EAP/TLS authentication timeout

2009-11-04 Thread Wiedemann, Joerg
Hi,
 
I'm trying to establish an EAP/TLS authentication. The certificates are
created by the freeradius scripts. rad_eap_test v0.22 is used for
testing. Somehow the authentication request runs into a timeout, but I
can't see what's wrong. Any suggestions?
 
# ~/rad_eap_test -S testing123 -u wied...@edcllc.net -m IEEE8021X -e TLS -H localhost -P 1812 -j client.pem -k client.pem -p hello -c
timeout; 6
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=147
   Attribute 1 (User-Name) length=20
  Value: 'wied...@edcllc.net'
   Attribute 4 (NAS-IP-Address) length=6
  Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
  Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
  Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
  Value: 19
   Attribute 77 (Connect-Info) length=27
  Value: 'rad_eap_test + eapol_test'
   Attribute 79 (EAP-Message) length=25
  Value: 02 00 00 17 01 77 69 65 64 65 6d 6a 40 65 64 63 6c 6c 63 2e 6e 65 74
   Attribute 80 (Message-Authenticator) length=18
  Value: cb 31 3e 88 24 e8 1a 10 cc b4 d2 12 6e bf 8c 68
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
  Value: 01 01 00 16 04 10 89 18 38 04 bb 3d d5 df 53 ef 55 cb 64 5b 52 9b
   Attribute 80 (Message-Authenticator) length=18
  Value: d8 85 a6 2f e9 11 da 62 f9 a3 43 1b 04 21 70 90
   Attribute 24 (State) length=18
  Value: be 60 98 38 be 61 9c a1 ab 26 38 fa 49 90 77 88
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=148
   Attribute 1 (User-Name) length=20
  Value: 'wied...@edcllc.net'
   Attribute 4 (NAS-IP-Address) length=6
  Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
  Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
  Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
  Value: 19
   Attribute 77 (Connect-Info) length=27
  Value: 'rad_eap_test + eapol_test'
   Attribute 79 (EAP-Message) length=8
  Value: 02 01 00 06 03 0d
   Attribute 24 (State) length=18
  Value: be 60 98 38 be 61 9c a1 ab 26 38 fa 49 90 77 88
   Attribute 80 (Message-Authenticator) length=18
  Value: e4 1a c5 34 14 71 94 0c 2b 7c 4b ad 9b 3f c6 ae
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=1 length=64
   Attribute 79 (EAP-Message) length=8
  Value: 01 02 00 06 0d 20
   Attribute 80 (Message-Authenticator) length=18
  Value: 55 fa ee 1b 05 ce 82 83 ed ea 1c 98 a6 0e 52 2d
   Attribute 24 (State) length=18
  Value: be 60 98 38 bf 62 95 a1 ab 26 38 fa 49 90 77 88

--
FreeRADIUS Version 2.1.3, for host i486-pc-linux-gnu, built on Feb 25 2009 at 14:17:43
Starting - reading configuration files ...
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
radiusd:  Loading Realms and Home Servers
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }

 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = no
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to 

Different assignments in users files

2009-11-04 Thread verhoem

Hello,

I'm a newbie in FreeRADIUS but after reading O'Reilly's RADIUS book for
dummies I still can't figure out what the difference is between :=, == and =
in the users file.
steve Auth-Type := Local, User-Password ==  Testing etc.
I also see notations like Jonathan Password = Unix-PW.
In the end my config seems to work but I'm wondering if I'm missing out on
something important.

Explanation or a URL would be very appreciated!

Greetings Marcel
  
-- 
View this message in context: 
http://old.nabble.com/Differencent-assigments-in-users-files-tp26193201p26193201.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different assignments in users files

2009-11-04 Thread Nicolas Goutte


On 04.11.2009 at 11:12, verhoem wrote:

 Hello,

 I'm a newbie in FreeRADIUS but after reading O'Reilly's RADIUS book for
 dummies I still can't figure out what the difference is between :=, == and =
 in the users file.

 steve Auth-Type := Local, User-Password ==  Testing etc.

It should read

Cleartext-Password := Testing

In FreeRADIUS passwords are assigned ( := ) not compared ( == ).

 I also see notations like Jonathan Password = Unix-PW.
 In the end my config seems to work but I'm wondering if I'm missing out on
 something important.

 Explanation or a URL would be very appreciated!

 Greetings Marcel

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registry court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: Freeradius-Users Digest, Vol 55, Issue 10

2009-11-04 Thread Gilbert Lo
Thank you for your message.  I am away until Nov 10th.  I will respond to
your message on my return.  For urgent matters, please contact
helpd...@stgeorges.bc.ca.
Cheers,
Gilbert Lo


Re: Different assignments in users files

2009-11-04 Thread Ana Gallardo
http://freeradius.org/radiusd/man/users.html


2009/11/4 Nicolas Goutte nicolas.gou...@extragroup.de

 On 04.11.2009 at 11:12, verhoem wrote:

  I'm a newbie in FreeRADIUS but after reading O'Reilly's RADIUS book for
  dummies I still can't figure out what the difference is between :=, == and
  = in the users file.

  steve Auth-Type := Local, User-Password ==  Testing etc.

 It should read

 Cleartext-Password := Testing

 In FreeRADIUS passwords are assigned ( := ) not compared ( == ).

 Have a nice day!

 Nicolas Goutte


-- 

 Ana Gallardo Gómez

Re: Different assignments in users files

2009-11-04 Thread Nicolas Goutte

On 04.11.2009 at 11:21, Ana Gallardo wrote:

 http://freeradius.org/radiusd/man/users.html

Well, unfortunately there is an example:

bob User-Password == hello

which is bad.

Have a nice day!

Nicolas Goutte

RE: Monthly 'rollover'

2009-11-04 Thread Ivan Kalik
 What we would like to do, is at the end of each month (Just before date
 rolls into next month), the current accounting record to stop, a new
 record to start (As if a start record had been received) without
 disconnecting the user from the nas. Giving the appearance in the
 radacct table, that the user disconnected and reconnected, keeping all
 data records for that month, within that month.

Don't do that.


 I'm curious as to why not?

Because it doesn't make sense to break accounting records that are
correct. Fix what's wrong instead.

Ivan Kalik
Kalik Informatika ISP


Re: Different assignments in users files

2009-11-04 Thread Ivan Kalik
 http://freeradius.org/radiusd/man/users.html

 Well, unfortunately there is an example:

 bob User-Password == hello

 which is bad.

That's out of date. man 5 users on the radius server will be up-to-date
(i.e. documentation is included with the server).

 I'm a newbie in FreeRADIUS but after reading O'Reilly's RADIUS book
 for
 dummies I still can't figure out what the difference is between :=
 == and =

http://wiki.freeradius.org/Operators

 in the users file.

 steve Auth-Type := Local, User-Password ==  Testing etc.

 I also see notations like Jonathan Password = Unix-PW.
 In the end my config seems to work but I'm wondering if I'm missing
 out on
 something important.

O'Reilly's book is also out of date. Updated documentation is available
with the server source. Look through that info first.

Ivan Kalik
Kalik Informatika ISP
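To make the operator distinction in this thread concrete, the following added Python model (not FreeRADIUS code) evaluates the three check-item operators against PAP and CHAP requests and shows why `User-Password ==` only works when the request carries a cleartext password, while `Cleartext-Password :=` sets a control item that the pap and chap verifiers consume. The users-file lines, requests and DEFAULT entry are constructed; Fall-Through and reply items are left out.

```python
"""Model of the FreeRADIUS 'users' file check-item operators ==, := and =.

Added illustration for this thread, not FreeRADIUS code.  Only the three
operators under discussion are modelled, plus PAP and CHAP verifiers that
consume the control item Cleartext-Password.  Fall-Through and reply
items are left out.  The users-file text and requests are constructed.
"""
import hashlib
import re

# Constructed users file: the first entry is the form the thread calls bad,
# the second is the form Nicolas recommends, the last is a catch-all.
USERS_FILE = """
steve   Auth-Type := Local, User-Password == "Testing"
bob     Cleartext-Password := "hello"
DEFAULT Auth-Type = Reject
"""

ITEM_RE = re.compile(r'^([\w-]+)\s*(==|:=|=)\s*(.*)$')


def parse_users(text):
    """Return [(name, [(attr, op, value), ...]), ...]; check items only."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _, rest = line.partition(' ')
        items = []
        for item in rest.split(','):
            m = ITEM_RE.match(item.strip())
            if not m:
                raise ValueError('bad check item: %r' % item)
            attr, op, value = m.groups()
            items.append((attr, op, value.strip().strip('"')))
        entries.append((name, items))
    return entries


def apply_check_items(items, request):
    """Evaluate one entry's check items against a request.

    Returns the control items the entry produces, or None if it does not
    match.  '==' compares against the request and sets nothing; ':='
    always matches and sets (replacing) a control item; '=' always
    matches and sets the control item only if it is still unset.
    """
    control = {}
    for attr, op, value in items:
        if op == '==':
            if request.get(attr) != value:
                return None
        elif op == ':=':
            control[attr] = value
        elif op == '=':
            control.setdefault(attr, value)
    return control


def lookup(entries, request):
    """First entry whose name (or DEFAULT) and check items match."""
    user = request.get('User-Name')
    for name, items in entries:
        if name not in ('DEFAULT', user):
            continue
        control = apply_check_items(items, request)
        if control is not None:
            return name, control
    return None


def pap_verify(control, request):
    """PAP: the module compares control Cleartext-Password with the request."""
    pw = control.get('Cleartext-Password')
    return pw is not None and request.get('User-Password') == pw


def chap_verify(control, request):
    """CHAP: CHAP-Password is ident || MD5(ident || password || challenge)."""
    pw = control.get('Cleartext-Password')
    chap = request.get('CHAP-Password')
    if pw is None or chap is None:
        return False
    ident, expected = chap[:1], chap[1:]
    digest = hashlib.md5(ident + pw.encode() + request['CHAP-Challenge']).digest()
    return digest == expected


def make_chap_request(user, password, challenge, ident=b'\x01'):
    """Constructed CHAP request as a client sends it: no User-Password."""
    digest = hashlib.md5(ident + password.encode() + challenge).digest()
    return {'User-Name': user, 'CHAP-Password': ident + digest,
            'CHAP-Challenge': challenge}


ENTRIES = parse_users(USERS_FILE)

if __name__ == '__main__':
    challenge = b'\x5a' * 16
    # steve: '==' needs a cleartext User-Password in the request, so PAP
    # matches but CHAP falls through to the DEFAULT reject entry.
    print(lookup(ENTRIES, {'User-Name': 'steve', 'User-Password': 'Testing'}))
    print(lookup(ENTRIES, make_chap_request('steve', 'Testing', challenge)))
    # bob: ':=' matches regardless of protocol; the verifier does the work.
    name, ctl = lookup(ENTRIES, make_chap_request('bob', 'hello', challenge))
    print(name, chap_verify(ctl, make_chap_request('bob', 'hello', challenge)))
    print(name, chap_verify(ctl, make_chap_request('bob', 'wrong', challenge)))
```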


Re: Clean script session in radacct

2009-11-04 Thread Ivan Kalik
 Need to know if there's a script that allows users to clean their
 sessions that have been connected for a long period in the radacct table.

DELETE FROM radacct WHERE AcctStartTime whatever

Why would you allow users to do anything with their accounting records?

Ivan Kalik
Kalik Informatika ISP


Re: Monthly 'rollover'

2009-11-04 Thread Jonathan Gazeley

Hi Jeremy,

I had exactly the same need as you, except I wanted my rollover to take 
place on an hourly basis for live accounting.


I found this guide helpful:

http://www.netexpertise.eu/en/freeradius/daily-accounting.html

Regards,
Jonathan


Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol




On 11/03/2009 09:45 PM, Jeremy Brooking wrote:

Hi,

We bill based on data from radius, using dpkg install of FreeRADIUS 2.0.4 with 
mysql, however, when a user maintains a connection for say longer than a month, 
it throws our accounting out.

What we would like to do, is at the end of each month (Just before date rolls 
into next month), the current accounting record to stop, a new record to start 
(As if a start record had been received) without disconnecting the user from 
the nas. Giving the appearance in the radacct table, that the user disconnected 
and reconnected, keeping all data records for that month, within that month.

I've tried googling for the answers, but can only assume my search strings are 
wrong.

Could someone here help me with this, or point me in the direction I need to be 
looking.


regards,
Jeremy


NTLM

2009-11-04 Thread Paul Ryszka
Hi,

I was setting up NTLM auth against AD and it works well; however, I wanted
to add another server section in the config and that was working ok too,
up to the point when somebody wants to do mschap authentication against
something other than AD.
I followed the recommendations and added the following:
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-WEBANGEL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

to the module section in mschap, but now it seems that it cannot do any
other backends.
I have the sql engine returning ok before mschap
and then mschap returning reject and the whole request is rejected.
I attach the log of activity from radiusd -X.
I would like to have two separate server sections,
one authenticating against AD and the other against SQL, and I would like
the end-client to be able to use MSCHAPv2 to use both.

Thank you in advance for your help.

Regards
Paul


FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Sep 18 2009 at 10:59:17
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/ntlm
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/mssql.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/ntlm
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/mssql
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/radius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /var/run/radiusd/radiusd.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 0
	reject_delay = 0
	

Re: regex 'fun'

2009-11-04 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 Alexander Clouter wrote:

 I got those :alpha:-n-chums actually working and tested them with a 
 bunch of test cases; they definitely seem to be doing what I would 
 expect...well unless the realm has a space in it :)
 
  Odd...

Glad you do too, means I have not missed something...hopefully :)
 
 I never understood why eduroam just didn't use SRV records against 
 the realm to find the RADIUS server and a DNS based whitelist to 
 validate which realms were part of the community. :-/
 
  It's hard.  Once FreeRADIUS gets SRV support...

I decided, in an imaginary place where I am God and decider of all, it 
would be better to have a RADIUS-esque proxy bridge thingy mcwhatsit.  
The RADIUS servers would proxy to the 'eduroam proxy' you would run 
locally, it would then 'eduroam-ise' the request (filter cruft, check 
the realm is routable etc etc) and then shift the packets themselves off 
to their destination.

 The only complication I can see is the Message-Authenticator I think, 
 however I would imagine the .ac.uk community can dig into the sofa for 
 some loose change to hire some FreeRADIUS consultant...if he is not too 
 busy lying with his feet kicked up in France with fresh food and good 
 wine :)
 
  I'm in Canada right now.  Cold... wintry... good beer.
 
Hmmm, if it is anything like the New England beer I tried a while back, 
I am not so keen.

  But RadSec and/or DTLS should solve much of the security issues.
 
EAP-TTLS wrapped in TLS eh, I already have the user validating the cert 
they are sending the credentials to...kinda redundant surely?  I hear 
PKI is meant to 'solve' the realm whitelisting part too...'great' :-/

This network monkey recommends people realise PKI is stupid, however 
if the eduroam world were maybe to think about a PGPesque key signing 
approach, that I would be interested in supporting.

Cheers

-- 
Alexander Clouter
.sigmonster says: Try to divide your time evenly to keep others happy.



Re: regex 'fun'

2009-11-04 Thread Alexander Clouter
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 
   Eduroam should really be creating a routing protocol for RADIUS.  I
 don't think it would be hard: git + ssh + text files.  See Section 2.7 of:
 
 http://tools.ietf.org/id/draft-dekok-radext-nai-00.txt
 
 firstly, it's 'eduroam', not 'Eduroam' - minor point but nonetheless  :-)

Says 'eduroam' in my SSID, maybe I'll go and check my 'E-mail' after 
this posting? ;)

 secondly - the current system uses a proxy hierarchy because that was the 
 lowest
 common capable denominator when the federation was created and it's fairly
 easy for sites/countries to get connected.

This is great...it was *built* first then pinned down, as a result it 
was guaranteed to work.  Cheap, easy to join, and quick to discover how 
useful the whole system actually is.

For this, it gets my praise, and everyone else's, it is awesome.

It is awesome though as it is dead easy to join for anyone doing 
anything vaguely 802.1Xy locally (wifi, wired, whatever).

 there are currently moves underway to investigate/implement moves to using
 dynamic RADIUS/REALM lookups etc however there are then fundamental changes
 that need to be undertaken - such as having required 'membership' - eg
 certificate extension to prove you are a valid eduroam site - couple that with
 requirements to use eg RADSEC for secure transit (can't use shared secrets
 with random other sites!)  and then there's what to do to the countless
 RADIUS servers in use that don't (and maybe won't) support such features...
 sure, sure 'RADSecProxy' is a tech answer but I've already approached sites
 big on Windows servers and IAS/NPS - the thought of running some non-MS
 software on their server makes them very angry/angsty. It looks like a 
 proxy
 system would need to be kept in place to keep those sites in  (as well as
 imagine telling them to open ports up to their MS server to the world..)
 
They don't have to, they run it on a separate box and configure their box 
to blindly send all non-local realmed stuff to a separate nearby RADIUS 
proxy that does the talking to Eduroam; okay I am now touting the 
'separate' proxy...but Eduroam has some pretty unique requirements that 
*no-one* else does and this is the key point.

We need something RADIUS like, you need something like a 'bridge', 
between RADIUS and Eduroam which could be 98% RADIUS.

 currently, the proxy system doesn't involve even more CA/PKI stuff and it
 doesn't open the system to the world...a lot of sites like that.  :-|
 
So the bar (including the administrative work both for you and the 
end-sysadmin) is set low.  If RADSEC raises that bar it has failed.  
It's 2009, it is meant to be *easier* for systems to communicate with 
one another...if you are implementing something that is more difficult 
it is the wrong solution.  That does not just apply to Eduroam either :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Does not include installation.



Re: NTLM

2009-11-04 Thread Ivan Kalik
 I was setting up NTLM auth against AD and it works well; however, I wanted
 to add another server section in the config and that was working ok too,
 up to the point when somebody wants to do mschap authentication against
 something other than AD.
 I followed the recommendations and added the following:
 with_ntdomain_hack = yes
 ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-WEBANGEL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

 to the module section in mschap, but now it seems that it cannot do any
 other backends.
 I have the sql engine returning ok before mschap
 and then mschap returning reject and the whole request is rejected.
 I attach the log of activity from radiusd -X.
 I would like to have two separate server sections,
 one authenticating against AD and the other against SQL, and I would like
 the end-client to be able to use MSCHAPv2 to use both.

http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_(ntlm_auth)_with_accounts_stored_elsewhere

Ivan Kalik
Kalik Informatika ISP


Re: Re: checking user connect time

2009-11-04 Thread Yagnesh Dave
Hi,

Thanks for your quick answer. I am very new to the RADIUS server, so I was not able 
to understand what you pointed out below. It would be great if you can 
elaborate a bit on it.

Regards,
Yagnesh Dave.

On Mon, 02 Nov 2009 17:04:11 +0530  wrote
 Can you let me know where we can check the time for which a particular
 user is connected? Basically this is required so that we can advise the
 customer if his ISDN line is connected for too long.

SELECT (now() - AcctStartTime) FROM radacct WHERE UserName='some_user' AND
AcctStopTime IS NULL

Ivan Kalik
Kalik Informatika ISP


Re: NTLM

2009-11-04 Thread Paul Ryszka
Thank you!!!
On Wed, 2009-11-04 at 12:17 +, Ivan Kalik wrote:
  I would like to have two separate server sections,
  one authenticating against AD and the other against SQL, and I would like
  the end-client to be able to use MSCHAPv2 to use both.
 
 http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_(ntlm_auth)_with_accounts_stored_elsewhere
 
 Ivan Kalik
 Kalik Informatika ISP


Re: Re: Re: checking user connect time

2009-11-04 Thread Yagnesh Dave
Hi,

I also found this command in the RADIUS e-book by O'Reilly.

radiusreport -i 0 -f detail

But this command does not work, I get an error message saying not found.

Please help me.

Regards,
Yagnesh Dave

On Wed, 04 Nov 2009 17:50:55 +0530  wrote
 Hi,

 Thanks for your quick answer. I am very new to the RADIUS server, so I was not able
 to understand what you pointed out below. It would be great if you can
 elaborate a bit on it.

 Regards,
 Yagnesh Dave.

 On Mon, 02 Nov 2009 17:04:11 +0530  wrote
  Can you let me know where we can check the time for which a particular
  user is connected? Basically this is required so that we can advise the
  customer if his ISDN line is connected for too long.

 SELECT (now() - AcctStartTime) FROM radacct WHERE UserName='some_user' AND
 AcctStopTime IS NULL

 Ivan Kalik
 Kalik Informatika ISP

Re: regex 'fun'

2009-11-04 Thread Alan Buxey
Hi,

 proxy that does the talking to Eduroam; okay I am now touting the 
 'separate' proxy...but Eduroam has some pretty unique requirements that 
 *no-one* else does and this is the key point.

'eduroam' not Eduroam please!  ;-)

 So the bar (including the administrative work both for you and the 
 end-sysadmin does) is set low.  If RADSEC raises that bar it has failed.  
 It's 2009, it is meant to be *easier* for systems to communicate with 
 one another...if you are implementing something that is more difficult 
 it is the wrong solution.  That does not just apply to Eduroam either :)

err, no. the current concept would be something like...

1) end site gets connected and asks eduroam for a cert for their server
2) NREN validates request
3) end site gets the cert and adds it to their server

that's all easy and requires no skills...agreed?

now, the 'technical part'

end site reconfigures their RADIUS server so it knows about that
cert... oh, something like

radsec_cert = myservercert.der
radsec_ca   = eduroam-ca.der

then they enable the new functionality to do dynamic host lookups...oh,
maybe 

$INCLUDE dynamic-server-discovery.conf

or

ln -s sites-available/dynamic-server sites-enabled/dynamic-server


if that's raised the bar then it's a tiny tiny raise that even an ant couldn't
get under IMHO.

okay - some of this might be over simplified for the initial beta-testers
of such new functionality but it's pretty much what people are visualising
as the real-life way of things working.. so, no need for weird external
programs and PERL code...no need for PGP or whitelists.  the only thing
missing would be

sites-enabled/throw-my-stats-to-eduroam-and-NREN;-)
sites-enabled/log-errors-to-NREN-or-eduroam 8-)

alan


Re: Re: Re: checking user connect time

2009-11-04 Thread Phil Meech
Hi Dave,

Radiusreport is a separate project - see
http://www.pgregg.com/projects/radiusreport/

Ivan posted an SQL statement above which answers your initial query.  Simply
execute the query on your SQL server.

For simplified management you may want to take a look at installing and
configuring daloradius - see http://daloradius.com/

Kind Regards,
Phil

2009/11/4 Yagnesh Dave yagnesh.d...@rediffmail.com

 Hi,

 I also found this command in the Radius E-book by O`reilly.

 radiusreport -i 0 -f detail

 But this command does not work, i get an error message saying not found.

 Please help me.

 Regards,
 Yagnesh Dave

 On Wed, 04 Nov 2009 17:50:55 +0530 wrote

 Hi,
 

 
 Thanks for your quick answer. I am very new to radius server, so i was not
 able to understand what you pointed out below. It would be great if you can
 elaborate a bit on it.
 

 
 Regards,
 
 Yagnesh Dave.
 

 
 On Mon, 02 Nov 2009 17:04:11 +0530 wrote
 
  Can you let me know where can we check the time for which a particular
 
  user is connected, basically this is required so that we can advice the
 
  customer if his ISDN line is connected for too long.
 

 
 SELECT (now() - AcctStartTime) FROM radacct WHERE UserName='some_user' AND
 
 AcctStopTime IS NULL
 

 
 Ivan Kalik
 
 Kalik Informatika ISP
 

 



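Ivan's one-line query, worked through as an added example (this is not code from the thread; the radacct subset and the rows in it are constructed). It runs the same "open session" condition, AcctStopTime IS NULL, against an in-memory SQLite copy of radacct, with the clock passed in as a parameter so the result is reproducible; on MySQL or PostgreSQL substitute now() for that parameter. It also goes one step further than the thread and lists every open session older than a threshold, which is the list an operator would use to warn customers with a long-running ISDN call, or to spot stale records where the Accounting-Stop never arrived.

```python
import sqlite3

# Subset of the FreeRADIUS radacct table, with the column names the SQL
# accounting module uses. Schema and rows are constructed for this example.
RADACCT_DDL = """
CREATE TABLE radacct (
    RadAcctId       INTEGER PRIMARY KEY,
    AcctSessionId   TEXT NOT NULL,
    UserName        TEXT NOT NULL,
    NASIPAddress    TEXT NOT NULL,
    AcctStartTime   TEXT NOT NULL,
    AcctStopTime    TEXT,
    AcctSessionTime INTEGER
)
"""

SAMPLE_ROWS = [
    # (AcctSessionId, UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime)
    ("sess-0001", "alice", "10.0.0.1", "2009-11-04 09:05:43", None, None),                   # still open
    ("sess-0002", "alice", "10.0.0.1", "2009-11-03 08:00:00", "2009-11-03 08:30:00", 1800),  # closed
    ("sess-0003", "bob",   "10.0.0.2", "2009-11-04 11:55:43", None, None),                   # still open
    ("sess-0004", "carol", "10.0.0.1", "2009-10-30 12:05:43", None, None),                   # open for days: stale or stuck
]


def open_db():
    """In-memory radacct loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(RADACCT_DDL)
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, "
        "AcctStartTime, AcctStopTime, AcctSessionTime) VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


# A row with no AcctStopTime has not received an Accounting-Stop: the user is
# either still connected or the record is stale (lost Stop packet, NAS reboot).
# The arithmetic is done in epoch seconds so it is portable across databases.
OPEN_SESSION_SQL = """
SELECT AcctSessionId,
       CAST(strftime('%s', ?) AS INTEGER) - CAST(strftime('%s', AcctStartTime) AS INTEGER)
FROM radacct
WHERE UserName = ? AND AcctStopTime IS NULL
ORDER BY AcctStartTime
"""

LONG_SESSION_SQL = """
SELECT UserName, AcctSessionId, NASIPAddress,
       CAST(strftime('%s', ?) AS INTEGER) - CAST(strftime('%s', AcctStartTime) AS INTEGER) AS connected_seconds
FROM radacct
WHERE AcctStopTime IS NULL
  AND CAST(strftime('%s', ?) AS INTEGER) - CAST(strftime('%s', AcctStartTime) AS INTEGER) > ?
ORDER BY connected_seconds DESC
"""


def open_session_durations(conn, username, now):
    """[(AcctSessionId, seconds connected), ...] for the user's open sessions as of `now`
    ('YYYY-MM-DD HH:MM:SS'); this is Ivan's query with the clock parameterised."""
    return conn.execute(OPEN_SESSION_SQL, (now, username)).fetchall()


def long_sessions(conn, max_seconds, now):
    """Every open session older than max_seconds, longest first: the customers to warn,
    or the records to reconcile against the NAS if the session is not really up."""
    return conn.execute(LONG_SESSION_SQL, (now, now, max_seconds)).fetchall()


if __name__ == "__main__":
    db = open_db()
    clock = "2009-11-04 12:05:43"  # constructed "now"
    print(open_session_durations(db, "alice", clock))
    for user, sid, nas, secs in long_sessions(db, 4 * 3600, clock):
        print(f"{user}: session {sid} on {nas} connected for {secs // 3600} h")
```

A session that shows up here for days is not necessarily a user still online; before billing or warning anyone, check it against the NAS (the radutmp module's check_with_nas does this for the utmp file) and close stale rows with an UPDATE that sets AcctStopTime rather than deleting the accounting history.
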
AW: EAP/TLS authentication timeout

2009-11-04 Thread Wiedemann, Joerg
 on the first line with the other check items
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
filename = /var/log/freeradius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /etc/freeradius/attrs.access_reject
key = %{User-Name}
  }
 }
}
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /etc/freeradius/huntgroups
hints = /etc/freeradius/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating auth_log
  detail auth_log {
detailfile =
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating DOT
  realm DOT {
format = suffix
delimiter = .
ignore_default = no
ignore_null = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
detailfile =
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = /etc/freeradius/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 55334, id=0,
length=144
User-Name = wied...@edcllc.net
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x02170177696564656d6a406564636c6c632e6e6574
Message-Authenticator = 0x775abc55737e6cea952a10e9328c70d1
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log]  expand: %t - Wed Nov  4 12:05:43 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[DOT] Looking up realm net for User-Name = wied...@edcllc.net
[DOT] No such realm net
++[DOT] returns noop
[suffix] Looking up realm edcllc.net for User-Name =
wied...@edcllc.net
[suffix] No such realm edcllc.net
++[suffix] returns noop
[eap] EAP packet type response id 0 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry wied...@edcllc.net at line 63
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 55334
EAP-Message = 0x010100160410188a0c3e8d6cc7af9b6d4b283464185d
Message-Authenticator = 0x
State = 0x1fbca39a1fbda7840b404aff3aa5dd7e
Finished request 0.
Going to the next request
Waking up in 4.9

Re: AW: EAP/TLS authentication timeout

2009-11-04 Thread Alan DeKok
Wiedemann, Joerg wrote:
 I got a little further in using eapol_test. Now the radius server
 reports the following.

  There is a lot... but reading it for error and failure doesn't
hurt, either.
...
 [tls]  TLS 1.0 Handshake [length 0382], Certificate  
 -- verify error:num=20:unable to get local issuer certificate 
 [tls]  TLS 1.0 Alert [length 0002], fatal unknown_ca  
 TLS Alert write:fatal:unknown CA 
 TLS_accept:error in SSLv3 read client certificate B 
 rlm_eap: SSL error error:140890B2:SSL
 routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
 SSL: SSL_read failed in a system call (-1), TLS session fails.
 TLS receive handshake failed during operation
 [tls] eaptls_process returned 4 
 [eap] Handler failed in EAP/tls
 [eap] Failed in EAP select
 ++[eap] returns invalid
 Failed to authenticate the user.

  The certs you are using are wrong or non-existent.

  Follow the guide on http://deployingradius.com to get EAP working.
There is also an EAP-TLS howto on freeradius.org, and on the wiki.

  Alan DeKok.


Re: AW: EAP/TLS authentication timeout

2009-11-04 Thread Ivan Kalik
 I got a little further in using eapol_test. Now the radius server
 reports the following.
...
 [tls]  TLS 1.0 Handshake [length 0382], Certificate
 -- verify error:num=20:unable to get local issuer certificate
 [tls]  TLS 1.0 Alert [length 0002], fatal unknown_ca
 TLS Alert write:fatal:unknown CA

And what is unclear about that message?

Ivan Kalik
Kalik Informatika ISP


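The dumps in this thread show the Access-Request/Access-Challenge round trip between rad_eap_test and the server, with the EAP conversation carried inside EAP-Message and each packet protected by Message-Authenticator. The following is an added example, not code from the thread, from FreeRADIUS or from eapol_test: the shared secret testing123 is the -S value from the rad_eap_test command, while the request authenticator, the identity and the NAS address are constructed. It builds such a request, checks Message-Authenticator the way a RADIUS server must before it trusts the EAP payload (RFC 2869 section 5.14, RFC 3579 section 3.2), and decodes the EAP header. The same decoding applied to the dump above reads the client's EAP-Message as a Response/Identity and the server's reply (0x01010016 04 ...) as a Request of type 4, MD5-Challenge, which matches the "rlm_eap_md5: Issuing Challenge" line.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865, RFC 2869, RFC 3579)
ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS"}


def encode_attr(attr_type, value):
    """One RADIUS TLV: type (1 byte), length including the 2-byte header, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one TLV")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(packet):
    """Return [(type, value), ...] from a RADIUS packet, checking every TLV against the length field."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_packet(code, identifier, authenticator, attrs, secret):
    """Assemble a packet and fill in Message-Authenticator = HMAC-MD5(secret, packet),
    computed with the attribute's 16 value bytes set to zero (RFC 2869 section 5.14)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last attribute, so its value is the last 16 bytes


def verify_message_authenticator(packet, secret):
    """True only if a Message-Authenticator is present and matches the secret.
    Per RFC 3579 section 3.2 a server silently discards an Access-Request that carries
    EAP-Message with a missing or invalid Message-Authenticator, so absence is a failure."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False


def parse_eap(eap_message):
    """Decode the EAP header carried in EAP-Message: code, id, type and type-data."""
    code, ident, length = struct.unpack("!BBH", eap_message[:4])
    if length < 4 or length > len(eap_message):
        raise ValueError("bad EAP length")
    eap_type = eap_message[4] if length > 4 else None
    return {
        "code": EAP_CODES.get(code, code),
        "id": ident,
        "type": EAP_TYPES.get(eap_type, eap_type),
        "data": eap_message[5:length] if eap_type is not None else b"",
    }


SECRET = b"testing123"                 # the -S value from the rad_eap_test command in the thread
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS sends 16 random bytes


def sample_access_request():
    """Constructed Access-Request carrying an EAP Response/Identity, as the first dump does."""
    identity = b"user@example.org"  # constructed identity, not the poster's
    eap = struct.pack("!BBHB", 2, 0, 5 + len(identity), 1) + identity  # code 2, id 0, type 1
    return build_packet(ACCESS_REQUEST, 0, REQUEST_AUTHENTICATOR, [
        (ATTR_USER_NAME, identity),
        (ATTR_NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),
        (ATTR_EAP_MESSAGE, eap),
    ], SECRET)


def check(packet, secret=SECRET):
    """Server-side order of operations: authenticate the packet first, parse EAP only afterwards.
    Returns the decoded EAP header, or None when the packet must be discarded."""
    if not verify_message_authenticator(packet, secret):
        return None
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_EAP_MESSAGE:
            return parse_eap(value)
    return None


if __name__ == "__main__":
    pkt = sample_access_request()
    print(check(pkt))
    tampered = pkt[:22] + b"X" + pkt[23:]  # flip the first byte of User-Name
    print(check(tampered))  # None: discarded
```

A request that fails this check from a client address the server knows is most often a shared-secret mismatch between the NAS entry in clients.conf and the client, which FreeRADIUS reports in debug mode; one from an unknown address should simply be dropped, since answering would confirm the port is live.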

Re: Clean script session in raddact

2009-11-04 Thread Michel Bulgado
On Wed, 2009-11-04 at 10:40 +, Ivan Kalik wrote:
  Need to know if there's a script that allows users to clean their
  session has been connected by a long period in the table raddact.
 
 DELETE FROM radacct WHERE AcctStartTime whatever
 
 Why would you allow users to do anything with their accounting records?
 
 Ivan Kalik
 Kalik Informatika ISP

Hello Ivan 

I solved the problem, thanks. But now another problem has presented
itself: I want to add another server as a secondary freeradius if the first
fails or becomes unavailable for any reason.

Both servers are running well, but I would like to keep the same records in
both databases, so that when a user is authenticated on my primary server
the same record is added in both databases, and the same goes for when
authenticating against the secondary server.

But what happens when the first server is not available on the network and
such records cannot be stored in the DB?

Is there a way to replicate it when it becomes available again, or does it
lose this entry?

Is there any way to do this?

Thanks 
Michel



Re: Unexpected Exiting normally 2.1.8?

2009-11-04 Thread Alexander Clouter
Craig Campbell cr...@ccraft.ca wrote:
 
 I'm running an unreleased 'development? version of freeradius (2.1.8?).

Me too, I get exactly what you are getting.  If you are always 
fiddling with FreeRADIUS I recommend you always run it in gdb as then 
you can get things fixed easily.

I usually build FreeRADIUS (under Debian stable) with:

git clone http://git.freeradius.org/freeradius-server.git
cd freeradius-server
git checkout release_2_1_7
git checkout -b soas

git cherry-pick c7a9d2aa1b3fa91591ce95f19aa5ba42c102f4f7
git cherry-pick fbdc02ad699b9bc4d410daaa54f76df7141d2f64
git cherry-pick fa0e98d1056e22fa413078dbd8c3fe0d85532826
git cherry-pick 92ab5fef40320d1dbc3fe59db82cb20a3ec69249
git cherry-pick 4ca219b1f1ab68fc8434072e51a8e4b95cf37c16
git cherry-pick 52880d0020b7b900ae8383b142b08e4e11cde639
git cherry-pick 137e3759b2ffc0c4f99064dadbd7461d3e86ae2a
git cherry-pick 9491d6eb7b963532855ccc8a63a523a2a1e3af2b
git cherry-pick 4baebf8202d7db372a9ad2ce5026ec6c986f0de7
git cherry-pick 382b6c2223ba1a233ca9f4d248beb888a0123f3e
git cherry-pick 751e9a39b2221a2623001a4611021a8e01cf4375
git cherry-pick 1013e94b66064f24170e394e63ba4f093c141d74
git cherry-pick 1628ef2387d9f7a89b3c2ff8945f49777eb135f1
git cherry-pick 83c2cd412b1208e67381372baa73c779cd2848f6
git cherry-pick f6e2dba8a7e4dd31d36d5b8ee434d21600e3f99f
git cherry-pick 64700e41098a874581d683c8606c94f9ad23079d
git cherry-pick e69be18535bd8b9a2cfb50a9df7cb44e3129ab4c
git cherry-pick 9261f3e0026323b2c397af13d02fbc5780908143

DEB_BUILD_OPTIONS='debug nostrip noopt' CFLAGS='-DIE_LIBTOOL_DIE' debuild -us -b



It's when I add (I am pretty sure it's in the first 8 or so 
patches) the following that I get the same problem with FreeRADIUS:

git cherry-pick 12ead56dffca9b3ecddc8a7860a1ef5b5361b374
git cherry-pick d711a368ebf0e057e54596d22584ca2ce37e209c
git cherry-pick 057c7ac764a4639f715edcbde7dc22491b79be62
git cherry-pick a4202aeb848174ed430fd29573e3dd2db78ae2a1
git cherry-pick a92700b3fb88239ccb0db9f5ece68dd430937df3
git cherry-pick b1e815d0b4bec01f9721d4b92786960b2218f149
git cherry-pick 30adbf8230730a7503f5e3654df90c5c2a38a8ed
git cherry-pick f2d96581f98990d24991c99a681d018a3df85e92
git cherry-pick 5aa01c58d91063b5bbbf5aef941137d7cf638bbe
git cherry-pick 9b70af0c517daad7d374f4cc948488429d3a9cc0
git cherry-pick 98b22609015439b16cc62cf45e4472a14377da2a
git cherry-pick 092f0ea30cdfc2d669afe47061fafb9407269641
git cherry-pick b853a84e6c4ccd5d9e2c4ad9da2c421a234e887f
git cherry-pick d9dd62aae7baa5346f19236cead4414c03546d45
git cherry-pick 1700127c8a7150f57056495a2980fd132dafdb92
git cherry-pick 9dbc8974fdd2300a70293eda9c62bce20a3c9165


I guess at this point I am going to be told to be a good boy and run off 
and use git bisect? :)

Looking through the patches normally I cannot see what could have caused 
the graceful exit...which is exactly what I am getting:

garibaldi:/usr/src# gdb freeradius
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type show 
copying
and show warranty for details.
This GDB was configured as x86_64-linux-gnu...
(gdb) run -f
Starting program: /usr/sbin/freeradius -f
[Thread debugging using libthread_db enabled]
[New Thread 0x7f9ba2eeaae0 (LWP 14420)]
[New Thread 0x41313950 (LWP 14423)]
[New Thread 0x4271a950 (LWP 14424)]
[New Thread 0x42f1b950 (LWP 14425)]
[New Thread 0x4371c950 (LWP 14426)]
[New Thread 0x43f1d950 (LWP 14427)]

Program received signal SIGTERM, Terminated.
[Switching to Thread 0x7f9ba2eeaae0 (LWP 14420)]
0x7f9ba171e1c7 in kill () from /lib/libc.so.6
(gdb) bt full
#0  0x7f9ba171e1c7 in kill () from /lib/libc.so.6
No symbol table info available.
#1  0x004228d9 in main (argc=2, argv=0x7fffaaef61c8) at radiusd.c:419
rcode = 0
argval = -1
spawn_flag = 1
dont_fork = 1
flag = 0
act = {__sigaction_handler = {sa_handler = 0x422ab0 sig_fatal, 
sa_sigaction = 0x422ab0 sig_fatal}, sa_mask = {__val = {0 repeats 16 
times}}, sa_flags = 0,   sa_restorer = 0}
(gdb) where
#0  0x7f9ba171e1c7 in kill () from /lib/libc.so.6
#1  0x004228d9 in main (argc=2, argv=0x7fffaaef61c8) at radiusd.c:419
(gdb) 

(gdb) run -f
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/sbin/freeradius -f
[Thread debugging using libthread_db enabled]
[New Thread 0x7f0874b2bae0 (LWP 14731)]
[New Thread 0x40d60950 (LWP 14732)]
[New Thread 0x41561950 (LWP 14733)]
[New Thread 0x41d62950 (LWP 14734)]
[New Thread 0x42563950 (LWP 14735)]
[New Thread 0x42d64950 (LWP 14736)]

Program received signal SIGTERM, Terminated.
[Switching to Thread 0x7f0874b2bae0 (LWP 14731)]
0x7f087335f1c7 in kill () from /lib/libc.so.6
(gdb) bt full
#0  0x7f087335f1c7 in kill () from /lib/libc.so.6
No symbol table info 

Design question considering 802.1x + edirectory + Active Directory

2009-11-04 Thread Ric2009

Hello,

I would like to know if anyone could help me with the design of this
implementation :

Requirements : 

- 802.1x Authentication for wired and wireless clients ( Windows XP with
Novell Client )
- Single sign on login to Novell eDirectory and Active Directory 
- Radius Authentication should run over FreeRadius or IAS but not both, if
it's possible.
- High Availability is required for Radius service
- Virtualization of the Radius servers is recommended


Questions : 

- I have been looking at multi-platform 802.1x clients like Juniper Networks
Odyssey Access Client ( OAC ) for multi-platform 802.1x login. But I don't
know if it's possible to do the same without it. 

- Is there any downloadable Freeradius + LDAP virtual machine for testing ??


Thanks a lot !

Ric2009


RE: VSA extension

2009-11-04 Thread Larry Ross
D'Oh!

Did the trick, totally missed that small step

Thank you for your assistance

Larry

From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org 
[mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On 
Behalf Of Peter Lambrechtsen
Sent: Monday, November 02, 2009 5:10 PM
To: FreeRadius users mailing list
Subject: Re: VSA extension

On Tue, Nov 3, 2009 at 12:42 PM, Larry Ross lfr...@ucdavis.edu wrote:
Hello All;
I am trying to add a new vendor to the dictionary directory.  I created the 
file in /usr/local/share/freeradius/dictionary.procera contents below.  The 
vendor in question provided their Vendor ID

Did you also add the include into the /usr/local/share/freeradius/dictionary 
file???

ie

echo '$INCLUDE dictionary.procera' >> /usr/local/share/freeradius/dictionary

??

Then tried again.

Re: Unexpected Exiting normally 2.1.8?

2009-11-04 Thread Craig Campbell
   dont_fork = 1
   flag = 0
   act = {__sigaction_handler = {sa_handler = 0x422ab0 sig_fatal, 
sa_sigaction = 0x422ab0 sig_fatal}, sa_mask = {__val = {0 repeats 16 
times}}, sa_flags = 0,   sa_restorer = 0}

(gdb) where
#0  0x7f9ba171e1c7 in kill () from /lib/libc.so.6
#1  0x004228d9 in main (argc=2, argv=0x7fffaaef61c8) at 
radiusd.c:419

(gdb)

(gdb) run -f
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/sbin/freeradius -f
[Thread debugging using libthread_db enabled]
[New Thread 0x7f0874b2bae0 (LWP 14731)]
[New Thread 0x40d60950 (LWP 14732)]
[New Thread 0x41561950 (LWP 14733)]
[New Thread 0x41d62950 (LWP 14734)]
[New Thread 0x42563950 (LWP 14735)]
[New Thread 0x42d64950 (LWP 14736)]

Program received signal SIGTERM, Terminated.
[Switching to Thread 0x7f0874b2bae0 (LWP 14731)]
0x7f087335f1c7 in kill () from /lib/libc.so.6
(gdb) bt full
#0  0x7f087335f1c7 in kill () from /lib/libc.so.6
No symbol table info available.
#1  0x004228d9 in main (argc=2, argv=0x7fff7cb36e08) at
radiusd.c:419
   rcode = 0
   argval = -1
   spawn_flag = 1
   dont_fork = 1
   flag = 0
   act = {__sigaction_handler = {sa_handler = 0x422ab0 sig_fatal, 
sa_sigaction = 0x422ab0 sig_fatal}, sa_mask = {__val = {0 repeats 16 
times}}, sa_flags = 0,   sa_restorer = 0}

(gdb) where
#0  0x7f087335f1c7 in kill () from /lib/libc.so.6
#1  0x004228d9 in main (argc=2, argv=0x7fff7cb36e08) at 
radiusd.c:419



Happens about twice a day...completely unrelated to the load on the
server.  Quick 'fix' is to back up to commit
9261f3e0026323b2c397af13d02fbc5780908143.

Cheers

--
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.

-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




Re: Unexpected Exiting normally 2.1.8?

2009-11-04 Thread Alan DeKok
Alexander Clouter wrote:
 It's when I add (I am pretty sure it's the in the first 8 or so 
 patches) the following I get the same problem with FreeRADIUS:
...
 I guess at this point I am going to be told to be a good boy and run off 
 and use git bisect? :)

 Pretty much, sorry.

 Looking through the patches normally I cannot see what could have caused 
 the graceful exit...which is exactly what I am getting:
...
 #1  0x004228d9 in main (argc=2, argv=0x7fffaaef61c8) at radiusd.c:419

  That just means that the main event loop exited, and the server is
telling all child threads to stop.

  It looks like the server received a TERM, QUIT, or INT signal.  Why, I
don't know.

  But yes, git bisect would be tremendously useful.  I'm traveling for
the next week, so I'll have limited time to look at it myself.

  Alan DeKok.


Re: Unexpected Exiting normally 2.1.8?

2009-11-04 Thread Alexander Clouter
Craig Campbell cr...@ccraft.ca wrote:
 
  Thanks for the update - I was concluding I'd have to wait for the release 
 of 2.1.8 to pursue this.  I am currently in a situation where I can help 
 debug 2.1.8, since the 'new' systems aren't yet in production.
 
Well I can see no reason not to run FreeRADIUS in a debugger all the 
time, even when in production.  However my nickname is Rambo Clouter 
so maybe you do not want to follow my advice. :)

When you compile FreeRADIUS you simply make sure you leave 
debugging symbols in and turn off compiler optimisations (so your CFLAGS 
should be '-O0 -g').  You probably can do this by running configure as 
follows:

CFLAGS='-O0 -g' ./configure --all-your-usual-options-that-you-want


 Looking at your debug output (and I am in no way an expert at that) it seems 
 as though the process received a signal?

Well FreeRADIUS is sending it to herself according to gdb:
 src/main/radiusd.c line 419 
/*
 *  Send a TERM signal to all
 *  associated processes
 *  (including us, which gets
 *  ignored.)
 */
#ifndef __MINGW32__
if (spawn_flag) kill(-radius_pid, SIGTERM);
#endif  


For whatever reason, it is not getting ignored.  At first I thought it 
was because I run my FreeRADIUS (even in production) in gdb, but as you 
do not I am wondering what is actually going on.

To run it in the debugger just run 'gdb freeradius' and you will get the 
gdb prompt.  There you want to type 'run -f' and wait for it to puke.  
When it does you could type 'where' for it to tell you what happened, 
but we know what is happening, we want to find which patch is doing it 
:)  Oh, familiarise yourself with screen[2] if you do not know it already, 
you should run the debugger in a screen'd session so you can return to 
it later without having to remain logged in.

 I am running a 'custom' module (event.c as I recall) from Alan that resolves 
 an issue with hung children (very exciting!), and I followed Alan's 
 instructions to get to this point.  I would really like to try to 'give 
 back' if I can and assist in identifying the cause of the program exiting 
 (assuming it is a new and as of yet unidentified bug).
 
 Would copying the steps you have below on my two redhat systems be a good 
 way to proceed?
 
Pretty much follow:

http://www.reactivated.net/weblog/archives/2006/01/using-git-bisect-to-find-buggy-kernel-patches/

I had been running with the cherry-pick'ed patches for weeks and had no 
problems up to 9261f3e0026323b2c397af13d02fbc5780908143, so I am certain 
that the issue is the result of the patches between 
12ead56dffca9b3ecddc8a7860a1ef5b5361b374 and 
9dbc8974fdd2300a70293eda9c62bce20a3c9165.  The problem is you *have* to 
apply my listed cherry-picks, as if you add *any* of the TCP related 
code Alan has been working on, it all stops compiling[1]

Cheers

[1] I am pretty sure Alan has stashed a number of patches that he has 
not put into the publicly available GIT trees as things like 
the jumbo socket clean up patch 
(e04b62f1bd257489bd92ccc584b0886c7e2011e8) refer to 
my_ipaddr/my_port which is not in any header files I have or 
found in 'master'
[2] http://blogamundo.net/code/screen/
-- 
Alexander Clouter
.sigmonster says: Simplicity does not precede complexity, but follows it.



Re: Unexpected Exiting normally 2.1.8?

2009-11-04 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 Alexander Clouter wrote:
 It's when I add (I am pretty sure it's the in the first 8 or so 
 patches) the following I get the same problem with FreeRADIUS:
 ...
 I guess at this point I am going to be told to be a good boy and run off 
 and use git bisect? :)
 
 Pretty much, sorry.

It really is bug week for me.  Cisco (x4), FreeRADIUS (x1), Linux (x2), 
etc etc.

Say, I do the git bisect, you will let my ldap xlat dn patch[1] go in, 
I have been patient and waited two years? :)
 
 Looking through the patches normally I cannot see what could have caused 
 the graceful exit...which is exactly what I am getting:
 ...
 #1  0x004228d9 in main (argc=2, argv=0x7fffaaef61c8) at radiusd.c:419
 
  That just means that the main event loop exited, and the server is
 telling all child threads to stop.
 
  It looks like the server received a TERM, QUIT, or INT signal.  Why, I
 don't know.

Yep, that was my take too.  As far as I can tell it just decided to 
gracefully close down which is why when I nosey through the applied 
patches I was hunting for a change in logic flow or something.

  But yes, git bisect would be tremendously useful.  I'm traveling for
 the next week, so I'll have limited time to look at it myself.
 
Sure thing.  I'll try to find the time tomorrow, however it could take 
a week or so to pin down as I'll need to run for two days to be sure it 
is 'okay'.

Cheers

[1] http://stuff.digriz.org.uk/0001-support-to-get-DN-in-ldap_xlat.patch

-- 
Alexander Clouter
.sigmonster says: Be careful!  Is it classified?



Re: regex 'fun'

2009-11-04 Thread Alan Buxey
Hi,

 So, 'eduroam-ca.der' can be a *group* of Root CA's I hope and there is a 

with a decent system you can just point the CA part to a directory
or listing of CAs for it to check. simple extensions can prove 'club'
membership for whatever purpose/resource you are happy with

 Kinda my point is there is no reason why the bar could not be lowered 
 further.  The DNS idea was a hare-brained idea of mine and I think it is 
 crazy enough to work...plus it is using the *existing* infrastructure; 

I don't think you can claim credit - many of us have had similar ideas
and some even went to write things up:

http://www.ietf.org/id/draft-ietf-radext-dynamic-discovery-01.txt

 Bah, to hell with you all ;)

at maximum cruising speed please! :-I


alan


Re: Unexpected Exiting normally 2.1.8?

2009-11-04 Thread Alan DeKok
Alexander Clouter wrote:
  The problem is you *have* to 
 apply my listed cherry-picks, as if you add *any* of the TCP related 
 code Alan has been working on, it all stops compiling[1]

  *Please* use the git stable branch.  The master branch has a whole
whack of other changes in it which may or may not get into a stable release.

  Much of the work in stable has been merged into master.  But...
the TCP work hasn't.  This is because the re-work in master that moves
sockets into loadable modules conflicts with the TCP changes.

  I haven't had the time to go integrate the changes.  And since the
stable branch works, it's a low priority.

  Alan DeKok.