Re: Need help no of users and capacity load
Padam J Singh wrote:
>> Are you storing these users in a LDAP or a DB?

mysql db

>> Also, are you doing authentication and accounting (RAS) or just
>> authentication (EAP)?

authentication, accounting. Storing only accounting information.

> Hello Ramesh,
>
> Capacity depends a lot on how the RADIUS server is accessing
> authentication stores. Are you storing these users in a LDAP or a DB?
> It is these resources that generally become the bottle-neck first
> rather than the RADIUS Server.
>
> Also, are you doing authentication and accounting (RAS) or just
> authentication (EAP)?
>
> Padam
>
> ramesh p wrote:
>> We are going to have up to 3 million users in our radius
>> setup in the next month. At present we are using freeradius1.1.6 in
>> linux platform and over 1 million users. we are planning to upgrade to
>> latest version. How the performance matter with 3 million users. Please
>> suggest interms of load balancing and capacity per server.? How many
>> radius servers will be ideal to keep.
>>
>> Thanks,
>> Rams.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Re: Need help no of users and capacity load
Hello Ramesh,

Capacity depends a lot on how the RADIUS server is accessing authentication stores. Are you storing these users in a LDAP or a DB? It is these resources that generally become the bottle-neck first rather than the RADIUS Server.

Also, are you doing authentication and accounting (RAS) or just authentication (EAP)?

Padam

ramesh p wrote:
> We are going to have up to 3 million users in our radius setup in the next month. At present we are using freeradius1.1.6 in linux platform and over 1 million users. we are planning to upgrade to latest version. How the performance matter with 3 million users. Please suggest interms of load balancing and capacity per server.? How many radius servers will be ideal to keep.
>
> Thanks,
> Rams.
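Padam's point is that the user store, not radiusd itself, is usually the first thing to saturate, and Ramesh also asked how to load-balance. The fragment below is an added example and not configuration from either poster: a proxy.conf for a front-end FreeRADIUS 2.1-style server that spreads authentication and accounting over two back-end FreeRADIUS servers, each with its own connection pool to the MySQL store. Host names, addresses, secrets and pool sizes are placeholders; the only thing taken from this archive is that user names without an "@" are looked up as realm NULL.

```conf
#  proxy.conf on the front-end (added example; addresses and secrets are placeholders)

home_server sql_backend1 {
        type = auth+acct
        ipaddr = 192.0.2.11
        port = 1812
        #  Use a distinct secret per home server; the front-end must also be
        #  listed in each backend's clients.conf with the same secret.
        secret = change-me-1
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        #  Detect a dead backend with Status-Server probes instead of waiting
        #  for user requests to time out (the backend needs status_server = yes).
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
}

home_server sql_backend2 {
        type = auth+acct
        ipaddr = 192.0.2.12
        port = 1812
        secret = change-me-2
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
}

home_server_pool sql_pool {
        #  load-balance spreads packets over the live members.  Use
        #  client-balance instead if each NAS must always hit the same backend
        #  (for example so that its accounting Start and Stop land on one server).
        type = load-balance
        home_server = sql_backend1
        home_server = sql_backend2
}

#  Requests whose User-Name has no "@" suffix are looked up as realm NULL
#  (the rlm_realm debug lines elsewhere in this archive show that lookup).
realm NULL {
        auth_pool = sql_pool
        acct_pool = sql_pool
}
```

The number of MySQL connections each backend keeps open is a separate knob in that backend's sql.conf (num_sql_socks in 2.x), and that, together with the indexes on the radcheck and radacct tables, is what actually bounds throughput here; adding RADIUS front-ends does not help once the database is the limit.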
Authenticating to LDAP not stripping prefix
Hello All,

I'm new to the list so please excuse any obvious exclusions. I have setup free radius to authenticate against our ldap directory and this works fine until I try to use the windows login and password instead of being prompted for one. It puts the prefix of either the workstation name or the domain name in front. How do I strip these out? My ldap configuration is below and tls is configured and working I just left it out. Freeradius 2 on SUSE.

Thanks.

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "ldap-server"
        identity = "cn=admin,o=wcc"
        password = sfasdf
        basedn = "ou=users,o=wcc"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        #  seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  seconds to wait for response of the server. (network
        #  failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1

        #
        #  This subsection configures the tls related items
        #  that control how FreeRADIUS connects to an LDAP
        #  server.  It contains all of the "tls_*" configuration
        #  entries used in older versions of FreeRADIUS.  Those
        #  configuration entries can still be used, but we recommend
        #  using these.
        #

Christopher Shields
Network Support Services Manager
630.466.5732
cshie...@waubonsee.edu
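One way to get the bare user name into Stripped-User-Name before rlm_ldap builds its filter, as an added example rather than anything from the poster: an unlang block in the authorize section of sites-enabled/default on FreeRADIUS 2.x, placed before the ldap call. The ldap configuration above already prefers Stripped-User-Name in its filter, so nothing in the module needs to change. The regular expression and its escaping are the assumptions here: everything up to the first backslash is treated as the domain or workstation prefix, and the backslashes are written in the doubled form used by 2.x-era unlang examples, so check the match with freeradius -X before relying on it.

```unlang
authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files

        #  Added example: "WCC\jsmith" and "PC0123\jsmith" both become "jsmith".
        #  The ldap module's filter is
        #      (uid=%{Stripped-User-Name:-%{User-Name}})
        #  so setting Stripped-User-Name here is enough; User-Name itself is
        #  left alone so the reply and accounting still carry what the NAS sent.
        if (User-Name =~ /^[^\\\\]+\\\\(.+)$/) {
                update request {
                        Stripped-User-Name := "%{1}"
                }
        }

        ldap
        expiration
        logintime
        pap
}
```

The prefix is discarded without being checked, so this is only appropriate when every domain and workstation name that can appear maps to the same directory; if two domains with different user populations can reach this server, match the prefix explicitly and select the directory from it instead of dropping it.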
eap tls issues
I run into some difficulties troubleshooting Freeradius. I turned on tls, with valid certificates and key file and the debug output stops at this message, not going any further. The permissions on cert and key files are fine, I even tried setting the radiusd user to root. Any ideas. Thanks in advance.

rlm_eap_tls: Loading the certificate file as a chain
Re: Access Req from HA rejected
Kiran,

The WiMAX forum does not define the user authentication between HA and HAAA. HAAA solely depends on the shared secret between HA and HAAA to validate that the request from HA is good. Its security model uses the MIP keys to authenticate users that have been authenticated into the ASN gateway at the HA. What you need to do is to set AUTH-TYPE := Accept if it is HA. You may use hints to indicate it is HA instead of ASN gateway.

Thanks,
Jay Xiong

On Fri, Jun 26, 2009 at 6:12 PM, Ben Wiechman wrote:
> If you are not generating the original keying material (i.e. you are the
> V-AAA) I would think you would need to proxy this request to the H-AAA as
> well as the required keys are going to be available there. You are not
> receiving the WiMAX-vHA-IP-MIP4 which would indicate that the V-AAA is
> capable of assigning the required keys.
>
> From the Steel Belted docs:
> 6. The home agent performs an authentication check by sending the HAAA server
> an Access-Request message requesting its cryptographic keys for the Mobile IP
> session. The Access-Request message contains the home agent's cryptographic
> keys (MN-HA-MIP4-SPI and HA-RK-SPI).
> 7. The HAAA server responds to the Access-Request message by sending the
> home agent an Access-Accept message containing its cryptographic keys:
> MN-HA-MIP4-KEY, MN-HA-MIP4-SPI, HA-RK-KEY, HA-RK-SPI, and
> HA-RK-Lifetime.
>
> Ben
>
> From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org
> [mailto:freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org]
> On Behalf Of Kiran Kumar
> Sent: Thursday, June 18, 2009 4:58 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Access Req from HA rejected
>
> Hi All,
>
> I am using the Free Radius to test Proxy Authentication from H-AAA, the
> initial Authentication (proxied through H-AAA) goes through fine. But the HA
> then triggers an Access Request message (we are using PMIP), but this fails
> at the Free radius. I suspect this is because the HA root keys etc are not
> generated by Free radius but by the H-AAA. Can you please let me know what
> configuration needs to be done to get this scenario working...
>
> Sending Access-Accept of id 161 to 10.142.139.65 port 52687
>         MS-MPPE-Recv-Key = 0x6ef829271559b13ef642c20c60522275590132e27a5b64d744e77799f12508b0
>         MS-MPPE-Send-Key = 0x3b0dfc2d198cebbd3fe32e9b3a8e1fad36f26f1b8595ea5cd1698eb52d29d872
>         EAP-Message = 0x03080004
>         Message-Authenticator = 0x
>         User-Name = "u...@isp2.wimaxlab.com"
> Finished request 7.
> Going to the next request
> Waking up in 4.3 seconds.
> rad_recv: Access-Request packet from host 10.142.139.65 port 52687, id=162, length=201
>         User-Name = "u...@isp2.wimaxlab.com"
>         NAS-IP-Address = 10.142.139.68
>         Service-Type = Framed-User
>         Framed-IP-Address = 0.0.0.0
>         Vendor-Specific = 0x1fe418060003
>         Vendor-Specific = 0x1fe4a9060a8e8b46
>         WiMAX-Release = "1.0"
>         WiMAX-Accounting-Capabilities = 3
>         WiMAX-GMT-Timezone-offset = 3600
>         WiMAX-hHA-IP-MIP4 = 10.142.139.70
>         WiMAX-MN-hHA-MIP4-SPI = 512
>         WiMAX-HA-RK-SPI = 512
>         NAS-Identifier = "HA_ISP1"
>         Event-Timestamp = "Jun 18 2009 09:36:50 GMT"
>         Message-Authenticator = 0x7fc30b3f450c08556a469367efb2d166
>         Chargeable-User-Identity = "NUL"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] Looking up realm "isp2.wimaxlab.com" for User-Name = "u...@isp2.wimaxlab.com"
> [suffix] No such realm "isp2.wimaxlab.com"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry u...@isp2.wimaxlab.com at line 205
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] returns noop
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> u...@isp2.wimaxlab.com
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 8 for 1 seconds
> Going to the next request
> Waking up in 0.1 seconds.
>
> Thanks and Regards,
> Kiran Kumar.B
> WiMAX Test Engineer
> Fujitsu Telecommunications Europe
> Solihull Parkway, Birmingham B37 7YU
> Work Phone: +44 (0) 121 717 6299
> Mobile: +44 (0) 7549 203 655
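What Jay describes, written out as an added example for the authorize section of a 2.x server (this is not configuration from any of the posters): the HA is recognised by the NAS-Identifier and the WiMAX-HA-RK-SPI attribute that appear in Kiran's debug output, and only a request that looks like the HA key request gets Auth-Type := Accept. Kiran's debug shows the users entry at line 205 setting the deprecated Auth-Type = Local, which is what sends the request down the "No User-Password or CHAP-Password" reject path; an update with ":=" after the files module overrides that. The NAS-Identifier value is the one in the debug output; the placement of the block and the idea of a separate clients.conf entry for the HA are assumptions.

```unlang
authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        unix
        files

        #  Added example.  The HA's key request carries no password, so the
        #  stock modules can only reject it.  Accept it on the strength of the
        #  shared secret (which is all the WiMAX forum gives us here), but only
        #  when the packet really is the HA asking for MIP keys: right NAS name,
        #  an HA-RK SPI present, and no EAP in progress.
        if ((NAS-Identifier == "HA_ISP1") && WiMAX-HA-RK-SPI && !EAP-Message) {
                update control {
                        Auth-Type := Accept
                }
        }

        expiration
        logintime
        pap
}
```

Auth-Type := Accept is an unconditional accept, so keep the test as narrow as the HA's traffic allows: give the HA its own clients.conf entry with its own secret rather than sharing the ASN gateway's, and once the HA's real source address is known add a Packet-Src-IP-Address check so that a NAS-Identifier alone cannot select this branch. The MIP keys in the Access-Accept still have to come from whoever generated them, which is Ben's point about proxying to the H-AAA.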
Need help no of users and capacity load
We are going to have up to 3 million users in our radius setup in the next month. At present we are using freeradius1.1.6 in linux platform and over 1 million users. we are planning to upgrade to latest version. How does performance matter with 3 million users? Please suggest in terms of load balancing and capacity per server. How many radius servers will be ideal to keep.

Thanks,
Rams.
Re: different default_eap_type for different users
Alan DeKok wrote:
> Nicolas Boullis wrote:
>
>> I'm currently in the process of switching from an old freeradius 1.1.6
>> to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).
>
> Why not 2.1.6?

No good reason for this, only that current Debian stable (Lenny) has packages for 2.0.4, not 2.1.6. (And since administration of radius servers is only a small part of my work, I'd rather rely on Debian packages and Debian security team than track the potential security issues of all the server softwares that I use.)

>> Hence, I thought I would use the hints file to force EAP-Type (the good
>> news is that I can recognize the IP phones with their username):
>> CP-7942G-SEP0024C4BE96B7
>> EAP-Type = MD5-Challenge
>>
>> But this apparently does not work.
>
> It's a *configuration* item, not a reply item. See "man users"
>
> ...
> CP-7942G-SEP0024C4BE96B7 EAP-Type := MD5-Challenge
> ...
>
> That will work.

Unfortunately, it does not, freeradius still tries TLS (PEAP?):

# freeradius -X
(...)
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 138.195.254.246 port 1645, id=21, length=181
        User-Name = "CP-7942G-SEP0024C4BE96B7"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1F-6D-11-DD-98"
        Calling-Station-Id = "00-24-C4-BE-96-B7"
        EAP-Message = 0x0203001d0143502d37393432472d534550303032344334424539364237
        Message-Authenticator = 0xad86f0122944a370ac2bc487e0b292a4
        NAS-Port-Type = Ethernet
        NAS-Port = 50024
        NAS-Port-Id = "FastEthernet0/24"
        NAS-IP-Address = 138.195.254.246
+- entering group authorize
hints: Matched CP-7942G-SEP0024C4BE96B7 at 78
++[preprocess] returns ok
        expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
        expand: %t -> Thu Jul  2 11:51:53 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "CP-7942G-SEP0024C4BE96B7", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 29
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry CP-7942G-SEP0024C4BE96B7 at line 135
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 21 to 138.195.254.246 port 1645
        EAP-Message = 0x010400061920
        Message-Authenticator = 0x
        State = 0xe0c5d17fe0c1c8f39eb404d78a61b99b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.

Note the "hints: Matched CP-7942G-SEP0024C4BE96B7 at 78" and "rlm_eap: processing type tls".

(... a few minutes later ...)

I just tried to set EAP-Type in users rather than in hints, and now it works fine. Thanks!

But why does it work in users and not in hints? (I thought I had to use hints because it is run before eap in the authorize section...)

Cheers,

-- 
Nicolas Boullis
Ecole Centrale Paris
France
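The difference Nicolas ran into, shown as an added example rather than anything from the thread: the hints file adds its attributes to the request list, while a ":=" check item in the users file goes into the control (configuration) list, and the control list is where rlm_eap looks for a forced EAP-Type. The unlang below does the same thing as Alan's users entry for every Cisco 79xx phone at once, matched on the user name format seen in the debug output. The regular expression covering the whole phone family and the module order are assumptions; the individual phone name is the one from the thread.

```unlang
authorize {
        preprocess
        auth_log
        chap
        mschap
        suffix

        #  Added example.  The stock default_eap_type stays peap for everybody
        #  else; only identities shaped like "CP-7942G-SEP<12 hex digits>"
        #  get EAP-MD5 forced.  This must go into the control list, not the
        #  request list, which is why the hints file version had no effect.
        if (User-Name =~ /^CP-79[0-9]{2}G-SEP[0-9A-F]{12}$/) {
                update control {
                        EAP-Type := MD5-Challenge
                }
        }

        eap
        unix
        files
        expiration
        logintime
        pap
}
```

EAP-MD5 gives the phone no proof of the server's identity and yields no keying material, so keep the match tied to the phone name format and to the wired switch ports those phones use. A laptop presenting a phone-shaped identity only downgrades itself to an MD5 challenge it cannot answer without that phone's password, so the exposure is limited to the phones' own credentials, which is the trade-off already accepted by running them on MD5.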
Re: different default_eap_type for different users
Nicolas Boullis wrote:
> I'm currently in the process of switching from an old freeradius 1.1.6
> to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).

Why not 2.1.6?

> The bad news is that some IP phones fail to authenticate when
> default_eap_type=peap (they only support MD5). Changing to
> default_eap_type=md5 works, but I'm not satisfied with it since most
> clients use PEAP...
>
> In the default EAP configuration, it is written, about the
> default_eap_type=peap option:
> # If the EAP-Type attribute is set by another module,
> # then that EAP type takes precedence over the
> # default type configured here.
>
> Hence, I thought I would use the hints file to force EAP-Type (the good
> news is that I can recognize the IP phones with their username):
> CP-7942G-SEP0024C4BE96B7
> EAP-Type = MD5-Challenge
>
> But this apparently does not work.

It's a *configuration* item, not a reply item. See "man users"

...
CP-7942G-SEP0024C4BE96B7 EAP-Type := MD5-Challenge
...

That will work.

Alan DeKok.
different default_eap_type for different users
Hello,

I'm currently in the process of switching from an old freeradius 1.1.6 to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).

I used to support only 802.1x or WPA clients, all using PEAP/MSchapv2, so I had default_eap_type=peap in my configuration. But now, I will also have to support a few 802.1x clients using TLS or MD5.

The bad news is that some IP phones fail to authenticate when default_eap_type=peap (they only support MD5). Changing to default_eap_type=md5 works, but I'm not satisfied with it since most clients use PEAP...

In the default EAP configuration, it is written, about the default_eap_type=peap option:

        # If the EAP-Type attribute is set by another module,
        # then that EAP type takes precedence over the
        # default type configured here.

Hence, I thought I would use the hints file to force EAP-Type (the good news is that I can recognize the IP phones with their username):

        CP-7942G-SEP0024C4BE96B7
                EAP-Type = MD5-Challenge

But this apparently does not work.

I also tried to have several eap instances, and check User-Name to know which one to use in the authorize and authenticate section:

        if (User-Name == "CP-7942G-SEP0024C4BE96B7") {
                eap_ipphones
        }
        else {
                eap
        }

But then freeradius -X fails to start with:

        /etc/freeradius/sites-enabled/default[234]: Unknown Auth-Type "(User-Name == "CP-7942G-SEP0024C4BE96B7")" in authenticate sub-section.

Is there a way I can have per-user default_eap_type?

Regards,

-- 
Nicolas Boullis
Ecole Centrale Paris
France
Re: Accounting help please
That would be it. Sorry to waste your time - I have asked our Cisco guy to set this up for us.

Cheers,

David

- Original Message -
From: "Chris"

Still don't see any accounting packets. Did you configure a RADIUS accounting server in your NAS? You usually have to set both authentication and accounting servers. RADIUS Servers (including FreeRADIUS) do not generate accounting records based on authentication attempts. They act on accounting packets sent by the NAS.
Re: Certificate-based client side authentication towards a website with freeradius
Hello Jay

> If you want to leverage the existing user profiles in the RADIUS
> server for authentication, authorization, this Internet Draft TLS-EAP
> Extension http://tools.ietf.org/html/draft-nir-tls-eap-06 might be
> what you are looking for. Unfortunately, there is no implementation up
> to date as far as I know.
>
> I am designing and developing the software for this Internet draft
> based on OpenSSL, EAP module from wpa-supplicant and freeradius
> client. Please let me know any special requirements if you are
> interested in using TLS-EAP Extension.

I read the draft you mentioned above and I'm not 100% sure if I understood it correctly. So basically spoken the authentication/authorization becomes more or less independent from the application using this software/draft. There's an authentication/authorization infrastructure besides client and service that is generic and can be used for *different* services. So, e.g. I can use it for authentication/authorization for a webbrowser towards apache, for a mailclient towards the mailservice etc.

If it is like that, this sounds pretty amazing and would give us exactly what we need.

Best regards!

M
RE: rlm_ldap: ldap_search() failed: Operations error
I suffered with this for a while. In my case it was because a lookup against the AD root failed. I had to specify a container. Since I needed to look in different containers, a bit of "unlang" and Alan and Ivan's help fixed it.

Hope this helps,

Leighton

From: freeradius-users-bounces+l.j.man=hud.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+l.j.man=hud.ac...@lists.freeradius.org] On Behalf Of Alba
Sent: 01 July 2009 22:45
To: FreeRadius users mailing list
Subject: Fwd: rlm_ldap: ldap_search() failed: Operations error

> It's a magic LDAP && Active directory issue. :-)

Thanks!

On Wed, Jul 1, 2009 at 3:15 PM, Alan DeKok <al...@deployingradius.com> wrote:
Alba wrote:
> Thanks Alan, I'll try it.
>
> Do you know the cause of this message? Is it a bug or a configuration issue?

It's a magic LDAP && Active directory issue.

Alan DeKok.
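The container-per-population arrangement Leighton alludes to, written out as an added example (none of this is his configuration; the directory names, the service account, the user-name pattern and the instance names are all assumptions): two rlm_ldap instances on FreeRADIUS 2.x, each with its basedn set to a container below the AD root, and an unlang choice in authorize selecting which one to search.

```unlang
#  modules/ldap (FreeRADIUS 2.x).  Two instances, each rooted in a container
#  rather than at the AD root, since searching from the root is what Leighton
#  reports as failing.  Bind with a low-privilege service account; AD does not
#  allow the anonymous search that the stock ldap module would otherwise try.
ldap ldap_staff {
        server = "dc1.example.com"
        identity = "cn=radius,ou=service accounts,dc=example,dc=com"
        password = change-me
        basedn = "ou=staff,dc=example,dc=com"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

ldap ldap_students {
        server = "dc1.example.com"
        identity = "cn=radius,ou=service accounts,dc=example,dc=com"
        password = change-me
        basedn = "ou=students,dc=example,dc=com"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

#  sites-enabled/default, authorize section: pick the container from the
#  user name (students here are assumed to be "u" followed by seven digits).
authorize {
        preprocess
        suffix
        eap {
                ok = return
        }
        if (User-Name =~ /^u[0-9]{7}$/) {
                ldap_students
        }
        else {
                ldap_staff
        }
        expiration
        logintime
        pap
}
```

Because the container is chosen from the client-supplied user name, a request can only be routed to a search it already names itself; it cannot read the other container, and the bind account should be limited to read access on exactly those two containers so that a mistake in the pattern exposes nothing further.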