Re: Radiusd process exited without notice

2009-12-21 Thread Alan DeKok
Dinh Pham Cong wrote:
> Hi all,
> 
> I noticed that my radiusd process exited silently this morning without
> any notice before I must start it manually at Mon Dec 21 10:42:23 2009
> as you can see in the below log messages. Besides, no crash is recorded
> in /var/log/messages.

  Try using 2.1.8 when it comes out.  It looks like an issue that was
previously reported, and fixed.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Calling-Station-Id

2009-12-21 Thread Alexander Clouter
EasyHorpak.com  wrote:
>
> [-- text/html, encoding quoted-printable, charset: TIS-620, 66 lines --]
> 
> [-- text/plain, encoding 7bit, charset: us-ascii, 2 lines --]
> 
Please learn how to use an email client

*sigh*

-- 
Alexander Clouter
.sigmonster says: Don't hit a man when he's down -- kick him; it's easier.



Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-21 Thread Alexander Clouter
Arran Cudbard-Bell  wrote:
>>   
>> the real answer is to get the vendors to sort their cheap shoddy kit out ;-)
>   
> Ahem *Vendor :P - -  Sorry I have to do it or they beat me :(
> 
dare I ask why you do not use your new 'formal' email address? ;)

Cheers

-- 
Alexander Clouter
.sigmonster says: Oh no, not again.
-- Manoj Srivastava



Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-21 Thread Alan Buxey
Hi,

> > yep - but a user could just as easily log in with the user-name of
> > 00:11:22:33:44:55 ;-) 
> >
> Not when you say !EAP-Message too :)

...and how does that stop, let's just say for example, some user coming
along with 802.1X configured on their wired interface and logging in
with 00:11:22:33:44:55 as their user-name with EAP-MD5?  ;-)

> Bah, I wrote a "you have to jump this high to connect to the Intertubes" 
> document for work.  The venduhs cannot even get past the tendering phase 
> now :)
> 
> Although it does nothing about the legacy guff, it stops new guff 
> connecting.

that's true insofar as it controls those things... but it lets more evil
people on due to it being a nice new hole.  Oh well.

alan


Re: Pre-release of Version 2.1.8

2009-12-21 Thread Bjørn Mork
I'm probably stupid as I never learn, but I'm going to take my chances
reporting success again.

The v2.1.x branch from github up to and including commit
1d80707880c1bf94ad1e87be74221a6c7b4cb4c7 has now been running stable for
more than 5 days for me.  All the previously reported problems seem to
be gone.  So I'd say it makes a good 2.1.8 release for Christmas.



Bjørn


Re: Certificate not valid in PEAP

2009-12-21 Thread Alan Buxey
hi,

not sure about your mix of PEAP or EAP-TTLS with client certificate -
usually these systems use another form of user auth - such
as password, generic token card etc.

what you need is the server certificate and you also need to ensure that the
CA that signed the server cert is installed on the windows system - plenty
of sites that say how to do this - or you can simply google for
eg wireless setup instructions (most universities are starting to have
very good pages ;-) )

EAP-TLS uses client certificates - and if you eg put the matching
entry for the CN into the users file then it'd know that user/cert is valid
(to reject you need to revoke the cert)

alan
 


Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan Buxey
Hi,

> The v2.1.x branch from github up to and including commit
> 1d80707880c1bf94ad1e87be74221a6c7b4cb4c7 has now been running stable for
> more than 5 days for me.  All the previously reported problems seem to
> be gone.  So I'd say it makes a good 2.1.8 release for Christmas.

aye - there were some questions relating to getting some of the older
requested patches put into 2.1.8 too - has that been addressed?

alan


Re: Certificate not valid in PEAP

2009-12-21 Thread Alan DeKok
Fernando Calvelo Vazquez wrote:
> Hi folks:
> 
> I'm still trying to configure any authentication method that includes a
> client certificate validation (PEAP, EAP-TTLS... ) behind my
> window-vista supplicant software client, but unfortunately no successfully.
> Attached to this mail is the output of one PEAP try.
> The authentication starts once and again forever, in a loop, but never
> ends successfully.

  There are two ways to figure out what's going on.

1) test it with a real client to be sure it works.

  See http://deployingradius.com/ for instructions on using eapol_test.
 You can also use client certificates.  See the wpa_supplicant docs for
more information.

2) debug Windows

http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx


  If (1) works with client certs, then the issue is only (2).

> I'm a bit frustrated with this "certificates" locking point.

  Blame Microsoft.  They put great effort into breaking
inter-operability, and in ensuring that it's nearly impossible for
administrators to quickly discover the cause of the problem.

  Alan DeKok.

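An added wpa_supplicant/eapol_test configuration for step (1) above, testing EAP-TLS with a client certificate against the server; it is not from the thread. Every path, the identity, the server name and the shared secret are placeholders.

```conf
# eapol-tls-test.conf: an EAP-TLS network block for eapol_test.
# All paths and names below are placeholders; adjust them to your site.
#
# Run against a local server (the secret must match the client entry for
# 127.0.0.1 in clients.conf):
#   eapol_test -c eapol-tls-test.conf -a 127.0.0.1 -p 1812 -s testing123
# A working exchange ends with "SUCCESS"; a certificate problem shows up
# as a TLS alert in the output just before the failure, which is far
# easier to read than the Windows supplicant's behaviour.

network={
        key_mgmt=WPA-EAP
        eap=TLS
        # Outer identity sent in EAP-Response/Identity
        identity="user@example.org"

        # CA that signed the *server* certificate. Without ca_cert the
        # supplicant does not check which server it is talking to, so a
        # successful test would prove nothing about the server cert.
        ca_cert="/etc/raddb/certs/ca.pem"
        # Optionally also pin the expected server certificate subject.
        subject_match="CN=radius.example.org"

        # Client certificate and private key for EAP-TLS. FreeRADIUS's own
        # certs/client.cnf generates client.pem with the passphrase
        # "whatever"; use your real passphrase here.
        client_cert="/etc/raddb/certs/client.pem"
        private_key="/etc/raddb/certs/client.key"
        private_key_passwd="whatever"
}
```

For a PEAP run of the same test, swap `eap=TLS` for `eap=PEAP` with `phase2="auth=MSCHAPV2"` and a `password=` line, and keep `ca_cert` so the server certificate is still verified.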


Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan DeKok
Alan Buxey wrote:
> aye - there were some questions relating to getting some of the older
> requested patches put into 2.1.8 too - has that been addressed?

  Which patches?

  Alan DeKok.


Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan DeKok
Bjørn Mork wrote:
> The v2.1.x branch from github up to and including commit
> 1d80707880c1bf94ad1e87be74221a6c7b4cb4c7 has now been running stable for
> more than 5 days for me.  All the previously reported problems seem to
> be gone.  So I'd say it makes a good 2.1.8 release for Christmas.

  Thanks.  I've added a bunch more minor changes (docs, checks from
static analysis tools, etc.)  But no more code changes.

  It should be good to go...

  Alan DeKok.

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan Buxey
Hi,
> Alan Buxey wrote:
> > aye - there were some questions relating to getting some of the older
> > requested patches put into 2.1.8 too - has that been addressed?
> 
>   Which patches?

there were a couple, can't remember exactly - I know one was '17' - the CHAP one.
I applied it locally to my pre 2.1.8 - it didn't go in 100% clean because
it was written some time back... things appear to be okay after it went in.

wasn't there also an SQL one and a proxy one?

alan


Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alexander Clouter
Alan DeKok  wrote:
>
>  I've put a pre-release of version 2.1.8 on the web site:
> 
> http://git.freeradius.org/pre/
> 
>  Please do some sanity checks, and see if it works for you.
> 
>  This version is from the new "v2.1.x" branch, which is Version 2.1.7,
> plus *only* bug fixes.  The "stable" branch is now planned to become
> version 2.2.0 in January.  It will include TCP transport, among other
> new features.
> 
>  If there are no major issues, we can release 2.1.8 next week.
> 
Not quite on the pre-release but running 
f691b0ec7d4c92919bdd4dc81e8a86b211c00832 from the stable branch I got 
these after a 'hiccup' this morning on the network:

Program received signal SIGPIPE, Broken pipe.
[Switching to Thread 0x411b9950 (LWP 18045)]
0x7fa8a156b75b in write () from /lib/libpthread.so.0
(gdb) bt
#0  0x7fa8a156b75b in write () from /lib/libpthread.so.0
#1  0x7fa89e51c1a9 in ?? () from /usr/lib/liblber-2.4.so.2
#2  0x7fa89e06f4b9 in _gnutls_io_write_buffered () from 
/usr/lib/libgnutls.so.26
#3  0x7fa89e06c601 in _gnutls_send_int () from /usr/lib/libgnutls.so.26
#4  0x7fa89e08a6e0 in gnutls_alert_send () from /usr/lib/libgnutls.so.26
#5  0x7fa89e06c90f in gnutls_bye () from /usr/lib/libgnutls.so.26
#6  0x7fa89e754c30 in ?? () from /usr/lib/libldap_r-2.4.so.2
#7  0x7fa89e51c6ec in ber_int_sb_close () from /usr/lib/liblber-2.4.so.2
#8  0x7fa89e745f5d in ldap_free_connection () from 
/usr/lib/libldap_r-2.4.so.2
#9  0x7fa89e73c8cf in ldap_ld_free () from /usr/lib/libldap_r-2.4.so.2
#10 0x7fa89e96e1c1 in perform_search (instance=0x1f2a0e0, conn=0x1f2a5b0, 
search_basedn=0x260b3e0 "ou=Networks,ou=LanWarden,o=soas", scope=1, 
filter=0x27f6fc0 
"(&(objectClass=lanwardenNetwork)(member=cn=001e4fe171de,ou=users-staff,ou=imported,ou=Hosts,ou=LanWarden,o=soas))",
 attrs=0x2676c70, result=0x411b7050) at rlm_ldap.c:811
#11 0x7fa89e96f6ab in ldap_xlat (instance=0x1f2a0e0, 
request=0x7fa894002530, 
fmt=0x2de8ae0 
"ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:MAC-Address-LdapDn}))",
 out=0x411b7840 "", freespace=254, func=0x42ba4c ) at rlm_ldap.c:1199
#12 0x0042b89b in decode_attribute (from=0x411b76d0, to=0x411b76c8, 
freespace=254, open_p=0x411b765c, 
request=0x7fa894002530, func=0x42ba4c ) at xlat.c:911
#13 0x0042bd4f in radius_xlat (out=0x411b7840 "", outlen=254, 
fmt=0x2288d30 
"%{ldap_autz_soasauth-nd1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:MAC-Address-LdapDn}))}",
 request=0x7fa894002530, func=0x42ba4c ) at xlat.c:1086
#14 0x7fa89be8b4bb in do_attr_rewrite (instance=0x2288680, 
request=0x7fa894002530) at rlm_attr_rewrite.c:179
#15 0x7fa89be8c0c8 in attr_rewrite_postauth (instance=0x2288680, 
request=0x7fa894002530)
at rlm_attr_rewrite.c:453
#16 0x00420655 in call_modsingle (component=7, sp=0x2288540, 
request=0x7fa894002530) at modcall.c:297
#17 0x004214ac in modcall (component=7, c=0x2287f50, 
request=0x7fa894002530) at modcall.c:669
#18 0x0041ec68 in indexed_modcall (comp=7, idx=0, 
request=0x7fa894002530) at modules.c:691
#19 0x004200ff in module_post_auth (postauth_type=0, 
request=0x7fa894002530) at modules.c:1533
#20 0x0040a148 in rad_postauth (request=0x7fa894002530) at auth.c:421
#21 0x0040ac45 in rad_authenticate (request=0x7fa894002530) at 
auth.c:811
#22 0x00434ef7 in radius_handle_request (request=0x7fa894002530, 
fun=0x40a194 )
at event.c:4097
#23 0x00426cb3 in request_handler_thread (arg=0x7fa8940023d0) at 
threads.c:492
#24 0x7fa8a1564fc7 in start_thread () from /lib/libpthread.so.0
#25 0x7fa8a08af5ad in clone () from /lib/libc.so.6
#26 0x in ?? ()
(gdb) 


Then shortly after restarting it:

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x4f492950 (LWP 23808)]
0x7f0060554ed5 in raise () from /lib/libc.so.6
(gdb) wher
#0  0x7f0060554ed5 in raise () from /lib/libc.so.6
#1  0x7f00605563f3 in abort () from /lib/libc.so.6
#2  0x004281f2 in rad_assert_fail (file=0x4455ef "threads.c", line=406, 
expr=0x445628 "(*request)->magic == REQUEST_MAGIC") at util.c:363
#3  0x00426adf in request_dequeue (request=0x7f004c006f30, 
fun=0x4f491d30) at threads.c:406
#4  0x00426c3d in request_handler_thread (arg=0x7f004c006f00) at 
threads.c:483
#5  0x7f00612a7fc7 in start_thread () from /lib/libpthread.so.0
#6  0x7f00605f25ad in clone () from /lib/libc.so.6
#7  0x in ?? ()
(gdb) 


The former one I have seen before and assumed it was a bug in libldap, 
however I guess maybe freeradius should be catching the SIGPIPE there?

As for the latter one, that's new to me.  Alas it is going to be 
difficult to repeat this 'experiment' as I would have to turn power off 
to one of our server rooms...tends to annoy the yokels.

Cheers

-- 
Alexan

Re: Debian, EAP, and the OpenSSL and GPL incompatibility

2009-12-21 Thread Bjørn Mork
Just noticed:

commit 48674ba26a39620448723f5852aa30a899d515ac
Author: Alan T. DeKok 
Date:   Mon Dec 21 12:07:08 2009 +0100

Add OpenSSL license exception

commit 5ed6809aad46a999db022d9a0be417178b93dff6
Author: Alan T. DeKok 
Date:   Mon Dec 21 10:49:50 2009 +0100

Synced with upstream debian



Thanks!



Bjørn


Re: Debian, EAP, and the OpenSSL and GPL incompatibility

2009-12-21 Thread Alan DeKok
Bjørn Mork wrote:
> Just noticed:
...
> Add OpenSSL license exception
> 
> commit 5ed6809aad46a999db022d9a0be417178b93dff6
> Author: Alan T. DeKok 
> Date:   Mon Dec 21 10:49:50 2009 +0100
> 
> Synced with upstream debian
> 
> 
> 
> Thanks!

  More to come. :)

  Alan DeKok.

Virtual Server not setting attributes on reply

2009-12-21 Thread Timothy
Hi,

I'm having problems when using a virtual server.
When using the "virtual_server" I'm not getting the reply attributes set.

It may be a config thing, but I haven't been able to find where the
problem is from the documentation. And I can't understand why there
would be the difference.

I have 2 realms set using the same virtual server. The only difference is
realm TEST1 {
   virtual_server = test
}
realm TEST2 {
type= radius
format = prefix
delimiter  = "/"
authhost  = 127.0.0.1:11812
accthost  = 127.0.0.1:11813
secret  = secret
}

If I authenticate to TEST1/user
My response is "only" a successful auth.

If I authenticate to TEST2/user
My response is a successful auth WITH Attributes (in this case the
attribute I'm setting is
Cisco-AVPair = "shell:priv-lvl=15"

It appears to me that using the virtual server is stripping the
attributes from the reply.

Can anyone tell me
a) The appropriate documentation covering this is so I know.
b) What I have done wrong (and where to find the answers)
or
c) This is an actual bug and someone will look at it

Thanks
Timothy


Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan DeKok
Alexander Clouter wrote:
> Not quite on the pre-release but running 
> f691b0ec7d4c92919bdd4dc81e8a86b211c00832 from the stable branch I got 
> these after a 'hiccup' this morning on the network:
> 
> Program received signal SIGPIPE, Broken pipe.
> [Switching to Thread 0x411b9950 (LWP 18045)]
> 0x7fa8a156b75b in write () from /lib/libpthread.so.0
> (gdb) bt
> #0  0x7fa8a156b75b in write () from /lib/libpthread.so.0
> #1  0x7fa89e51c1a9 in ?? () from /usr/lib/liblber-2.4.so.2
> #2  0x7fa89e06f4b9 in _gnutls_io_write_buffered () from 
> /usr/lib/libgnutls.so.26

  Ugh.

> Then shortly after restarting it:
> 
> Program received signal SIGABRT, Aborted.
> [Switching to Thread 0x4f492950 (LWP 23808)]
> 0x7f0060554ed5 in raise () from /lib/libc.so.6
> (gdb) wher
> #0  0x7f0060554ed5 in raise () from /lib/libc.so.6
> #1  0x7f00605563f3 in abort () from /lib/libc.so.6
> #2  0x004281f2 in rad_assert_fail (file=0x4455ef "threads.c", 
> line=406, 
> expr=0x445628 "(*request)->magic == REQUEST_MAGIC") at util.c:363
> #3  0x00426adf in request_dequeue (request=0x7f004c006f30, 
> fun=0x4f491d30) at threads.c:406

  That shouldn't happen... ever!

  In fact, I've never seen it happen.  It can occur only when memory is
free'd, and still used.

> The former one I have seen before and assuemd it was a bug in libldap, 
> however I guess maybe freeradius should be catching the SIGPIPE there?

  Nope.  The libraries usually re-set the signal handlers.

> As for the latter one, that's new to me.  Alas it is going to be 
> difficult to repeat this 'experiment' as I would have to turn power off 
> to one of our server rooms...tends to annoy the yokels.

  It should either happen a lot, or not at all.

  Alan DeKok.


Re: Virtual Server not setting attributes on reply

2009-12-21 Thread Alan Buxey
Hi,

> If I authenticate to TEST1/user
> My response is "only" a successful auth.
> 
> If I authenticate to TEST2/user
> My response is a successful auth WITH Attributes (in this case the
> attribute I'm setting is
> Cisco-AVPair = "shell:priv-lvl=15"

where are you setting that attribute? in the default virtual_server 
in the post-auth?

> It appears to me that using the virtual server is stripping the
> attributes from the reply.

check your attr filter - check that those attributes aren't cleared - if
you run in full debug mode you should see everything that is happening
and exactly where it gets set and where it gets wiped

alan


Multiple clients on same IP address

2009-12-21 Thread Fahd Kasri
Hi,

Is it possible to have multiple Radius clients behind a router connect to a
distant Freeradius server (these clients would therefore have the same IP
address and be the same client in clients.conf)?
I've this and apparently it works, but could there be any problems in the
long run?

Thanks.

-- 
Fahd

Re: Virtual Server not setting attributes on reply

2009-12-21 Thread Timothy
2009/12/21 Alan Buxey :
> Hi,
>
>> If I authenticate to TEST1/user
>> My response is "only" a successful auth.
>>
>> If I authenticate to TEST2/user
>> My response is a successful auth WITH Attributes (in this case the
>> attribute I'm setting is
>> Cisco-AVPair = "shell:priv-lvl=15"
>
> where are you setting that attribute? in the default virtual_server
> in the post-auth?

Not the default virtual server. The test virtual server
The flow is client -> default virtual server acting as a proxy -> test
virtual server
If the test virtual server is configured as a remote radius server
then things work great. If it's configured as a virtual server using
the "virtual_server=name" then things break.

I'm setting the attributes in the test virtual server via post-auth.

The idea would be to have the different virtual servers using tables /
databases for their own user list.

>> It appears to me that using the virtual server is stripping the
>> attributes from the reply.

> check your attr filter - check that those attributes arent cleared - if
> you run in full debug mode you should see everything that is happening
> and exactly where it gets set and where it gets wiped

The attributes just don't look to be getting set. I'm guessing that
the post-auth section isn't being used when you proxy to a "virtual
server" rather than to a "real" server

realm TEST1 using "virtual server"

rad_recv: Access-Request packet from host 192.168.183.20 port 2530,
id=16, length=106
User-Name = "TEST1/default"
Acct-Session-Id = "1261403370P17nsl"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "Localhost"
NAS-Port = 0
Calling-Station-Id = "1115551212"
User-Password = "password"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
rlm_realm: Looking up realm "TEST1" for User-Name = "TEST1/default"
rlm_realm: Found realm "TEST1"
rlm_realm: Adding Stripped-User-Name = "default"
rlm_realm: Adding Realm = "TEST1"
rlm_realm: Proxying request from user default to realm TEST1
rlm_realm: Preparing to proxy authentication request to realm "TEST1"
++[slash] returns updated
rlm_realm: Request already proxied.  Ignoring.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
>>> Sending proxied request internally to virtual server.
server test {
+- entering group authorize
expand: %{Stripped-User-Name} -> default
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> default
rlm_sql (sql): sql_set_user escaped user --> 'default'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'default'   ORDER BY
id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'default'   ORDER
BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op
FROM radreply   WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'default'   ORDER BY
id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'default'   ORDER
BY id
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority ->
SELECT groupname   FROM radusergroup   WHERE username
= 'default'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup
   WHERE username = 'default'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
 ORDER BY id -> SELECT id, groupname, attribute,
Value, op   FROM radgroupcheck   WHERE groupname =
'shells'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,
Value, op   FROM radgroupcheck   WHERE groupname =
'shells'   ORDER BY id
rlm_sql (sql): User found in group shells
expand: SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
 ORDER BY id -> SELECT id, groupname, attribute,
value, op   FROM radgroupreply   WHERE groupname =
'shells'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,
value, op   FROM radgroupreply   WHERE groupname =
'shells'   ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing MD5-Password from hex encodi

Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alexander Clouter
Alan DeKok  wrote:
> 
>> Then shortly after restarting it:
>> 
>> Program received signal SIGABRT, Aborted.
>> [Switching to Thread 0x4f492950 (LWP 23808)]
>> 0x7f0060554ed5 in raise () from /lib/libc.so.6
>> (gdb) wher
>> #0  0x7f0060554ed5 in raise () from /lib/libc.so.6
>> #1  0x7f00605563f3 in abort () from /lib/libc.so.6
>> #2  0x004281f2 in rad_assert_fail (file=0x4455ef "threads.c", 
>> line=406, 
>> expr=0x445628 "(*request)->magic == REQUEST_MAGIC") at util.c:363
>> #3  0x00426adf in request_dequeue (request=0x7f004c006f30, 
>> fun=0x4f491d30) at threads.c:406
> 
>  That shouldn't happen... ever!
> 
>  In fact, I've never seen it happen.  It can occur only when memory is
> free'd, and still used.
> 
> [snipped]
> 
>> As for the latter one, that's new to me.  Alas it is going to be 
>> difficult to repeat this 'experiment' as I would have to turn power off 
>> to one of our server rooms...tends to annoy the yokels.
> 
>  It should either happen a lot, or not at all.
> 
Well as I said it is the first time I have seen it and I have been 
running this code straight since that commit came out on the 5th.  So we 
cannot say 'not at all'.

Want to put it down to a neutrino burst? :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Shut off engine before fueling.



Re: Pre-release of Version 2.1.8

2009-12-21 Thread Alan DeKok
Alexander Clouter wrote:
> Want to put it down to a neutrino burst? :)

  Been there.  Done that.

  http://www.sno.phy.queensu.ca/sno/papers/nim_paper_99.pdf

  9th author, on the first page.

  Alan DeKok.


Re: Virtual Server not setting attributes on reply

2009-12-21 Thread Alan Buxey
Hi,

> Not the default virtual server. The test virtual server
> The flow is client -> default virtual server acting as a proxy -> test
> virtual server
> If the test virtual server is configured as a remote radius server
> then things work great. If it's configured as a virtual server using
> the "virtual_server=name" then things break.

test virtual server not setting the options by the looks of it...
post-auth is called in that virtual server - so how should it be getting/setting
that attribute?

alan


Re: Multiple clients on same IP address

2009-12-21 Thread Alexander Clouter
Fahd Kasri  wrote:
> 
> Is it possible to have multiple Radius clients behind a router connect to a
> distant Freeradius server (these clients would therefore have the same IP
> address and be the same client in clients.conf)?
> I've this and apparently it works, but could there be any problems in the
> long run?
> 
They would either:
 * need to use the same shared secret
 * connect to different IP's provisioned by FreeRADIUS (the server is 
bind()'ed to more than one address)
 * send traffic to different port numbers being listened to by 
FreeRADIUS (listens on ports other than the 'official' ones)

You can use a combination of the above (if you are crazy), but you will 
need to use at least *one*.  The alternative is to kill NAT...for it is 
evil[1].

Cheers

[1] if the network is 'trusted' then use an IPIP/GRE tunnel to get the 
traffic to the RADIUS server

-- 
Alexander Clouter
.sigmonster says: A dead man cannot bite.
-- Gnaeus Pompeius (Pompey)

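Two of the three options in the reply above, written out as an added FreeRADIUS 2.x configuration example; it is not from the thread, and the addresses, ports, client names and secrets are constructed. Each NAS behind the NAT is pointed at its own listen socket, and each socket carries its own client list, so the one NAT source address can map to a different shared secret per socket:

```conf
# radiusd.conf (or a file it $INCLUDEs). Constructed example: the NAT's
# public address is 203.0.113.10, the server also owns 198.51.100.2.

# Option: different port numbers on the same server address. Both
# sockets see packets from 203.0.113.10, but each has its own clients.
listen {
        type = auth
        ipaddr = *
        port = 1812
        clients = nas_a_clients
}

listen {
        type = auth
        ipaddr = *
        port = 11812
        clients = nas_b_clients
}

# Option: a second server address, for a NAS that must stay on 1812.
listen {
        type = auth
        ipaddr = 198.51.100.2
        port = 1812
        clients = nas_c_clients
}

# Per-socket client lists. The same NAT address appears in each, but with
# its own secret and shortname, so a packet is authenticated with the
# secret of the NAS that the socket was provisioned for, and
# %{Client-Shortname} in logs and SQL tells the three apart.
clients nas_a_clients {
        client nas_a {
                ipaddr = 203.0.113.10
                secret = "REPLACE_WITH_NAS_A_SECRET"
                shortname = nas_a
        }
}

clients nas_b_clients {
        client nas_b {
                ipaddr = 203.0.113.10
                secret = "REPLACE_WITH_NAS_B_SECRET"
                shortname = nas_b
        }
}

clients nas_c_clients {
        client nas_c {
                ipaddr = 203.0.113.10
                secret = "REPLACE_WITH_NAS_C_SECRET"
                shortname = nas_c
        }
}
```

Accounting needs matching `type = acct` listen sections (ports 1813 and 11813 in this layout) that reference the same client lists, otherwise the accounting packets fall back to the global clients.conf entry.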


Re: Multiple clients on same IP address

2009-12-21 Thread Fahd Kasri
That's what I thought. I tried the first solution (wanting to avoid the two
others), and apparently the configuration works. Just wanted to know if
there could be any problems with two or more clients using the exact same
configuration. Thanks for the info.

2009/12/21 Alexander Clouter 

> Fahd Kasri  wrote:
> >
> > Is it possible to have multiple Radius clients behind a router connect to
> a
> > distant Freeradius server (these clients would therefore have the same IP
> > address and be the same client in clients.conf)?
> > I've this and apparently it works, but could there be any problems in the
> > long run?
> >
> They would either:
>  * need to use the same shared secret
>  * connect to different IP's provisioned by FreeRADIUS (the server is
>bind()'ed to more than one address)
>  * send traffic to different port numbers being listened to by
>FreeRADIUS (listens on ports other than the 'official' ones)
>
> You can use a combination of the above (if you are crazy), but you will
> need to use at lease *one*.  The alternative is to kill NAT...for it is
> evil[1].
>
> Cheers
>
> [1] if the network is 'trusted' then use an IPIP/GRE tunnel to get the
>traffic to the RADIUS server
>
> --
> Alexander Clouter
> .sigmonster says: A dead man cannot bite.
>-- Gnaeus Pompeius (Pompey)
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Fahd Kasri
Directeur Technique
Weblib
http://www.weblib.eu

Re: RADIUS 2.x - modules not loaded correctly

2009-12-21 Thread Josip Rodin
On Tue, Dec 15, 2009 at 09:03:33AM +0100, Alan DeKok wrote:
> Axel Vogel wrote:
> > Please look at the configuration of virtual hosts in apache2.
> > The httpd.conf incudes only files with a well defined suffix
> >  vhosts.d/*.conf
> 
>   Sure.  Send a patch.

I was thinking we should use the mods-{available,enabled}, also mimicking
apache2 and sites-*. That way we can worry less about the admin editing and
leaving junk in one directory, when only the other one is supposed to be
clean. Something like this?

git mv raddb/modules raddb/mods-available
patch -p1 < mods.diff # attached

-- 
 2. That which causes joy or happiness.
diff --git a/raddb/Makefile b/raddb/Makefile
index 01d3f03..9a3e5b5 100644
--- a/raddb/Makefile
+++ b/raddb/Makefile
@@ -33,9 +33,9 @@ install:
 	$(INSTALL) -d -m 750	$(R)$(raddbdir)
 	$(INSTALL) -d -m 750	$(R)$(raddbdir)/sites-available
 	$(INSTALL) -d -m 750	$(R)$(raddbdir)/sites-enabled
-	$(INSTALL) -d -m 750	$(R)$(raddbdir)/modules
+	$(INSTALL) -d -m 750	$(R)$(raddbdir)/mods-available
 	@echo "Creating/updating files in $(R)$(raddbdir)"; \
-	for i in $(FILES) `find sites-available/ modules/ -type f -print | sed 's/.*CVS.*//;s/.*~//;s/.*#.*//' `; do \
+	for i in $(FILES) `find sites-available/ mods-available/ -type f -print | sed 's/.*CVS.*//;s/.*~//;s/.*#.*//' `; do \
 		[ ! -f $(R)$(raddbdir)/$$i ] && $(INSTALL) -m 640 $$i $(R)$(raddbdir)/$$i; \
 		if [ "`find $$i -newer $(R)$(raddbdir)/$$i`" ]; then \
 			echo "** $(R)$(raddbdir)/$$i"; \
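Review bot: this hunk creates and populates only `$(R)$(raddbdir)/mods-available`; nothing creates `$(R)$(raddbdir)/mods-enabled`, so there is no directory for the enabling links, and the `$INCLUDE` of the old `modules/` directory in radiusd.conf is not touched either (Alan Buxey raises the same point below). Add `$(INSTALL) -d -m 750 $(R)$(raddbdir)/mods-enabled` next to the mods-available line and note the radiusd.conf change in the patch description.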
@@ -85,6 +85,12 @@ install:
 		cd $(R)$(raddbdir)/sites-enabled/; \
 		ln -s ../sites-available/control-socket; \
 	fi
+	@for m in `cd mods-available/ && ls -1 | sed 's/.*CVS.*//;s/.*~//;s/.*#.*//' `; do \
+		if [ ! -L $(R)$(raddbdir)/$$m ]; then \
+			echo "** Enabling default module $(R)$(raddbdir)/$$m"; \
+			ln -s ../mods-available/$$m $(R)$(raddbdir)/$$m; \
+		fi; \
+	done
 
 clean:
 	rm -rf sites-enabled/inner-tunnel sites-enabled/default
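Review bot: the enabling loop links to the wrong place. `ln -s ../mods-available/$$m $(R)$(raddbdir)/$$m` creates the symlink in the raddb root, where the relative target `../mods-available/$$m` resolves to the parent of raddb and dangles. The sites-enabled code just above cd's into the enabled directory before linking; do the same here with `cd $(R)$(raddbdir)/mods-enabled/ && ln -s ../mods-available/$$m`, and make the `[ ! -L ... ]` guard test the mods-enabled path rather than the raddb root.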

Re: RADIUS 2.x - modules not loaded correctly

2009-12-21 Thread Alan Buxey
Hi,

> I was thinking we should use the mods-{available,enabled}, also mimicking
> apache2 and sites-*. That way we can worry less about the admin editing and
> leaving junk in one directory, when only the other one is supposed to be
> clean. Something like this?
> 
> git mv raddb/modules raddb/mods-available
> patch -p1 < mods.diff # attached

that makes the modules go into modules-available - but then you need
to create the modules-enabled directory and put links into there...
by default the server needs at least a handful of the modules to be present
for its default config to load/work - i know - i've looked at this in the past.
you'll also need to patch the radiusd.conf to read in modules-enabled/*

alan


Re: Multiple clients on same IP address

2009-12-21 Thread Alexander Clouter
Fahd Kasri  wrote:
> 
> That's what I thought. I tried the first solution (wanting to avoid the two
> others), and apparently the configuration works. Just wanted to know if
> there could be any problems with two or more clients using the exact some
> configuration. Thanks for the info.
> 
Depends on what you want to do with the accounting data.  You might find 
that tracking your users when NAS-IP-Address is the same becomes really 
awkward[1].  Anything that keys off that attribute (such as 
Acct-Unique-Session-Id, as Acct-Session-Id is rarely unique) might cause 
your grief.

So, authentication should work...you might have some problems with 
simultaneous logins *possibly* and your accounting records might be a 
pain to work with.

You need to define what 'work' means for yourself and decide from there.

Cheers

[1] then you hope your venduh lets you amend the NAS-Identifier 
attribute

-- 
Alexander Clouter
.sigmonster says: TAILFINS!! ... click ...



Re: RADIUS 2.x - modules not loaded correctly

2009-12-21 Thread Alan DeKok
Josip Rodin wrote:
> I was thinking we should use the mods-{available,enabled}, also mimicking
> apache2 and sites-*. That way we can worry less about the admin editing and
> leaving junk in one directory, when only the other one is supposed to be
> clean. Something like this?

  For 2.2.0, yes.

  Alan DeKok.


STILL Trying to get tunneling to work

2009-12-21 Thread Mike Bernhardt
>From: t...@kalik.net [mailto:t...@kalik.net] 
>Sent: Thursday, December 10, 2009 5:05 PM
>To: FreeRadius users mailing list
>Subject: Re: Trying to get tunneling to work
>
>> I am trying to set up freeradius to proxy requests 802.11 MSCHAPv2 to an
>> IAS
>> server. The IAS requests are authenticated by a Safeword server, which
>> doesn't support 802.11. So the idea is that freeradius takes the request,
>> proxies it to IAS as if it was a non-802.11 client, IAS passes it to the
>> integrated Safeword server, and everything is happy.
>>
>> My configuration works from a 802.11 supplicant if the user exist locally
>> in
>> freeradius, but no proxying happens when the user doesn't exist locally.
>
>Read comments in peap section of eap.conf. Replace LOCAL in Proxy-To-Realm
>statement in inner-tunnel virtual server with the name of the realm
>pointing to IAS server.
>
>Ivan Kalik

As far as I know, this is the case. It is replaced in the users file. I did
a little cleanup on the other config files too. Here is the new output,
though the result is the same. The request is never forwarded out from
freeradius. Help, anyone?


radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 realm safeword.eng {
authhost = 192.168.30.29:1812
accthost = 192.168.30.29:1813
secret = Testing_Testing
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
radiusd:  Loading Clients 
 client 192.168.7.139/32 {
require_message_authenticator = no
secret = "Testing_Testing"
 }
 client 127.0.0.1/32 {
require_message_authenticator = no
secret = "testing123"
 }

radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = "Password: "
auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_m

ttls+eap-md5

2009-12-21 Thread anyi_9
Hello, all!
   Please help! I have to resolve this problem before tomorrow.
   My task is to configure freeradius using TTLS+EAP-MD5 to authenticate
users. I've found much information about how to configure this type on the
Internet, but there are some differences between different versions.
   My freeradius version is: 2.1.7
   Please tell me the specific steps to configure freeradius. Which files do
I need to modify and how? Thank you very much!


Re: RADIUS 2.x - modules not loaded correctly

2009-12-21 Thread Josip Rodin
On Mon, Dec 21, 2009 at 03:39:24PM +, Alan Buxey wrote:
> that makes the modules go into modules-available - but then you need
> to create the modules-enabled directory and put links into there...
> by default the server needs at least a handful of the modules to be present
> for its default config to load/work - i know - i've looked at this in the 
> past.
> you'll also need to patch the radiusd.conf to read in modules-enabled/*

Yes, of course, I just sent the patch as the preliminary intro into the idea
(OP's idea instead had no separate directories and symlinks in mind, it
talked of suffixes).

As it stands, all entries in current modules/ are harmless when enabled
(by default), so that part could stay as is, functionally.

-- 
 2. That which causes joy or happiness.


Re: ttls+eap-md5

2009-12-21 Thread Alan DeKok
anyi_9 wrote:
>    Please help! I have to resolve this problem before tomorrow.
>    My task is to configure freeradius using TTLS+EAP-MD5 to
> authenticate users. I've found much information about how to configure
> this type on the Internet, but there are some differences between
> different versions.
>    My freeradius version is: *2.1.7*
>    Please tell me the specific steps to configure freeradius. Which
> files do I need to modify and how? Thank you very much!

  (a) install the server

  (b) run it in debugging mode to get the default certificates

  (c) add a "known good" password (e.g. see the FAQ)

  (d) TTLS + EAP-MD5 will work.

  Alan DeKok.


Re: STILL Trying to get tunneling to work

2009-12-21 Thread Alan DeKok
Mike Bernhardt wrote:
> ERROR: Failed to create a new socket for proxying requests.
> ERROR: Failed inserting request into proxy hash.

  Install 2.1.8 when it comes out.  That should be tomorrow, or maybe
Wednesday.

  Alan DeKok.


Re: MAC authentication bypass --- How am I supposed to?edit?theusers file to include multiple MAC addresses??

2009-12-21 Thread Arran Cudbard-Bell
On 21/12/2009 09:15, Alan Buxey wrote:
> Hi,
>
>>> yep - but a user could just as easily log in with the user-name of
>>> 00:11:22:33:44:55 ;-) 
>>>
>> Not when you say !EAP-Message too :)
>>
> ...and how does that stop, let's just say for example, some user coming
> along with 802.1X configured on their wired interface and logging in
> with 00:11:22:33:44:55 as their user-name with EAP-MD5 ?  ;-)
>
Last time I checked EAP-MD5-Response was still carried in the
EAP-Message attribute, and the documentation in the wiki suggests that
the username and Calling-Station-ID are canonicalized and compared before
attempting Mac-Auth, so you need to fake the mac-address in your EAPOL
frames too.
>> Although it does nothing about the legacy guff, it stops new guff 
>> connecting.
>>
> that's true in so much that it controls those things...but lets more evil
> people on due to it being a nice new hole.  oh well.
>
Well no. You need to know the Mac-Address of a target machine before you
can connect to the network/VLAN. In order to find out the Mac-Address you
need to physically locate yourself at a terminal, and if you can
physically locate yourself at a terminal, you generally have access to
the network connection of the terminal anyway.

The only thing it lets you do which you could do before, is to do your
cracking in a cafe instead of in a cluster room :).

The real danger is someone gaining access to the uplink from one of your
switches... which is why 802.1X-REV/Mac-Sec is so frickin awesome!

-Arran
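
The checks argued over in this thread, as an added example (editor's code, not FreeRADIUS and not part of the original posts; in the real server this logic lives in the users file or unlang). It reflects the three defences named above: refuse MAC-auth-bypass when any EAP-Message is present, canonicalize User-Name and Calling-Station-Id before comparing them, and only then consult an allow-list. Assumptions: the allow-list is a plain Python set standing in for whatever backend you use, and the request dictionaries are constructed test data. The last case, where the attacker has already spoofed their source MAC in the EAPOL frames, is accepted on purpose, because that is precisely the point Arran makes: MAB can only check what the switch reports, and the remaining defence is physical access control or MACsec.

```python
"""MAC-authentication-bypass sanity checks (added example; not FreeRADIUS code).

Assumptions: ALLOWED_MACS stands in for your real device list; the request
dicts are constructed RADIUS attribute sets, not captured packets.
"""
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed allow-list of devices that cannot speak 802.1X (printers etc.).
ALLOWED_MACS = {"001122334455"}


def canonical_mac(value):
    """Reduce any vendor spelling of a MAC to 12 lowercase hex digits.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and
    001122334455; returns None for anything that is not a MAC at all.
    """
    if value is None:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if HEX12.match(digits) else None


def mab_decision(request, allowed=ALLOWED_MACS):
    """Return 'accept' or a 'reject: ...' reason for one Access-Request."""
    # A user typing a MAC as their username but speaking EAP-MD5: the EAP
    # method does not matter, any EAP-Message means this is not a MAB
    # request and must be handed to the normal EAP flow instead.
    if "EAP-Message" in request:
        return "reject: EAP-Message present, not a MAB request"
    user = canonical_mac(request.get("User-Name"))
    calling = canonical_mac(request.get("Calling-Station-Id"))
    if user is None or calling is None:
        return "reject: User-Name or Calling-Station-Id is not a MAC"
    # The username must match the address the switch saw on the wire;
    # defeating this means spoofing the source MAC of the frames themselves.
    if user != calling:
        return "reject: User-Name does not match Calling-Station-Id"
    if user not in allowed:
        return "reject: MAC not in allow-list"
    return "accept"


# Constructed requests covering the cases discussed in the thread.
PRINTER = {"User-Name": "0011.2233.4455",
           "Calling-Station-Id": "00-11-22-33-44-55"}
EAP_USER = {"User-Name": "00:11:22:33:44:55",
            "Calling-Station-Id": "aa:bb:cc:dd:ee:ff",
            "EAP-Message": b"\x02\x01\x00\x0a\x01alice"}
MAC_AS_NAME = {"User-Name": "00:11:22:33:44:55",
               "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"}
FULL_SPOOF = {"User-Name": "00:11:22:33:44:55",
              "Calling-Station-Id": "00:11:22:33:44:55"}


if __name__ == "__main__":
    for name, req in [("printer", PRINTER), ("eap-md5 user", EAP_USER),
                      ("mac as username", MAC_AS_NAME), ("full spoof", FULL_SPOOF)]:
        print(f"{name:16s} -> {mab_decision(req)}")
```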




Re: MAC authentication bypass --- How am I supposed to?edit?theusers?file to include multiple MAC addresses??

2009-12-21 Thread Arran Cudbard-Bell
On 21/12/2009 09:05, Alexander Clouter wrote:
> Arran Cudbard-Bell  wrote:
>   
>>>   
>>> the real answer is to get the vendors to sort their cheap shoddy kit out ;-)
>>>   
>>   
>> Ahem *Vendor :P - -  Sorry I have to do it or they beat me :(
>>
>> 
> dare I ask why you do not use you new 'formal' email address? ;)
>   
Because I'm not on site, they've not worked out how to do webmail outside
of the intranet, and they've disabled the entourage connector in exchange.

arran.cudbard-b...@popular british manufacturer of tomatoe and brown
sauce.com

Should be back for January *sigh*.


Re: Virtual Server not setting attributes on reply

2009-12-21 Thread Timothy
I think we're getting too far into the detail and losing sight of the
problem I was trying to report initially.

I'd expect the only difference between proxying to a remote server
and proxying to a virtual server to be efficiency / ports used, not
functionality, i.e. it's more efficient to use virtual_server= rather
than define a remote radius server and then have the virtual server
listen on odd-numbered ports on localhost.

There seems to be a functionality difference when proxied to a virtual server.

Tim

Alan Buxey wrote:
> Hi,
>
>> Not the default virtual server. The test virtual server
>> The flow is client -> default virtual server acting as a proxy -> test
>> virtual server
>> If the test virtual server is configured as a remote radius server
>> then things work great. If it's configured as a virtual server using
>> the "virtual_server=name" then things break.
>
> test virtual server not setting the options by the looks of it...
> post-auth is called in that virtual server - so how should it be
> getting/setting that attribute?
>
> alan


Re: Virtual Server not setting attributes on reply

2009-12-21 Thread Alan Buxey
Hi,
> I think we're getting too far into the detail and losing sight of the
> problem I was trying to report initially.
> 
> I'd expect the only difference between the proxying to a remote server,
> and proxying to a virtual server to be efficency / ports used, not
> functionality, aka it's more efficnt to use virtual_server= rather
> than define a remote radius server, then have the virtual server
> listen on odd numbered ports on localhost.
> 
> There seems to be a functionality difference when proxied to a virtual server.

well, looking at the log, your virtual_server doesn't appear to set any
attribute in its post-auth stage. Is it calling the right thing or SQL table?

my initial thought was your attr_filter wasn't allowing that attribute
through from the virtual_server (much like it would strip it out
if the domain/realm wasn't allowed - check pre-proxy and post-proxy parts)

alan