Re: DHCP code in 2.0.4+

2009-06-09 Thread Alan DeKok
Karl Auer wrote:
   The fail-over protocol does not work.  Full-stop.
 
 Unless you come up with some very clever definition of "does not work",
 that's just plain wrong, Alan.  It clearly *does* work, most of the time
 for most of the people, and has been doing so in enterprises large and
 small for many years.

  It does something.  But it doesn't meet the goal of reliability.

  My issue is less with the protocol itself than with the belief that it
*does* work.  My experience with it has been less than positive.

 The fact that I haven't had a serious failure in the last eight years or
 so is a pretty good indicator to me that the protocol is robust
 *enough*.

  You've been lucky.  See the RELNOTES that is included with ISC for a
series of bug fixes to the protocol.  Both the implementation and the
protocol design have been changed substantially to avoid issues seen by
real-live people in the field.

 That is true of any protocol you care to name. It's also an unanswerable
 non-argument. Does inspection of the DHCP failover protocol reveal a
 theoretical failure mode to you?

  Yes.  A few quick tests demonstrated that failure.  See earlier
messages in this thread.

 Or is it that the ISC DHCP implementation that has exhibited failures?

  They've *admitted* failure.  Publicly.

---
FAILOVER:  As of version 3.0.4, ISC has included a fix for an insidious
bug in the failover implementation which, if left unchecked, could
result in tying up all leases in transitional states (such as released,
reset, or expired).  The crux of the problem is the lack of
retransmission of leases that rest in these states.  The only way to
solve this problem is to carry additional state on the lease data
structures to indicate acknowledgement state.
---

  That doesn't inspire confidence.  It's not just a bug, which even
FreeRADIUS has had from time to time.  The entire design of the protocol
has mutated and changed based on discovery of something they missed...
YEARS after the protocol was implemented.  See also the massive changes
in the protocol between 3.0 and 3.1.

  It's just like the duplicate detection cache implemented in FreeRADIUS
nearly 10 years ago, and by myself in other servers before that.  Yet it
was only with the recent publication of RFC 5080 that some major
commercial servers went "Oh, that's a good idea...", and implemented it.

  Until they did, they were subject to a number of *known* problems.

 That's possible. That never occurred to me, because it is allegedly
 interoperable with ISC DHCP. I will ask!

http://www.tolly.net/ts/2008/Nominum/DHCP2.2/Tolly208319NominumDHCP.pdf

  They might be inter-operable.  The major performance difference
between the two proves to me that the protocol between the Nominum
servers is *not* the same as the ones used between ISC servers, or
between ISC and Nominum.

  i.e. ISC claims to implement the protocol.  If its performance is so
much worse than Nominum, then either (a), ISC didn't implement the
protocol as spec'd, or (b) Nominum didn't.

  And much of the rest of the performance difference is due to ISC *not*
using simple algorithms like dynamic hash tables.

  It's almost like ISC is *deliberately* bad, to make people go to
Nominum.  That's OK.  It leaves a window of opportunity for me, to
create a DHCP server that *isn't* deliberately bad.

 It almost always works. It works *by far* most of the time. Even with
 ISC DHCP. To the point where I have not ever seen it fail except due to
 bugs in an implementation. My experience is not all-encompassing -
 perhaps you have seen it fail when the protocol was properly
 implemented.

  Yes.

 Yes. Or rather, it's delays in the operation of the failover protocol as
 implemented in ISC DHCP. Or I believe it to be - feel free to educate me
 otherwise.

  I really don't know.  I'm happy to say that both the protocol and the
implementation are less than optimal.

   And I'll bet money that Nominum is getting such high performance by
 doing the kind of optimizations I'm talking about.
 
 That could be. That is, their failover implementation may not follow the
 draft standard. However, if they were going to go non-standard, why not
 develop their own mechanism entirely? But I will ask them about this.

  I'm sure that they developed their own standard for communication
between Nominum servers.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with external authentication script

2009-06-09 Thread Alan DeKok
Stefan Kuegler wrote:
 OK - that's what I forgot to say. The first two arguments (user and
 password) come directly from the user. The next three arguments (secret,
 pin and offset) are per-user-values. So I wanted to configure these
 values in the 'users'-file (/etc/freeradius/users)
 
 For example:
 [...]
   user1
           Secret = 143a5c6fa125ac1f,
           PIN = 1234,
           Offset = 0

  So... they are REPLY attributes.  See man unlang for how to refer to
attributes in the reply list.  %{Secret} isn't it.

  Alan DeKok.


Re: DHCP code in 2.0.4+

2009-06-09 Thread Karl Auer
On Tue, 2009-06-09 at 08:06 +0200, Alan DeKok wrote:
   It does something.  But it doesn't meet the goal of reliability.

Ah, now that's different. But again, it's reliable *enough*. It does
leave a nice big hole for people like Nominum to produce something that
is *very* reliable.

   You've been lucky.

Perhaps you've just been unlucky? It's just as good an argument.

   See the RELNOTES that is included with ISC for a
 series of bug fixes to the protocol.  Both the implementation and the
 protocol design have been changed substantially to avoid issues seen by
 real-live people in the field.

Good. That's to be expected and a good thing.

   Yes.  A few quick tests demonstrated that failure.  See earlier
 messages in this thread.

Nope - tests do not show a theoretical failure. Careful argument shows
theoretical failure. Tests can only show a failure in an implementation
that *may indicate* a theoretical failure. I'd really like to see the
discussion of a theoretical failure (i.e., a case where failure must
occur if the protocol is implemented correctly). I'm not stating this as
some sort of challenge, I genuinely would like to see that discussion.

   That doesn't inspire confidence.  It's not just a bug, which even
 FreeRADIUS has had from time to time.  The entire design of the protocol
 has mutated and changed based on discovery of something they missed...
 YEARS after the protocol was implemented.  See also the massive changes
 in the protocol between 3.0 and 3.1.

Um - that's normal. For any protocol! It's good.

   i.e. ISC claims to implement the protocol.  If its performance is so
 much worse than Nominum, then either (a), ISC didn't implement the
 protocol as spec'd, or (b) Nominum didn't.

Hm. Or Nominum implemented it better...

   I really don't know.  I'm happy to say that both the protocol and the
 implementation are less than optimal.

Oh, we're in full agreement there.

   I'm sure that they developed their own standard for communication
 between Nominum servers.

Watching it happen suggests very strongly that they are following the
standard (such as it is) or something very similar.

Whatever: Go for it, and I look forward to the new FreeDHCP server :-)

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/  +61-428-957160 (mob)

GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



h3c:Framed-IP-Address cisco:'Calling-Station-Id'

2009-06-09 Thread miaowang
hello:

   I have an H3C router and a Cisco router. I want to allow a user to telnet
to these two routers only from a PC with IP address 192.168.1.22, but the H3C
router uses Framed-IP-Address = 192.168.1.22 while the Cisco uses
Calling-Station-Id = 192.168.1.22. How do I set this in the MySQL radcheck table?

100, 'miaowang', 'Framed-IP-Address', '==', '192.168.1.21'
101, 'miaowang', 'Calling-Station-Id', '==', '192.168.1.21'

The values above are wrong; how should I configure this?
  Thanks!   miaowang



Packet-Type = Access-Request
Tue Jun  9 13:24:15 2009
NAS-IP-Address = 192.168.1.4
NAS-Port = 1
Cisco-NAS-Port = tty1
NAS-Port-Type = Virtual
User-Name = miaowang
Calling-Station-Id = 192.168.1.22
User-Password = 11
Client-IP-Address = 192.168.1.4


Packet-Type = Access-Request
Fri Jun  5 09:48:31 2009
NAS-IP-Address = 192.168.1.15
NAS-Identifier = Quidway
NAS-Port = 40961
NAS-Port-Type = Ethernet
Framed-IP-Address = 192.168.1.22
User-Name = miaowang
Calling-Station-Id = --
Service-Type = Login-User
Login-IP-Host = 192.168.1.15
Framed-MTU = 1500
User-Password = 11
Client-IP-Address = 192.168.1.15
miaowang
2009-06-09

Re: DHCP code in 2.0.4+

2009-06-09 Thread Alan DeKok
Karl Auer wrote:
 Perhaps you've just been unlucky? It's just as good an argument.

  Well-designed systems don't require luck to work.  That's my argument.

   See the RELNOTES that is included with ISC for a
 series of bug fixes to the protocol.  Both the implementation and the
 protocol design have been changed substantially to avoid issues seen by
 real-live people in the field.
 
 Good. That's to be expected and a good thing.

  Umm no.  It means the protocol was designed from an incomplete
problem statement, and an incomplete knowledge of the system.  That
isn't good engineering practice.

   Yes.  A few quick tests demonstrated that failure.  See earlier
 messages in this thread.
 
 Nope - tests do not show a theoretical failure.

  See earlier messages in this thread.  I (a) found a theoretical issue
with the protocol, and (b) demonstrated it in a live system.

  It's a fundamental design flaw.

  There are designs which are definitely better.  Database replication,
for one.  Yes, it doesn't implement the various states that the ISC
protocol uses.  However, those states are largely there because of
implementation decisions, rather than theoretical analysis.

  Alan DeKok.



Re: DHCP code in 2.0.4+

2009-06-09 Thread A . L . M . Buxey
Hi,

 It's not a good sign that we bicker about terminology. Suffice it to say

whilst it was interesting that FreeRADIUS got DHCP support - certainly
for those that want to ensure policy actually works - I never thought we'd 
get to have such fervent discussion about it :-)

now, historical context - a lot of questions have been asked about
eg freeRADIUS in 802.1X along the lines of 'authentication worked
but client didn't get an address' - of course, FR never handed out
addresses back then - it can now. 

however, the main question is when will FreeRADIUS have to have a
new name?  8-)

FRANAS ? (free radius, authentication and network access server) 8-)

alan


Re: DHCP code in 2.0.4+

2009-06-09 Thread Arran Cudbard-Bell
a.l.m.bu...@lboro.ac.uk wrote:
 Hi,

 It's not a good sign that we bicker about terminology. Suffice it to say

 whilst it was interesting that FreeRADIUS got DHCP support - certainly
 for those that want to ensure policy actually works - I never thought we'd
 get to have such fervent discussion about it :-)

 now, historical context - a lot of questions have been asked about
 eg freeRADIUS in 802.1X along the lines of 'authentication worked
 but client didn't get an address' - of course, FR never handed out
 addresses back then - it can now.

 however, the main question is when will FreeRADIUS have to have a
 new name?  8-)

 FRANAS ? (free radius, authentication and network access server) 8-)

You know I was thinking about this as well, it's not really a Network
Access Server though (EAP terminology).

It's hard... How many protocols does FR support now, VMPS, RADIUS (With
WiMAX), EAP, DHCP. I'd suggest FreeNAC but I believe someone has already :P.

FreeRNC - Free RADIUS and Network Control

or

FreeRaNCS (FRANCS)

Arran




Re: DHCP code in 2.0.4+

2009-06-09 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
 however, the main question is when will FreeRADIUS have to have a
 new name?  8-)

  It won't.  The name is already well known.

 FRANAS ? (free radius, authentication and network access server) 8-)

  I'm all for having an *additional* name, web site, etc.  That will
help draw new people in without affecting the current mindshare.

  The problem is picking a name that is nice, but isn't already registered.

  Alan DeKok.


Re: DHCP code in 2.0.4+

2009-06-09 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 It's hard... How many protocols does FR support now, VMPS, RADIUS (With
 WiMAX), EAP, DHCP. I'd suggest FreeNAC but I believe someone has already :P.

  ARP?  Tacacs+ maybe to come.

 FreeRNC - Free RADIUS and Network Control
 
 or
 
 FreeRaNCS (FRANCS)

  I'd avoid the word free.

  Alan DeKok.


Re: h3c:Framed-IP-Address cisco:'Calling-Station-Id'

2009-06-09 Thread Ivan Kalik
 I have an H3C router and a Cisco router. I want to allow a user to telnet
 to these two routers only from a PC with IP address 192.168.1.22, but the
 H3C router uses Framed-IP-Address = 192.168.1.22 while the Cisco uses
 Calling-Station-Id = 192.168.1.22.
 How do I set this in the MySQL radcheck table?
 
 100, 'miaowang', 'Framed-IP-Address', '==', '192.168.1.21'
 101, 'miaowang', 'Calling-Station-Id', '==', '192.168.1.21'
 
 The values above are wrong; how should I configure this?
   Thanks!   miaowang



 Packet-Type = Access-Request
 Tue Jun  9 13:24:15 2009
 NAS-IP-Address = 192.168.1.4
 NAS-Port = 1
 Cisco-NAS-Port = tty1
 NAS-Port-Type = Virtual
 User-Name = miaowang
 Calling-Station-Id = 192.168.1.22
 User-Password = 11
 Client-IP-Address = 192.168.1.4


 Packet-Type = Access-Request
 Fri Jun  5 09:48:31 2009
 NAS-IP-Address = 192.168.1.15
 NAS-Identifier = Quidway
 NAS-Port = 40961
 NAS-Port-Type = Ethernet
 Framed-IP-Address = 192.168.1.22
 User-Name = miaowang
 Calling-Station-Id = --
 Service-Type = Login-User
 Login-IP-Host = 192.168.1.15
 Framed-MTU = 1500
 User-Password = 11
 Client-IP-Address = 192.168.1.15

You can't enforce this just using sql. Use users file or unlang.

Hint: routers have access lists. Why don't you use them? It's much more
efficient.

Ivan Kalik
Kalik Informatika ISP

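The two radcheck rows in the question cannot express "either attribute matches": check items are ANDed, so every row for the user has to match, and an `==` against an attribute the NAS did not send fails. What follows is an added example, not code from this thread or from FreeRADIUS: a small Python model of that check-item rule, run over the two Access-Requests pasted in the question plus one constructed request from a different PC, next to the either/or policy Ivan points at (users file or unlang). The address 192.168.1.22 is taken from the question; the request dicts keep only the attributes the policy looks at, and the radcheck rows are the question's rows with the address corrected to the PC that should be allowed.

```python
"""Model of why two radcheck rows cannot say "either attribute matches".

Added example, not code from the thread or from FreeRADIUS.  The requests
CISCO_REQUEST and H3C_REQUEST are transcribed from the question; the
OTHER_PC_REQUEST, the helper names and the accept/reject logic are constructed.
"""
from typing import Dict, List, Tuple

Request = Dict[str, str]

# From the question: the Cisco sends only Calling-Station-Id; the H3C sends
# Calling-Station-Id = "--" and puts the real source in Framed-IP-Address.
CISCO_REQUEST: Request = {"User-Name": "miaowang", "NAS-IP-Address": "192.168.1.4",
                          "Calling-Station-Id": "192.168.1.22"}
H3C_REQUEST: Request = {"User-Name": "miaowang", "NAS-IP-Address": "192.168.1.15",
                        "Calling-Station-Id": "--", "Framed-IP-Address": "192.168.1.22"}
# Constructed: the same user telnetting from a PC that must be refused.
OTHER_PC_REQUEST: Request = {"User-Name": "miaowang", "NAS-IP-Address": "192.168.1.4",
                             "Calling-Station-Id": "192.168.1.99"}

ALLOWED_PC = "192.168.1.22"

# (id, username, attribute, op, value), as in the question's radcheck rows,
# with the value corrected to the PC that should be allowed.
RADCHECK_ROWS: List[Tuple[int, str, str, str, str]] = [
    (100, "miaowang", "Framed-IP-Address", "==", ALLOWED_PC),
    (101, "miaowang", "Calling-Station-Id", "==", ALLOWED_PC),
]


def radcheck_matches(rows: List[Tuple[int, str, str, str, str]], request: Request) -> bool:
    """Check-item rule: every row for this user must match, and an '=='
    against an attribute missing from the request is a failed match."""
    for _id, user, attr, op, value in rows:
        if user != request.get("User-Name"):
            continue
        if op != "==":
            raise ValueError("only the '==' operator is modelled here")
        if request.get(attr) != value:
            return False
    return True


def either_attribute_policy(request: Request) -> bool:
    """The rule the poster actually wants: accept when the PC address appears
    in whichever attribute this particular NAS populates."""
    return (request.get("Calling-Station-Id") == ALLOWED_PC
            or request.get("Framed-IP-Address") == ALLOWED_PC)


def evaluate(request: Request) -> Dict[str, bool]:
    """Run both rules over one request; True means Access-Accept."""
    return {"radcheck_rows": radcheck_matches(RADCHECK_ROWS, request),
            "either_policy": either_attribute_policy(request)}


# The same "either" rule in unlang, placed in authorize after the sql module
# (my transcription of the condition, not a line from the thread):
#   if (!(Calling-Station-Id == "192.168.1.22" || Framed-IP-Address == 192.168.1.22)) {
#       reject
#   }

if __name__ == "__main__":
    for name, req in (("cisco", CISCO_REQUEST), ("h3c", H3C_REQUEST), ("other", OTHER_PC_REQUEST)):
        print(name, evaluate(req))
```

Both radcheck rows reject both legitimate requests, because each NAS sends only one of the two attributes; the either/or policy accepts both and still rejects the constructed request from 192.168.1.99.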


New name to reflect new functionality (was RE: DHCP code in 2.0.4+)

2009-06-09 Thread Martin Lorentz
FreeRadius should always be called FreeRadius. It's almost a brand name,
which is very well known, and has an excellent reputation.

I agree the new stuff in FreeRadius needs way more attention. Virtually
no one i know associates Free_Radius_ with VMPS, nor DHCP.

   I'd avoid the word free.

I'd agree. (Open- is taken too. What about Flex-Something.)

How could this be organized, in the source tree or elsewhere? A new
server core maybe called Flex-Something without any knowledge of
RADIUS, DHCP or the like? An add-on package called FreeRadius, another
called FlexDHCP? Kind of confusing, there must be a better way.

Best regards,
Martin Lorentz



Re: freeradius mysql configuration problem

2009-06-09 Thread Ivan Kalik
 grep mysql_config still remains as follows:
 
 
 configure: WARNING: silently not building rlm_sql_iodbc.
 configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
 checking for mysql_config... no
 configure: WARNING: silently not building rlm_sql_postgresql.
 configure: WARNING: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h
 libpq.
 configure: WARNING: oracle headers not found.  Use
 --with-oracle-home-dir=path.
 configure: WARNING: silently not building rlm_sql_oracle.
 configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
 configure: WARNING: silently not building rlm_sql_unixodbc.
 configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

 I am not able to conclude whether mysql support has been completely
 installed.Please can anyone help me out?

Read the debug:

 rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
 linked
 rlm_sql (sql): Attempting to connect to rad...@localhost:/radius
 rlm_sql (sql): starting 0
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
 rlm_sql_mysql: Starting connect to MySQL server for #0
 rlm_sql (sql): Connected new DB handle, #0
 rlm_sql (sql): starting 1
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
 rlm_sql_mysql: Starting connect to MySQL server for #1
 rlm_sql (sql): Connected new DB handle, #1
 rlm_sql (sql): starting 2
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
 rlm_sql_mysql: Starting connect to MySQL server for #2
 rlm_sql (sql): Connected new DB handle, #2
 rlm_sql (sql): starting 3
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
 rlm_sql_mysql: Starting connect to MySQL server for #3
 rlm_sql (sql): Connected new DB handle, #3
 rlm_sql (sql): starting 4
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
 rlm_sql_mysql: Starting connect to MySQL server for #4
 rlm_sql (sql): Connected new DB handle, #4

It has.

 Is it possible to use mysql support only for accounting purposes without
 using it for authentication and authorization purposes?

Yes. List it where you want it (and don't list it where you don't).

Ivan Kalik
Kalik Informatika ISP



Re: New name to reflect new functionality (was RE: DHCP code in 2.0.4+)

2009-06-09 Thread Arran Cudbard-Bell

On 9/6/09 11:07, Martin Lorentz wrote:

FreeRadius should always be called FreeRadius. It's almost a brand name,
which is very well known, and has an excellent reputation.

I agree the new stuff in FreeRadius needs way more attention. Virtually
no one i know associates Free_Radius_ with VMPS, nor DHCP.


   I'd avoid the word free.


I'd agree. (Open- is taken too. What about Flex-Something.)

How could this be organized, in the source tree or elsewhere? A new
server core maybe called Flex-Something without any knowledge of
RADIUS, DHCP or the like? An add-on package called FreeRadius, another
called FlexDHCP? Kind of confusing, there must be a better way.


Whenever I think of Flex, I think of Flex-LM... and that's not a good 
association :(

I know it's all 1980sish but we could bring back Synergy.


syn⋅er⋅gism

–noun
1.  the interaction of elements that when combined produce a total effect that 
is greater than the sum of the individual elements, contributions, etc.

It actually fits what FreeRADIUS is moving towards; lots of protocols working 
together to provide control of a network.

SyNC - Synergous/Synchronous Network Control, also reads as (Sync)

SyNAC - Synergous/Synchronous Network Access Control

Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

[freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
Hi all

I am trying to set up fail-over with two LDAP servers on my FreeRADIUS. I read this article 
http://wiki.freeradius.org/Fail-over, instantiated two openldap modules and 
use the keyword redundant in my /raddb/site-available/default in the authorize and 
authenticate sections.

redundant {
Primary-ldap
Secondary-ldap
}

I also enabled reply_log.
When both LDAP servers are running, it works.

reply log :

Tue Jun  9 11:45:53 2009
Packet-Type = Access-Accept
Reply-Message = Utilisateur: fmehault, group: Administrateur
Cisco-AVPair = shell:priv-lvl=15
Service-Type = NAS-Prompt-User

But if I stop Secondary-ldap, I get only:

reply log :

Tue Jun  9 11:49:19 2009
Packet-Type = Access-Accept

I can see in my log that radiusd tries to contact Secondary-ldap first. Why? 
Then it tries 3 times, rather than trying Primary-ldap. Why?

I will be pleased to give you more information about my problem if that helps 
to fix it.

++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389
rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact 
LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact 
LDAP server

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact 
LDAP server

Summary:

Primary-ldap started
Secondary-ldap   started
It works

Primary-ldap stopped
Secondary-ldap   started
It works

Primary-ldap started
Secondary-ldap   stopped
Access-Accept without reply-item ...

If someone can explain to me what my problem is.

Regards,

François





Robust proxy accounting

2009-06-09 Thread Chris Howley
Alan,

I'm hoping you can help me. We're currently testing FR2.1.6 and robust proxy 
accounting. We have two servers running FR2.1.6. When both servers are operational 
the relaying of accounting packets works. However, when one of the servers is down 
the other operational server fails to retain the accounting data. The software 
deletes the detail.work file and any other detail files stored in the listener's 
sub-directory. Looking at the debug output the only thing that's different after 
the last time that the detail.work file is accessed is shown below.

A copy of the debug output is available at: 
http://netgrp-pc052.leeds.ac.uk/radiusd.debug.txt

Thanks, 

Chris Howley

 Sending proxied request internally to virtual server.
server acct_detail.leeds.ac.uk {
+- entering group accounting {...}
[detail.leeds.ac.uk] Suppressing writes to detail file as the request was just 
read from a detail file.
++[detail.leeds.ac.uk] returns noop
} # server acct_detail.leeds.ac.uk
Going to the next request
 Received proxied response from internal virtual server.



Re: DHCP code in 2.0.4+

2009-06-09 Thread Karl Auer
On Tue, 2009-06-09 at 09:24 +0200, Alan DeKok wrote:
   Umm no.  It means the protocol was designed from an incomplete
 problem statement, and an incomplete knowledge of the system.  That
 isn't good engineering practice.

Maybe - but it's the way a good many, in fact most, of the main
protocols we use today have become what they are. People do their best,
then the real world comes along and reminds them of all the things they
forgot. It's normal for stuff to need fixing.

This doesn't mean DHCP failover is a good protocol. There are enough
legitimate gripes to throw rocks at.

   See earlier messages in this thread.  I (a) found a theoretical issue
 with the protocol, and (b) demonstrated it in a live system.

I missed it. What was it again?

   Yes, it doesn't implement the various states that the ISC
 protocol uses.  However, those states are largely there because of
 implementation decisions, rather than theoretical analysis.

You do need quite a few states for leases, and you need some mechanism
for transitioning between those states in an orderly fashion, in a way
that does not invalidate the contract you have with your DHCP clients.

But these lease states aren't the same states as those used in the DHCP
failover protocol. Seems to me you don't need *any* of those, because
the servers simply do not have to communicate directly. They
communicate, if at all, through changing state in a shared database.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/  +61-428-957160 (mob)

GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



Re: DHCP code in 2.0.4+

2009-06-09 Thread Arran Cudbard-Bell

On 9/6/09 13:58, Karl Auer wrote:

On Tue, 2009-06-09 at 09:24 +0200, Alan DeKok wrote:

   Umm no.  It means the protocol was designed from an incomplete
problem statement, and an incomplete knowledge of the system.  That
isn't good engineering practice.


Maybe - but it's the way a good many, in fact most, of the main
protocols we use today have become what they are. People do their best,
then the real world comes along and reminds them of all the things they
forgot. It's normal for stuff to need fixing.

This doesn't mean DHCP failover is a good protocol. There are enough
legitimate gripes to throw rocks at.


   See earlier messages in this thread.  I (a) found a theoretical issue
with the protocol, and (b) demonstrated it in a live system.


I missed it. What was it again?



When we tried it back in 2007 with an Active/Active configuration, the two
instances of ISC DHCPD started handing out duplicate leases completely
arbitrarily. We scrapped the second instance and went down to a single one.
Haven't tried it again since.


It didn't work then... it may do now.

Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: DHCP code in 2.0.4+

2009-06-09 Thread Karl Auer
On Tue, 2009-06-09 at 14:07 +0100, Arran Cudbard-Bell wrote:
 See earlier messages in this thread.  I (a) found a theoretical issue
  with the protocol, and (b) demonstrated it in a live system.
 
  I missed it. What was it again?
 
 When we tried it back in 2007 with an Active/Active configuration, the
 two instances of ISC DHCPD started handing out duplicate leases
 completely arbitrarily. We scrapped the second instance and went 
 down to a single one. Haven't tried it again since.

Thanks - but that's not a theoretical problem (necessarily). I'm
interested in the protocol itself; Alan has been talking about an error
in the protocol which would lead to failure *even if the protocol were
implemented correctly*.

What does Active/Active mean? Presumably not the same as
primary/primary, which would be a configuration error...

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/  +61-428-957160 (mob)

GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF



Re: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread Ivan Kalik
 I am trying to set up fail-over with two LDAP servers on my FreeRADIUS. I read this
 article http://wiki.freeradius.org/Fail-over, instantiated two openldap
 modules and use the keyword redundant in my
 /raddb/site-available/default in the authorize and authenticate sections.

 redundant {
 Primary-ldap
 Secondary-ldap
 }

  I also enabled reply_log.
 When both LDAP servers are running, it works.

 reply log :

 Tue Jun  9 11:45:53 2009
 Packet-Type = Access-Accept
 Reply-Message = Utilisateur: fmehault, group: Administrateur
 Cisco-AVPair = shell:priv-lvl=15
 Service-Type = NAS-Prompt-User

 But if I stop Secondary-ldap, I get only:

 reply log :

 Tue Jun  9 11:49:19 2009
 Packet-Type = Access-Accept

 I can see in my log that radiusd tries to contact Secondary-ldap first.
 Why? Then it tries 3 times, rather than trying Primary-ldap. Why?

Read rlm_ldap documentation about group support. You are not using
instances in groups.

Ivan Kalik
Kalik Informatika ISP



Re: DHCP code in 2.0.4+

2009-06-09 Thread Alan DeKok
Karl Auer wrote:
 Maybe - but it's the way a good many, in fact most, of the main
 protocols we use today have become what they are. People do their best,
 then the real world comes along and reminds them of all the things they
 forgot. It's normal for stuff to need fixing.

  That's nice.  Except that database replication was already a solved
problem when the protocol was designed.

   See earlier messages in this thread.  I (a) found a theoretical issue
 with the protocol, and (b) demonstrated it in a live system.
 
 I missed it. What was it again?

  It doesn't have transaction numbers.  Parts of the request/ack
protocol are missing anything *other* than request/ack.  It can't say
"get me all leases since time T".  It can't say "get me the leases since
I last synced".

  What I did was to configure a primary and secondary.  Let them sync.
Then, take down the secondary, and delete its lease database.  When the
secondary comes back up, the fail-over protocol does this:

S: Send me leases
P: I did!
S: OK.

  And the secondary is quite happy to sit there with *zero* leases.
It's really mind-boggling.  Maybe they've fixed it in more recent
versions, but it's still a catastrophic design error.

  A real replication protocol using techniques known since at least 1990 is:

S: send me transactions since time 0
P: Hmm... I recall sending you transactions until time T, but OK...
P: here's all the leases from time 0..T'
S: OK.  I'm synced at time T'
P: Thanks, I'll remember that
...
S: Can you send me updates since time T'?
P: OK, here they are

 You do need quite a few states for leases, and you need some mechanism
 for transitioning between those states in an orderly fashion, in a way
 that does not invalidate the contract you have with your DHCP clients.

  Yes.  So long as both servers can share the same view of what the
client should be doing, they will work together seamlessly.  Note that
this does *not* mean that they share *all* information before responding
to the client.  Replication can be lazy in many, many, cases.

 But these lease states aren't the same states as those used in the DHCP
 failover protocol. Seems to me you don't need *any* of those, because
 the servers simply do not have to communicate directly. They
 communicate, if at all, through changing state in a shared database.

  Yes.

  Alan DeKok.
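The two exchanges in the message above, as an added example that is not part of the thread and is not code from ISC dhcpd or FreeRADIUS: a bare request/ack "send me leases" handshake, and a transaction-numbered catch-up exchange of the kind Alan sketches, both simulated in one Python process and both put through the same test he describes (sync the pair, wipe the secondary's lease database, sync again). The lease addresses, MACs, peer names and message shapes are constructed for the illustration.

```python
"""Two lease-replication designs, simulated in one process.

Added example: not code from this thread, from ISC dhcpd or from FreeRADIUS.
Design A is the "S: Send me leases / P: I did! / S: OK." exchange from the
thread; design B is a catch-up protocol keyed on transaction numbers.
Addresses, MACs and peer names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    txn: int  # primary's transaction counter when this binding was written


class Primary:
    """Owns the leases and keeps an ordered log so a peer can ask for deltas."""

    def __init__(self) -> None:
        self.txn = 0
        self.log: List[Lease] = []
        self.sent_full_copy = set()                # design A: peers already answered once
        self.peer_high_water: Dict[str, int] = {}  # design B: last txn each peer confirmed

    def bind(self, ip: str, mac: str) -> Lease:
        self.txn += 1
        lease = Lease(ip, mac, self.txn)
        self.log.append(lease)
        return lease

    # Design A.  The primary only remembers that it answered once, so it
    # cannot tell a peer that lost its database from a peer that is in sync.
    def request_leases(self, peer: str) -> Tuple[str, List[Lease]]:
        if peer in self.sent_full_copy:
            return "already-sent", []          # "I did!"
        self.sent_full_copy.add(peer)
        return "leases", list(self.log)

    # Design B.  The peer says what it has; the primary returns the delta and
    # the current head, then records what the peer confirmed.
    def updates_since(self, since_txn: int) -> Tuple[int, List[Lease]]:
        return self.txn, [lease for lease in self.log if lease.txn > since_txn]

    def confirm(self, peer: str, synced_txn: int) -> None:
        self.peer_high_water[peer] = synced_txn


class Secondary:
    def __init__(self, name: str) -> None:
        self.name = name
        self.leases: Dict[str, Lease] = {}
        self.synced_txn = 0

    def wipe(self) -> None:
        """Lose the lease database, as in the test described in the thread."""
        self.leases.clear()
        self.synced_txn = 0

    def sync_request_ack(self, primary: Primary) -> str:
        status, leases = primary.request_leases(self.name)
        for lease in leases:
            self.leases[lease.ip] = lease
        return status

    def sync_catch_up(self, primary: Primary) -> int:
        head, delta = primary.updates_since(self.synced_txn)
        for lease in delta:
            self.leases[lease.ip] = lease
        self.synced_txn = head
        primary.confirm(self.name, head)
        return len(delta)


def seed(primary: Primary) -> None:
    primary.bind("192.0.2.10", "00:00:5e:00:53:01")
    primary.bind("192.0.2.11", "00:00:5e:00:53:02")


def run_request_ack() -> Dict[str, object]:
    """Design A: after the wipe the secondary asks again, is told 'I did!',
    and sits there with zero leases."""
    primary, secondary = Primary(), Secondary("secondary")
    seed(primary)
    secondary.sync_request_ack(primary)
    before = len(secondary.leases)
    secondary.wipe()
    status = secondary.sync_request_ack(primary)
    return {"before_wipe": before, "status": status, "after_wipe": len(secondary.leases)}


def run_catch_up() -> Dict[str, int]:
    """Design B: the wiped secondary asks for everything since txn 0, gets the
    whole log back, and later pulls only the one new binding."""
    primary, secondary = Primary(), Secondary("secondary")
    seed(primary)
    secondary.sync_catch_up(primary)
    before = len(secondary.leases)
    secondary.wipe()
    replayed = secondary.sync_catch_up(primary)
    after_wipe = len(secondary.leases)
    primary.bind("192.0.2.12", "00:00:5e:00:53:03")  # activity after the resync
    delta = secondary.sync_catch_up(primary)
    return {"before_wipe": before, "replayed": replayed, "after_wipe": after_wipe,
            "delta": delta, "total": len(secondary.leases),
            "primary_knows": primary.peer_high_water["secondary"]}


if __name__ == "__main__":
    print("request/ack:", run_request_ack())
    print("catch-up:   ", run_catch_up())
```

The difference is entirely in what the secondary can say: under design A it can only ask, so a primary that believes it already answered has nothing further to offer; under design B the secondary states its high-water mark, a wiped database is simply "since 0", and routine resyncs carry only the delta, which is the lazy replication the message mentions.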


Re: DHCP code in 2.0.4+

2009-06-09 Thread Arran Cudbard-Bell

On 9/6/09 14:20, Karl Auer wrote:

On Tue, 2009-06-09 at 14:07 +0100, Arran Cudbard-Bell wrote:

See earlier messages in this thread.  I (a) found a theoretical issue
with the protocol, and (b) demonstrated it in a live system.

I missed it. What was it again?

When we tried it back in 2007 with an Active/Active configuration, the
two instances of ISC DHCPD started handing out duplicate leases
completely arbitrarily. We scrapped the second instance and went
down to a single one. Haven't tried it again since.


Thanks - but that's not a theoretical problem (necessarily). I'm
interested in the protocol itself; Alan has been talking about an error
in the protocol which would lead to failure *even if the protocol were
implemented correctly*.

What does Active/Active mean? Presumably not the same as
primary/primary, which would be a configuration error...



With a pair of servers, Active/Active means that both servers
participate at the same time. In ISC terms this would be 'load sharing'.

Active/Passive generally refers to some kind of redundancy arrangement.

Regards,
Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: DHCP code in 2.0.4+

2009-06-09 Thread A . L . M . Buxey
Hi,

 When we tried it back in 2007 with an Active/Active configuration, the 
 two instances of ISC DHCPD started handing out duplicate leases 
 completely arbitrarily. We scrapped the second instance and went down to 
 a single one. Haven't tried it again since.

 It didn't work then... it may do now.

we run in an active/standby home-made configuration. the lease file
is copied periodically from the live server to the standby (heck, we may lose
some details if there is a problem but each lease file revision is logged)
and then a process on the standby checks whether dhcpd is alive on the master.
if it isn't, it starts a dhcpd process; if it detects the master is alive again
it kills its process.

why? when we tried any of the active/active and standby methods in ISC DHCPD
at the time it b0rked in many weird ways. this works.  haven't had time to
get the 4.1.x runway time yet...been really waiting to get around to FR DHCP :-)

alan


RE: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
Thanks for your response, I read http://freeradius.org/radiusd/doc/rlm_ldap , I
am focusing on the section GROUP SUPPORT.

So I have two ldap module instances in raddb/modules/ldap :

ldap ldaplabobe2 { [...] }
ldap ldaplabobe1 { [...] }

I added the ldap module in the instantiate{} block in radiusd.conf.

instantiate {
        exec
        expr
        expiration
        logintime
        ldaplabobe2
        ldaplabobe1
}

I use this form in my raddb/users :

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
        Fall-Through = yes

Instead of

DEFAULT Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

DEFAULT Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
        Fall-Through = yes

Then I still use redundant in the authorize and authenticate sections in
raddb/sites-available/default (I tested without it also).

And now I have Access-Reject for all; some reply-items are in the users file,
others are in my openldap (I use radiusgroupname with
ou=profiles,dc=netplus,dc=fr + radiusprofile attribute ...)



So I am making progress, I think, but it doesn't work for now. Sorry if I need
some help; I am beginning with openldap. I read lots of freeradius, openldap and
PAM documentation (my head will explode) and all is new for me, so maybe I read
the solution to my problem but don't remember :s

Thanks for your help.

Regards,

François

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=253, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = fmehault
Calling-Station-Id = 192.168.0.80
User-Password = toto
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log]  expand: %t -> Tue Jun  9 16:27:02 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fmehault", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.10:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.10:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Francois MEHAULT,ou

my freeradius-2.1.6 is not auth with PIN only

2009-06-09 Thread Goke Aruna
I will be glad if anyone can direct me to where the problem is. The log below is
part of the debug for the new test freeradius server 2.1.6 I am testing with.


However, the hotspotlogin.cgi is able to pass the param username to the
radius server, but when the query is run against the database the value of
the username sent is changed:

Tue Jun  9 14:59:48 2009 : Info: [sql]  expand: %{User-Name} -> 0x32333435363738393031


I have disabled chap in /usr/local/etc/raddb/sites-enabled/default.

Kindly advise on what to do.

### my radcheck has the info below.

mysql> select * from radcheck;
+-----+------------+--------------------+----+------------+
| id  | username   | attribute          | op | value      |
+-----+------------+--------------------+----+------------+
|   5 | 2345678901 | Auth-Type          | := | Accept     |
| 201 | 1234567890 | Cleartext-Password | := | 1234567890 |
+-----+------------+--------------------+----+------------+
4 rows in set (0.00 sec)


##radiusd -XX (part of the debug)

rad_recv: Access-Request packet from host 127.0.0.1 port 44600, id=0, 
length=189

ChilliSpot-Max-Input-Octets = 0x32333435363738393031
ChilliSpot-Max-Output-Octets = 0
NAS-IP-Address = 127.0.0.1
Service-Type = Login-User
Framed-IP-Address = 192.168.182.2
Calling-Station-Id = 00-1F-29-80-62-F3
Called-Station-Id = 00-50-DA-0C-C9-B0
NAS-Identifier = nas01
Acct-Session-Id = 4a2e6a77
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0xf2ee6add34820fb96dcceef08c07bbc5
WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
Tue Jun  9 14:59:48 2009 : Info: +- entering group authorize {...}
Tue Jun  9 14:59:48 2009 : Info: ++[preprocess] returns ok
Tue Jun  9 14:59:48 2009 : Info: ++[mschap] returns noop
Tue Jun  9 14:59:48 2009 : Info: [suffix] No '@' in User-Name = "2345678901", looking up realm NULL
Tue Jun  9 14:59:48 2009 : Info: [suffix] No such realm "NULL"
Tue Jun  9 14:59:48 2009 : Info: ++[suffix] returns noop
Tue Jun  9 14:59:48 2009 : Info: [eap] No EAP-Message, not doing EAP
Tue Jun  9 14:59:48 2009 : Info: ++[eap] returns noop
Tue Jun  9 14:59:48 2009 : Info: ++[unix] returns notfound
Tue Jun  9 14:59:48 2009 : Info: ++[files] returns noop
Tue Jun  9 14:59:48 2009 : Info: [sql]  expand: %{User-Name} -> 0x32333435363738393031
Tue Jun  9 14:59:48 2009 : Info: [sql] sql_set_user escaped user --> '0x32333435363738393031'

Tue Jun  9 14:59:48 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Tue Jun  9 14:59:48 2009 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '0x32333435363738393031'   ORDER BY id
Tue Jun  9 14:59:48 2009 : Info: [sql]  expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = '0x32333435363738393031'   ORDER BY priority

Tue Jun  9 14:59:48 2009 : Debug: rlm_sql (sql): Released sql socket id: 4
Tue Jun  9 14:59:48 2009 : Info: [sql] User 0x32333435363738393031 not found
Tue Jun  9 14:59:48 2009 : Info: ++[sql] returns notfound
Tue Jun  9 14:59:48 2009 : Info: ++[expiration] returns noop
Tue Jun  9 14:59:48 2009 : Info: ++[logintime] returns noop
Tue Jun  9 14:59:48 2009 : Info: [pap] WARNING! No known good password 
found for the user.  Authentication may fail because of this.

Tue Jun  9 14:59:48 2009 : Info: ++[pap] returns noop
Tue Jun  9 14:59:48 2009 : Debug: rlm_sqlcounter: Entering module 
authorize code
Tue Jun  9 14:59:48 2009 : Debug: rlm_sqlcounter: Could not find Check 
item value pair

Tue Jun  9 14:59:48 2009 : Info: ++[validity] returns noop
Tue Jun  9 14:59:48 2009 : Debug: rlm_sqlcounter: Entering module 
authorize code
Tue Jun  9 14:59:48 2009 : Debug: rlm_sqlcounter: Could not find Check 
item value pair

Tue Jun  9 14:59:48 2009 : Info: ++[noresetcounter] returns noop
Tue Jun  9 14:59:48 2009 : Debug: rlm_sqlcounter: Entering module 
authorize code
Tue Jun  9 14:59:48 2009 : Debug: rlm_sqlcounter: Could not find Check 
item value pair

Tue Jun  9 14:59:48 2009 : Info: ++[hotspotcontrol] returns noop
Tue Jun  9 14:59:48 2009 : Info: No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user

Tue Jun  9 14:59:48 2009 : Info: Failed to authenticate the user.
Tue Jun  9 14:59:48 2009 : Info: Using Post-Auth-Type Reject
Tue Jun  9 14:59:48 2009 : Info: +- entering group REJECT {...}
Tue Jun  9 14:59:48 2009 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 0x32333435363738393031
Tue Jun  9 14:59:48 2009 : Debug:  attr_filter: Matched entry DEFAULT at 
line 11
Tue Jun  9 14:59:48 2009 : Info: 

RE: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
(following my last mail)

I read in my log:

No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

So in the user file I replace

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

By

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr", Auth-Type := LDAP
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

And I start radiusd -X and I get:

/usr/local/etc/raddb/users[247]: Parse error (check) for entry DEFAULT: Unknown 
value LDAP for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module 
files.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize 
section.
 }
}
Errors initializing modules

But in raddb/sites-available/default, in the authenticate section, I have
Auth-Type LDAP:

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                redundant {
                        ldaplabobe2
                        ldaplabobe1
                }
        }
        eap
}





Re: Robust proxy accounting

2009-06-09 Thread Alan DeKok
Chris Howley wrote:
 Sending proxied request internally to virtual server.
 server acct_detail.leeds.ac.uk {
 +- entering group accounting {...}
 [detail.leeds.ac.uk] Suppressing writes to detail file as the request was 
 just read from a detail file.
 ++[detail.leeds.ac.uk] returns noop
 } # server acct_detail.leeds.ac.uk

  You've configured it to read packets from the detail file, and then
log them back to the detail file.  I don't think that's part of the
example configuration.

  Alan DeKok.


Re: my freeradius-2.1.6 is not auth with PIN only

2009-06-09 Thread Alan DeKok
Goke Aruna wrote:
 I will be glad, if anyone can direct me to whare The log below is the
 part of the debug for the new test freeradius server 2.1.6 am testing with.
 
 However, the hotspotlogin,cgi is able to pass the param username to the
 radius

  It's not in the debug log below.


 rad_recv: Access-Request packet from host 127.0.0.1 port 44600, id=0,
 length=189

  ... there's no User-Name attribute.  The packet violates the RADIUS
specifications.  Yet, somehow, magically:

 Tue Jun  9 14:59:48 2009 : Info: [suffix] No '@' in User-Name =
 "2345678901", looking up realm NULL

  There's a User-Name in the packet!  How did that happen?

 Tue Jun  9 14:59:48 2009 : Info: [sql]  expand: %{User-Name} ->
 0x32333435363738393031

  And now the User-Name is different!

  You've managed to copy the Chillispot-Max-Input-Octets into the
User-Name.  Why?

  It looks like you've edited the dictionaries without knowing what
you're doing.  Don't do that.

  Alan DeKok.


Re: my freeradius-2.1.6 is not auth with PIN only

2009-06-09 Thread Goke Aruna

after commenting out the include directive for dictionary.chillispot
from the radius dictionary file, I am able to login, but my check-item,
which is the attribute Max-Secs-Passed, was not loaded.



Thanks, but I still need to do the billing based on the added attributes.


accounting and radutmp problem

2009-06-09 Thread kalesameer

I want to use mysql only for accounting purposes. I have uncommented the sql
and sql_log entries in the various modules.
While users try to login, entries are being entered into the radpostauth
table of mysql. However, no entries are being made into the radacct
table. Can anyone please tell me the reason for this?
Secondly, in order to check the users logged on currently, we must use the
radutmp file. However, no file of this name exists at
/usr/local/var/log/radius. What may be the reason for this?
And what corrective action must I take for solving these problems?
-- 
View this message in context: 
http://www.nabble.com/accounting-and-radutmp-problem-tp23949734p23949734.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Lower case

2009-06-09 Thread Michel Bulgado

Hello everyone 

I migrated my freeradius version 1.1.3-1.4.el5 that came with CentOS
5.3 to version 2.1.6-2.

I am looking for an option that I had in my previous configuration and
cannot find it in this new one; maybe it has been removed. The fact is that many
of my users sometimes tend to write the username with the first letter
in upper or lower case.

If someone could guide me on how I can fix this.

lower_user = after
lower_pass = no


Thanks

Michel



Authentication failure - PEAP - MS-CHAPv2

2009-06-09 Thread kissg
Dear List,

I'm having a strange issue with FreeRADIUS 2.1.4, using a configuration with
the following items:

- Cisco Aironet 1130AG access point
- Ubuntu-based server with FreeRADIUS and OpenLDAP
- Client machines (Windows XP SP2, Ubuntu 9.04)

The issue I have is that I don't get a response from the client after the
server sends an Access-Challenge packet. The certificates were made with the
bootstrap script of FreeRADIUS, so they already contain the OIDs required by
Windows.

The AP is configured correctly; IP address, port numbers and shared secret
are properly set up, I've already checked them.
Users are stored in an LDAP database and each user has a sambaNTPassword
attribute, which contains an NT-hashed password. LDAP-RADIUS attribute
mappings are properly set (NT-Password - sambaNTPassword). The strange
thing is that I can successfully authenticate using an EAP test tool
(eapol_test); no errors show up in the output. Using another AP with a
slightly different configuration (using smbpasswd instead of LDAP for
authorization) works, too.
I've also read that XP SP2 is incompatible with third-party RADIUS servers.
I decided to install SP3, but it did not help. What I can see is an
Access-Challenge message at the end of the debug output.

What can be wrong with my configuration? Can it be that it's an
incompatibility issue between FreeRADIUS and the access point?

Thank you for your help in advance!

Best regards:
Gergely Kiss


freeradius_config.tar.gz
Description: GNU Zip compressed data

Re: PPTPD Bandwidth Shaping

2009-06-09 Thread Neville
Hi Chuan,

Thx for the reply amongst this heated discussion on DHCP.

I've currently got freeRadius 2.1.6 and Poptop 2.4.4 installed and I see no
dictionary file in /etc/ppp/radius/dictionary. In fact I have no radius
directory in /etc/ppp.

All freeradius dictionaries are located in /usr/share/freeradius.

The question is, how can I pass WISPr-Bandwidth-Max-Down to ip-up.local as I
was hoping it would be in /var/run/radattr.pppX, but all that's in there is:-


Framed-IP-Address 192.168.0.70
Session-Timeout 1646690
MS-CHAP2-Success 7S=A8CF4948283C1C4BE11682787ADBD0EA9852E691
MS-MPPE-Recv-Key \220\265J\372\250\336\342nD\226o\272\007\030I\372'\313\...@j\36
1\370\266\212?_\377\262\324\215X\274\357
MS-MPPE-Send-Key \235\342\367\325\243\210\020\217|H\314WkU0\201\352\374\364\023\
220\220\315z\364\277\254\361\356[Ce\002
MS-MPPE-Encryption-Policy 
MS-MPPE-Encryption-Types 


However we can see WISPr-Bandwidth-Max-Down being successfully passed to
FreeRadius?


++[exec] returns noop
Sending Access-Accept of id 198 to 127.0.0.1 port 53025
Framed-IP-Address := 192.168.0.70
WISPr-Bandwidth-Max-Down := 512000
Session-Timeout = 1646690
MS-CHAP2-Success = 
0x37533d41384346343934383238334331433442453131363832373837414442443045413938353245363931
MS-MPPE-Recv-Key = 0x0b660d35b65015368d107e57d97e2b55
MS-MPPE-Send-Key = 0xc78164fb4478212fbd0d198389ee2d52
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 198 with timestamp +244
Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 38836, id=199, 
length=98
Acct-Session-Id = 4A2EE3A302FB00
User-Name = test99
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 192.168.0.70
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok


I would love to use WISPr as suggested, but cannot find out how to get this to
work.

Currently I've just defaulted EVERYONE to the same bandwidth restrictions by
using the following script in /etc/ppp/ip-up.local

ip-up.local

#!/bin/sh
# pppd runs this as: ip-up.local <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# $1 is the ppp interface that just came up (e.g. ppp0)
DOWNSPEED=256
UPSPEED=768

# clear any shaping left over from a previous session on this interface
/sbin/tc qdisc del dev $1 root    >/dev/null 2>&1
/sbin/tc qdisc del dev $1 ingress >/dev/null 2>&1

# speed server->client: HTB shaping of traffic leaving the server on this link
if [ "$UPSPEED" != 0 ]; then
  /sbin/tc qdisc add dev $1 root handle 1: htb default 20 r2q 1
  /sbin/tc class add dev $1 parent 1: classid 1:1 htb rate ${UPSPEED}kbit burst 4k
  /sbin/tc class add dev $1 parent 1:1 classid 1:10 htb rate ${UPSPEED}kbit burst 4k prio 1
  /sbin/tc class add dev $1 parent 1:1 classid 1:20 htb rate ${UPSPEED}kbit burst 4k prio 2
  /sbin/tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10 quantum 1500
  /sbin/tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10 quantum 1500
  # interactive traffic (TOS minimum-delay) and ICMP go to the high-priority class
  /sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
  /sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
  # small TCP ACK-only packets (IHL 5, total length < 64, only the ACK flag set) likewise
  /sbin/tc filter add dev $1 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff \
      match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
fi

# speed client->server: police traffic arriving from the client on ingress
if [ "$DOWNSPEED" != 0 ]; then
  /sbin/tc qdisc add dev $1 handle ffff: ingress
  /sbin/tc filter add dev $1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 \
      police rate ${DOWNSPEED}kbit burst 12k drop flowid :1
fi

/sbin/ifconfig $1 mtu 1400

Re: accounting and radutmp problem

2009-06-09 Thread Ivan Kalik
 I want to use mysql only for accounting purposes.I have uncommented the
 sql
 and sql_log entries iin the various modules.
 While users try to login,entries are being entered into the radpostauth
 table of mysql.However, no entries are being made into the radacct
 table.Can anyone please tell me the reason for this??

Is your NAS sending accounting packets?

 Secondly,in order to check the users logged on currently,we must use the
 radutmp  file.However,no file of this name exists at
 /usr/local/var/log/radius.What may be the reason for this??

Same as above - your NAS most likely isn't sending accounting packets.

 And what corrective action must i take for solving these problems??

Configure NAS to send accounting to that radius server.

Ivan Kalik
Kalik Informatika ISP



Re: Lower case

2009-06-09 Thread Ivan Kalik
 I migrated my freeradius version 1.1.3-1.4.el5 that came with CentOS
 5.3  to version 2.1.6-2.

 I am looking for an option that I had in my previous configuration and
 does not find it on this new, maybe it is removed. the fact is that many
 of my users sometimes tend to write the username with the first letter
 in upper or miniscule.

That works just for pap requests. Use the lc perl function to rewrite
username/pass in the perl module.

Ivan Kalik
Kalik Informatika ISP



Re: Authentication failure - PEAP - MS-CHAPv2

2009-06-09 Thread Ivan Kalik
 I'm having a strange issue with FreeRADIUS 2.1.4, using a configuration
 with
 the following items:

 - Cisco Aironet 1130AG access point
 - Ubuntu-based server with FreeRADIUS and OpenLDAP
 - Client machines (Windows XP SP2, Ubuntu 9.04)

 The issue I have is, that I don't get a response from the client after the
 server sends an Access-Challange packet. The certificates were made with
 the
 bootstrap script of FreeRADIUS, so it already contains the OIDs required
 by
 Windows.

 The AP is configured correctly, IP-address, port numbers and shared secret
 are properly set up, I've already checked them.
 Users are stored in an LDAP database and each user has a sambaNTPassword
 attribute, which contains an NT-hashed password. LDAP-RADIUS attribute
 mappings are properly set (NT-Password - sambaNTPassword). The strange
 thing is, that I can successfully authenticate using an EAP test tool
 (eapol_test), no errors show up in the output. Using another AP with a
 slightly different configuration (using smbpasswd instead of LDAP for
 authorization) works, too.
 I've also read, that XP SP2 is incompatible with third-party
 RADIUS-servers.
 I decided to install SP3, but it did not help. What I can see, is an
 Access-Challange message at the end of the debug output.

 What can be wrong with my configuration? Can it be, that it's an
 incompatibility issue between FreeRADIUS and the access point?

Post the debug.

Ivan Kalik
Kalik Informatika ISP



Re: PPTPD Bandwidth Shaping

2009-06-09 Thread Neville
Hi all again,

Ok, I've got WISPr-Bandwidth-Max-Down in /var/run/radattr.ppp0 but the value is
all wrong.

I set WISPr-Bandwidth-Max-Down = 512000 (as a reply)

and in /var/run/radattr.ppp0 it shows as - WISPr-Bandwidth-Max-Down -1062731706

I just basically copied the dictionary.wispr to /usr/share/radiusclient-ng in
order to get it loaded in radattr.ppp0 :-

[r...@xxx radiusclient-ng]# more dictionary.wispr
ATTRIBUTE   WISPr-Location-ID                    1   string
ATTRIBUTE   WISPr-Location-Name                  2   string
ATTRIBUTE   WISPr-Logoff-URL                     3   string
ATTRIBUTE   WISPr-Redirection-URL                4   string
ATTRIBUTE   WISPr-Bandwidth-Min-Up               5   integer
ATTRIBUTE   WISPr-Bandwidth-Min-Down             6   integer
ATTRIBUTE   WISPr-Bandwidth-Max-Up               7   integer
ATTRIBUTE   WISPr-Bandwidth-Max-Down             8   integer
#ATTRIBUTE  WISPr-Session-Terminate-Time         9   string
#ATTRIBUTE  WISPr-Session-Terminate-End-Of-Day   10  string
ATTRIBUTE   WISPr-Billing-Class-Of-Service       11  string

Any ideas please.

Thx
Nev
  - Original Message - 
  From: Neville 
  To: freeradius-users@lists.freeradius.org 
  Sent: Tuesday, June 09, 2009 10:45 PM
  Subject: Re: PPTPD Bandwidth Shaping


  Hi Chuan,

  Thx for reply amongst this heated discussion on DHCP

  I've currently got install freeRadius 2.1.6 and Poptop 2.4.4 and I see no 
dictionary file in /etc/ppp/radius/dictionary. In fact I have no radius 
directory in /etc/ppp

  All freeradius dictionary's are located in /usr/share/freeradius

  The question is, how can I pass WISPr-Bandwidth-Max-Down to ip-up.local as I 
was hoping it would be in in /var/run/radattr.pppX, but all thats in there is:-


  Framed-IP-Address 192.168.0.70
  Session-Timeout 1646690
  MS-CHAP2-Success 7S=A8CF4948283C1C4BE11682787ADBD0EA9852E691
  MS-MPPE-Recv-Key 
\220\265J\372\250\336\342nD\226o\272\007\030I\372'\313\...@j\36
  1\370\266\212?_\377\262\324\215X\274\357
  MS-MPPE-Send-Key 
\235\342\367\325\243\210\020\217|H\314WkU0\201\352\374\364\023\
  220\220\315z\364\277\254\361\356[Ce\002
  MS-MPPE-Encryption-Policy 
  MS-MPPE-Encryption-Types 


  However we can see WISPr-Bandwidth-Max-Down being sucessfully passed to 
FreeRadius?


  ++[exec] returns noop
  Sending Access-Accept of id 198 to 127.0.0.1 port 53025
  Framed-IP-Address := 192.168.0.70
  WISPr-Bandwidth-Max-Down := 512000
  Session-Timeout = 1646690
  MS-CHAP2-Success = 
0x37533d41384346343934383238334331433442453131363832373837414442443045413938353245363931
  MS-MPPE-Recv-Key = 0x0b660d35b65015368d107e57d97e2b55
  MS-MPPE-Send-Key = 0xc78164fb4478212fbd0d198389ee2d52
  MS-MPPE-Encryption-Policy = 0x0001
  MS-MPPE-Encryption-Types = 0x0006
  Finished request 3.
  Going to the next request
  Waking up in 4.9 seconds.
  Cleaning up request 3 ID 198 with timestamp +244
  Ready to process requests.
  rad_recv: Accounting-Request packet from host 127.0.0.1 port 38836, id=199, 
length=98
  Acct-Session-Id = 4A2EE3A302FB00
  User-Name = test99
  Acct-Status-Type = Start
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Acct-Authentic = RADIUS
  NAS-Port-Type = Async
  Framed-IP-Address = 192.168.0.70
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 0
  Acct-Delay-Time = 0
  +- entering group preacct {...}
  ++[preprocess] returns ok


  I would love to use WISPr as suggested, but cannot find out how to get this 
to work.

  Currently I've just defaulted EVERYONE to the same bandwidth restrictions by 
using the follow script in /etc/ppp/ip-up.local

  ip-up.local

  DOWNSPEED=256
  UPSPEED=768
 /sbin/tc qdisc del dev $1 root /dev/null
 /sbin/tc qdisc del dev $1 ingress  /dev/null
  # speed server-client
if [ $UPSPEED != 0 ] ;
then
  /sbin/tc qdisc add dev $1 root handle 1: htb default 20 r2q 1
  /sbin/tc class add dev $1 parent 1: classid 1:1 htb rate ${UPSPEED}kbit 
burst 4k
  /sbin/tc class add dev $1 parent 1:1 classid 1:10 htb rate ${UPSPEED}kbit 
burst 4k prio 1
  /sbin/tc class add dev $1 parent 1:1 classid 1:20 htb rate ${UPSPEED}kbit 
burst 4k prio 2
  /sbin/tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10 quantum 
1500
  /sbin/tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10 quantum 
1500
  /sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip 
tos 0x10 0xff flowid 1:10
  /sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip 
protocol 1 0xff flowid 1:10
  /sbin/tc filter add dev $1 parent 1: protocol ip prio 10 u32 match ip 
protocol 6 0xff match u8 0x05 0x0f at 0 match u160x 0xffc0 at 2 match u8 
0x10 
  0xff at 33 flowid 1:10
fi 
  

Re: PPTPD Bandwidth Shaping

2009-06-09 Thread Ivan Kalik
 Ok, I've got WISPr-Bandwidth-Max-Down in /var/run/radattr.ppp0 but the
 value is all wrong.

 I set WISPr-Bandwidth-Max-Down = 512000 (as a reply)

 and in /var/run/radattr.ppp0 its show as - WISPr-Bandwidth-Max-Down
 -1062731706

 I just basically copied the dictionary.wispr to /usr/share/radiusclient-ng
 as in order to get it loaded in radattr.ppp0 :-

 [r...@xxx radiusclient-ng]# more dictionary.wispr
 ATTRIBUTE   WISPr-Location-ID                    1   string
 ATTRIBUTE   WISPr-Location-Name                  2   string
 ATTRIBUTE   WISPr-Logoff-URL                     3   string
 ATTRIBUTE   WISPr-Redirection-URL                4   string
 ATTRIBUTE   WISPr-Bandwidth-Min-Up               5   integer
 ATTRIBUTE   WISPr-Bandwidth-Min-Down             6   integer
 ATTRIBUTE   WISPr-Bandwidth-Max-Up               7   integer
 ATTRIBUTE   WISPr-Bandwidth-Max-Down             8   integer
 #ATTRIBUTE  WISPr-Session-Terminate-Time         9   string
 #ATTRIBUTE  WISPr-Session-Terminate-End-Of-Day  10   string
 ATTRIBUTE   WISPr-Billing-Class-Of-Service      11   string

 Any ideas please.

Try writing to the correct list. Your problem is not with freeradius.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
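An added example, not code from the thread and not from pppd or FreeRADIUS: the ip-up hook that builds the tc commands should validate what it reads from /var/run/radattr.pppN first. WISPr-Bandwidth-Max-* values are bits per second and need converting to kbit for tc, and a value like -1062731706 is not a bandwidth at all (in FreeRADIUS's own dictionary.wispr these are vendor-specific attributes under vendor 14122; a client dictionary that lists them as plain attributes 1 to 8 cannot decode them correctly, whichever side is at fault). The radattr file contents below are constructed; only the attribute names, the HTB layout from the script earlier in the thread and the use of $1 for the ppp interface are taken from the page.

```shell
#!/bin/sh
# Added example, not from the thread: derive the tc rate from the WISPr
# attributes pppd's radattr plugin writes, refusing anything that cannot be a
# real bandwidth before any tc command is generated.

# Constructed sample of /var/run/radattr.ppp0: one "Attribute-Name value" per line.
SAMPLE_RADATTR='Framed-IP-Address 10.0.0.5
WISPr-Bandwidth-Max-Up 256000
WISPr-Bandwidth-Max-Down 512000'

# Constructed sample carrying the kind of value reported above; it must not reach tc.
BAD_RADATTR='WISPr-Bandwidth-Max-Down -1062731706'

# radattr_kbit ATTRIBUTE < radattr-file
# WISPr-Bandwidth-* values are bits per second; tc wants kbit. Prints 0 when
# the attribute is absent or not a positive integer, so a caller guarded by
# "if [ $UPSPEED != 0 ]" skips shaping instead of installing a bogus class.
radattr_kbit() {
    val=$(awk -v a="$1" '$1 == a { print $2; exit }')
    case $val in
        ''|*[!0-9]*) echo 0; return ;;      # empty, negative, or not a number
    esac
    echo $((val / 1000))
}

# tc_shape_cmds DEV KBIT
# Prints the class tree from the script above with the rate filled in (the
# sfq and filter lines are added the same way); pipe to sh to apply. Printing
# first lets you review what is about to land in the kernel.
tc_shape_cmds() {
    dev=$1 rate=$2
    [ "$rate" -gt 0 ] 2>/dev/null || { echo "# no usable rate for $dev, not shaping"; return; }
    cat <<EOF
tc qdisc add dev $dev root handle 1: htb default 20 r2q 1
tc class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit burst 4k
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${rate}kbit burst 4k prio 1
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${rate}kbit burst 4k prio 2
EOF
}

# Typical use from the ip-up hook, where $1 is the ppp interface. A root qdisc
# on pppN shapes what the server sends towards the client, i.e. the client's
# download, so Max-Down is the attribute that belongs there:
#   DOWNSPEED=$(radattr_kbit WISPr-Bandwidth-Max-Down < /var/run/radattr.$1)
#   tc_shape_cmds "$1" "$DOWNSPEED" | sh
```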


libradius-1.1.7.so

2009-06-09 Thread parlato
Hi, I'm new here. I installed freeradius 1.1.7 on a debian lenny.
./configure
make
make install

when I try to start radiusd -x I get the following error :
radiusd: error while loading shared libraries: libradius-1.1.7.so: cannot open 
shared object file: No such file or directory

(I dont have to use deb package and I have to use 1.1.7)

can someone tell me how to install that library?

thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: libradius-1.1.7.so

2009-06-09 Thread Ivan Kalik
 Hi, I'm new here. I installed freeradius 1.1.7 on a debian lenny.
 ./configure
 make
 make install

 when I try to start radiusd -x I get the following error :
 radiusd: error while loading shared libraries: libradius-1.1.7.so: cannot
 open shared object file: No such file or directory

 (I dont have to use deb package and I have to use 1.1.7)

 can someone tell me how to install that library?

Read the FAQ. Example is about mysql library but applies to any other.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
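The message comes from the runtime linker, not from the build: with the default ./configure prefix, make install puts libradius-1.1.7.so under /usr/local/lib, and ld.so only finds libraries outside /lib and /usr/lib through the cache that ldconfig builds from the directories listed in /etc/ld.so.conf and /etc/ld.so.conf.d. A freshly copied library is invisible until ldconfig is rerun, and it stays invisible if its directory is not listed. The following is an added example of the check and the fix (mine, not the FAQ's text and not project code); the ldd output is constructed, the /usr/local prefix is an assumption, and the ld.so.conf.d file name is arbitrary.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS FAQ. Assumes the default
# ./configure prefix, so the shared libraries live in /usr/local/lib.

# Constructed ldd output for a binary whose library is outside the linker's
# search path; "not found" is the same condition as the error above.
LDD_SAMPLE='	linux-gate.so.1 =>  (0xb7fe7000)
	libradius-1.1.7.so => not found
	libc.so.6 => /lib/libc.so.6 (0xb7e7d000)'

# missing_libs < ldd-output: names of libraries the loader could not resolve.
# Real use: ldd /usr/local/sbin/radiusd | missing_libs
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# register_libdir DIR [CONF]: make DIR visible to the runtime linker by
# listing it in an ld.so.conf.d fragment (once, idempotently) and rebuilding
# the cache. CONF is a parameter so the function can be exercised without root.
register_libdir() {
    dir=$1 conf=${2:-/etc/ld.so.conf.d/freeradius.conf}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    grep -qxF "$dir" "$conf" 2>/dev/null || echo "$dir" >> "$conf"
    # Only rebuild the real cache when writing the real config.
    case $conf in /etc/ld.so.conf.d/*) ldconfig ;; esac
}

# Real use, as root:
#   register_libdir /usr/local/lib
#   ldd /usr/local/sbin/radiusd | missing_libs     # should now print nothing
# Prefer this to exporting LD_LIBRARY_PATH from an init script: the cache is
# system-wide and survives reboots, and the search path is not something a
# caller's environment gets to choose.
```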


Re: {Spam?} Re: libradius-1.1.7.so

2009-06-09 Thread parlato
Are you talking about "It says 'Could not link ... file not found', what do I 
do?" in the FAQ?

I tried:
server-radius:/home/freeradius-1.1.7# ./configure | grep libradius-1.1.7.so
configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may 
not work
configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl 
may not work
config.status: WARNING:  ./Make.inc.in seems to ignore the --datarootdir 
setting
config.status: WARNING:  ./src/include/build-radpaths-h.in seems to ignore 
the --datarootdir setting

configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
configure: WARNING: FAILURE: rlm_dbm requires:  (ndbm.h or gdbm/ndbm.h or 
gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat).

configure: WARNING: silently not building rlm_dbm.
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm.
configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are 
found!

configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r ldap.h.
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires:  openssl-libs 
openssl-includes openssl-includes openssl-includes openssl-includes 
openssl-includes.

configure: WARNING: silently not building rlm_pam.
configure: WARNING: FAILURE: rlm_pam requires:  libpam.
configure: WARNING: iodbc headers not found. 
Use --with-iodbc-include-dir=path.

configure: WARNING: sql submodule 'iodbc' disabled
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.
configure: WARNING: oracle headers not found. 
Use --with-oracle-home-dir=path.

configure: WARNING: sql submodule 'oracle' disabled
configure: WARNING: unixODBC headers not found. 
Use --with-unixodbc-include-dir=path.

configure: WARNING: sql submodule 'unixodbc' disabled



- Original Message - 
From: Ivan Kalik t...@kalik.net

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, June 10, 2009 1:27 AM
Subject: {Spam?} Re: libradius-1.1.7.so





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problems with Cisco switch and authorization.

2009-06-09 Thread Jeff Davis

Sorry - I'm a n00b to this project.

Trying to get OpenLDAP-based authentication working (well the auth DOES 
work) but cannot seem to get authorization working.


Googling has so far failed me.  Perhaps someone on this list can clue me 
in...


users file has the following:

DEFAULT Service-Type == NAS-Prompt-User
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair += "shell:priv-lvl=15"

--
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
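Two things worth noting about an entry of that shape, as an added aside rather than part of the original post. First, the users file wants string values quoted, reply items on continuation lines separated by commas with no comma after the last one, and the switch must itself be configured to ask for exec authorization (on IOS, aaa authorization exec ... group radius) or it never applies the returned privilege level. Second, DEFAULT matches every user, and Service-Type == NAS-Prompt-User only checks what the switch asked for, so this entry hands privilege 15 to anyone who can authenticate for a shell. The following added fragment (mine, not the poster's configuration) keeps the same reply but ties it to group membership; it assumes rlm_ldap is listed in the authorize section, which is what makes the Ldap-Group check item available, and the group name netadmins is a placeholder.

```text
# Network administrators: full exec privilege
DEFAULT Ldap-Group == "netadmins", Service-Type == NAS-Prompt-User
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair += "shell:priv-lvl=15"

# Everyone else who reaches a switch console: user-mode shell only
DEFAULT Service-Type == NAS-Prompt-User
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair += "shell:priv-lvl=1"
```

The first matching entry wins and there is no Fall-Through, so members of the group get the first reply and everyone else the second; verify with radiusd -X and a test user from each set before pointing production switches at it.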


Re: my freeradius-2.1.6 is not auth with PIN only

2009-06-09 Thread Goke M Aruna
On Tue, Jun 9, 2009 at 5:10 PM, Goke Aruna gok...@gmail.com wrote:

 Alan DeKok wrote:

 Goke Aruna wrote:

  I will be glad if anyone can direct me to where. The log below is the
  part of the debug for the new test freeradius server 2.1.6 I am testing
  with.

  However, the hotspotlogin.cgi is able to pass the param username to the
 radius


  It's not in the debug log below.


  rad_recv: Access-Request packet from host 127.0.0.1 port 44600, id=0,
 length=189


  ... there's no User-Name attribute.  The packet violates the RADIUS
 specifications.  Yet, somehow, magically:

  Tue Jun  9 14:59:48 2009 : Info: [suffix] No '@' in User-Name =

 2345678901, looking up realm NULL

  There's a User-Name in the packet!  How did that happen?

   Tue Jun  9 14:59:48 2009 : Info: [sql]  expand: %{User-Name} ->
  0x32333435363738393031


  And now the User-Name is different!

  You've managed to copy the Chillispot-Max-Input-Octets into the
 User-Name.  Why?

  It looks like you've edited the dictionaries without knowing what
 you're doing.  Don't do that.

  Alan DeKok.


 after commenting out the include directive for dictionary.chillispot from
 the radius dictionary file, i am able to login but my check-item which is
 attribute Max-Secs-Passed was  not loaded.


 Thanks but I still need to do the billing based on the added attributes.



I still need your advice on how to go about adding my own attributes to the
dictionary file and also what I have done wrong in including the
dictionary.chillispot

Thanks.

goksie
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
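What Alan describes in this thread, and what the WISPr dictionary earlier on the page is also exposed to, is the same mistake: vendor attributes copied into a dictionary without their VENDOR and BEGIN-VENDOR lines, so their numbers land in the top-level attribute space where number 1 already means User-Name. The following is an added example, not from the thread and not FreeRADIUS code: a small checker that reports two ATTRIBUTE lines claiming the same number in the same space, plus a constructed bad dictionary and a corrected one showing where a site-local attribute such as Max-Secs-Passed belongs. The attribute names are taken from the thread; the vendor numbers are the ones I recall from the shipped dictionaries and should be confirmed against your copies.

```shell
#!/bin/sh
# Added example, not from the thread: detect vendor attributes pasted into a
# dictionary without their vendor declaration, which makes their numbers
# collide with standard attributes (number 1 is User-Name).

# dict_collisions < dictionary-file
# Reports two ATTRIBUTE lines that claim the same number in the same space.
# Understands BEGIN-VENDOR/END-VENDOR blocks and the older form with the vendor
# name as a fifth column. $INCLUDE is not followed, so concatenate the files
# you want checked: cat dictionary dictionary.chillispot | dict_collisions
dict_collisions() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "VENDOR"       { vendors[$2] = $3; next }
    $1 == "BEGIN-VENDOR" { cur = $2; next }
    $1 == "END-VENDOR"   { cur = ""; next }
    $1 == "ATTRIBUTE" {
        v = cur
        if (NF >= 5 && ($5 in vendors)) v = $5
        key = v ":" $3
        if (key in seen)
            printf "%s and %s share attribute number %s (%s)\n",
                   seen[key], $2, $3, (v == "" ? "no vendor, standard space" : "vendor " v)
        else
            seen[key] = $2
    }'
}

# Constructed input modelled on the thread: the ChilliSpot lines copied in
# without their vendor declaration, so attribute 1 now means two things.
SAMPLE_BAD='ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 string
# dictionary.chillispot pasted without its VENDOR and BEGIN-VENDOR lines:
ATTRIBUTE ChilliSpot-Max-Input-Octets 1 integer
ATTRIBUTE ChilliSpot-Max-Output-Octets 2 integer'

# Constructed corrected input. Vendor attributes sit inside their vendor's
# space, and a site-local attribute takes a number from the range that the
# comments in raddb/dictionary set aside for local use (3000-4000 in 2.x as I
# recall). Vendor IDs here are from memory; check them against the shipped files.
SAMPLE_GOOD='ATTRIBUTE User-Name 1 string
VENDOR ChilliSpot 14559
BEGIN-VENDOR ChilliSpot
ATTRIBUTE ChilliSpot-Max-Input-Octets 1 integer
END-VENDOR ChilliSpot
VENDOR WISPr 14122
ATTRIBUTE WISPr-Bandwidth-Max-Down 8 integer WISPr
ATTRIBUTE Max-Secs-Passed 3000 integer'

# Real use, against the running server's dictionary set:
#   cat /usr/share/freeradius/dictionary* /etc/freeradius/dictionary | dict_collisions
```

Running the checker on the bad sample reports the User-Name collision Alan spotted in the debug output; on the corrected sample it prints nothing.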

Cisco-avpair

2009-06-09 Thread Pallares, Jorge
Hi all,

Does anybody know how to configure freeradius to send access list configuration 
back to a cisco router, applied to Dialer 0?

Thanks,

Jorge Pallares




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html