Re: dealing with 'corrupt' detail file
a.l.m.bu...@lboro.ac.uk wrote:
> okay. so i've been preaching that people use eg
> the buffered-sql virtual machine rather than do accounting
> DB entries 'live' - therefore giving the admin better
> FR performance with slower DBs etc...

  Yup.

> however, I've been approached today by someone who has a
> rather large detail file (few gigs)

  Bad. Bad, bad, bad. They should be writing detail files per day, or per hour. If they're using a version of the server from the last 6 months, it supports file globbing, which helps with this.

> that has 'corrupt'
> records in it... eg entries with no Acct-Status-Type
> set (broken NAS, duff RADIUS server or possibly
> attribute filtering along the path)...

  But... that can happen no matter what the NAS. This needs to be handled in any case.

> anyway, my first
> thought was edit the accounting stanza of buffered-sql
> so that it looks like
>
>	if(Acct-Status-Type){
>		sql
>	}
>
> instead of just calling sql and borking over the
> lack of Accounting status in the packet.
>
> but, of course, whilst this stops the bork, it also
> stops the ingestion of the detail file as it sticks
> at that point, doesn't flush that entry and move on...
> so...can anyone info me the magic or steps to bypass
> this entry in the detail file so it can continue
> working on it? the code itself seems to need to go
> through something before flushing the packet..

  Easy. The accounting section has to be told "it's OK to continue":

	if (broken nas) {
		ok
	}
	else {
		sql
	}

  Or maybe better:

	sql
	if (noop || invalid) {
		ok
	}

  The module returns FAIL if it can't write to SQL, OK if it succeeded. It returns INVALID if there's no Acct-Status-Type, and NOOP for unknown Acct-Status-Type or zero session length.

> which reminds me...any best practice from the
> FR community regarding the detail file and
> the aforementioned protection from duff NAS etc

  Write small detail files, and handle failure codes from SQL as above.

> (I've already got, on my list, use Calling-Station-Id
> instead of NAS-Port for the unique function as many
> NAS use the same port for every accounting packet :-|)

  Create a patch, and send it to the list via git format-patch.

  "Best practices" really need to go into the server configuration. Anything else is too frustrating for the end users.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
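The thread above leaves the admin with a multi-gigabyte detail file and an accounting section that now skips bad records instead of sticking on them. Before replaying the file it is useful to know how many records fall into each of the return codes Alan lists, and to separate the bad ones out so they can be looked at. The following is an added example, not FreeRADIUS code and not from anyone in the thread: a streaming parser for the detail file layout (timestamp line, tab-indented "Attr = Value" lines, blank line between records) that classifies each record the way Alan describes the sql module's result (INVALID with no Acct-Status-Type, NOOP for an unknown type or a zero-length session) and quarantines everything that is not OK. The sample detail text and the KNOWN_STATUS set are constructed for the example; the real set is whatever Acct-Status-Type values have queries configured in sql.conf.

```python
"""Scan a FreeRADIUS 'detail' file and separate records the sql module
would not accept, so a large file can be fed back through the detail reader.

Added example, not FreeRADIUS code. It models the return codes described in
the thread: INVALID without Acct-Status-Type, NOOP for an unknown type or a
zero-length session. The sample file below is constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple

# Assumption: these are the Acct-Status-Type values with a query configured.
KNOWN_STATUS = {"Start", "Stop", "Interim-Update", "Alive",
                "Accounting-On", "Accounting-Off"}

# Attribute lines in a detail file are indented: "\tAttr = Value"
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")

# Constructed sample: a good Start, a record without Acct-Status-Type,
# and a Stop with a zero session length.
SAMPLE_DETAIL = (
    "Wed Jun  3 14:55:03 2009\n"
    "\tAcct-Status-Type = Start\n"
    '\tUser-Name = "bob"\n'
    "\tNAS-IP-Address = 192.0.2.1\n"
    '\tAcct-Session-Id = "3A1F"\n'
    "\n"
    "Wed Jun  3 14:55:04 2009\n"
    '\tUser-Name = "alice"\n'
    "\tNAS-IP-Address = 192.0.2.1\n"
    '\tAcct-Session-Id = "3A20"\n'
    "\n"
    "Wed Jun  3 14:59:03 2009\n"
    "\tAcct-Status-Type = Stop\n"
    '\tUser-Name = "bob"\n'
    "\tAcct-Session-Time = 0\n"
    '\tAcct-Session-Id = "3A1F"\n'
    "\n"
)


def parse_detail(lines: Iterable[str]) -> Iterator[Tuple[str, Dict[str, str], str]]:
    """Yield (timestamp line, attributes, raw record text) for each record.

    Works on any line iterable (including an open file), so a multi-gigabyte
    detail file is streamed rather than loaded into memory.
    """
    header, attrs, raw = None, {}, []
    for line in lines:
        text = line.rstrip("\n")
        if not text.strip():                 # blank line ends a record
            if header is not None:
                yield header, attrs, "".join(raw) + "\n"
            header, attrs, raw = None, {}, []
            continue
        raw.append(text + "\n")
        m = ATTR_RE.match(text)
        if m and header is not None:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
        elif not text[0].isspace():          # unindented line = timestamp
            header = text
    if header is not None:                   # file without trailing blank line
        yield header, attrs, "".join(raw) + "\n"


def classify(attrs: Dict[str, str]) -> str:
    """Return the code the sql module would hand back: ok, noop or invalid."""
    status = attrs.get("Acct-Status-Type")
    if status is None:
        return "invalid"
    if status not in KNOWN_STATUS:
        return "noop"
    if status == "Stop" and attrs.get("Acct-Session-Time") == "0":
        return "noop"
    return "ok"


def split_detail(text: str) -> Tuple[List[str], List[str]]:
    """Return (records to re-ingest, records to quarantine) as raw text.

    Raw text is kept rather than re-serialised so quoting and attribute
    order of the surviving records are exactly what the NAS wrote.
    """
    keep, quarantine = [], []
    for _header, attrs, raw in parse_detail(text.splitlines(keepends=True)):
        (keep if classify(attrs) == "ok" else quarantine).append(raw)
    return keep, quarantine


def summarise(text: str) -> Dict[str, int]:
    """Count records per return code, e.g. {'ok': 1, 'invalid': 1, 'noop': 1}."""
    records = parse_detail(text.splitlines(keepends=True))
    return dict(Counter(classify(attrs) for _h, attrs, _r in records))


if __name__ == "__main__":
    good, bad = split_detail(SAMPLE_DETAIL)
    print(summarise(SAMPLE_DETAIL))
    print(f"{len(good)} record(s) to re-ingest, {len(bad)} quarantined")
```

Writing the "keep" list back out as a new detail file gives the buffered-sql reader a file it can drain without ever hitting a record that returns invalid, while the quarantined records can be inspected to decide which NAS or proxy is stripping Acct-Status-Type.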
Re: chap or pap
jon jon wrote:
> Hi,
> I have pap authentication working just fine. I want to change auth type
> to chap. I am using the radius book that is very outdated.

  Why? Why not just follow the documentation, FAQ, etc. that is included with the server?

> Don't really
> understand why can't chap to work. I looked in the default file and chap
> auth-type is not commented out, so I am assuming that if pap
> authentication didn't work then chap would be the next auth type radius
> would try right. that is why they put pap at the bottom of the file to
> let the other auth types a try first. I am using mysql backend server
> with username and cleartext := passwords. Can anyone point me the right
> direction or tell me to read more:P

  Don't read the RADIUS book. It's useless.

  Alan DeKok
Re: Re-compiling modules
Rupert Finnigan wrote:
> Hi All,
>
> I'm *attempting* to recompile the rlm_mschap module with a quick mod to
> hopefully fix my host authentication domain extraction problems.
>
> Is this as simple as running make, and copying the resulting files to
> "/usr/lib" (on my system at least)?? And if so, is it just the two files
> I need to copy, the .la and the .so? If this eventually works I'll
> rebuild my rpms, but I'm looking for a quick way of finding out if this
> does actually behave as expected.
>
> Sorry if this is a bit of an obvious question - I've never really done
> much C before.

First you must run the configure script from the top level before you run make. It's best to run configure with the exact same arguments the RPM build would use. The easiest way to accomplish this is by running rpmbuild and preserving the build tree (I think you'll have to comment out the %clean section of the spec file first). Then modify the code and run make in the directory.

You'll only need the .so, not the .la.

Be careful about the destination directory, it's probably not /usr/lib, more likely /usr/lib/freeradius, but it depends on the system, could be /usr/share/lib/freeradius or /usr/local/lib/freeradius. You can figure this out by looking for the original .so (the locate command helps) or if you're using an RPM based install, as it sounds like you are, then do a:

	% rpm -ql freeradius | grep rlm_mschap

that will print out the file location.

HTH,

John
--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re-compiling modules
Hi All,

I'm *attempting* to recompile the rlm_mschap module with a quick mod to hopefully fix my host authentication domain extraction problems.

Is this as simple as running make, and copying the resulting files to "/usr/lib" (on my system at least)?? And if so, is it just the two files I need to copy, the .la and the .so? If this eventually works I'll rebuild my rpms, but I'm looking for a quick way of finding out if this does actually behave as expected.

Sorry if this is a bit of an obvious question - I've never really done much C before.

Many Thanks,

Rupert
Re: ntlm_auth, universal principal name, multi-domain active directory, howto?
Hi Adam,

I've been experimenting with something very similar recently. ntlm_auth can handle authentication in one of the following:

1. --username = "NetBIOS Domain Name"\"Username", no --domain parameter specified
2. --username = "Username", --domain = "NetBIOS Domain Name"
3. --username = "Username", --domain = "FQDN of domain".

In your case, the problem is it doesn't know which actual domain the user is in, based on the UPN. So, my thoughts are you've got two options:

1. Make the users login using a principal of usern...@fqdn, so someu...@dept1.company.net and use some logic to "split" the username into the two sections using the @ as a delimiter. Maybe attr_rewrite module would be good for this.

2. Configure some form of way to lookup the user's "real" domain from AD (probably via LDAP, or maybe there's a samba related tool for this?) and then pass that to ntlm_auth, either in the newer FQDN style, or the legacy NetBIOS style.

Unfortunately, I'm not too hot on the various logic options available in FR, as I'm only really just starting playing in Unlang. Hopefully someone else will be able to help with providing a working logic config, once you've decided which method best suits your requirements.

Cheers,

Rupert
ntlm_auth, universal principal name, multi-domain active directory, howto?
New to freeradius & samba - and first post here. Rather long post so to cut to the heart of the question:

Can freeradius be configured to authenticate users against an AD Forest (multi-domain) using universal principal name (UPN) and if so...how?

I'm posting here because our only need for samba is freeradius integration to AD - but if I need to go to the Samba community just let me know.

The ultimate goal is to have the majority of remote access users authenticate using their universal principal names (UPN) from AD. The path of that authentication however is not direct.

	RA Appliance --> Freeradius (Proxy) --> Freeradius --> AD

There are some instances where we need users to authenticate from a repository other than AD, so Freeradius has been configured against both MySQL (primarily to hold NAS information & accounting info, but could potentially host users) and Openldap. The MySql & Openldap configs are working just fine.

We don't really care if we use Samba - integration via LDAP would be fine, but it appears that there is an issue with sending the password in the clear if LDAP is used. If this is inaccurate please let me know.

Everything "appears" configured correctly. In fact authentication using the "exec ntlm_auth" configuration referenced in http://deployingradius.com/documents/configuration/active_directory.html works if the username and domain are specified. Once we tried to use the UPN (without domain name) it does not.

Going back to the command line for ntlm_auth tests resulted in the following.

Using a user account found in DEPT1.COMPANY.NET child domain
	ntlm_auth --username=user                  WORKS
	ntlm_auth --username=user --domain=DEPT1   WORKS
	ntlm_auth --username=u...@company.net      DOES NOT WORK

Using a user account found in DEPT2.COMPANY.NET child domain
	ntlm_auth --username=user                  DOES NOT WORK
	ntlm_auth --username=user --domain=DEPT2   WORKS
	ntlm_auth --username=u...@company.net      DOES NOT WORK

All of the DOES NOT WORK result in the same error.

	NT_STATUS_NO_SUCH_USER: No such user (0xc064)

tcpdumps of the ntlm_auth traffic validate that all requests are being sent to one of the domain controllers within DEPT1.COMPANY.NET

The internal freeradius host is in the child domain DEPT1.COMPANY.NET based on policy. If moving the server to COMPANY.NET is required that could be considered, however preference is to leave it in DEPT1.COMPANY.NET.

Linux Host
	RHEL 5.2
	Freeradius 2.1.6
	Samba 3.3.4

Active Directory
	Multi-Domain Model
	Native Mode Win2003
	Root Domain - company.net
	Child Domain - dept1.company.net
	Child Domain - dept2.company.net
	..
	Child Domain - dept9.company.net

For the sake of testing we are currently only configured for the root, child domains dept1 and dept2.

We do not have admin_server entries because all of the examples reference port 749 which is not running on any of the domain controllers or global catalogs.

I am including sanitized copies of the krb5.conf and smb.conf because they seem pertinent to the question. If any of the freeradius config files, nsswitch or some other information is needed just let me know.

Thanks
Adam

krb5.conf
-
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DEPT1.COMPANY.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 COMPANY.NET = {
  kdc = gc01.company.net:88
  kdc = gc02.company.net:88
  kdc = gc03.company.net:88
 }
 DEPT1.COMPANY.NET = {
  kdc = dept1-dc01.dept1.company.net:88
  kdc = dept1-dc02.dept1.company.net:88
  kdc = dept1-dc03.dept1.company.net:88
 }
 DEPT2.COMPANY.NET = {
  kdc = dept2-dc01.dept2.company.net:88
  kdc = dept2-dc02.dept2.company.net:88
  kdc = dept3-gc01.dept2.company.net:88
 }

[domain_realm]
 .company.net = COMPANY.NET
 .dept1.company.net = DEPT1.COMPANY.NET
 .dept2.company.net = DEPT2.COMPANY.NET

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

smb.conf
--
[global]
	workgroup = DEPT1
	netbios name = AAA-Server
	realm = DEPT1.COMPANY.NET
	security = ADS
	template shell = /bin/bash
	idmap uid = 500-1000
	idmap gid = 500-1000
	winbind nested groups = Yes
	winbind enum users = yes
	winbind enum groups = yes
	server string = AAA

[homes]
	comment = Home Directories
	browseable = no
	writable = yes
chap or pap
Hi,

I have pap authentication working just fine. I want to change auth type to chap. I am using the radius book that is very outdated. Don't really understand why can't chap to work. I looked in the default file and chap auth-type is not commented out, so I am assuming that if pap authentication didn't work then chap would be the next auth type radius would try right. that is why they put pap at the bottom of the file to let the other auth types a try first. I am using mysql backend server with username and cleartext := passwords. Can anyone point me the right direction or tell me to read more:P

jon
dealing with 'corrupt' detail file
hi,

okay. so i've been preaching that people use eg the buffered-sql virtual machine rather than do accounting DB entries 'live' - therefore giving the admin better FR performance with slower DBs etc...

however, I've been approached today by someone who has a rather large detail file (few gigs) that has 'corrupt' records in it... eg entries with no Acct-Status-Type set (broken NAS, duff RADIUS server or possibly attribute filtering along the path)...anyway, my first thought was edit the accounting stanza of buffered-sql so that it looks like

	if(Acct-Status-Type){
		sql
	}

instead of just calling sql and borking over the lack of Accounting status in the packet.

but, of course, whilst this stops the bork, it also stops the ingestion of the detail file as it sticks at that point, doesn't flush that entry and move on... so...can anyone info me the magic or steps to bypass this entry in the detail file so it can continue working on it? the code itself seems to need to go through something before flushing the packet..

..i expect to then be told there are other broken records too - but i hope a simple solution can deal with all sorts then I can get them to ensure that the call to detail is protected in the first place so NULL records etc don't even go in.

which reminds me...any best practice from the FR community regarding the detail file and the aforementioned protection from duff NAS etc (I've already got, on my list, use Calling-Station-Id instead of NAS-Port for the unique function as many NAS use the same port for every accounting packet :-|)

thanks

alan
Re: Duplicate SQL records versus unique constraints
Arran Cudbard-Bell wrote:
> Thanks, i'll poke Alan and see if he wants to include it.

	$ git format-patch

  :)

> It'd be nice to have a generic hashing module for string expansions
> and not have to do so much unlang hackyness, useful for CUI too.

	update reply {
		User-Name := "%{md5:foo}"
	}

  It's already there.

  Alan DeKok.
Re: Duplicate SQL records versus unique constraints
[snip]
> Thanks a bundle for that, I was about to whack my head against the
> screen here and type "man unlang". ;)
>
>> If you're still getting duplicates, check that the NAS is actually
>> sending the value of the Class attribute. Vendors are notoriously bad
>> for ignoring the RFC in this area.
>
> Yeah, never mind that we are talking to proxy servers upstream which in
> turn may talk to other proxy servers (nobody knows) which ultimately
> talk to the NAS (BRAS) in question.

You might have more luck concatenating the random string with the User-Name and sending that in the Access-Accept. Then stripping it out again when you receive accounting requests.

	post-auth {
		update reply {
			User-Name := "%{User-Name}:%{Acct-Unique-ID}"
		}
		...
	}

	--

	preacct {
		...
		if(User-Name =~ /([^:]+)(:([[:alnum:]]*))?/){
			update request {
				Acct-Session-ID := "%{Acct-Session-ID}%{3}"
				User-Name := "%{1}"
			}
		}
	}

It's a more commonly used feature so is more likely to work :)

> I have seen those quickly recycled Acct-Session-Id's only with one
> location it seems, other people with twice the connects never had their
> IDs re-used in the same sample period. So my bet is that this particular
> NAS will also happily ignore the Class attribute. ^o^

Yey for standards *sigh*.

> But nevertheless, a very useful configuration snippet that would do well
> in a future sample configuration.

Thanks, i'll poke Alan and see if he wants to include it. It'd be nice to have a generic hashing module for string expansions and not have to do so much unlang hackyness, useful for CUI too.

> Thanks again for the quick and comprehensive response

No problem. Best of luck!

Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: ippools and Pool-Name
Replying to myself... erm, never mind... I must have a fairly old raddb/radiusd.conf... I found this by googling:

	db_dir = $(raddbdir)   <<== It should be:  db_dir = ${raddbdir}   (brackets are wrong)

On Wed, 3 Jun 2009, u...@3.am wrote:

> On Wed, 3 Jun 2009, Alan DeKok wrote:
>
>> Because you don't have the GDBM libraries or header files.
>
> Ok, I installed those, and while I was at it, installed the latest
> radiusd. The first error I got involved the "experimental"
> raddb/sites-available/control-socket which was included in the old
> radiusd.conf: $INCLUDE sites-enabled/. I moved the file and radiusd
> started and worked as it did before. However, when I uncomment my
> ippool statement, I now get this:
>
> Module: Linked to module rlm_ippool
> Module: Instantiating users_pool
>  ippool users_pool {
>	session-db = "$(raddbdir)/db.ippool"
>	ip-index = "$(raddbdir)/db.ipindex"
>	key = "%{NAS-IP-Address} %{NAS-Port}"
>	range-start = 172.16.1.2
>	range-stop = 172.16.1.253
>	netmask = 255.255.255.0
>	cache-size = 251
>	override = yes
>	maximum-timeout = 0
>  }
> rlm_ippool: Failed to open file $(raddbdir)/db.ippool: No such file or directory
> /usr/etc/raddb/radiusd.conf[1824]: Instantiation failed for module "users_pool"
> /usr/etc/raddb/sites-enabled/default[337]: Failed to find module "users_pool".
> /usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting section.
> Errors initializing modules
> -
>
> If I understand correctly, if I am running radiusd as root, shouldn't it
> simply create the db. files itself when started? I tried a "touch
> raddb/db.ippool" but it changed nothing.
>
> Again, thanks for your patience...
>
> James Smallacombe		PlantageNet, Inc. CEO and Janitor
> u...@3.am				http://3.am
> =

James Smallacombe		PlantageNet, Inc. CEO and Janitor
u...@3.am				http://3.am
=
Re: ippools and Pool-Name
On Wed, 3 Jun 2009, Alan DeKok wrote:

> Because you don't have the GDBM libraries or header files.

Ok, I installed those, and while I was at it, installed the latest radiusd. The first error I got involved the "experimental" raddb/sites-available/control-socket which was included in the old radiusd.conf: $INCLUDE sites-enabled/. I moved the file and radiusd started and worked as it did before. However, when I uncomment my ippool statement, I now get this:

	Module: Linked to module rlm_ippool
	Module: Instantiating users_pool
	 ippool users_pool {
		session-db = "$(raddbdir)/db.ippool"
		ip-index = "$(raddbdir)/db.ipindex"
		key = "%{NAS-IP-Address} %{NAS-Port}"
		range-start = 172.16.1.2
		range-stop = 172.16.1.253
		netmask = 255.255.255.0
		cache-size = 251
		override = yes
		maximum-timeout = 0
	 }
	rlm_ippool: Failed to open file $(raddbdir)/db.ippool: No such file or directory
	/usr/etc/raddb/radiusd.conf[1824]: Instantiation failed for module "users_pool"
	/usr/etc/raddb/sites-enabled/default[337]: Failed to find module "users_pool".
	/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting section.
	Errors initializing modules
	-

If I understand correctly, if I am running radiusd as root, shouldn't it simply create the db. files itself when started? I tried a "touch raddb/db.ippool" but it changed nothing.

Again, thanks for your patience...

James Smallacombe		PlantageNet, Inc. CEO and Janitor
u...@3.am				http://3.am
=
Re: checkval module
Hi François

Thank you, it worked out, thanks a lot :-)

Regards,
Amr el-Saeed
Senior Systems Engineer
94 Tahrir St., Maghraby Plaza, Dokki, Giza 12311, Egypt
T: +20 (2) 33 32 0700 | Ext: 1107
F: +20 (2) 33 32 0800 | E: amr.elsa...@tedata.net
www.tedata.net

François Mehault wrote:
> Hi
>
> I think you have to do like this :
>
>	checkval checkNasPortId {
>		item-name = NAS-Port-Id
>		check-name = NAS-Port-Id
>		data-type = string
>		notfound-reject = yes
>	}
>
>	checkval checkNasPortType {
>		item-name = NAS-Port-Type
>		check-name = NAS-Port-Type
>		data-type = string
>		notfound-reject = yes
>	}
>
> and in your /site-available/default you load checkNasPortId &
> checkNasPortType instead of checkval
>
>	#checkval
>	checkNasPortId
>	checkNasPortType
>
> I hope I help you
>
> François
>
> From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
> [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
> On behalf of Amr el-Saeed
> Sent: Wednesday 3 June 2009 15:36
> To: FreeRadius users mailing list
> Subject: checkval module
>
>> Hi every one
>>
>> I am using freeradius 1.1.7, I am configuring checkval to check for
>> Nas-Port-Type, I need to make it check for Nas-Port-Id also. this is
>> the radius.conf checkval section
>>
>>	checkval {
>>		item-name = NAS-Port-Id
>>		check-name = NAS-Port-Id
>>		item-name = NAS-Port-Type
>>		check-name = NAS-Port-Type
>>		data-type = string
>>		notfound-reject = yes
>>	}
>>
>> but actually it processes the first entry only which is NAS-Port-Id
>> and ignores the second one which is NAS-Port-Type. Is it possible to
>> make the radius server check both items?
>>
>> thanks
>> Amr
RE: checkval module
Hi

I think you have to do like this :

	checkval checkNasPortId {
		item-name = NAS-Port-Id
		check-name = NAS-Port-Id
		data-type = string
		notfound-reject = yes
	}

	checkval checkNasPortType {
		item-name = NAS-Port-Type
		check-name = NAS-Port-Type
		data-type = string
		notfound-reject = yes
	}

and in your /site-available/default you load checkNasPortId & checkNasPortType instead of checkval

	#checkval
	checkNasPortId
	checkNasPortType

I hope I help you

François

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of Amr el-Saeed
Sent: Wednesday 3 June 2009 15:36
To: FreeRadius users mailing list
Subject: checkval module

> Hi every one
>
> I am using freeradius 1.1.7, I am configuring checkval to check for
> Nas-Port-Type, I need to make it check for Nas-Port-Id also. this is the
> radius.conf checkval section
>
>	checkval {
>		item-name = NAS-Port-Id
>		check-name = NAS-Port-Id
>		item-name = NAS-Port-Type
>		check-name = NAS-Port-Type
>		data-type = string
>		notfound-reject = yes
>	}
>
> but actually it processes the first entry only which is NAS-Port-Id and
> ignores the second one which is NAS-Port-Type. Is it possible to make the
> radius server check both items?
>
> thanks
> Amr
checkval module
Hi every one

I am using freeradius 1.1.7, I am configuring checkval to check for Nas-Port-Type, I need to make it check for Nas-Port-Id also. this is the radius.conf checkval section

	checkval {
		item-name = NAS-Port-Id
		check-name = NAS-Port-Id
		item-name = NAS-Port-Type
		check-name = NAS-Port-Type
		data-type = string
		notfound-reject = yes
	}

but actually it processes the first entry only which is NAS-Port-Id and ignores the second one which is NAS-Port-Type. Is it possible to make the radius server check both items?

thanks
Amr
Re: Hiding passwords
Hi,

> Is there a way to tell freeradius not to include passwords in the log when
> debugging?

many ways - which log are you seeing the password in? it *WILL ALWAYS* log any plain passwords when in full debug mode.. that's the idea of full debug mode

alan
Re: "detail" log files
Alan DeKok wrote:
> Steve Bertrand wrote:
>> Can someone swing the clue bat at me, and provide me with information on
>> where I should look to find out how to disable detail log files for
>> specific NASs only?
>
> $ man unlang
>
>> I need to keep the detail files for legacy purposes, but only for
>> specific NASs, and I'd like to disable the rest of them from logging there.
>>
>> Is this possible?
>
> It's trivial.
>
> accounting {
>	...
>
>	if (Packet-Src-IP-Address != 1.2.3.4) {
>		detail
>	}
>	...
> }

Beautiful. Thanks Alan!

Steve
Hiding passwords
Is there a way to tell freeradius not to include passwords in the log when debugging?

-John
Re: Filtering in sites-enabled default file
Hi,

> if("%{User-Name}" =~ /?([...@]+)@?([-[:alnum:]._]*)?$/) {
>	update request {
>		Realm := "%{2}"
>	}

> The staff login id is:
>
> ps...@worc.ac.uk
>
> Whereas the student login is in the format:
>
> psdn1...@worc.ac.uk
>
> Would it be possible to filter on the format of the userid? The student id
> has `_02 on it.

yes, easily... eg

	if("%{User-Name}" =~ /_02@/) {
		update request {
			Realm := "student"
		}
	}

it can be made scalable and more pretty but this would suffice for this question

alan
re: Filtering in sites-enabled default file
Hello,

I was wondering if anyone can help me. I am trying to set up freeradius 2.1.x

In the authorize section of default, we have the following coding:

	if("%{User-Name}" =~ /?([...@]+)@?([-[:alnum:]._]*)?$/) {
		update request {
			Realm := "%{2}"
		}
		if(!"%{2}" || ("%{2}" == "worc.ac.uk") || ("%{2}" == "worcester.ac.uk") ){
			update request {
				Realm := "worc"
			}
		}
	}
	else{
		update request {
			Stripped-User-Name := "anonymous"
			Realm := 'local'
		}
	}

	switch "%{Realm}" {
		case "worc" {
			update control {
				Proxy-To-Realm := "worc"
			}
			update request {
				Realm := "worc"
			}
			# Don't do any proxy stuff here, request will be handled later.
		}
		case {
			update control {
				Proxy-To-Realm := "jrs"
			}
			update request {
				Realm := "jrs"
			}
		}
	}

This should check the extension to the user name, if it is worc or Worcester it will use the realm "worc", if it is anonymous, use the "local" realm. Otherwise use the "jrs" realm. Which works fine.

There is a problem, as our users are split into 2 separate sections, staff & students. Above works fine for staff, as the realm "worc" handles this authentication. But we do need to filter the students & place these in another realm, "student".

The staff login id is:

	ps...@worc.ac.uk

Whereas the student login is in the format:

	psdn1...@worc.ac.uk

Would it be possible to filter on the format of the userid? The student id has `_02 on it.

Regards,

Nick.
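Nick's authorize logic and the `_02@` test from the reply are easy to get subtly wrong, because a student name such as psdn1_02@worc.ac.uk also carries the worc.ac.uk suffix: whichever test runs first wins. The following is an added example, not FreeRADIUS configuration and not from either poster. It models the routing in Python so the ordering can be checked against sample names. The regular expression for splitting User-Name is my own (the one in the post is garbled in the archive), the rule that "student" is also proxied to a realm called student is an assumption, and the sample user names are constructed.

```python
"""Model of the authorize-section realm routing discussed in the thread,
plus the student rule from the reply, with the ordering made explicit.

Added example, not FreeRADIUS code. USER_NAME_RE is my own regex (the posted
one is garbled in the archive); routing 'student' to a proxy realm of the
same name is an assumption; sample names are constructed."""
import re
from typing import NamedTuple, Optional

# user@realm, the realm part optional so bare names still match (Nick's %{2}).
USER_NAME_RE = re.compile(r"^([^@]+)@?([-A-Za-z0-9._]*)?$")
# Suffixes Nick maps to the local "worc" realm (empty suffix included).
LOCAL_SUFFIXES = {"", "worc.ac.uk", "worcester.ac.uk"}
# The reply's test: /_02@/ anywhere in User-Name.
STUDENT_RE = re.compile(r"_02@")


class Route(NamedTuple):
    stripped_user_name: Optional[str]
    realm: str
    proxy_to_realm: Optional[str]       # None: handled locally, no proxying


def route(user_name: str) -> Route:
    """Return (Stripped-User-Name, Realm, Proxy-To-Realm) for a User-Name."""
    m = USER_NAME_RE.match(user_name)
    if not m:
        # Nick's else branch: an unparseable name becomes anonymous/local.
        return Route("anonymous", "local", None)
    user, suffix = m.group(1), (m.group(2) or "").lower()

    # The student test must run before the suffix test: a student name also
    # ends in worc.ac.uk and would otherwise be routed as staff.
    if STUDENT_RE.search(user_name):
        return Route(user, "student", "student")
    if suffix in LOCAL_SUFFIXES:
        return Route(user, "worc", "worc")
    return Route(user, "jrs", "jrs")


if __name__ == "__main__":
    for name in ("psmith@worc.ac.uk", "psdn1_02@worc.ac.uk",
                 "alice@example.org", "bob", "@"):
        print(f"{name:25} -> {route(name)}")
```

In unlang the same ordering means placing the `_02@` block before the suffix test, or letting it run afterwards and overwrite Realm; either works, but only one of the two orders can be read off the configuration without tracing the update statements.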
Re: Stop alive requests in a dead realm
Santiago Balaguer García wrote:
> I am using freeradius 2.1.3 for my AAA servers. I have a little problem
> when a third-partner RADIUS is dead. My problem is my freeradius sends the
> following status packet every 2-5 seconds.
>
> Sending Access-Request of id 77 to 200.160.126.23 port 1812
>	User-Name := ""
>	User-Password := ""
>	Service-Type := Authenticate-Only
>	Message-Authenticator := 0x
>	NAS-Identifier := "Status Check. Are you alive?"
> Waking up in 1.0 seconds.
> Cleaning up request 3 ID 151 with timestamp +723
> Waking up in 2.9 seconds.
>
> I want to avoid this test because my partner tells me that I send too
> much traffic ('operator' is the realm name).
...
> realm operator {
>	type = radius
>	authhost = 200.160.126.23:1812
>	accthost = 200.160.126.23:1813
>	secret = my_secret

  You should use the new syntax to define home servers.

  Also, you may want to grab a recent copy of the source from http://git.freeradius.org/pre/. It fixes a bug where it would send Status-Server messages, even if "status_check = none".

  Or, you can use the new syntax for home_servers to set "check_interval = 120", which should cut down on the traffic a lot.

  And if you want a stable RADIUS system, you *should* enable status-server checks. It lets the proxy use the partner's server as soon as it's up, rather than trying it while it's still down.

  Alan DeKok.
is it possible one certificate for only user
Hello;

I have been using freeradius with CA, eap. I am also using OpenSSL certificates.

My question is that how to use only one certificate for only one user. How to configure my raddb.conf, eap.conf, users for only one user.

Best regards,
Abdullah Dizdar
Re: NTLM Auth Help
Hi,

Following up from this, I think I've discovered what the real problem here is. I think there's a problem with the MS-CHAP module.

The module looks in the username to find "host/" at the beginning, and if it does then handles it differently. Whilst it sets the "username" section correctly, it doesn't set the "domain" section properly.

ntlm_auth can handle both netbios and FQDN versions of a domain. For machine Auth, the mschap module works on the assumption that the first "DN=" bit of the FQDN is always the same as the netbios name - which in many situations it is, but not all the time.

It should work on the logic of: "OK, I found a host/ at the beginning, so everything after the host/ but before the first '.' + a '$' is the username of the machine, and *everything* after the first '.' is the domain name", not everything between the first and second periods is the domain name.

My C programming isn't too hot, and so I'm not sure how to correct this logic - even though I think I've found it in source for rlm_mschap.

Many Thanks,

Rupert
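Two threads on this page come down to the same step: turning whatever arrives in User-Name into the username and domain that ntlm_auth needs. Adam's UPN problem (a user@company.net whose account actually lives in dept2.company.net, with winbind defaulting to the server's own DEPT1 domain) and Rupert's host/ machine-name problem above are both cases where the domain has to be derived before ntlm_auth is called. The following is an added example, not FreeRADIUS or Samba code and not from either thread. It applies the three argument forms Rupert lists, splits a UPN at '@' (his option 1), consults a lookup table standing in for an AD query for the real domain (his option 2), and parses host/name.child.example.net the way he proposes above: the machine name before the first '.' plus '$', everything after the first '.' as the FQDN domain. UPN_DIRECTORY and all sample names are constructed; the ntlm_auth flags used are the documented --request-nt-key, --username, --domain, --challenge and --nt-response.

```python
"""Derive the username/domain pair for ntlm_auth from the User-Name forms
discussed in the UPN and host/ threads.

Added example, not FreeRADIUS or Samba code. The host/ parsing follows the
logic proposed in the thread, not the module's current behaviour.
UPN_DIRECTORY is a constructed stand-in for an AD lookup of a user's real
domain; a deployment would resolve it from the directory."""
from typing import Dict, List, NamedTuple

# Constructed: UPN -> domain the account actually lives in (Rupert's option 2).
UPN_DIRECTORY: Dict[str, str] = {
    "adam@company.net": "DEPT2.COMPANY.NET",
}


class NtlmIdentity(NamedTuple):
    username: str
    domain: str          # NetBIOS name or FQDN; ntlm_auth accepts either
    kind: str            # "user" or "machine"


def parse_user_name(user_name: str) -> NtlmIdentity:
    """Accept host/machine.fqdn, DOMAIN\\user or user@upn-suffix."""
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        machine, _, domain = fqdn.partition(".")
        if not machine or not domain:
            raise ValueError("machine name has no domain part: " + user_name)
        # Everything after the first '.' is the domain, not just the next label.
        return NtlmIdentity(machine + "$", domain, "machine")

    if "\\" in user_name:                    # legacy NetBIOS form
        domain, _, user = user_name.partition("\\")
        return NtlmIdentity(user, domain, "user")

    if "@" in user_name:                     # UPN form
        user, _, suffix = user_name.rpartition("@")
        real_domain = UPN_DIRECTORY.get(user_name.lower())
        # Prefer the directory's answer; the UPN suffix may be the forest
        # root while the account lives in a child domain.
        return NtlmIdentity(user, real_domain or suffix, "user")

    raise ValueError("no domain information in User-Name: " + user_name)


def ntlm_auth_argv(ident: NtlmIdentity, challenge_hex: str,
                   nt_response_hex: str) -> List[str]:
    """argv for the exec call; --domain is always passed so winbind does not
    fall back to the RADIUS server's own domain (DEPT1 in Adam's case)."""
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        "--username=" + ident.username,
        "--domain=" + ident.domain,
        "--challenge=" + challenge_hex,
        "--nt-response=" + nt_response_hex,
    ]


if __name__ == "__main__":
    for name in ("adam@company.net", "bob@dept1.company.net",
                 "DEPT1\\carol", "host/pc01.dept2.company.net"):
        ident = parse_user_name(name)
        print(name, "->", ntlm_auth_argv(ident, "00" * 8, "00" * 24)[2:4])
```

The point of always emitting --domain is visible in Adam's tcpdump: without it, winbind sends every request to the DEPT1 controllers the server is joined to, and a DEPT2 account fails with NT_STATUS_NO_SUCH_USER even though the credentials are fine.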
Stop alive requests in a dead realm
Hi,

I am using freeradius 2.1.3 for my AAA servers. I have a little problem when a third-partner RADIUS is dead. My problem is my freeradius sends the following status packet every 2-5 seconds.

	Sending Access-Request of id 77 to 200.160.126.23 port 1812
		User-Name := ""
		User-Password := ""
		Service-Type := Authenticate-Only
		Message-Authenticator := 0x
		NAS-Identifier := "Status Check. Are you alive?"
	Waking up in 1.0 seconds.
	Cleaning up request 3 ID 151 with timestamp +723
	Waking up in 2.9 seconds.

I want to avoid this test because my partner tells me that I send too much traffic ('operator' is the realm name).

proxy.conf file
--
	proxy server {
		default_fallback = yes
	}

	home_server localhost {
		type = auth
		ipaddr = 127.0.0.1
		port = 1812
		secret = testing123
		require_message_authenticator = no
		response_window = 20
		zombie_period = 40
		revive_interval = 120
		status_check = none
		check_interval = 30
		num_answers_to_alive = 3
	}

	home_server virtual.example.com {
		virtual_server = virtual.example.com
	}

	home_server_pool my_auth_failover {
		type = fail-over
		home_server = localhost
	}

	realm example.com {
		auth_pool = my_auth_failover
	}

	realm LOCAL {
		type = radius
		authhost = LOCAL
		accthost = LOCAL
	}

	realm operator {
		type = radius
		authhost = 200.160.126.23:1812
		accthost = 200.160.126.23:1813
		secret = my_secret
		strip
	}
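The debug output above shows what a status check actually is on the wire: an Access-Request with a placeholder User-Name and User-Password, Service-Type = Authenticate-Only, a NAS-Identifier marking it as a probe, and a Message-Authenticator so the home server can tell a genuine probe from a forged one. Alan's advice to keep the checks and lengthen check_interval makes more sense once the size and the authentication of that packet are visible. The following is an added example, not FreeRADIUS code and not from either poster: it builds such a probe and verifies its Message-Authenticator. Attribute layout follows RFC 2865, the User-Password hiding RFC 2865 section 5.2, and the Message-Authenticator RFC 3579 section 3.2. The shared secret, identifier and Request Authenticator values are constructed; the real server's probe may carry attributes not shown in the log.

```python
"""Encode the Access-Request style status check seen in the debug log and
verify its Message-Authenticator.

Added example, not FreeRADIUS code. Layout per RFC 2865, User-Password
hiding per RFC 2865 s5.2, Message-Authenticator per RFC 3579 s3.2.
Secret, identifier and authenticator below are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 32, 80
AUTHENTICATE_ONLY = 8
PROBE_IDENTIFIER = b"Status Check. Are you alive?"


def avp(attr_type: int, value: bytes) -> bytes:
    """Type, Length (including the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded by the authenticator."""
    if not password:
        padded = b"\x00" * 16              # field is at least 16 octets
    else:
        padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_status_check(secret: bytes, identifier: int, authenticator: bytes,
                       username: bytes = b"", password: bytes = b"",
                       nas_identifier: bytes = PROBE_IDENTIFIER) -> bytes:
    """Access-Request probe; Message-Authenticator is computed over the whole
    packet with its own value zeroed, then written into place."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = b""
    if username:                           # empty User-Name is not a legal AVP
        attrs += avp(USER_NAME, username)
    attrs += avp(USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += avp(SERVICE_TYPE, struct.pack("!I", AUTHENTICATE_ONLY))
    attrs += avp(NAS_IDENTIFIER, nas_identifier)
    attrs += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac              # MA is the last attribute


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """True only if a well-formed Message-Authenticator is present and valid.
    A probe without one should not be trusted by the receiving server."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += length
    return False


if __name__ == "__main__":
    probe = build_status_check(b"my_secret", 77, os.urandom(16))
    print(len(probe), "bytes per probe; valid:",
          verify_message_authenticator(b"my_secret", probe))
```

Each probe is under 100 bytes, so at check_interval = 120 the partner receives a few hundred bytes a minute per home server, far from the load Santiago's partner complained about with the old realm syntax; the HMAC-MD5 over the shared secret is what stops a third party from marking a home server alive or dead by replaying probes or forging replies to them.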
Re: Duplicate SQL records versus unique constraints
Hello,

On Wed, 03 Jun 2009 08:24:53 +0100 Arran Cudbard-Bell wrote:

[more uniqueness for accounting packets]

> Example policy for this would be something like :
> [snip]

Thanks a bundle for that, I was about to whack my head against the screen here and type "man unlang". ;)

> If you're still getting duplicates, check that the NAS is actually
> sending the value of the Class attribute. Vendors are notoriously bad
> for ignoring the RFC in this area.

Yeah, never mind that we are talking to proxy servers upstream which in turn may talk to other proxy servers (nobody knows) which ultimately talk to the NAS (BRAS) in question.

I have seen those quickly recycled Acct-Session-Id's only with one location it seems, other people with twice the connects never had their IDs re-used in the same sample period. So my bet is that this particular NAS will also happily ignore the Class attribute. ^o^

But nevertheless, a very useful configuration snippet that would do well in a future sample configuration.

Thanks again for the quick and comprehensive response,

Christian
--
Christian Balzer        Network/Systems Engineer                NOC
ch...@gol.com   	Global OnLine Japan/Fusion Network Services
http://www.gol.com/
https://secure3.gol.com/mod-pl/ols/index.cgi/?intr_id=F-2ECXvzcr6656
Re: Duplicate SQL records versus unique constraints
On 3/6/09 07:53, Arran Cudbard-Bell wrote:
> If we add a CONSTRAINT to enforce uniqueness for acctuniqueid in the
> DB, will the failure to insert an accounting record confuse the
> freerad sql module and will those failures percolate up towards the
> radius protocol level and thus result in the NAS keep on sending that
> accounting packet?

Yes. The SQL module will return fail on any errors. This will override the priority of most other modules, and cause the accounting stanza to return fail. The RADIUS server will then ignore the Accounting request, and the NAS will think the RADIUS server is dead.

You should be able to add additional 'uniqueness' with the 'Class' attribute. RFC behavior is identical to User-Name. You set it in the Access-Accept packet, then the NAS includes its value in all future Accounting-Requests.

Example policy for this would be something like :

populate_class {
	# Hashing module only accepts dictionary attributes
	update request {
		Tmp-String-0 := "%t"
	}

	#
	# Insert random string into the class attribute
	#
	acct_class_unique.accounting

	update reply {
		Class := "%{request:Acct-Unique-Session-Id}"
	}
}

and

acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port, Class"
}

acct_unique acct_class_unique {
	key = "User-Name, Tmp-String-0, NAS-IP-Address, Client-IP-Address, NAS-Port"
}

For the module configuration.

If you're still getting duplicates, check that the NAS is actually sending the value of the Class attribute. Vendors are notoriously bad for ignoring the RFC in this area.

Regards,
Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
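The recycled-session-id problem and the Class fix from the post above, as an added Python model that is not from Arran's post or from FreeRADIUS itself. It hashes the two key lists quoted above the way rlm_acct_unique does in approach (MD5 over the concatenated key values; the module's exact byte layout is an assumption, so the ids are not comparable with real ones), and shows that a NAS which reuses Acct-Session-Id collides without Class, stops colliding once Class carries the per-login time hash, and collides again if the NAS drops Class. The NAS address, user name and login times are constructed sample values.

```python
import hashlib

# Key lists taken from the two acct_unique stanzas quoted in the post.
ACCT_KEY = ["User-Name", "Acct-Session-Id", "NAS-IP-Address",
            "Client-IP-Address", "NAS-Port"]
ACCT_KEY_WITH_CLASS = ACCT_KEY + ["Class"]
# acct_class_unique hashes the request time (Tmp-String-0 := %t) instead
# of Acct-Session-Id, so its value changes for every Access-Accept.
CLASS_KEY = ["User-Name", "Tmp-String-0", "NAS-IP-Address",
             "Client-IP-Address", "NAS-Port"]

def unique_id(packet, key):
    """Model of rlm_acct_unique: MD5 over the concatenated values of the
    key attributes present in the packet, as 32 hex digits.  Assumption:
    only the approach is reproduced, not the module's exact byte layout."""
    h = hashlib.md5()
    for attr in key:
        if attr in packet:
            h.update(str(packet[attr]).encode())
    return h.hexdigest()

def access_accept_class(request, now):
    """Model of populate_class: the hash over CLASS_KEY becomes the Class
    value returned in the Access-Accept."""
    return unique_id({**request, "Tmp-String-0": now}, CLASS_KEY)

# Constructed sample: one BRAS reuses Acct-Session-Id "0000ABCD" for two
# logins of the same user on the same port a few minutes apart.
NAS = {"NAS-IP-Address": "192.0.2.10", "Client-IP-Address": "192.0.2.10",
       "NAS-Port": 7, "User-Name": "alice@example.com"}
LOGIN_TIMES = ["Wed Jun  3 08:00:00 2009", "Wed Jun  3 08:05:00 2009"]

def accounting_starts(nas_honours_class):
    """Two Accounting Start packets with the recycled session id; the NAS
    echoes the Class from the Access-Accept only if it follows the RFC."""
    pkts = []
    for t in LOGIN_TIMES:
        pkt = {**NAS, "Acct-Session-Id": "0000ABCD"}
        if nas_honours_class:
            pkt["Class"] = access_accept_class(NAS, t)
        pkts.append(pkt)
    return pkts

def has_duplicates(starts, key):
    """True if two Starts map to the same acctuniqueid, i.e. the second
    INSERT would violate a UNIQUE constraint on that column."""
    ids = [unique_id(p, key) for p in starts]
    return len(set(ids)) != len(ids)
```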
Re: Duplicate SQL records versus unique constraints
> If we add a CONSTRAINT to enforce uniqueness for acctuniqueid in the
> DB, will the failure to insert an accounting record confuse the
> freerad sql module and will those failures percolate up towards the
> radius protocol level and thus result in the NAS keep on sending that
> accounting packet?

Yes. The SQL module will return fail on any errors. This will override the priority of most other modules, and cause the accounting stanza to return fail. The RADIUS server will then ignore the Accounting request, and the NAS will think the RADIUS server is dead.

You should be able to add additional 'uniqueness' with the 'Class' attribute. RFC behavior is identical to User-Name. You set it in the Access-Accept packet, then the NAS includes its value in all future Accounting-Requests.

You can use another instance of the hashing module to generate the initial class value. Include something like system time in the list of attributes to make sure it never repeats. Then just add 'Class' into the list of attributes used to generate acctuniqueid.

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2