RE: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread freeradius
Hi Alan,

Thanks heaps for your reply! :-)

>> So my basic question is:  Does authorize_check_query complete fully
>> before starting the call to authorize_reply_query?
>
>   To re-phrase your question:
>
> Q: What work does the database perform after it's returned an answer
> from a SELECT?
>
> A: Nothing.

That is true for a select statement, but my authorize_check_query is /not/ a
simple select.

It is this:

authorize_check_query = select id, username, attribute, value, op \
    from auth('%{SQL-User-Name}', '%{NAS-IP-Address}') \
    as (id integer, username varchar, attribute varchar, value varchar, op varchar)

the 'auth()' function is a plpgsql function that does a variety of lookups
and other checks, and then depending on the results returned from that
query, it *might* update database records, or it might insert additional
data.

Therefore, it is important to know whether authorize_check_query and
authorize_reply_query execute synchronously or not.

>> If they happen at the same time, then I expect that 'authorize_reply_query'
>> may execute before I get a chance to create the relevant records for the
>> 'guest' user...
>>
>> I know I can just go ahead and find out my answer by 'empirical method', but
>> I figure that just because it seems to work every time, there is no definite
>> guarantee that it will work *every* time unless I can be certain that these
>> functions execute in sequence :-}
>
>   Databases ensure transactional consistency.  This is the job of a
> database.

Yes, very true - so it is conceivably possible that authorize_reply_query is
completed before my authorize_check_query has updated or inserted records.

I'm sure that there is a definitive answer to this question ("Does freeradius
wait for the result of auth-check before running auth-reply?") and I am aware
that it may not be the answer that I'd hope to hear ;-)  but I'd still like
to know it, nonetheless :-D

Thanks - I really do appreciate any comments!

Regards,  Mike.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread Padam J Singh
Hi Mike,

I use a similar setup (PG Functions for auth/acct) and I never had an
issue with the query ordering.

Padam


question about scalability

2009-11-23 Thread Divya Shah
How many radius accounting requests per second can free radius support?

I am using openser-1.1.1-1.1 .

I have tested up to around 400. But need it to support more than 600
requests per sec.

Please let me know the max rate it can support or if it has any
dependency on the hardware.

Thanks,

Regards,

Divya Shah

QA | GlobalLogic India.
B-34/1, Sector-59, Noida
Office Phone: +91.120.406.2000 - 3145
www.globallogic.com


Re: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread Alan DeKok
freerad...@duxtel.com wrote:
> That is true for a select statement, but my authorize_check_query is /not/ a
> simple select.

  sigh  Do you understand how databases work?

> the 'auth()' function is a plpgsql function that does a variety of lookups
> and other checks, and then depending on the results returned from that
> query, it *might* update database records, or it might insert additional
> data.

  Does the pgsql function do things AFTER it returns?

  No - there is no problem

  Yes - your database is irrevocably broken

>>   Databases ensure transactional consistency.  This is the job of a
>> database.
>
> Yes, very true - so it is conceivably possible that authorize_reply_query is
> completed before my authorize_check_query has updated or inserted records.

  I have *no idea* how you concluded that when I said the exact opposite.

> I'm sure that there is a definitive answer to this question ("Does freeradius
> wait for the result of auth-check before running auth-reply?") and I am aware
> that it may not be the answer that I'd hope to hear ;-)  but I'd still like
> to know it, nonetheless :-D

  Could you explain why my previous answer is incomprehensible to you?

  Alan DeKok.


max accounting requests per second

2009-11-23 Thread Divya Shah
How many radius accounting requests per second can free radius support?

I am using freeradius-1.0.4-4.2

I have tested up to around 400. But need it to support more than 600
requests per sec.

Please let me know the max rate it can support or if it has any
dependency on the hardware.

Thanks,

Regards,

Divya Shah

QA | GlobalLogic India.
B-34/1, Sector-59, Noida
Office Phone: +91.120.406.2000 - 3145
www.globallogic.com


Re: max accounting requests per second

2009-11-23 Thread Alan DeKok
Divya Shah wrote:
> How many radius accounting requests per second can free radius support?

  How fast is your database?

> I am using freeradius-1.0.4-4.2

  Upgrade.

  Alan DeKok.


RE: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread freeradius
G'day!

>   sigh  Do you understand how databases work?

Heheh - uh, yes: I understand how a database works!

>   Does the pgsql function do things AFTER it returns?

duh Of course not!

>   I have *no idea* how you concluded that when I said the exact opposite.

H, I read your last reply again with hindsight gained from this new
response, and I still can't interpret that comment as a definitive answer to
the question.

>   Could you explain why my previous answer is incomprehensible to you?

I am wondering if this is a genuine question, or if there is some sarcastic
or condescending undertone - but when I look at my last reply to you, I
realise that those comments could be taken that way too!  And since no such
thing were intended, I'll respond anyway (whether you are interested or not!
;-)

Perhaps I am missing some significant detail that is obvious to you...(?)  I
am coming to this discussion with the assumption that the two queries we are
talking about might be executed synchronously by freeradius:  as in both
functions are called at the same time, and the radius reply packet is
constructed from the joint results of both.

Perhaps this is just a plain dumb idea, but that has been my thinking :-}

I've done a bit (NOT a lot!) of C++ coding in the past, and I'm thinking of
synchronous (vs asynchronous) functions that can be called essentially
simultaneously by the core process, and then retrieved a few cycles later
when the results of those functions have become available.

If that were the case for freeradius db queries, then it is conceivable that
the radius reply query could complete before the auth function had finished
doing its job.

In fact the way I see it, and the way I have the database queries working at
the moment, /if/ the radius reply were executed BEFORE the radius auth were
called, the system would probably work just the same and with no noticeable
effect on functionality!

But all that aside, I now understand (although you have not actually *said*
it ;-) that if radius_auth_query makes updates to the database,
radius_reply_query result will ALWAYS reflect up those changes - and that is
all that I need to know!

So thanks indeed! :-)

Much appreciated (truly - no sarcasm intended! :-)

Cheers,  Mike.






RE: Combine Proxy Answer with Local Information

2009-11-23 Thread Dan Fisher | Fluidata
Hi,

 

 

>> My problem is that the response I send to our LAC has to contain extra
>> information depending on the domain. Is it possible to query a local
>> mysql database for this extra information (these are cisco av pairs
>> needed to establish the tunnels between the LAC and LNS)
>
> Yes. See man unlang.
>
>> and add it into the Access-Accept message that is returned to the LAC
>> from the radius?
>
> Use unlang in post-proxy.
>
> Ivan Kalik

 

Thanks for the guidance Ivan, it's given me a good starting point. I have
managed to get new information into my accept requests by hard coding
update reply sections in the unlang code (example below):

update reply {
   Tunnel-Client-Auth-ID = fluidata
}

 

 

However I am having real problems getting the mysql part working. I have
tried using examples other people are using that work and they either
just get treated as a string or the server won't even run in debug mode.
I don't appear to be able to use the sql module itself as I get an error
saying it's not supported in the post-proxy configuration section. Can
anyone suggest where I might be going wrong with this? Inside the
post-proxy section I have:

 

Where %{2} is the result of a regular expression to split a full
username so I just have the domain to use later on.

 

if ( %{sql: SELECT Attribute from radreply where username ='%{2}' and attribute='Tunnel-Password'} ) {
    ok
}

 

I have tried this with and without the 

Output looks like:

 

WARNING: Unknown module sql in string expansion %{sql: SELECT
Attribute from radreply where Username ='burst.net' and
Attribute='Tunnel-Password'}
expand: %{sql: SELECT Attribute from radreply where Username
='burst.net' and Attribute='Tunnel-Password'} -
? Evaluating (%{sql: SELECT Attribute from radreply where Username
='burst.net' and Attribute='Tunnel-Password'} ) - FALSE
++? if (%{sql: SELECT Attribute from radreply where Username
='burst.net' and Attribute='Tunnel-Password'} ) - FALSE

/etc/raddb/sites-enabled/default[562]: SQL modules aren't allowed in
'post-proxy' sections -- they have no such method.
/etc/raddb/sites-enabled/default[512]: Errors parsing post-proxy
section.

 

If anyone has any thoughts on this or whether I can obtain the same
information another way that would be much appreciated. I will be having
potentially hundreds of different realms going through this freeradius
instance and I need to add this information for each one

Dan Fisher


RE: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread freeradius
Thanks Padam!  That's just what I was hoping to hear :-)

Regards,  Mike.
 

Re: Unexpected Exiting normally 2.1.8?

2009-11-23 Thread Craig Campbell
Thanks Alan,
I re-acquired the source, but there seems to be a (minor I think) error.

$git clone git://git.freeradius.org/freeradius-server.git
$cd freeradius-server
$git fetch origin stable:stable
$git pull
$make clean
$CFLAGS='-O0 -g' ./configure 
$make
snip
  Making all in frs_acct...
  gmake[6]: Entering directory 
`/home/craig/src/freeradius/freeradius-server/src/modules/frs_acct'
  /bin/sh /home/craig/src/freeradius/freeradius-server/libtool --mode=compile 
gcc  -O0 -g -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g 
-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/home/craig/src/freeradius/freeradius-server/src 
-I/home/craig/src/freeradius/freeradius-server/libltdl  -c frs_acct.c
  libtool: compile:  gcc -O0 -g -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall 
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/home/craig/src/freeradius/freeradius-server/src 
-I/home/craig/src/freeradius/freeradius-server/libltdl -c frs_acct.c  -fPIC 
-DPIC -o .libs/frs_acct.o
  In file included from 
/home/craig/src/freeradius/freeradius-server/src/freeradius-devel/radiusd.h:107,
   from frs_acct.c:29:
  
/home/craig/src/freeradius/freeradius-server/src/freeradius-devel/smodule.h:144:
 error: expected specifier-qualifier-list before 'RADCLIENT'
  gmake[6]: *** [frs_acct.lo] Error 1
  gmake[6]: Leaving directory 
`/home/craig/src/freeradius/freeradius-server/src/modules/frs_acct'
  gmake[5]: *** [common] Error 2
As soon as I can build a version, I'll test again to ensure we got the bug we 
were seeking.

Thanks,
-craig


- Original Message - 
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, November 22, 2009 3:14 AM
Subject: Re: Unexpected Exiting normally 2.1.8?


> Craig Campbell wrote:
>> Once you have another version (reverted), I can test again...
>>
>> I am really unfamiliar with git, so I may need a hint as to getting the
>> correct version for testing.
>
>   I've reverted the problem commit.  It doesn't fix the PostgreSQL
> issue, and it causes other problems.
>
>   The fix is now in the stable branch.
>
>   Alan DeKok.




Re: question about scalability

2009-11-23 Thread Michael Schwartzkopff
Hi,

have you read
http://freeradius.org/features/fast.html

400 req/sec seems to be very low. I think you have a large potential for 
optimization in your setup.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: Unexpected Exiting normally 2.1.8?

2009-11-23 Thread Alan DeKok
Craig Campbell wrote:
> Thanks Alan,
> I re-acquired the source, but there seems to be a (minor I think)
> error.
>
>   $git clone git://git.freeradius.org/freeradius-server.git
>   $cd freeradius-server
>   $git fetch origin stable:stable
>   $git pull

  No.  See http://git.freeradius.org for the exact commands.

$ git checkout stable

  Alan DeKok.


Re: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread Alan DeKok
freerad...@duxtel.com wrote:
>>   sigh  Do you understand how databases work?
>
> Heheh - uh, yes: I understand how a database works!

  Then there is no issue.

> Perhaps I am missing some significant detail that is obvious to you...(?)  I
> am coming to this discussion with the assumption that the two queries we are
> talking about might be executed synchronously by freeradius:  as in both
> functions are called at the same time, and the radius reply packet is
> constructed from the joint results of both.
>
> Perhaps this is just a plain dumb idea, but that has been my thinking :-}

  No.  Try running the server in debugging mode.  It runs the queries
SEQUENTIALLY.  Read doc/rlm_sql.  This is documented.

  It runs the reply query ONLY if the results of the check query say
that the reply query should be run.  This is documented.

> I've done a bit (NOT a lot!) of C++ coding in the past, and I'm thinking of
> synchronous (vs asynchronous) functions that can be called essentially
> simultaneously by the core process, and then retrieved a few cycles later
> when the results of those functions have become available.
>
> If that were the case for freeradius db queries, then it is conceivable that
> the radius reply query could complete before the auth function had finished
> doing its job.

  I understand.  As I have been trying to say, this is NOT how
FreeRADIUS works.  It is NOT how most applications use SQL, either.

> In fact the way I see it, and the way I have the database queries working at
> the moment, /if/ the radius reply were executed BEFORE the radius auth were
> called, the system would probably work just the same and with no noticeable
> effect on functionality!

  Nonsense.  It would behave *completely* differently.  See the
documentation.

  Alan DeKok.




No NAS-PORT seen

2009-11-23 Thread Peter Carlstedt

Hello everyone!

After some work now I have successfully got MySQL to work towards the Freeradius
server or at least I think it does.

But hurm.. I've added a user by adding a user in radcheck, I've written

insert into radcheck (id, username, attribute, op, value) VALUES (null, 'test-user',
'Cleartext-Password', ':=', 'test-pass');

and then I've written select * from radcheck; which shows the new user.

Well all of that works but from that point and forward it doesn't, I can't get my
new user to authenticate towards the radius server and I get from attr_filter
that the request matched entry DEFAULT at line 11, which sends a reject message
if I have understood it correctly. Also I've commented out that the radius
server should use the users file to do checks against when someone tries to
authenticate, well that doesn't seem to work because when I try to authenticate
towards the radius server with a user in the users file I succeed while I do
not succeed when I try to authenticate by using the user that I created in the
mysql database.

Have I missed something?

But something I also noticed is that when I authenticate as the user who is in
the users file and have commented out that it should use the users file it gets
a message from rlm_radutmp saying No NAS-Port seen. Cannot do anything.

Have I done something terribly wrong?

I've installed and made my own build of Freeradius 2.1.7 after I installed mysql
client and all those libraries and mysql server. Also I installed OpenSSL
0.9.8l before installation of the Freeradius server.

Since the log is so big from radiusd -X is there any possibility to save it
into a file? And how do I do that?

Best regards/ Peter Carlstedt

  

Re: Unexpected Exiting normally 2.1.8?

2009-11-23 Thread Alexander Clouter
Hi,

Craig Campbell cr...@ccraft.ca wrote:
> I re-acquired the source, but there seems to be a (minor I think) error.
>
> $git clone git://git.freeradius.org/freeradius-server.git
> $cd freeradius-server
> $git fetch origin stable:stable
> $git pull                  <- should be 'git checkout stable'
> $make clean
> $CFLAGS='-O0 -g' ./configure
> $make

Otherwise if I am reading that right you are trying to compile off the 
unstable branch.

Cheers

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #169:
  broadcast packets on wrong frequency



Re: No NAS-PORT seen

2009-11-23 Thread Alan DeKok
Peter Carlstedt wrote:
> Well all of that works but from that point and forward it doesn't, I can't
> get my new user to authenticate towards the radius server and I get from
> attr_filter that the request matched entry DEFAULT at line 11, which
> sends a reject message if I have understood it correctly. Also I've
> commented out that the radius server should use the users file to do
> checks against when someone tries to authenticate, well that doesn't seem
> to work because when I try to authenticate towards the radius server
> with a user in the users file I succeed while I do not succeed when I
> try to authenticate by using the user that I created in the mysql database.
>
> Have I missed something?

  It shouldn't be that hard.  If you change the configuration, re-start
the server.

  And READ the debug output.  There's a lot of text in it, but it
describes which modules it's using, and what it's doing.  The ONLY answer
to configuration problems is in the debug output.

> But something I also noticed is that when I authenticate as the user who
> is in the users file and have commented out that it should use the users
> file it gets a message from rlm_radutmp saying No NAS-Port seen. Cannot
> do anything.

  That only comes from accounting traffic, not from authentication
traffic.  Please do NOT confuse the two.

> I've installed and made my own build of Freeradius 2.1.7 after I
> installed mysql client and all those libraries and mysql server. Also I
> installed OpenSSL 0.9.8l before installation of the Freeradius server.
>
> Since the log is so big from radiusd -X is there any possibility to save
> it into a file? And how do I do that?

$ script radius.log
$ radiusd -X
(run)
$ exit

  And then look at the file radius.log

  Alan DeKok.


Re: Combine Proxy Answer with Local Information

2009-11-23 Thread Alan DeKok
Dan Fisher | Fluidata wrote:
> However I am having real problems getting the mysql part working. I have
> tried using examples other people are using that work and they either
> just get treated as a string or the server won't even run in debug mode.

  If it doesn't run in debugging mode, it prints a *descriptive* error
saying why.

> I don't appear to be able to use the sql module itself as I get an error
> saying it's not supported in the post-proxy configuration section.

  Use sql.authorize, instead of just sql.

> Where %{2} is the result of a regular expression to split a full
> username so I just have the domain to use later on.
>
> if ( %{sql: SELECT Attribute from radreply where username
> ='%{2}' and attribute='Tunnel-Password'} ) {

  What the heck is that supposed to do?

> WARNING: Unknown module sql in string expansion %{sql: SELECT
> Attribute from radreply where Username ='burst.net' and
> Attribute='Tunnel-Password'}

  So... you haven't configured the SQL module.  How is it supposed to do
SQL queries?

> /etc/raddb/sites-enabled/default[562]: SQL modules aren't allowed in
> 'post-proxy' sections -- they have no such method.

  Use sql.authorize.

  And configure the SQL module.

  Alan DeKok.

Update of No NAS-PORT seen

2009-11-23 Thread Peter Carlstedt

Hello again!

I have an update of the problem.

I also got an error which I've had before, then Ivan Kalik I think told me that
I need to enable copy_request_to_tunnel = yes. Well I have that enabled so I
can authenticate by peap. But now I get the same error when I try to
authenticate the user which has been created in the MySQL database. The error I
get is: (only mentioning the mschapv2 and mschap response from the output)

[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test-user with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Also as a side note, the user in the database has a Cleartext-Password :=
test-pass.

I read on the wiki that I should use := and not == to do the check of the
password.

Also I have not set an Auth-Type, I let the server figure it out on its own.

Best regards/ Peter
 

ntlm_auth and AD authentication

2009-11-23 Thread freeradius



freeradius2-2.1.7-2.el5
freeradius2-utils-2.1.7-2.el5
freeradius2-libs-2.1.7-2.el5
CentOS 5.2

I'm trying to get freeradius to authenticate with an AD server, using 
the instructions at 
http://deployingradius.com/documents/configuration/active_directory.html


The initial confirmation of communication with AD is working. The 
instructions then say to try:
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user 
--password=password


to confirm, and it looks like it's working. However, the instructions 
also indicate you should also see the NT_KEY output, which is needed 
in order for FreeRADIUS to perform MS-CHAP authentication.


However, whether I use
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user 
--password=password

or
ntlm_auth --domain=MYDOMAIN --username=user --password=password

the output/response looks the same:
NT_STATUS_OK: Success (0x0)

which leads me to believe that the nt-key isn't being provided? What 
is the nt-key supposed to look like? If it's not showing up 
correctly, any ideas why?


thanks

Rick



Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp




Re: ntlm_auth and AD authentication

2009-11-23 Thread Paul Ryszka

On Mon, 2009-11-23 at 10:24 -0500, freerad...@corwyn.net wrote:

 However, whether I use
 ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user 
 --password=password
 or
 ntlm_auth --domain=MYDOMAIN --username=user --password=password
 
 the output/response looks the same:
 NT_STATUS_OK: Success (0x0)

Hi Rick,
That's ok
I had the same working like a charm






Re: No NAS-PORT seen

2009-11-23 Thread Peter Carlstedt


 --
 
 Message: 2
 Date: Mon, 23 Nov 2009 15:25:32 +0100
 From: Alan DeKok al...@deployingradius.com
 Subject: Re: No NAS-PORT seen
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Message-ID: 4b0a9b5c.6000...@deployingradius.com
 Content-Type: text/plain; charset=ISO-8859-1
 
 Peter Carlstedt wrote:
  Well all of that works but from that point and forward it doesn't, I can't
  get my new user to authenticate towards the radius server and I get from
  attr_filter that the request matched entry DEFAULT at line 11, which
  sends a reject message if I have understood it correctly. Also I've
  commented out that the radius server should use the users file to do
  checks against when someone tries to authenticate, well that doesn't seem
  to work because when I try to authenticate towards the radius server
  with a user in the users file I succeed while I do not succeed when I
  try to authenticate by using the user that I created in the mysql database.
  
  Have I missed something?
 
 It shouldn't be that hard. If you change the configuration, re-start
 the server.

 

I re-start the server all the time when I change the configuration... so that is 
not the case.

I've checked if it works with radtest and it does. So in my mind it feels like 
I've missed something in the PEAP configuration? 


 
 And READ the debug output. There's a lot of text in it, but it
 describes which modules its using, and what it's doing. The ONLY answer
 to configuration problems is in the debug output.
 
  But something I also noticed is that when I authenticate as the user who
  is in the users file and have commented out that it should use the users
  file it gets a message from rlm_radutmp saying "No NAS-Port seen. Cannot
  do anything."
 
 That only comes from accounting traffic, not from authentication
 traffic. Please do NOT confuse the two.
 
  I've installed and made my own build of Freeradius 2.1.7 after I
  installed mysql client and all those libraries and mysql server. Also I
  installed OpenSSL 0.9.8l before installation of the Freeradius server.
  
  Since the log is so big from radiusd -X is there any possibility to save
  it into a file? And how do I do that?
 
 $ script radius.log
 $ radiusd -X 
 (run)
 $ exit
 
 And then look at the file radius.log
 
 Alan DeKok.

 

Ok thanks!

I'll do that.

 

Peter Carlstedt
 
 
 --
 
 
 Message: 4
 Date: Mon, 23 Nov 2009 14:53:42 +
 From: Peter Carlstedt pc_...@hotmail.com
 Subject: Update of No NAS-PORT seen
 To: freeradius-users@lists.freeradius.org
 Message-ID: snt120-w79b8526aa982daa24e059b4...@phx.gbl
 Content-Type: text/plain; charset=iso-8859-1
 
 
 Hello again!
 
 I have an update of the problem.
 
 
 
 I also got an error which I've had before, then Ivan Kalik I think told me 
 that I need to enable copy_request_to_tunnel = yes. Well I have that enabled 
 so I can authenticate by PEAP. But now I get the same error when I try to 
 authenticate the user which has been created in the MySQL database. The error 
 I get is: (only mentioning the mschapv2 & mschap response from the output)
 
 
 
 [mschapv2] +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured. Cannot create LM-Password.
 [mschap] No Cleartext-Password configured. Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for test-user with NT-Password
 [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject
 
 
 
 Also as a side note, the user in the database has a Cleartext-Password := 
 test-pass.
 
 I read on the wiki that I should use := and not == to do the check of the 
 password.
 
 Also I have not set an Auth-Type, I let the server figure it out on its own. 
 
 
 
 Best regards/ Peter
  

  

Re: Update of No NAS-PORT seen

2009-11-23 Thread tnt
 I also got an error which I've had before, then Ivan Kalik I think told me
 that I need to enable copy_request_to_tunnel = yes. Well I have that
 enabled so I can authenticate by PEAP. But now I get the same error when I
 try to authenticate the user which has been created in the MySQL database.
 The error I get is: (only mentioning the mschapv2 & mschap response from
 the output)

Have you enabled sql in inner-tunnel virtual server? If you could be
bothered to post the complete debug we would be able to tell you how to
fix things.

 Also as a side note, the user in the database has a Cleartext-Password :=
 test-pass.

 I read on the wiki that I should use := and not == to do the check of
 the password.

 Also I have not set a AUTH-TYPE, i let the server figure it out on its
 own.

That is all correct.

Ivan Kalik



help: radiusd process quit automatically

2009-11-23 Thread pangjiacai
radiusd process would quit automatically while doing authorization and 
accounting pressure test about 150 times per second, can anyone tell me what the 
problem is?

Re: help: radiusd process quit automatically

2009-11-23 Thread Alan DeKok
pangjiacai wrote:
 radiusd process would quit automatically while doing authorization and
 accounting pressure test about 150 times per second, can anyone tell me
 what the problem is?

  Read doc/bugs

  Alan DeKok.

Re: ntlm_auth and AD authentication

2009-11-23 Thread freeradius

At 10:24 AM 11/23/2009, freerad...@corwyn.net wrote:

to confirm, and it looks like it's working.


Hmm. I have two sets of authentication I care about, VPN Users, and 
Cisco switches. I'd like to be able to control access to each of 
those separately (different AD Security Groups, and different shared keys).


I've found instructions for restricting ntlm_auth to a particular 
security group, by adding --require-membership-of={SID|Name} to the 
ntlm_auth command.


But I can't puzzle out how I'd then have one set of authentication 
for one security group, and one set of authentication for a second 
security group. (Currently any AD user works.)


Am I going to have to do something like create different modules 
(ntlm_auth and ntlm_auth2) radiusd.conf in the module section?


Rick



Stripping Realms from SQL Accounting Queries

2009-11-23 Thread Tim Gustafson
Hi,

I'm using FreeRADIUS with LDAP for authentication and mySQL for logging.  The 
LDAP queries seem to be stripping the realm name properly, whereas the mySQL 
queries are not.  I'm running FreeRADIUS 2.1.6 on FreeBSD:

FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd7.2, built on Nov 10 
2009 at 08:34:04

Here's what I've got in my modules/ldap:

- modules/ldap -
ldap {
  server = foo
  basedn = dc=foo
  identity = uid=foo
  password = foo
  filter = (uid=%{Stripped-User-Name:-%{User-Name}})
  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
  
  tls {
start_tls = yes
  }
  
  access_attr = uid
  dictionary_mapping = ${confdir}/ldap.attrmap
  password_attribute = sambaNTPassword
  edir_account_policy_check = no

  groupname_attribute = cn
  groupmembership_attribute = memberUid
  groupmembership_filter = (memberUid=%{Stripped-User-Name:-%{User-Name}})
}
- modules/ldap -

Here's what I've got in my sql/mysql/wpa.conf file:

- sql/mysql/wpa.conf -
accounting_start_query = insert into RadiusLog (SessionID, UserName, 
WapIpAddress, UserMacAddress, StartTime) value ('%{Acct-Session-Id}', 
'%{Stripped-User-Name:-%{User-Name}}', '%{NAS-IP-Address}', 
'%{Calling-Station-Id}', '%S')

accounting_stop_query = update RadiusLog set EndTime = '%S', BytesIn = 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', BytesOut 
= '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' where 
SessionID = '%{Acct-Session-Id}' and UserName = 
'%{Stripped-User-Name:-%{User-Name}}' and StartTime >= date_sub(now(), interval 
30 day)

accounting_update_query = update RadiusLog set BytesIn = 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', BytesOut 
= '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' where 
SessionID = '%{Acct-Session-Id}' and UserName = 
'%{Stripped-User-Name:-%{User-Name}}' and StartTime >= date_sub(now(), interval 
30 day)
- sql/mysql/wpa.conf -

And here are some sample queries from the SQL trace file:

- /var/log/radacct/radius.sql -
insert into RadiusLog (SessionID, UserName, WapIpAddress, UserMacAddress, 
StartTime) value ('0004F815', 't...@foo', '192.168.32.8', '0024.2b58.2f46', 
'2009-11-23 10:52:58');
update RadiusLog set EndTime = '2009-11-23 10:53:46', BytesIn = '0' << 32 | 
'2487', BytesOut = '0' << 32 | '1356' where SessionID = '0004F815' and UserName 
= 't...@foo' and StartTime >= date_sub(now(), interval 30 day);
- /var/log/radacct/radius.sql -

I tried adding a realm definition in proxy.conf, like this:

- proxy.conf -
realm foo {
 type  = radius
 authhost = LOCAL
 accthost = LOCAL
 strip
}
- proxy.conf -

But that didn't help at all.

I know I must be missing something obvious.  Most of the Google hits on this 
talk about creating realms and stuff, but that hasn't helped me.  Can anyone 
share some wisdom here?

Thanks!

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354


Re: ntlm_auth and AD authentication

2009-11-23 Thread Paul Ryszka
On Mon, 2009-11-23 at 13:35 -0500, freerad...@corwyn.net wrote:
 At 10:24 AM 11/23/2009, freerad...@corwyn.net wrote:
 to confirm, and it looks like it's working.
 
 Hmm. I have two sets of authentication I care about, VPN Users, and 
 Cisco switches. I'd like to be able to control access to each of 
 those separately (different AD Security Groups, and different shared keys).
 
 I've found instructions for restricting ntlm_auth to a particular 
 security group, by adding --require-membership-of={SID|Name} to the 
 ntlm_auth command.
 
 But I can't puzzle out how I'd then have one set of authentication 
 for one security group, and one set of authentication for a second 
 security group. (Currently any AD user works.)
 
 Am I going to have to do something like create different modules 
 (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?
 
 Rick

You need to create two separate entries in modules having two mschap
entries .. sth like :
mschap mschap_group1 {
...
ntlm_auth = your first ntlm_auth command
}
mschap mschap_group2 {
...
ntlm_auth = your second ntlm_auth command
}
and then have the respective mschaps used in the respective virtual
servers for each client.





Re: EAP advanced auth. methods problem

2009-11-23 Thread Tomas Pelka
t...@kalik.net wrote:
 Also tried modify wpa_supplicant conf:

 - ca_cert=ca.pem
 + ca_cert=server.pem

 But with the same result.
 
 Because the path is wrong, ie. certificate is not there. Put the correct
 path to where you have imported the certificate.
 
 Ivan Kalik
 

Sorry, but I'm still more than confused.

Problem is on the server side, isn't it? CA and server certs are now in the
same dir as the whole RADIUS configuration; is it necessary to put certs into a
trusted directory like /etc/ssl/certs?

Thanks for advice.

-- 
Tom



RE: ntlm_auth and AD authentication

2009-11-23 Thread Gary Gatten
I'm sorta struggling with the same thing, a la a single NAS (Cisco
switch) requiring multiple auth types: 1.) VTY / enable access from
NetEng group (in AD), 2.) 802.1X auth for everyone!  Similar with VPN
appliance, VTY's AND IPSec auths.  The request type will differ for each
type of request, so it's simply a matter of uniquely identifying each
type of request and performing the conditional processing.  Easy right?
:)

I shared some emails with Ivan on this issue and got close, but then got
involved in other things so never got fully resolved.  Seems there are
several ways to do it, but I THINK the common thread is to use unlang
and / or hints to set the auth_type as required and/or direct the
requests to a virtual server that does what you need.

If / when I get this worked out I intend to publish a How To, but if
you beat me to it please share!  I've spent MANY MANY hours on it thus
far and now I've forgotten much of it!

Gary


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.or
g] On Behalf Of freerad...@corwyn.net
Sent: Monday, November 23, 2009 12:35 PM
To: FreeRadius users mailing list; freeradius-users@lists.freeradius.org
Subject: Re: ntlm_auth and AD authentication

At 10:24 AM 11/23/2009, freerad...@corwyn.net wrote:
to confirm, and it looks like it's working.

Hmm. I have two sets of authentication I care about, VPN Users, and 
Cisco switches. I'd like to be able to control access to each of 
those separately (different AD Security Groups, and different shared
keys).

I've found instructions for restricting ntlm_auth to a particular 
security group, by adding --require-membership-of={SID|Name} to the 
ntlm_auth command.

But I can't puzzle out how I'd then have one set of authentication 
for one security group, and one set of authentication for a second 
security group. (Currently any AD user works.)

Am I going to have to do something like create different modules 
(ntlm_auth and ntlm_auth2) radiusd.conf in the module section?

Rick










Re: ntlm_auth and AD authentication

2009-11-23 Thread Alan DeKok
Gary Gatten wrote:
 I'm sorta struggling with the same thing, a la a single NAS (Cisco
 switch) requiring multiple auth types: 1.) VTY / enable access from
 NetEng group (in AD), 2.) 802.1X auth for everyone!  Similar with VPN
 appliance, VTY's AND IPSec auths.  The request type will differ for each
 type of request, so it's simply a matter of uniquely identifying each
 type of request and performing the conditional processing.  Easy right?

  Yes.

 a) write down what is in the request, and how you differentiate one
type of request from another

 b) write down what replies you want to give for each type of request

 c) implement (a) and (b).


  People usually get stuck at (a).  They want to treat different
things differently.   But they don't know what "different" means.

  It's usually blindingly obvious: requests for MAC auth have
username/password the same... and containing the MAC.  EAP requests have
EAP-Message.   ADSL requests come from a specific set of NASes.

  Alan DeKok.


Re: EAP advanced auth. methods problem

2009-11-23 Thread Paul Ryszka
On Mon, 2009-11-23 at 20:37 +0100, Tomas Pelka wrote:
 t...@kalik.net wrote:
  Also tried modify wpa_supplicant conf:
 
  - ca_cert=ca.pem
  + ca_cert=server.pem
 
  But with the same result.
  
  Because the path is wrong, ie. certificate is not there. Put the correct
  path to where you have imported the certificate.
  
  Ivan Kalik
  
 
 Sorry, but I'm still more than confused.
 
  Problem is on the server side, isn't it? CA and server certs are now in the
  same dir as the whole RADIUS configuration; is it necessary to put certs into a
  trusted directory like /etc/ssl/certs?
 
 Thanks for advice.
 

I think that the idea was to put the full path to certificates in the
conf file like :
ca_cert=/full/path/to/server.pem





Re: ntlm_auth and AD authentication

2009-11-23 Thread freeradius

At 02:33 PM 11/23/2009, Paul Ryszka wrote:

On Mon, 2009-11-23 at 13:35 -0500, freerad...@corwyn.net wrote:
 Am I going to have to do something like create different modules
 (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?

You need to create two separate entries in modules having two mschap
entries .. sth like :
mschap mschap_group1 {
...
ntlm_auth = your first ntlm_auth command
}
mschap mschap_group2 {
...
ntlm_auth = your second ntlm_auth command
}
and then have the respective mschaps used in the respective virtual
servers for each client.


I currently have (working)
exec ntlm_auth {
wait = yes
program = /usr/bin/ntlm_auth ntlm_auth 
--request-nt-key --domain=int.invtitle.com 
--username=%{mschap:User-Name} --password=%{User-Password} 
--require-membership-of=int.example.com+VPN_Users

}

so I'm not sure how that relates to mschap groups? I don't currently 
have a mschap group at all currently in the radiusd.conf file.


Would I just create
exec ntlm_auth_2 {
wait = yes
program = /usr/bin/ntlm_auth ntlm_auth 
--request-nt-key --domain=int.invtitle.com 
--username=%{mschap:User-Name} --password=%{User-Password} 
--require-membership-of=int.example.com+Cisco_Users

}

And how do I control which group is used for auth from a specific client?

Rick




RE: ntlm_auth and AD authentication

2009-11-23 Thread Garber, Neal
 Hmm. I have two sets of authentication I care about, VPN Users, and 
 Cisco switches. I'd like to be able to control access to each of 
 those separately (different AD Security Groups, and different shared 
 keys).

I'm not sure what you mean by different shared keys - can you clarify?  Also, 
perhaps I do not understand your requirement; but, I think you mean 
authorization, not authentication above.  Authentication is validation of a 
user/password combination.  Authorization is checking to determine what type of 
access (if any) a user should have to a device.  

If I haven't misunderstood what you're trying to do, then I would determine the 
type of access the user has in the authorization section.  Personally, I use a 
perl module for authorization because we have many different types of 
devices/groups, including controlling access to several wireless networks.  The 
perl module obtains the user's groups from LDAP (including their default group 
which isn't in the memberOf attribute) and uses a hash that specifies 
user/group/machine/container to nas mappings and optionally allows returning 
custom vsa's.  This may be overkill for you, I'm not sure..

You could define multiple mschap modules (that's where ntlm_auth is defined) 
and use unlang to call the appropriate module.  But, this would quickly become 
unmanageable if you have many different groups you want to test during 
authorization.  If all you will ever have is two groups, then I suppose it 
wouldn't be an issue.



Re: ntlm_auth and AD authentication

2009-11-23 Thread Paul Ryszka
On Mon, 2009-11-23 at 15:05 -0500, freerad...@corwyn.net wrote:
 At 02:33 PM 11/23/2009, Paul Ryszka wrote:
 On Mon, 2009-11-23 at 13:35 -0500, freerad...@corwyn.net wrote:
   Am I going to have to do something like create different modules
   (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?
 
 You need to create two separate entries in modules having two mschap
 entries .. sth like :
 mschap mschap_group1 {
  ...
  ntlm_auth = your first ntlm_auth command
 }
 mschap mschap_group2 {
  ...
  ntlm_auth = your second ntlm_auth command
 }
 and then have the respective mschaps used in the respective virtual
 servers for each client.
 
 I currently have (working)
 exec ntlm_auth {
  wait = yes
  program = /usr/bin/ntlm_auth ntlm_auth 
 --request-nt-key --domain=int.invtitle.com 
 --username=%{mschap:User-Name} --password=%{User-Password} 
 --require-membership-of=int.example.com+VPN_Users
  }
 
 so I'm not sure how that relates to mschap groups? I don't currently 
 have a mschap group at all currently in the radiusd.conf file.
 
 Would I just create
 exec ntlm_auth_2 {
  wait = yes
  program = /usr/bin/ntlm_auth ntlm_auth 
 --request-nt-key --domain=int.invtitle.com 
 --username=%{mschap:User-Name} --password=%{User-Password} 
 --require-membership-of=int.example.com+Cisco_Users
  }
 
 And how do I control which group is used for auth from a specific client?
 
 Rick
No, you have to have two different modules. 
Look at how the mschap module looks in the default config (there is a
place for ntlm_auth there) and just copy it twice.
You can choose the module in the authorize section of the virtual server,
so you have one virtual server with mschap_group1 and the other with
mschap_group2.




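Paul's two-instance layout and Rick's wish for separate shared secrets per NAS, written out as an added configuration sketch for FreeRADIUS 2.x (not posted by anyone in the thread). The instance names mschap_vpn and mschap_switch, the domain MYDOMAIN, the group names, the client addresses and the secrets are placeholders; the group spec follows the DOMAIN+Group form of Rick's working command, and the Auth-Type MS-CHAP wiring is the rlm_mschap default, assumed here.

```text
# modules/mschap -- two rlm_mschap instances, each pinned to one AD group.
# ntlm_auth enforces --require-membership-of itself, so a user outside the
# group is rejected even with a correct password (the check fails closed).
mschap mschap_vpn {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=MYDOMAIN+VPN_Users"
}

mschap mschap_switch {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=MYDOMAIN+Switch_Admins"
}

# clients.conf -- each NAS gets its own shared secret and is routed to the
# virtual server carrying the matching mschap instance. A switch whose secret
# leaks still cannot obtain a VPN_Users authentication from this server.
client vpn_gateway {
    ipaddr         = 192.0.2.10        # placeholder address
    secret         = REPLACE_WITH_LONG_RANDOM_SECRET_1
    virtual_server = vpn
}

client core_switch {
    ipaddr         = 192.0.2.20        # placeholder address
    secret         = REPLACE_WITH_LONG_RANDOM_SECRET_2
    virtual_server = switches
}

# sites-enabled/vpn -- only the VPN instance is reachable from this server.
server vpn {
    authorize {
        preprocess
        mschap_vpn        # sets Auth-Type MS-CHAP when an MS-CHAP response is present
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap_vpn    # runs ntlm_auth with --require-membership-of=MYDOMAIN+VPN_Users
        }
    }
}

# sites-enabled/switches -- same shape, different group.
server switches {
    authorize {
        preprocess
        mschap_switch
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap_switch
        }
    }
}
```

After restarting, radiusd -X shows which virtual server and which mschap instance each NAS's request lands in, which is the quickest way to confirm the per-client routing.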

Re: EAP advanced auth. methods problem

2009-11-23 Thread Tomas Pelka
Paul Ryszka wrote:
 On Mon, 2009-11-23 at 20:37 +0100, Tomas Pelka wrote:
 t...@kalik.net wrote:
 Also tried modify wpa_supplicant conf:

 - ca_cert=ca.pem
 + ca_cert=server.pem

 But with the same result.
 Because the path is wrong, ie. certificate is not there. Put the correct
 path to where you have imported the certificate.

 Ivan Kalik

 Sorry, but I'm still more than confused.

 Problem is on the server side, isn't it? CA and server certs are now in the
 same dir as the whole RADIUS configuration; is it necessary to put certs into a
 trusted directory like /etc/ssl/certs?

 Thanks for advice.

 
 I think that the idea was to put the full path to certificates in the
 conf file like :
 ca_cert=/full/path/to/server.pem
 
 
 

Same result, full path on both sides (client/server).

-- 
Tom



Re: ntlm_auth and AD authentication

2009-11-23 Thread tnt
 At 02:33 PM 11/23/2009, Paul Ryszka wrote:
On Mon, 2009-11-23 at 13:35 -0500, freerad...@corwyn.net wrote:
  Am I going to have to do something like create different modules
  (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?

You need to create two separate entries in modules having two mschap
entries .. sth like :
mschap mschap_group1 {
 ...
 ntlm_auth = your first ntlm_auth command
}
mschap mschap_group2 {
 ...
 ntlm_auth = your second ntlm_auth command
}
and then have the respective mschaps used in the respective virtual
servers for each client.

 I currently have (working)
 exec ntlm_auth {
  wait = yes
  program = /usr/bin/ntlm_auth ntlm_auth
 --request-nt-key --domain=int.invtitle.com
 --username=%{mschap:User-Name} --password=%{User-Password}
 --require-membership-of=int.example.com+VPN_Users
  }

 so I'm not sure how that relates to mschap groups? I don't currently
 have a mschap group at all currently in the radiusd.conf file.

 Would I just create
 exec ntlm_auth_2 {
  wait = yes
  program = /usr/bin/ntlm_auth ntlm_auth
 --request-nt-key --domain=int.invtitle.com
 --username=%{mschap:User-Name} --password=%{User-Password}
 --require-membership-of=int.example.com+Cisco_Users
  }

 And how do I control which group is used for auth from a specific client?

Are Cisco users sending pap or mschap requests? If it's pap just add after
pap in authorize:

if (!control:Auth-Type) {
 update control {
  Auth-Type = ntlm_auth_2
 }
}

Ivan Kalik



Re: EAP advanced auth. methods problem

2009-11-23 Thread tnt
 t...@kalik.net wrote:
 Also tried modify wpa_supplicant conf:

 - ca_cert=ca.pem
 + ca_cert=server.pem

 But with the same result.

 Because the path is wrong, ie. certificate is not there. Put the correct
 path to where you have imported the certificate.

 Ivan Kalik


 Sorry, but I'm still more than confused.

 Problem is on the server side, isn't it?

No. Problem is missing ca certificate on the supplicant machine.

Ivan Kalik



Re: Stripping Realms from SQL Accounting Queries

2009-11-23 Thread tnt
 Hi,

 I'm using FreeRADIUS with LDAP for authentication and mySQL for logging.
 The LDAP queries seem to be stripping the realm name properly, whereas the
 mySQL queries are not.  I'm running FreeRADIUS 2.1.6 on FreeBSD:

 FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd7.2, built on Nov
 10 2009 at 08:34:04

 Here's what I've got in my modules/ldap:

 - modules/ldap -
 ldap {
   server = foo
   basedn = dc=foo
   identity = uid=foo
   password = foo
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1

   tls {
 start_tls = yes
   }

   access_attr = uid
   dictionary_mapping = ${confdir}/ldap.attrmap
   password_attribute = sambaNTPassword
   edir_account_policy_check = no

   groupname_attribute = cn
   groupmembership_attribute = memberUid
   groupmembership_filter =
 (memberUid=%{Stripped-User-Name:-%{User-Name}})
 }
 - modules/ldap -

 Here's what I've got in my sql/mysql/wpa.conf file:

 - sql/mysql/wpa.conf -
 accounting_start_query = insert into RadiusLog (SessionID, UserName,
 WapIpAddress, UserMacAddress, StartTime) value ('%{Acct-Session-Id}',
 '%{Stripped-User-Name:-%{User-Name}}', '%{NAS-IP-Address}',
 '%{Calling-Station-Id}', '%S')

 accounting_stop_query = update RadiusLog set EndTime = '%S', BytesIn =
 '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
 BytesOut = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
 '%{%{Acct-Output-Octets}:-0}' where SessionID = '%{Acct-Session-Id}' and
 UserName = '%{Stripped-User-Name:-%{User-Name}}' and StartTime >=
 date_sub(now(), interval 30 day)

 accounting_update_query = update RadiusLog set BytesIn =
 '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
 BytesOut = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
 '%{%{Acct-Output-Octets}:-0}' where SessionID = '%{Acct-Session-Id}' and
 UserName = '%{Stripped-User-Name:-%{User-Name}}' and StartTime >=
 date_sub(now(), interval 30 day)
 - sql/mysql/wpa.conf -

 And here are some sample queries from the SQL trace file:

 - /var/log/radacct/radius.sql -
 insert into RadiusLog (SessionID, UserName, WapIpAddress, UserMacAddress,
 StartTime) value ('0004F815', 't...@foo', '192.168.32.8', '0024.2b58.2f46',
 '2009-11-23 10:52:58');
 update RadiusLog set EndTime = '2009-11-23 10:53:46', BytesIn = '0' << 32
 | '2487', BytesOut = '0' << 32 | '1356' where SessionID = '0004F815' and
 UserName = 't...@foo' and StartTime >= date_sub(now(), interval 30 day);
 - /var/log/radacct/radius.sql -

 I tried adding a realm definition in proxy.conf, like this:

 - proxy.conf -
 realm foo {
  type  = radius
  authhost = LOCAL
  accthost = LOCAL
  strip
 }
 - proxy.conf -

 But that didn't help at all.

 I know I must be missing something obvious.  Most of the Google hits on
 this talk about creating realms and stuff, but that hasn't helped me.  Can
 anyone share some wisdom here?

Perhaps do what is suggested wherever you care to look (this list,
documentation, website, ...) - run server in debug mode (radiusd -X). Then
you will see exactly what is happening.

Ivan Kalik



Re: EAP advanced auth. methods problem

2009-11-23 Thread tnt
 Paul Ryszka wrote:
 On Mon, 2009-11-23 at 20:37 +0100, Tomas Pelka wrote:
 t...@kalik.net wrote:
 Also tried modify wpa_supplicant conf:

 - ca_cert=ca.pem
 + ca_cert=server.pem

 But with the same result.
 Because the path is wrong, ie. certificate is not there. Put the
 correct
 path to where you have imported the certificate.

 Ivan Kalik

 Sorry, but I'm still more than confused.

 Problem is on the server side, isn't it? CA and server certs are now in the
 same dir as the whole RADIUS configuration; is it necessary to put certs into a
 trusted directory like /etc/ssl/certs?

 Thanks for advice.


 I think that the idea was to put the full path to certificates in the
 conf file like :
 ca_cert=/full/path/to/server.pem




 Same result, full path on both sides (client/server).

If ca certificate on the client is where ca_cert configuration item is
pointing the problem must be with permissions.

Ivan Kalik



Re: EAP advanced auth. methods problem

2009-11-23 Thread Alan Buxey
Hi,

 Problem is on the server side, isn't it? CA and server certs are now in the
 same dir as the whole RADIUS configuration; is it necessary to put certs into
 a trusted directory like /etc/ssl/certs?

you can stick them wherever the server user can read them - but you must
specify the path of the file correctly!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Combine Proxy Answer with Local Information

2009-11-23 Thread tnt
 I have tried this with and without the

 Output looks like:



 WARNING: Unknown module sql in string expansion %{sql: SELECT
 Attribute from radreply where Username ='burst.net' and
 Attribute='Tunnel-Password'}

You haven't configured (or included in radiusd.conf) sql.conf.

 /etc/raddb/sites-enabled/default[562]: SQL modules aren't allowed in
 'post-proxy' sections -- they have no such method.

OK, are you using sql for authorization of local users? If not, alter the
authorize_reply query in raddb/sql/mysql/dialup.conf and list
sql.authorize in the post-proxy section.

 If anyone has any thoughts on this or whether I can obtain the same
 information another way that would be much appreciated. I will be having
 potentially hundreds of different realms going through this freeradius
 instance and I need to add this information for each one

Well, you can run sql queries from the perl module (that one has a post-proxy
function) but that is much more expensive than running sql.authorize. The sql
module has persistent threads to the sql server, while perl would need to
establish a new connection each time.

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Stripping Realms from SQL Accounting Queries

2009-11-23 Thread Alexander Clouter
Tim Gustafson t...@soe.ucsc.edu wrote:
 
 I'm using FreeRADIUS with LDAP for authentication and mySQL for 
 logging.  The LDAP queries seem to be stripping the realm name 
 properly, whereas the mySQL queries are not.  I'm running FreeRADIUS 
 2.1.6 on FreeBSD:
 
 FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd7.2, built on 
 Nov 10 2009 at 08:34:04
 
 Here's what I've got in my modules/ldap:
 
 - modules/ldap -
 ldap {
  server = foo
  basedn = dc=foo
  identity = uid=foo
  password = foo
  filter = (uid=%{Stripped-User-Name:-%{User-Name}})
  [snipped]
  groupmembership_filter = (memberUid=%{Stripped-User-Name:-%{User-Name}})

...erm, '%{%{Stripped-User-Name}:-%{User-Name}}', I think what you have 
there is some really old deprecated or badly-syntaxed version.  Same in 
your SQL queries too strangely.  You will want to make sure you use 
'SQL-User-Name' instead too, and not directly 'User-Name' (think SQL 
injection).

Cheers

-- 
Alexander Clouter
.sigmonster says: The fact that it works is immaterial.
-- L. Ogborn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
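Added here as a worked example; it is not code from the list or from the FreeRADIUS project. It models the two points in the reply above: the nested fallback `%{%{Stripped-User-Name}:-%{User-Name}}` (and the deprecated `%{A:-%{B}}` form) choosing the stripped name when the suffix module has set it, and the escaping behind `SQL-User-Name`, which rlm_sql builds from the `sql_user_name` setting in sql.conf by rewriting every character outside its `safe-characters` set as `=` plus two hex digits. The `safe-characters` string is the 2.x default; the xlat model, the `quotes_balanced` check and the sample attribute values are this example's own constructions, and the `RadiusLog` column list follows the accounting query quoted elsewhere in this thread.

```python
"""Added example (not FreeRADIUS code): a small model of the xlat fallback
syntax discussed above and of the escaping behind SQL-User-Name, to show
why a raw %{User-Name} inside SQL text is unsafe."""

# Default safe-characters of rlm_sql 2.x (sql.conf).  Characters outside this
# set are rewritten as "=" followed by the byte in hex; that escaped string is
# what the module exposes as SQL-User-Name.
SAFE_CHARACTERS = ("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "0123456789.-_: /")


def sql_escape(value, safe=SAFE_CHARACTERS):
    """Mirror rlm_sql's escape function: keep safe characters, hex-escape the rest."""
    return "".join(c if c in safe else "=%02X" % ord(c) for c in value)


def _read_braced(s, i):
    """Return the text inside the %{...} whose body starts at s[i], and the
    index just after the matching '}'."""
    depth, start = 1, i
    while i < len(s):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return s[start:i], i + 1
        i += 1
    raise ValueError("unterminated %{ in xlat string")


def _split_fallback(body):
    """Split 'A:-B' at the first ':-' that is not nested inside braces."""
    depth = 0
    for i, c in enumerate(body):
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
    return body, None


def _expand_part(part, attrs):
    # A part is either a nested xlat string or a bare attribute name.
    return xlat(part, attrs) if "%{" in part else attrs.get(part, "")


def xlat(template, attrs):
    """Expand %{Attr}, the current %{%{A}:-%{B}} form and the deprecated
    %{A:-%{B}} form.  Expanded values are never re-scanned for %{, so an
    attribute value cannot smuggle in another expansion."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            body, i = _read_braced(template, i + 2)
            primary, fallback = _split_fallback(body)
            value = _expand_part(primary, attrs)
            if value == "" and fallback is not None:
                value = _expand_part(fallback, attrs)
            out.append(value)
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def sql_user_name(attrs):
    """What SQL-User-Name would hold if sql_user_name used the stripped-name
    fallback recommended in the thread (the escaping is the real point)."""
    return sql_escape(xlat("%{%{Stripped-User-Name}:-%{User-Name}}", attrs))


# Constructed accounting insert modelled on the one quoted in this thread.
QUERY = ("insert into RadiusLog (SessionID, UserName, WapIpAddress, UserMacAddress) "
         "values ('%{Acct-Session-Id}', '{user}', '%{NAS-IP-Address}', "
         "'%{Calling-Station-Id}')")


def build_query(attrs, hardened):
    """Raw %{User-Name} (the unsafe form) vs the escaped SQL-User-Name."""
    user = "%{SQL-User-Name}" if hardened else "%{User-Name}"
    expanded = dict(attrs, **{"SQL-User-Name": sql_user_name(attrs)})
    return xlat(QUERY.replace("{user}", user), expanded)


def quotes_balanced(sql):
    """Cheap sanity check: an odd number of single quotes means the literal
    structure of the statement was broken by the interpolated value."""
    return sql.count("'") % 2 == 0


if __name__ == "__main__":
    # Constructed samples: a realm the suffix module stripped, and a perfectly
    # legitimate name containing an apostrophe that matched no realm.
    stripped = {"User-Name": "tjg@soe.ucsc.edu", "Stripped-User-Name": "tjg",
                "Acct-Session-Id": "0004F8C5", "NAS-IP-Address": "192.168.32.8",
                "Calling-Station-Id": "0024.2b58.2f46"}
    awkward = dict(stripped, **{"User-Name": "o'brien@soe.ucsc.edu"})
    del awkward["Stripped-User-Name"]
    for attrs in (stripped, awkward):
        for hardened in (False, True):
            q = build_query(attrs, hardened)
            print("%-8s balanced=%-5s %s" % ("escaped" if hardened else "raw",
                                             quotes_balanced(q), q))
```

Run it and the raw form with `o'brien@soe.ucsc.edu` produces a statement with an odd number of quotes (the SQL server rejects it, or worse, parses something the administrator did not write), while the escaped form carries `o=27brien@soe.ucsc.edu` and stays well-formed; the escaping is also the reason the name you find in the table differs from what the user typed.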


Re: Stripping Realms from SQL Accounting Queries

2009-11-23 Thread Tim Gustafson
 ...erm, '%{%{Stripped-User-Name}:-%{User-Name}}', I think what
 you have there is some really old deprecated or badly-syntaxed
 version.  Same in your SQL queries too strangely.  You will want
 to make sure you use 'SQL-User-Name' instead too, and not
 directly 'User-Name' (think SQL injection).

Thanks for your suggestions.

I tried using SQL-User-Name in the past, and it was always blank - an empty 
string.

I tried using '%{%{Stripped-User-Name}:-%{User-Name}}' as you've suggested, but 
to no avail - it was still using the un-stripped user name.

I've actually just changed the queries to use %{User-Name} for now to quell the 
warnings in the debug log about deprecated syntax.  However, this has not fixed 
my problem.  :(

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Unexpected Exiting normally 2.1.8?

2009-11-23 Thread Craig Campbell

Hmm...  it seems the error remains...  (See below)

I will try another 'fresh build' tomorrow just in case I did something 
wrong.


Thanks,
-craig

Detaching after fork from child process 659.
Detaching after fork from child process 689.

Program received signal SIGTERM, Terminated.
0x003acf4306a7 in kill () from /lib64/libc.so.6
(gdb)
(gdb)
(gdb) bt full
#0  0x003acf4306a7 in kill () from /lib64/libc.so.6
No symbol table info available.
#1  0x00424172 in main (argc=2, argv=0x7fff6246da68) at 
radiusd.c:419

   rcode = 0
   argval = -1
   spawn_flag = 1
   dont_fork = 1
   flag = 0
   act = {__sigaction_handler = {sa_handler = 0x424349 sig_fatal, 
sa_sigaction = 0x424349 sig_fatal}, sa_mask = {

   __val = {0 repeats 16 times}}, sa_flags = 0, sa_restorer = 0}
(gdb) where
#0  0x003acf4306a7 in kill () from /lib64/libc.so.6
#1  0x00424172 in main (argc=2, argv=0x7fff6246da68) at 
radiusd.c:419

(gdb)



- Original Message - 
From: Alan DeKok al...@deployingradius.com

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, November 23, 2009 7:06 AM
Subject: Re: Unexpected Exiting normally 2.1.8?



Craig Campbell wrote:

Thanks Alan,
I re -acquired the source, but there seems to be a (minor I think)
error.


  $git clone git://git.freeradius.org/freeradius-server.git
  $cd freeradius-server
  $git fetch origin stable:stable
  $git pull


 No.  See http://git.freeradius.org for the exact commands.

$ git checkout stable

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Stripping Realms from SQL Accounting Queries

2009-11-23 Thread Tim Gustafson
 Perhaps do what is suggested wherever you care to look (this
 list, documentation, website, ...) - run server in debug mode
 (radiusd -X). Then you will see exactly what is happening.

I did that, and it didn't help.  I added a realm definition back in to the 
config file, and here's the debug output now:

 [suffix] Looking up realm soe.ucsc.edu for User-Name = t...@soe.ucsc.edu
 [suffix] Found realm soe.ucsc.edu
 [suffix] Adding Stripped-User-Name = tjg
 [suffix] Adding Realm = soe.ucsc.edu
 [suffix] Authentication realm is LOCAL.

So far so good...

 [ldap] performing user authorization for tjg
 [ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for 
 details
 [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=tjg)
 [ldap] expand: dc=soe,dc=ucsc,dc=edu - dc=soe,dc=ucsc,dc=edu

Deprecated syntax aside, we're still doing well...

 [sql] WARNING: Deprecated conditional expansion :-.  See man unlang for 
 details
 [sql]  expand: insert into RadiusLog (SessionID, UserName, WapIpAddress, 
 UserMacAddress, StartTime) value ('%{Acct-Session-Id}', 
 '%{Stripped-User-Name:-%{User-Name}}', '%{NAS-IP-Address}', 
 '%{Calling-Station-Id}', '%S') - insert into RadiusLog (SessionID, UserName, 
 WapIpAddress, UserMacAddress, StartTime) value ('0004F8C5', 
 't...@soe.ucsc.edu', '192.168.32.8', '0024.2b58.2f46', '2009-11-23 14:13:42')

Doh, no dice!  Incidentally, as I mentioned in another reply a few minutes ago, 
using %{SQL-User-Name} instead of %{User-Name} results in an empty string, and 
using only %{Stripped-User-Name} also results in an empty string.

If you really would like me to, I suppose I could get you the whole debug 
output, but it's a few thousand lines for a single authorization.

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: custom script for access

2009-11-23 Thread d . tom . schmitt
Just getting back to this project.

I want the request to come from a standard radius request from another server 
(or the same server).
I was to do some external checks with a bash shell script and then have the 
script allow or deny access to the user.

I am using the flatfile for user entries.
I currently have external scripts that write entries to the flatfile for 
authentication.
I can create a regular entry and have radtest verify that the entry is fine.

I cannot figure what would have to be in that authentication entry to tell 
radius to execute the script.
Also, I assume that the script must be set up in a config file so that it can 
be called on just these special accounts. (not all accounts)

The shell script works and is tested when you run it manually.

The description of a script that would return ODD and EVEN - allow and deny 
access
was just a simple example trying to explain the challenge.

I am trying to give as much info as possible - I upgraded a second system to 
CentOS 5.3 freeRadius 2.1.7 (was running 1.1.3).

Sorry, maybe I am not describing the situation well enough.

 Thanks,
 
 Tom Schmitt
 Senior IT Staff - RD
 Phone (801) 594-3030
 Cell  (801) 231-7230


-Original Message-
From: freeradius-users-bounces+d.tom.schmitt=l-3com@lists.freeradius.org 
[mailto:freeradius-users-bounces+d.tom.schmitt=l-3com@lists.freeradius.org] 
On Behalf Of Alan DeKok
Sent: Thursday, October 29, 2009 4:55 AM
To: FreeRadius users mailing list
Subject: Re: custom script for access

d.tom.schm...@l-3com.com wrote:
 I tried to post a similar message on the 26th of October but got no
 responses – thought maybe I messed it up as my first posting.

  Or no one was sure how to help.

 I then need to have freeRADIUS call a bash shell (or Perl) script that
 checks additional credentials before allowing or rejecting  the user’s
 access.

  This can be done.  See scripts/exec-program-wait.  (At least, I think
that's where it is in 1.1.3)

 This check can take a multiple seconds to complete so I don’t want the
 original radius request to timeout (not sure if it will though).

  It won't, but it's a *bad* idea to take that long for authentication.

 An easy script for testing could be as simple as:
 
 If the minute is EVEN = allow in and say an appropriate
 message
 
 If the minute is ODD   = do not allow access and say an
 appropriate message
 
  
 
 I have read most of the .conf files but am still confused about proxy,
 etc. 

  You're not proxying, so it doesn't matter.

 Is there a HOW-TO that shows a simple script example?

  In 2.1.7, it's in scripts/exec-program-wait.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
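As an added example (not the project's scripts/exec-program-wait and not code from this thread), here is the even/odd-minute policy script described above written for the exec module. The contract the script relies on is the one rlm_exec uses when `wait = yes`: the exit status decides the result (0 = ok, 1 = reject, 2 = fail), lines of `Attribute = "value"` on stdout become reply pairs when `output_pairs = reply`, and the `input_pairs` are exported as `RADIUS_<ATTRIBUTE>` environment variables with dashes turned into underscores. The script is in Python rather than bash purely so it can be checked here; the backslash escaping of quoted pair values, the script path and the `minute-policy` name are this example's assumptions.

```python
#!/usr/bin/env python
"""Added example (not the project's scripts/exec-program-wait): a policy
script for the exec module that accepts on even minutes and rejects on odd
ones, the test case described in the thread."""
import os
import sys
import time

# Exit status as rlm_exec (wait = yes) maps it: 0 = ok, 1 = reject, 2 = fail.
EXIT_OK, EXIT_REJECT, EXIT_FAIL = 0, 1, 2


def decide_access(minute):
    """Even minute -> allow, odd -> deny.  Anything non-numeric is denied
    rather than allowed, so a broken clock or odd input fails closed."""
    try:
        return int(str(minute), 10) % 2 == 0
    except ValueError:
        return False


def exec_pair(attr, value):
    """One 'Attr = "value"' line for the output_pairs parser.  Backslash and
    double quote are escaped and non-printable bytes dropped, so a value
    copied from the request (User-Name is chosen by the peer) cannot end the
    quoted string early.  Backslash escaping in pair values is an assumption."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    printable = "".join(c for c in escaped if 32 <= ord(c) < 127)
    return '%s = "%s"' % (attr, printable)


def evaluate(minute, user):
    """Return (exit status, reply pair lines) for one request."""
    allowed = decide_access(minute)
    msg = "Access %s for %s at minute %s" % (
        "granted" if allowed else "denied", user, minute)
    return (EXIT_OK if allowed else EXIT_REJECT), [exec_pair("Reply-Message", msg)]


def main():
    # rlm_exec exports input_pairs as RADIUS_<ATTR> environment variables
    # (dashes become underscores); User-Name therefore arrives as RADIUS_USER_NAME.
    user = os.environ.get("RADIUS_USER_NAME", "<unknown>")
    status, pairs = evaluate(time.strftime("%M"), user)
    for line in pairs:
        print(line)
    sys.stdout.flush()
    sys.exit(status)


if __name__ == "__main__":
    main()
```

To wire it in on 2.x, assuming the standard exec module keys: define an instance in raddb/modules/exec (for example `exec minute-policy { wait = yes; program = "/usr/local/bin/minute-policy.py"; input_pairs = request; output_pairs = reply }`, path hypothetical) and call `minute-policy` from the post-auth section of the virtual server inside an unlang `if` that matches only the special accounts, so ordinary users never pay for the external process. Keep the decision of which accounts run the script in the configuration rather than in the script, and remember Alan's caveat: while the script runs, the thread handling that request is blocked.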

Rejecting auth from a specific realm

2009-11-23 Thread Ben Carbery
I am using freeradius to proxy eduroam requests. These could be for any
number of different realms so I only have a DEFAULT realm configured.

I now want to reject authentication to one specific realm (my own) but pass
all others. The proxy server can't do this for me so I need to do it before
proxying. I have been reading all the man pages but can't figure this
out... how and where is this done?

B
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html