talking to you - otherwise some fool could write a nice little program that constantly hammers your RADIUS UDP ports and DoS's you

alan
Re: NTLM Auth Help
Hi,

> If I follow the logic as supplied by Neil, and remove the "--domain" option
> then this works fine for all users in all domains, and machines in same
> domain that winbind was joined to, but not machines from remote domains. If

ah! multiple remote domains - not in a forest of trust?

> I can't really see any way to resolve this, other than modifying the
> ntlm_auth line based on some unlang logic to cut out the uk, us, and au bit
> from the "X.mycompany.local" supplied domain name in the "host/" username.
> Is this even possible though??

that could work...hmm, something along the lines of

  if (%{User-Name} =~ /.domain.wanted/) {
      ntlm_auth blah blah --domain DOMAINWANTED
  }

etc etc so ntlm_auth gets fired off with the right stuff...no playing with User-Name

alan
Re: NTLM Auth Help
Hi,

2009/6/2
> why? with recent versions of FreeRADIUS this just works(tm) with no
> rewriting needed
> - just ensure that the ntlm_auth line has the correct arguments and
> you have the ntdomain stuff turned on .
>
>

I've tried, and can't make the default work. I've got three domains with users and machines in them. The default ntlm_auth line is fine for users, but it doesn't work for machines.

If I leave --username=%{mschap:User-Name:-None} and --domain=%{mschap:NT-Domain:-DEFAULTDOMAIN} (obviously, default domain is modified) in place then for users it's fine - the username and domain are filled in based on the details supplied by the MS supplicant. Machines fail though - even for machines that are in the "default domain".

If I follow the logic as supplied by Neil, and remove the "--domain" option then this works fine for all users in all domains, and machines in the same domain that winbind was joined to, but not machines from remote domains. If I leave the "--domain" option in, then as the "host/" username doesn't contain the netbios version of the domain then "%{mschap:NT-Domain} " is unknown and the default domain is filled in, and this seems to break all machine authentication... External Program returns "Logon failure".

I can't really see any way to resolve this, other than modifying the ntlm_auth line based on some unlang logic to cut out the uk, us, and au bit from the "X.mycompany.local" supplied domain name in the "host/" username. Is this even possible though??

Am I overlooking something here?

Thanks,

Rupert
RE: NTLM Auth Help
> why? with recent versions of FreeRADIUS this just works(tm) with no
> rewriting needed
> - just ensure that the ntlm_auth line has the correct arguments and
> you have the ntdomain stuff turned on .
>
> we used to have all kinds of hacky stuff in our config...almost all
> of it is now wiped away with a small spattering of unlang here
> and there for utility

How recent (probably newer than I'm running, I'm guessing)? Also, are you saying that it "just works" by passing "host/hostname.domain.name" to ntlm_auth, or that the newer versions have built-in unlang to mangle the name for you?

Thanks Alan..
Re: Unlang to switch between ldaps
Alan DeKok wrote:
> ..
>> I want to switch between them based on the NAS-IP-Address of the
>> arriving
>> request, so I've used unlang in the authorize section:
>
> ... of the file raddb/sites-enabled/inner-tunnel.

Exactly, but the path is /etc/freeradius/sites-enabled/inner-tunnel, because I'm using Linux Debian 5.0 (Lenny).

>
>> POST of the debug mode of freeradius:
>
> Which shows it's *not* copying the request to the tunnel. See eap.conf.

Yes, definitely it shows that, so, in order to fix that, I've added the following line to the sections ttls and peap in the file eap.conf:

  copy_request_to_tunnel = yes

So, I provide support for EAP-TTLS and PEAP-MSCHAPv2 on the wireless network.

>
> ...
>> PEAP: Sending tunneled request
>> EAP-Message = 0x0206001501646965676f406363632e7562612e6172
>> FreeRADIUS-Proxied-To = 127.0.0.1
>> User-Name = "di...@ccc.uba.ar"
>
> See? No NAS-IP-Address.

Yes, I see! And lots of thanks..

> Alan DeKok.
>

--
Diego Martín Capello
RedUBA Administrator
Centro de Comunicación Científica
Universidad de Buenos Aires
Re: NTLM Auth Help
Hi,

> We pass hostname$ to ntlm_auth by rewriting the User-Name attribute as
> follows:
>
> attr_rewrite machine_UserName {
>     attribute = User-Name
>     searchin = packet
>     searchfor = "^host/(.*).domain.name"
>     replacewith = "%{1}$"
>     ignore_case = yes
>     new_attribute = no
>     max_matches = 1
>     append = no
> }
>
> To change from host/hostname.domain.name to hostname$. Then, include
> machine_UserName in the authorize and authenticate sections before
> mschap.

why? with recent versions of FreeRADIUS this just works(tm) with no rewriting needed - just ensure that the ntlm_auth line has the correct arguments and you have the ntdomain stuff turned on .

we used to have all kinds of hacky stuff in our config...almost all of it is now wiped away with a small spattering of unlang here and there for utility

alan
Re: firewall
Is that because freeradius is kind of like apache, as in that only certain IPs are allowed to hit the freeradius server? So it is pretty secure as soon as you install it, right?

thanks
jon

On Thu, May 28, 2009 at 10:58 AM, Ivan Kalik wrote:
>
> > Does your freeradius server have to have a rc.firewall?
>
> No.
>
> Ivan Kalik
> Kalik Informatika ISP
>
redundant/failover modules
I've been reading the docs regarding failover and I'm not sure if the following is correct. It seems to process an extra query.

  group {
      redundant {
          ldap1-primary
          ldap1-failover
      }
      fail = 1
      ok = return
      redundant {
          ldap2-primary
          ldap2-failover
      }
  }

The intent is that if the user is not found in ldap1, then ldap2 is tried. Ldap2 should be skipped if ldap1 returns ok. In each block the failover should be tried if the primary doesn't respond.

The failover works, but it seems that ldap2 is tried even if ldap1 finds the user. Am I missing something?

Regards,
-John Doppke
FreeRADIUS in the cloud?
Hi All.

Has anyone had success with running FreeRADIUS in the cloud computing environment? If so, did you create your own cloud or use a vendor?

Regards
Stelio Gouveia

--
Skyrove
Software Engineer, Skyrove (Pty) Ltd
Technology Top 100 Award Winner (2006)
Mobile: +27 82 34 09 120
Tel: +27 861 ROVERS (0861 768 377)
Fax: +27 86 6204077
Email & Gtalk: ste...@skyrove.com
Web: www.skyrove.com

This message contains confidential information. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message.
Re: Unlang to switch between ldaps
Diego Martín Capello wrote:
> Hello everyone,
> I'm using freeradius 2.0.4 with a ldap server as a backend for
> authentication of users to our wireless network. I've defined two ldap
> "servers" in the radiusd.conf file:
..
> I want to switch between them based on the NAS-IP-Address of the arriving
> request, so I've used unlang in the authorize section:

... of the file raddb/sites-enabled/inner-tunnel.

> POST of the debug mode of freeradius:

Which shows it's *not* copying the request to the tunnel. See eap.conf.

...
> PEAP: Sending tunneled request
> EAP-Message = 0x0206001501646965676f406363632e7562612e6172
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "di...@ccc.uba.ar"

See? No NAS-IP-Address.

Alan DeKok.
Unlang to switch between ldaps
Hello everyone,

I'm using freeradius 2.0.4 with a ldap server as a backend for authentication of users to our wireless network. I've defined two ldap "servers" in the radiusd.conf file:

  .
  ldap ldap_uba {
      server = "ldap_server"
      basedn = "dc=uba,dc=ar"
      filter = "(&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}}))"
      ldap_connections_number = 5
      timeout = 4
      timelimit = 3
      net_timeout = 1
      tls {
          start_tls = no
      }
      dictionary_mapping = ${confdir}/ldap.attrmap
      edir_account_policy_check = no
  }

  ldap ldap_ccc {
      server = "ldap_server"
      basedn = "ou=CCC,dc=uba,dc=ar"
      filter = "(&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}}))"
      ldap_connections_number = 5
      timeout = 4
      timelimit = 3
      net_timeout = 1
      tls {
          start_tls = no
      }
      dictionary_mapping = ${confdir}/ldap.attrmap
      edir_account_policy_check = no
  }
  ..

I want to switch between them based on the NAS-IP-Address of the arriving request, so I've used unlang in the authorize section:

  authorize {
      unix
      mschap
      eap {
          ok = return
      }
      files
      switch "%{NAS-IP-Address}" {
          case 192.168.168.11 {
              ldap_ccc
          }
          case {
              ldap_uba
          }
      }
      expiration
      logintime
      auth_log
      pap
  }

Well, my problem is that freeradius doesn't assign or expand the NAS-IP-Address attribute with the correct value of the NAS IP which is requesting authentication. Could anyone help me with this little issue?

POST of the debug mode of freeradius:

  rad_recv: Access-Request packet from host 192.168.168.11 port 1041, id=6, length=279
      Message-Authenticator = 0x341f20c2e434d8cbd92d85defa321b38
      Service-Type = Framed-User
      User-Name = "di...@ccc.uba.ar\000"
      Framed-MTU = 1488
      State = 0x12b38bc817b592297c4cea524b70e440
      Called-Station-Id = "00-13-46-7A-DB-63:REDI-UBA VLAN12"
      Calling-Station-Id = "00-02-72-78-90-5B"
      NAS-Identifier = "D-Link Access Point"
      NAS-Port-Type = Wireless-802.11
      Connect-Info = "CONNECT 54Mbps 802.11g"
      EAP-Message = 0x0206003b1900170301003091d34cda32a72417c4e5e093d71f2d82fc67e0f1f3dc1483aec15e433d54c5c950e88c2f64c3fd6d8ddf656af63496d1
      NAS-IP-Address = 192.168.168.11
      NAS-Port = 1
      NAS-Port-Id = "STA port # 1"
  +- entering group authorize
  ++[preprocess] returns ok
  ++[chap] returns noop
  ++[mschap] returns noop
  rlm_realm: Looking up realm "ccc.uba.ar" for User-Name = "di...@ccc.uba.ar"
  rlm_realm: No such realm "ccc.uba.ar"
  ++[suffix] returns noop
  rlm_eap: EAP packet type response id 6 length 59
  rlm_eap: Continuing tunnel setup.
  ++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
  +- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: Identity - di...@ccc.uba.ar
  PEAP: Got tunneled EAP-Message
      EAP-Message = 0x0206001501646965676f406363632e7562612e6172
  PEAP: Got tunneled identity of di...@ccc.uba.ar
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to di...@ccc.uba.ar
  PEAP: Sending tunneled request
      EAP-Message = 0x0206001501646965676f406363632e7562612e6172
      FreeRADIUS-Proxied-To = 127.0.0.1
      User-Name = "di...@ccc.uba.ar"
  server inner-tunnel {
  +- entering group authorize
  ++[unix] returns notfound
  ++[mschap] returns noop
  rlm_eap: EAP packet type response id 6 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  ++[eap] returns updated
  ++[files] returns noop
  expand: %{NAS-IP-Address} ->
  ++- entering switch %{NAS-IP-Address}
  +++- entering case
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for di...@ccc.uba.ar
  WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
  expand: (&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}})) -> (&(description=wireless)(mail=di...@ccc.uba.ar))
  expand: dc=uba,dc=ar -> dc=uba,dc=ar
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to ldap.ccc.uba.ar:389, authentication 0
  rlm_ldap: bind a
RE: NTLM Auth Help
We pass hostname$ to ntlm_auth by rewriting the User-Name attribute as follows:

  attr_rewrite machine_UserName {
      attribute = User-Name
      searchin = packet
      searchfor = "^host/(.*).domain.name"
      replacewith = "%{1}$"
      ignore_case = yes
      new_attribute = no
      max_matches = 1
      append = no
  }

To change from host/hostname.domain.name to hostname$. Then, include machine_UserName in the authorize and authenticate sections before mschap.

From: freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org On Behalf Of Rupert Finnigan
Sent: Monday, June 01, 2009 2:59 PM
To: FreeRadius users mailing list
Subject: NTLM Auth Help

Hi All,

Wonder if someone can help me resolve a problem I'm experiencing.

I'm using FreeRADIUS to provide AAA for 802.1X for wireless in a number of sites. It doesn't need to be 100% up all the time, and so I've got one server back in our central site that handles all the requests over our site-to-site VPNs. The users are stored in either AD, or SQL. SQL is fine, and I've modified the queries to suit my environment. My real problem is with the AD.

I can get it to authenticate users no problem, but not machines. I've got three AD domains I have users in that I need to authenticate: WB-UK, WB-US & WB-AU. These are sub-domains of WB-ROOT, which has no users and is there simply to provide trusts etc.

All my users can authenticate fine, as the ms-chap module fills in the nt-domain variable and all is good. However, host authentication fails... I need host authentication to facilitate password expiration messages and changes to keep everyone authenticating OK, and not getting locked out.

I'm sure that someone's dealt with this before, and so I'd be very grateful for feedback and help. What do I need to supply to ntlm_auth for a machine user name, the "host/machine.domain.local" style, or the "$machine$" style?

And, is this a problem best solved by setting the ntlm_auth program variable based on unlang checks against an extracted realm? Or, is there another way to make this all behave? I've tried using Alan's suggested line on the "how-to" on deployingradius.org, but the "if no nt-domain, use a manually entered default" bit seems to confuse host auth.

Many thanks in advance for any help offered,

Rupes
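The two ideas in this thread, Neal's attr_rewrite of "host/NAME.domain.name" to "NAME$" and alan's suggestion of picking the --domain for ntlm_auth from the sub-domain in the "host/" name, combined in one place. This is an added example written for this page, not code from FreeRADIUS, Samba, or any poster: the regex is modelled on the searchfor pattern above and generalised to capture the sub-domain label, "mycompany.local" is the placeholder suffix from the thread, and the mapping of DNS labels uk/us/au to the NetBIOS names WB-UK/WB-US/WB-AU is an assumption made for the example (the three names come from the thread, the pairing does not).

```python
import re

# Pattern modelled on the attr_rewrite searchfor above, generalised to
# capture the sub-domain label as well. "mycompany.local" is the thread's
# placeholder suffix, not a real domain.
HOST_RE = re.compile(
    r"^host/(?P<machine>[^.]+)\.(?P<sub>[^.]+)\.mycompany\.local$",
    re.IGNORECASE)

# Constructed mapping from DNS sub-domain label to NetBIOS domain name. The
# three domain names come from the thread; which label belongs to which of
# them is an assumption for this example.
NETBIOS_DOMAINS = {"uk": "WB-UK", "us": "WB-US", "au": "WB-AU"}
DEFAULT_DOMAIN = "WB-UK"  # stands in for DEFAULTDOMAIN in the ntlm_auth line


def ntlm_auth_args(user_name, nt_domain=None):
    """Return the --username / --domain values to hand to ntlm_auth.

    Machine accounts ("host/NAME.sub.mycompany.local") become "NAME$" with
    the domain looked up from the sub-domain label (unknown labels fall
    back to DEFAULT_DOMAIN, which is exactly the case the thread says fails
    for remote domains, so a caller can log it). Anything else is a user
    account and keeps the NT-Domain the mschap module extracted, falling
    back to DEFAULT_DOMAIN when none was supplied.
    """
    m = HOST_RE.match(user_name)
    if m:
        domain = NETBIOS_DOMAINS.get(m.group("sub").lower(), DEFAULT_DOMAIN)
        return {"username": m.group("machine") + "$",
                "domain": domain, "is_machine": True}
    return {"username": user_name,
            "domain": nt_domain or DEFAULT_DOMAIN, "is_machine": False}


def ntlm_auth_cmdline(user_name, nt_domain=None):
    """Build the argument list for ntlm_auth. --request-nt-key, --username
    and --domain are real ntlm_auth options; the --challenge / --nt-response
    values that come from the MS-CHAP exchange are left out here because
    this example only decides the username and domain."""
    args = ntlm_auth_args(user_name, nt_domain)
    return ["ntlm_auth", "--request-nt-key",
            f"--username={args['username']}",
            f"--domain={args['domain']}"]


if __name__ == "__main__":
    for name in ("host/pc01.uk.mycompany.local",
                 "host/srv7.AU.mycompany.local",
                 "host/pc02.fr.mycompany.local",
                 "jdoe"):
        print(name, "->", ntlm_auth_cmdline(name, nt_domain="WB-US"))
```

In unlang terms this is the "if User-Name matches the sub-domain, run ntlm_auth with that --domain" branch, with the rewrite to "NAME$" folded in; a machine whose sub-domain is not in the table lands on the default domain, which is the "Logon failure" path described earlier in the thread and worth logging rather than silently accepting.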
Re: InnerAttributes not escaped when transmitted to outter
Arran Cudbard-Bell wrote:
> Currently attributes in outer.reply are not inserted if:
>
> 1) You're doing EAP-TTLS-MSCHAPv2

I set "use_tunneled_reply = yes", and I get the reply attributes copied from the inner tunnel to the outer tunnel. And if I do "update outer.reply" with an attribute, it works for me with EAP-TTLS-MSCHAPv2.

> 2) The inner server issued a reject

Yes... that may be easy to fix. See ttls.c, look for 'case PW_AUTHENTICATION_REJECT:'. And copy the lines above 'if (t->use_tunneled_reply)...' to that 'case' statement. That should work...

> These two cases need to be fixed for predictable behaviour.
>
> Did you get a chance to look at that patch I sent ?

Later today.

Alan DeKok.
refresh variable after exec module
Good morning,

I'm back with the same problem. I've been reading past posts from last week, but I have something wrong because those solutions don't work for me.

I have a script in the exec module which sets 2 values: Session-Timeout, if everything is correct for each user, and it calculates his remaining time to connect; and Reply-Message if there is any problem, to show this message to the user.

I've seen these values are cached before, when mysql runs the queries to radcheck, radgroupcheck, radreply, etc. in the authorize section, and when I execute my script in the post-auth module the new values aren't replaced and sent together with Access-Accept or Access-Reject.

I've done an update in the post-auth section, like you said in the last posts, in two different modes:

First example:

    Post-Auth-Type REJECT {
        attr_filter.access_reject
        update outer.reply {
            Reply-Message := "%{reply:Reply-Message}"
        }
        sql
        reply_log
    }

Second example:

    Post-Auth-Type REJECT {
        attr_filter.access_reject
        update outer.reply {
            Reply-Message := "pepe"
        }
        sql
        reply_log
    }

I've set Reply-Message := "pepe" to try without a variable, but unsuccessfully, because I'm not sure if I've set the variable correctly; but if I put the value of the variable and this is not sent either, it is because my value is not replaced by the earlier one, ok? Why?

Post-Auth section:

    post-auth {
        # Get an address from the IP Pool.
        #main_pool

        #
        # If you want to have a log of authentication replies,
        # un-comment the following line, and the 'detail reply_log'
        # section, above.
        reply_log

        #
        # After authenticating the user, do another SQL query.
        #
        # See "Authentication Logging Queries" in sql.conf
        sql

        #
        # Instead of sending the query to the SQL server,
        # write it into a log file.
        #
        # sql_log

        #
        # Un-comment the following if you have set
        # 'edir_account_policy_check = yes' in the ldap module sub-section of
        # the 'modules' section.
        #
        #ldap

        exec

        update outer.reply {
            Session-Timeout := "%{reply:Session-Timeout}"
        }

        #
        # Access-Reject packets are sent through the REJECT sub-section of the
        # post-auth section.
        #
        # Add the ldap module name (or instance) if you have set
        # 'edir_account_policy_check = yes' in the ldap module configuration
        #
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            update outer.reply {
                Reply-Message := "pepe"
            }
            sql
            reply_log
        }
    }

I tried with "update reply" too. I don't understand the difference between both modes. Can you tell me where I can read the necessary doc to find this difference?

Thanks in advance, and I'm sorry to repeat this issue again.
Re: Slow "update radacct ..." query
Marinko Tarlac wrote:
> After some investigation, I found that accounting start packets were
> received before update packets and the session was already in the database
> before the update happened. (AcctStartTime < MySQL time in slow query log)
> Also, after a few tests I have:
> - 10 000 row updates for rows which don't exist were done in avg. 4 seconds
> (tested 3 times)
> - 10 000 inserts in less than 9 seconds (avg. tested 3 times)

Hmm... that would seem to indicate that MySQL is OK.

>> Odds are that replaying it with the MySQL command-line client will be
>> just as slow as you saw with FreeRADIUS.
>>
> I'll try this and that is the reason why I installed FR2.1.6.

Thanks. That will help us track it down. If replaying the sqltrace file is very fast, then there's some kind of magic going on... Most people find MySQL sufficiently fast, so it's hard to understand why some people run into issues.

> Another option is to update MySQL to the latest available version 5.0.x (in
> the 5.0 generation) because there are some indications that 5.0.45 has some
> bugs with the cache and the InnoDB storage engine...

Maybe...

Alan DeKok.
Re: InnerAttributes not escaped when transmitted to outter
On 2/6/09 10:01, Alan DeKok wrote:
> a.l.m.bu...@lboro.ac.uk wrote:
>> does this fix mean that TTLS and PEAP get the inner identity copied
>> correctly so there is no more need for
>>
>> update outer.reply {
>> User-Name = "%{User-Name}"
>> }
>
> That's still needed. The question is what do you want the server to
> do. Always over-ride the outer name with the inner one? If so, why is
> the outer one "anonymous", and the inner one "u...@realm"?

I agree. Doing this by policy is a better idea than hardcoding behavior. We just need the policy to work correctly.

Currently attributes in outer.reply are not inserted if:

1) You're doing EAP-TTLS-MSCHAPv2
2) The inner server issued a reject

These two cases need to be fixed for predictable behaviour.

Did you get a chance to look at that patch I sent?

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
RE: 1 freeradius with 2 openldap (multi master)
Well, I read the documentation, but I don't succeed in fixing my problem, and I don't know if the solution is in this documentation. I use the attribute redundant, and we can read:

"* redundant{...} and append{...} are just shortcuts. You could write

    group {
        sql1 {
            fail = 1
            notfound = 2
            noop = return
            ok = return
            updated = return
            reject = return
            userlock = return
            invalid = return
            handled = return
        }
        sql2 {
            fail = 1
            notfound = 2
            noop = return
            ok = return
            updated = return
            reject = return
            userlock = return
            invalid = return
            handled = return
        }
    }

instead of

    redundant {
        sql1
        sql2
    }

but the latter is just a whole lot easier to read."

When I use redundant, I understand it's equivalent to having groups which are failable. My problem is I have failover between two ldaps, and if the first ldap is used, it works because I have:

    Sending Access-Accept of id 93 to 192.168.0.50 port 1812
        Reply-Message = "Utilisateur: fmehault, group: Administrateur"
        Cisco-AVPair = "shell:priv-lvl=15"
        Service-Type = NAS-Prompt-User
    Finished request 0.

And if the first fails, the second ldap is used, so we can say that it works, but it fails because I have:

    Sending Access-Accept of id 94 to 192.168.0.50 port 1812
    Finished request 0.

It fails because the Access-Accept was built without Cisco-AVPair = "shell:priv-lvl=15" and Service-Type = NAS-Prompt-User. And I don't know why, I don't understand.

Thanks Alan for your help, I will continue to read the failover documentation, maybe there is something that I missed. If someone has another lead ..

Regards,

François

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Friday 29 May 2009 18:04
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

Hi,

> And now, if I start radiusd and slapd on server A and not on server B, it
> works. And if I stop slapd on server A, and start slapd on server B, it
> doesn't work. It's maybe a lead...

this is documented

http://wiki.freeradius.org/Fail-over

you need the group to be failable etc

alan
Re: stress test or performance test result
Hi,

> Heavy duty crypto can affect speed but that's part of cryptography's charm.

actually, this reminds me - the eap.conf calls the 'DEFAULT' openssl crypto engine - this should give the possibility to use offloading crypto cards such as the Hifn (or even a VIA cX cpu with the padlock engine).

alan
Re: InnerAttributes not escaped when transmitted to outter
I set copy_tunnel_reply to yes and I use the inner-tunnel user-name in my default / post-auth. And I still have the real user-name hidden.

In default / post-auth:

    update reply {
        User-Name := "%{request:User-Name}"
        Tunnel-Medium-Type = 6
        Tunnel-Type = 13
        Tunnel-Private-Group-Id = `/usr/local/etc/raddb/getVlan %{reply:User-Name}`
    }

It will now work nicely with your fix. Thanks

2009/6/2 Alan DeKok :
> a.l.m.bu...@lboro.ac.uk wrote:
>> does this fix mean that TTLS and PEAP get the inner identity copied
>> correctly so there is no more need for
>>
>> update outer.reply {
>> User-Name = "%{User-Name}"
>> }
>
> That's still needed. The question is what do you want the server to
> do. Always over-ride the outer name with the inner one? If so, why is
> the outer one "anonymous", and the inner one "u...@realm"?
>
> i.e. "anonymous" is being used to hide the inner name... which
> promptly gets exposed with that rule. Is this a good idea?
>
> What else could be done to be secure, but also useful?
>
> Alan DeKok.
Re: supported encryption
On 02.06.2009 at 11:09, Rakotomandimby Mihamina wrote:
> Hi all,
> At the moment, our FreeRadius (v1.x) is looking up users in a PGSQL database, with clear username and clear password in the fields.
> We would like to switch it to FreeRadius (v2.x) and, by the way, crypt (SHA, just crypt(), ...) the password in the database.
> What encryption is supported by FreeRadius, so that I could just make the PGSQL query with the encrypted password?

You can look at http://deployingradius.com/documents/protocols/compatibility.html for which type of hashing can be used with which type of authentication protocol.

> Thank you.

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
supported encryption
Hi all,

At the moment, our FreeRadius (v1.x) is looking up users in a PGSQL database, with clear username and clear password in the fields.

We would like to switch it to FreeRadius (v2.x) and, by the way, crypt (SHA, just crypt(), ...) the password in the database.

What encryption is supported by FreeRadius, so that I could just make the PGSQL query with the encrypted password?

Thank you.
Re: InnerAttributes not escaped when transmitted to outter
a.l.m.bu...@lboro.ac.uk wrote:
> does this fix mean that TTLS and PEAP get the inner identity copied
> correctly so there is no more need for
>
> update outer.reply {
> User-Name = "%{User-Name}"
> }

That's still needed. The question is what do you want the server to do. Always over-ride the outer name with the inner one? If so, why is the outer one "anonymous", and the inner one "u...@realm"?

i.e. "anonymous" is being used to hide the inner name... which promptly gets exposed with that rule. Is this a good idea?

What else could be done to be secure, but also useful?

Alan DeKok.
Re: InnerAttributes not escaped when transmitted to outter
Hi,

> Alan committed a fix to the git repository last night. It does a
> straight copy of the value without parsing it, so should fix the issues
> you've been seeing.

does this fix mean that TTLS and PEAP get the inner identity copied correctly so there is no more need for

    update outer.reply {
        User-Name = "%{User-Name}"
    }

shenanigans in the inner-tunnel EAP?

alan
Re: InnerAttributes not escaped when transmitted to outter
ok, thank you for the news.

Regards,

2009/6/2 Arran Cudbard-Bell :
> Stun Box wrote:
>> 2009/6/2 Alan DeKok :
>>> Stun Box wrote:
>>>> I'm using PEAP/Mschapv2 with Windows machines. I need the user-name of
>>>> the inner-tunnel when the authentication ends to assign the vlan id.
>>> ...
>>>> But it seems it has not been escaped...
>>>> My User-Name "DOMAIN/testx" becomes => "DOMAIN estxx"
>>>> And if I try DOMAIN/user it works nicely...
>>>>
>>>> ++[eap] returns ok
>>>> +- entering group post-auth {...}
>>>> ++[exec] returns noop
>>>> expand: %{request:User-Name} -> ANKAMA\testx
>>>> expand: %{reply:User-Name} -> ANKAMA estxx
>>>>
>>>> How can I escape this ?
>>> You should be able to set it by hand from the inner tunnel:
>>>
>>> update outer.reply {
>>> User-Name = "%{User-Name}"
>>> }
>>
>> It does not work for me. The only way I succeed to get the innertunnel
>> user-name is by setting the eap.conf / peap / use_tunneled_reply to
>> yes.
>> It does the same weird result with "DOMAIN\nuser" => DOMAIN nuserr
>>
>> Could the matter come from my configuration ?
>>
> Alan committed a fix to the git repository last night. It does a
> straight copy of the value without parsing it, so should fix the issues
> you've been seeing.
>
> See http://git.freeradius.org/ for instructions on how to retrieve code
> from the git repository.
>
> Regards,
> Arran
Re: InnerAttributes not escaped when transmitted to outter
Stun Box wrote:
> 2009/6/2 Alan DeKok :
>> Stun Box wrote:
>>> I'm using PEAP/Mschapv2 with Windows machines. I need the user-name of
>>> the inner-tunnel when the authentication ends to assign the vlan id.
>> ...
>>> But it seems it has not been escaped...
>>> My User-Name "DOMAIN/testx" becomes => "DOMAIN estxx"
>>> And if I try DOMAIN/user it works nicely...
>>>
>>>
>>> ++[eap] returns ok
>>> +- entering group post-auth {...}
>>> ++[exec] returns noop
>>> expand: %{request:User-Name} -> ANKAMA\testx
>>> expand: %{reply:User-Name} -> ANKAMAestxx
>>>
>>> How can I escape this ?
>> You should be able to set it by hand from the inner tunnel:
>>
>> update outer.reply {
>> User-Name = "%{User-Name}"
>> }
>
> It does not work for me. The only way I succeed to get the innertunnel
> user-name is by setting the eap.conf / peap / use_tunneled_reply to
> yes.
> It does the same weird result with "DOMAIN\nuser" => DOMAINnuserr
>
> Could the matter come from my configuration ?
>

Alan committed a fix to the git repository last night. It does a straight copy of the value without parsing it, so should fix the issues you've been seeing.

See http://git.freeradius.org/ for instructions on how to retrieve code from the git repository.

Regards,
Arran
Re: InnerAttributes not escaped when transmitted to outter
2009/6/2 Alan DeKok :
> Stun Box wrote:
>> I'm using PEAP/Mschapv2 with Windows machines. I need the user-name of
>> the inner-tunnel when the authentication ends to assign the vlan id.
> ...
>> But it seems it has not been escaped...
>> My User-Name "DOMAIN/testx" becomes => "DOMAIN estxx"
>> And if I try DOMAIN/user it works nicely...
>>
>>
>> ++[eap] returns ok
>> +- entering group post-auth {...}
>> ++[exec] returns noop
>> expand: %{request:User-Name} -> ANKAMA\testx
>> expand: %{reply:User-Name} -> ANKAMA estxx
>>
>> How can I escape this ?
>
> You should be able to set it by hand from the inner tunnel:
>
> update outer.reply {
> User-Name = "%{User-Name}"
> }

It does not work for me. The only way I succeed in getting the inner-tunnel user-name is by setting the eap.conf / peap / use_tunneled_reply to yes.
It does the same weird result with "DOMAIN\nuser" => DOMAINnuserr

Could the matter come from my configuration ?

> I'll take a look to see if there's anything in the EAP module that
> could affect this.
>
> Alan DeKok.
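The mangled identity quoted in this thread (DOMAIN\testx arriving in the outer reply with its "\t" turned into a tab) and Arran's description of the fix (a straight copy of the value without parsing it), modelled in Python as an added example. This is not FreeRADIUS code and not from any of the posts; the escape table is my assumption used to model a "parsing" copy, not the server's actual string parser, and the sample identities are constructed.

```python
# Added example, not FreeRADIUS code: models the two ways an inner-tunnel
# User-Name can be copied to the outer reply. The escape table is an
# assumption used to model a parsing copy; it is not the server's parser.
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}


def interpret_escapes(value):
    """Parsing copy: backslash sequences are interpreted as they would be in a
    quoted configuration string, so DOMAIN\\testx gains a tab. Sequences not
    in the table are left untouched."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in ESCAPES:
            out.append(ESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def raw_copy(value):
    """Fixed behaviour: the attribute value is copied verbatim."""
    return value


def copy_user_name_to_outer(inner_user_name, parse):
    """Outer User-Name for a given inner one, with or without parsing."""
    return interpret_escapes(inner_user_name) if parse else raw_copy(inner_user_name)


def copy_is_lossless(inner_user_name, outer_user_name):
    """Check to run against the two expand: lines in debug output: the outer
    copy must equal the inner identity and contain no control characters;
    a tab or newline inside a User-Name is the tell-tale of escape handling."""
    return (inner_user_name == outer_user_name
            and not any(ord(c) < 32 for c in outer_user_name))


if __name__ == "__main__":
    # Constructed sample identities in DOMAIN\user form.
    for name in ("DOMAIN\\testx", "DOMAIN\\nuser", "DOMAIN\\user"):
        for parse in (True, False):
            outer = copy_user_name_to_outer(name, parse)
            print(f"{name!r} parse={parse}: {outer!r} "
                  f"lossless={copy_is_lossless(name, outer)}")
```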
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
On Tue, Jun 2, 2009 at 1:48 PM, Alan DeKok wrote:
> Fajar A. Nugraha wrote:
>> I just rebuilt 2.1.6 SRPM on RHEL5.
>
> Using which spec file?

From http://wiki.freeradius.org/Red_Hat_FAQ#Obtain_a_SRPM

>> After some troubleshooting, I found out that
>> /etc/raddb/sites-available/* is NOT marked as %config(noreplace).
>> Since sites-enabled only have symlinks to sites-available files, this
>> effectively means RPM upgrade wiped out my customization (the relevant
>> files I used were default and inner-tunnel)
>
> The spec file distributed with the server marks /etc/raddb/* as
> config(noreplace). This might not be sufficient for sub-directories,
> though.

Thanks for the info.

--
Fajar