Re: Re: EAP session matching the State variable

2009-11-02 Thread marco perugini

Alan DeKok wrote:

> marco perugini wrote:
>> hi list, i use freeradius [v 2.1.1] in wimax context and from yesterday
>> this message is driving me crazy: "EAP session matching the State variable".
>
>   That's "NO eap session matching..."
>
>> here's the use-case: i do auth and connection all right but if/when i lost my
>> connection and i try to reconnect that message shows me up in radius' debug;
>
>   Then your supplicant and/or access point is broken.  If the supplicant
> loses association with the AP, then EAP *must* be re-started from
> scratch.  Re-using State attributes from previous EAP sessions will
> cause authentication to fail on *every* single RADIUS server that exists.

hi alan! thanks for your feedback, kind as usual..
is there a way to restart eap session? is there some script to run to
have EAP
restarted from scratch?

best regards, marco

>> in about 20 min i succeed in reconnecting. i thought radius was stateless..
>
>   No.  EAP requires state.  The AP maintains state for EAP sessions.
>
>> do you know if there is some config changes to do to avoid this trouble?
>
>   Fix the AP so that it doesn't re-use old State attributes.
>
>   Alan DeKok.

  


-- 
4IT S.r.l.
Marco Perugini | system administrator
Via Udine 30-36, 00161 Roma
Phone +39 06 97601680
Mobile +39 339.39.81.246
Fax +39 06 97601683
m.perug...@4it.it
www.4it.it

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: checking user connect time

2009-11-02 Thread Ivan Kalik
> Can you let me know where can we check the time for which a particular
> user is connected, basically this is required so that we can advice the
> customer if his ISDN line is connected for too long.

SELECT (now() - AcctStartTime) FROM radacct WHERE UserName='some_user' AND
AcctStopTime IS NULL

Ivan Kalik
Kalik Informatika ISP



Re: Send Reject When User Logged In Already

2009-11-02 Thread boyali kus
Hello Again,

Here is the debug output:

..
++[mschap] returns ok
+- entering group session {...}
[sql]   expand: %{User-Name} -> usertr2048
[sql] sql_set_user escaped user --> 'usertr2048'
[sql]   expand: SELECT COUNT(*)  FROM
radacct  WHERE username =
'%{SQL-User-Name}'  AND acctstoptime IS
NULL -> SELECT COUNT(*)  FROM radacct
WHERE username = 'usertr2048'
AND acctstoptime IS NULL
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT radacctid, acctsessionid, username,
   nasipaddress, nasportid, framedipaddress,
 callingstationid, framedprotocol
  FROM radacctWHERE
username = '%{SQL-User-Name}'AND
acctstoptime IS NULL -> SELECT radacctid, acctsessionid, username,
   nasipaddress, nasportid, framedipaddress,
 callingstationid, framedprotocol
  FROM radacct
WHERE username = 'usertr2048'AND
acctstoptime IS NULL
checkrad: Net::Telnet 3.00+ CPAN module not installed
rlm_sql (sql): Released sql socket id: 1
[sql] Failed to check the terminal server for user 'usertr2048'.
++[sql] returns fail
+- entering group post-auth {...}
...

So it says checkrad: Net::Telnet 3.00+ CPAN module not installed.
Meanwhile the radutmp line in session section of
/sites-available/default file is commented out, sql line is in charge.

Best Regards

>  If you:
>
>  a) receive accounting packets
>
>  b) configure the SQL module to store data
>
>  c) set 'Simultaneous-Use := 1' somewhere
>
>  Then it should work.
>
>  As *always*, run the server in debugging mode to see what it's doing.
>  In 2.1.7, you can use "raddebug".
>
>  Alan DeKok.



Re: Send Reject When User Logged In Already

2009-11-02 Thread Ivan Kalik
> Here is the debug output:
>
> ..
> ++[mschap] returns ok
> +- entering group session {...}
> [sql]   expand: %{User-Name} -> usertr2048
> [sql] sql_set_user escaped user --> 'usertr2048'
> [sql]   expand: SELECT COUNT(*)  FROM
> radacct  WHERE username =
> '%{SQL-User-Name}'  AND acctstoptime IS
> NULL -> SELECT COUNT(*)  FROM radacct
> WHERE username = 'usertr2048'
> AND acctstoptime IS NULL
> rlm_sql (sql): Reserving sql socket id: 1
> [sql]   expand: SELECT radacctid, acctsessionid, username,
>nasipaddress, nasportid, framedipaddress,
>  callingstationid, framedprotocol
>   FROM radacctWHERE
> username = '%{SQL-User-Name}'AND
> acctstoptime IS NULL -> SELECT radacctid, acctsessionid, username,
>nasipaddress, nasportid, framedipaddress,
>  callingstationid, framedprotocol
>   FROM radacct
> WHERE username = 'usertr2048'AND
> acctstoptime IS NULL
> checkrad: Net::Telnet 3.00+ CPAN module not installed
> rlm_sql (sql): Released sql socket id: 1
> [sql] Failed to check the terminal server for user 'usertr2048'.
> ++[sql] returns fail
> +- entering group post-auth {...}
> ...
>
> So it says checkrad: Net::Telnet 3.00+ CPAN module not installed.
> Meanwhile the radutmp line in session section of
> /sites-available/default file is commented out, sql line is in charge.

If you don't want checkrad.pl to check with the NAS (i.e. only look in the
radacct table) set nastype as other in clients.conf.

Ivan Kalik
Kalik Informatika ISP



Re: Send Reject When User Logged In Already

2009-11-02 Thread boyali kus
Yes this is exactly what I want. Thank you Ivan!

> If you don't want checkrad.pl to check with the NAS (i.e. only look in the
> radacct table) set nastype as other in clients.conf.
>
> Ivan Kalik
> Kalik Informatika ISP


Re: 802.1x Strange active directory with MSCHAP issue

2009-11-02 Thread sea you
Hi,

I read the FAQ earlier, and I regenerated the certificates based on the
readme (although the xpextensions was there as far as I know), however the
solution was what Ivan suggested, that I should downgrade to samba 3.0. Now
I'm a happy freeradius user, thanks guys, now trying to do ldap group lookups
and assign vlan based on that :)

Best regards,
cU

On Sun, Nov 1, 2009 at 1:28 PM, Alan DeKok wrote:

> sea you wrote:
> > Hello List,
> >
> > I'm trying to set up freeradius for users to authenticate against Active
> > Directory. The problem is that it seems to be that the client tries and
> > somehow succeeds but then it sends Access-Challenge again.
>
>   This is in the FAQ, and in the comments in eap.conf.
>
>  Alan DeKok.

Dynamic VLANing and anonymous identity on re-auth?

2009-11-02 Thread Palmer J.D.F.
Hi all,

Is it possible to use anonymous outer identities with dynamic VLANing?

We have a problem with reauths when using anonymous outers, the initial
login is fine and the VLAN is assigned using sql.authorize, but re-auths
only seem to use the outer identity and hence no VLAN information is
sent back in the access-accept packet.

On a reauth, the only mention I see of the real username is...

[peap] Adding cached attributes to the reply:
User-Name = "test-user"
[eap] Freeing handler
++[eap] returns ok
Login OK: [anonym...@swansea.ac.uk] (from client wism port 29 cli
00-26-69-04-a7-f7)

Is it possible to capture this brief appearance of the real username to
run the sql.authorize to get the correct VLAN info?
Fast re-auth is disabled in experimental.conf (FR 2.1.7)

Many thanks,
Jezz Palmer.


-
Jezz Palmer
Library & Information Services
Swansea University
Singleton Park
Swansea
SA2 8PP
-


Re: Dynamic VLANing and anonymous identity on re-auth?

2009-11-02 Thread Alan Buxey
Hi,
> Hi all,
> 
> Is it possible to use anonymous outer identities with dynamic VLANing?
> 
> We have a problem with reauths when using anonymous outers, the initial
> login is fine and the VLAN is assigned using sql.authorize, but re-auths
> only seem to use the outer identity and hence no VLAN information is
> sent back in the access-accept packet.
> 
> On a reauth, the only mention I see of the real username is...
> 
> [peap] Adding cached attributes to the reply:
> User-Name = "test-user"
> [eap] Freeing handler
> ++[eap] returns ok
> Login OK: [anonym...@swansea.ac.uk] (from client wism port 29 cli
> 00-26-69-04-a7-f7)
> 
> Is it possible to capture this brief appearance of the real username to
> run the sql.authorize to get the correct VLAN info?
> Fast re-auth is disabled in experimental.conf (FR 2.1.7)

if you are doing the authorise in the main virtual server after the
inner-tunnel has done its business, then you must copy the User-Name
to an internal attribute that can be used in the post-auth section
(for example)

alan


Re: EAP session matching the State variable

2009-11-02 Thread Alan DeKok
marco perugini wrote:
> is there a way to restart eap session? is there some script to run to
> have EAP
> restarted from scratch?

  Your supplicant needs to re-start the EAP session.  This is a question
for your local OS vendor.

  Alan DeKok.


Client Certificates

2009-11-02 Thread Paul Ryszka
Hello,

Do I need a separate certificate for each client or can I use one cert for
all clients?
Is there an easy way to generate a bunch of them using the supplied scripts?

Regards 
Paul




Logging Error Messages in SQL

2009-11-02 Thread Jeff Fern
All,

We are running Freeradius 2.1.7, some of our clients aren't properly
configured, and we sometimes see errors like this in /var/log/radius.log:

Mon Nov  2 16:23:04 2009 : Error: TLS Alert read:fatal:unknown CA
Mon Nov  2 16:23:04 2009 : Error: TLS_accept:failed in SSLv3 read
client certificate A
Mon Nov  2 16:23:04 2009 : Error: rlm_eap: SSL error error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Mon Nov  2 16:23:04 2009 : Error: SSL: SSL_read failed inside of TLS (-1),
TLS session fails.

What I would like to be able to do is log part of this message in our
database, so if the user seeks help about not being able to get access,
our helpdesk just need to query the database rather than needing to ask us
to look through the log file for any additional information.

I haven't been able to find any info about this, does anyone have any ideas?

Cheers,
-Jeff
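As an added example (not from the thread and not part of FreeRADIUS), a small Python parser over radius.log lines in the layout Jeff quoted; it reduces each burst of TLS errors to one short row of the kind a helpdesk table could hold. The sample log below is constructed from the quoted lines, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample in the radius.log layout quoted above (not a real capture).
SAMPLE_LOG = """\
Mon Nov  2 16:23:04 2009 : Error: TLS Alert read:fatal:unknown CA
Mon Nov  2 16:23:04 2009 : Error: TLS_accept:failed in SSLv3 read client certificate A
Mon Nov  2 16:23:04 2009 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Mon Nov  2 16:23:04 2009 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Mon Nov  2 16:25:11 2009 : Info: rlm_eap: Request found, released from the list
"""

# "<ctime timestamp> : <Level>: <message>" is the line layout shown in the log excerpt.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
# The first Error line names the TLS alert the peer sent; that is the part worth storing.
ALERT_RE = re.compile(r"TLS Alert read:(?P<severity>\w+):(?P<reason>.+)$")

def summarise_tls_errors(log_text):
    """Group Error lines by timestamp and return one row per group that carried a TLS alert.

    Each row is {'ts', 'severity', 'reason', 'lines'}: 'reason' is the alert text
    (e.g. 'unknown CA') and 'lines' how many Error lines shared that timestamp, so the
    database row stays short while the full detail remains in the log file.
    """
    errors = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("level") == "Error":
            errors[m.group("ts")].append(m.group("msg"))
    rows = []
    for ts, msgs in errors.items():          # dict keeps log order
        for msg in msgs:
            alert = ALERT_RE.search(msg)
            if alert:
                rows.append({"ts": ts,
                             "severity": alert.group("severity"),
                             "reason": alert.group("reason").strip(),
                             "lines": len(msgs)})
                break                        # one row per timestamp group
    return rows

if __name__ == "__main__":
    for row in summarise_tls_errors(SAMPLE_LOG):
        print(row)
```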





Multiple servers

2009-11-02 Thread Paul Ryszka
Hello,

I recently spotted that freeradius 2.0 can do multiple instances in one
go. I have two raddb directories that work for each server at the
moment; is there an easy way to make them instances on the same server?
I looked at the example configuration files but I did not find any
server clauses or listen in the sites-enabled directory. Should I just put
a listen clause in one of the files, remove the default file there and
remove listen from radiusd.conf?

Regards
Paul




Re: Re: EAP session matching the State variable

2009-11-02 Thread marco perugini

thanks a lot for your feedback alan!

marco

Alan DeKok wrote:

> marco perugini wrote:
>> is there a way to restart eap session? is there some script to run to
>> have EAP
>> restarted from scratch?
>
>   Your supplicant needs to re-start the EAP session.  This is a question
> for your local OS vendor.
>
>   Alan DeKok.


Re: Multiple servers

2009-11-02 Thread Ivan Kalik
> I recently spotted that freeradius 2.0 can do multiple instances in one
> go. I have two raddb directories that work for each server at the
> moment; is there an easy way to make them instances on the same server?
> I looked at the example configuration files but I did not find any
> server clauses or listen in the sites-enabled directory. Should I just put
> a listen clause in one of the files, remove the default file there and
> remove listen from radiusd.conf?

It's documented in raddb/sites-available/README.

Ivan Kalik
Kalik Informatika ISP



RE: Dynamic VLANing and anonymous identity on re-auth?

2009-11-02 Thread Palmer J.D.F.
 
> if you are doing the authorise in the main virtual server after the
> inner-tunnel has done its business, then you must copy the User-Name
> to an internal attribute that can be used in the post-auth section
> (for example)

Does the inner-tunnel get called on a re-auth? As said the only time I
see the real username on a re-auth is when it appears to be produced
from the cache.
> [peap] Adding cached attributes to the reply:
> User-Name = "test-user"

At what point can I copy it?
 
I have sql.authorize sections in post-auth on both the inner and default
sections, I've tried putting them all over the place. :-D

Cheers,
Jezz.






VSA extension

2009-11-02 Thread Larry Ross
Hello All;
I am trying to add a new vendor to the dictionary directory.  I created the 
file in /usr/local/share/freeradius/dictionary.procera contents below.  The 
vendor in question provided their Vendor ID


# -*- text -*-
##
#
#  Procera VSAs,
#
#  $Id$
#
##
VENDOR        Procera                   12913
BEGIN-VENDOR  Procera
ATTRIBUTE     Procera-Local-User-Name   1  string
END-VENDOR    Procera


I then add

Procera-Local-User-Name = "admin"

to my username in users.conf

Now when I try and execute radiusd I receive
/usr/local/etc/raddb/users[68]: Parse error (reply) for entry lfross: Invalid 
octet string "admin" for attribute name "Procera-Local-User-Name"
Errors reading /usr/local/etc/raddb/users


I have never encountered issues adding vendors before, any information is 
greatly appreciated.

Thank you

Larry Ross
Network Operations
University California Davis
http://www-noc.ucdavis.edu
lfr...@ucdavis.edu


Re: VSA extension

2009-11-02 Thread Peter Lambrechtsen
On Tue, Nov 3, 2009 at 12:42 PM, Larry Ross  wrote:

>  Hello All;
>
> I am trying to add a new vendor to the dictionary directory.  I created the
> file in /usr/local/share/freeradius/dictionary.procera contents below.  The
> vendor in question provided their Vendor ID
>

Did you also add the include into the /usr/local/share/freeradius/dictionary
file???

ie

echo "$INCLUDE dictionary.procera" >> /usr/local/share/freeradius/dictionary

??

Then tried again.
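As an added example (not part of the thread and not FreeRADIUS code), a Python parser for the four dictionary keywords Larry's file uses and an RFC 2865 Vendor-Specific encoder for the resulting attribute. The dictionary text is a constructed copy of the one posted above; merging several parsed texts stands in for the $INCLUDE chain Peter asks about, and a name that no parsed dictionary defines fails the lookup instead of encoding.

```python
import struct

# Constructed copy of the dictionary.procera text posted above (not the project's file).
DICT_PROCERA = """\
# -*- text -*-
#  Procera VSAs
VENDOR        Procera                   12913
BEGIN-VENDOR  Procera
ATTRIBUTE     Procera-Local-User-Name   1  string
END-VENDOR    Procera
"""

def parse_dictionary(text, attrs=None):
    """Parse VENDOR / BEGIN-VENDOR / ATTRIBUTE / END-VENDOR lines into
    {name: (vendor_id, attr_number, type)}; vendor_id 0 means a plain RFC attribute.
    Pass an existing dict to merge into it, which stands in for the $INCLUDE chain."""
    attrs = {} if attrs is None else attrs
    vendors, current = {}, 0
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not parts:
            continue
        key = parts[0].upper()
        if key == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif key == "BEGIN-VENDOR":
            current = vendors[parts[1]]           # KeyError: BEGIN-VENDOR before its VENDOR line
        elif key == "END-VENDOR":
            current = 0
        elif key == "ATTRIBUTE":
            attrs[parts[1]] = (current, int(parts[2]), parts[3].lower())
    return attrs

def encode_vsa(attrs, name, value):
    """Encode name=value as an RFC 2865 Vendor-Specific attribute (type 26):
    type, length, 4-byte vendor id, then vendor-type, vendor-length, data.
    Raises KeyError for a name no parsed dictionary defines, which is the state
    the server is in when the vendor file was never $INCLUDEd."""
    vendor_id, attr_num, attr_type = attrs[name]
    if attr_type != "string" or vendor_id == 0:
        raise ValueError("example only encodes string-typed vendor attributes")
    data = value.encode()
    inner = struct.pack("!BB", attr_num, 2 + len(data)) + data
    return struct.pack("!BBI", 26, 6 + len(inner), vendor_id) + inner

if __name__ == "__main__":
    attrs = parse_dictionary(DICT_PROCERA)
    print(encode_vsa(attrs, "Procera-Local-User-Name", "admin").hex())
```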