Re: inner vs outer User-Name
Kenneth Grady wrote:
> Is there any way to authorize a user using the inner-tunnel User-Name
> and not the outer?

Yes. Use the inner-tunnel virtual server.

> I get an outer User-Name of anonymous and a reject when searching for
> authorized users in an ldap group.

Because you're doing the LDAP group check in the outer tunnel... not the inner tunnel.

> Mon Feb 8 12:53:21 2010
> Packet-Type = Access-Request
> User-Name = "anonymous"

Why are you posting these packets? The documentation specifically asks for *other* information. It does not ask for pieces of a "detail" file.

> /etc/raddb/sites-available/default

Have you tried using raddb/sites-available/inner-tunnel? It's documented as the "inner tunnel" configuration.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: modify realm in authenticate section
cd wrote:
> is it possible to modify realm like this ?

This is a solution, not a problem. Yes, it's possible to put that in the config files. But I have no idea why you would do that, or what it will do.

Please explain the problem you're trying to solve. That's usually a lot more productive.

Alan DeKok.
Re: Help getting rid "Info: WARNING: Child is hung for request" message
José Manuel wrote:
> I have upgraded recently one of my servers to 2.1.8 (RHEL 5), and am
> seeing thousands of messages like this in a day. It looks like the message
> was introduced with patch no. 139c45b4c51c945414b53ece36bbeb42edb1b2a7
> from November 29.

The message was *changed* in that commit:

http://github.com/alandekok/freeradius-server/commit/139c45b4c51c945414b53ece36bbeb42edb1b2a7

The message is generated when the child thread takes more than 5 minutes to process a request. This is generally considered bad.

> I'm wondering what parameters should I tune to make these messages
> disappear (and the possible underlying problem fixed, of course).

Find out which module is blocking. Edit the line to say:

...
        radlog(L_INFO, "WARNING: Child is hung for request %d in component %s module %s.",
               request->number, request->component, request->module);
...

and then re-compile && re-install.

Odds are you have a TCP issue between the RADIUS and LDAP servers. FreeRADIUS is calling the LDAP module, which tries to connect to LDAP over TCP. If the TCP connection is down (i.e. blocked by a firewall), then the OS doesn't know, and neither does the LDAP module.

Alan DeKok.
Re: rlm_caching with freeradius (2.1.7 or 2.1.8)
Max Mazur wrote:
> After module was compiled, it can not be loaded.

How did you compile it?

> Error: /etc/raddb/modules/caching[44]: Failed to link to module
> 'rlm_caching': file not found
> Error: /etc/raddb/sites-enabled/default[11]: Failed to find module
> "caching".
>
> But as far as I can see using strace, file really exists, and "not found
> error" is "fake" error.

It's a real error. It's just that it's not printing out a *useful* error.

The "file not found" on a library load means that either rlm_caching wasn't found (which it was), OR a library needed by rlm_caching wasn't found.

So... rlm_caching needs a library that your dynamic linker can't find. Where is it?

Alan DeKok.
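A quick way to answer "where is it?" for the case above, added here as an example (not from the thread or the FreeRADIUS project): run ldd on the module's .so and pick out every dependency reported as "not found", which is what makes dlopen() fail with "file not found" even though the module file itself exists. The module path is the one from the strace output; the sample ldd lines used for checking are constructed.

```shell
#!/bin/sh
# Report which shared-library dependencies of a FreeRADIUS module the dynamic
# linker cannot resolve. Constructed example; module and library names assumed.

# Read ldd output on stdin and print the name of every "not found" dependency.
missing_deps() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd against a module file. Returns 0 when every dependency resolves,
# 1 when at least one is missing, 2 when the module file is not readable.
check_module() {
    mod="$1"
    [ -r "$mod" ] || { echo "no such module: $mod" >&2; return 2; }
    miss=$(ldd "$mod" | missing_deps)
    if [ -n "$miss" ]; then
        # These are the libraries to install or to add to the linker path
        # (ld.so.conf / LD_LIBRARY_PATH) before rlm_caching can be loaded.
        printf 'missing for %s:\n%s\n' "$mod" "$miss"
        return 1
    fi
    return 0
}

# Usage by hand, e.g.: ./check-module.sh /usr/lib/freeradius/rlm_caching.so
if [ "$#" -gt 0 ]; then
    check_module "$1"
fi
```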
Re: Radius Proxy Accounting
Jeremy Brown wrote:
> I'm trying to setup a FreeRadius server to act as a proxy for another
> DNS server, and this seems straightforward enough from the
> documentation, however I also want the FreeRadius proxy to send
> accounting information to another Radius server.

That's not very clear. You want to send accounting data to *two* destinations?

If so, see:

raddb/sites-available/copy-acct-to-home-server

Configure one (or more) of them.

Alan DeKok.
Re: Proxy on Fail.. Or intelligent proxy...Or Utilize multiple account directories
Larry Ross wrote:
> I am looking at configuring FR to Auth accounts across multiple account
> directories. Basically I would like FR to take in PAP queries, attempt
> Auth against krb, then if that comes back as a fail, try a secondary
> Radius server (Eduroam...) or module (Shibboleth).

That's hard.

> We are looking at this as we foresee collisions occurring between
> accounts residing within other universities and our local guest accounts
> (which use email address as the principal).

The simple answer is "don't have colliding usernames". Use email addresses for logins, *especially* for roaming users from other universities. Having colliding usernames is very bad for a number of reasons.

Alan DeKok.
Re: FreeRadius 2.1.8 works fine in DEBUG mode
Amal Janardhanan wrote:
> But in normal mode, I am getting the following error.
>
> Mon Feb 8 17:29:20 2010 : Info: Ready to process requests.
> Mon Feb 8 17:29:59 2010 : Error: WARNING: Unresponsive child for
> request 0, in module python component authorize
> Mon Feb 8 17:30:00 2010 : Info: WARNING: Child is hung for request 0.

Your python script is hanging.

You can run daemon mode PLUS debugging. See "man radiusd":

radiusd -fxx -l stdout

Alan DeKok.
FreeRadius 2.1.8 works fine in DEBUG mode
Hi,

I am using freeradius version 2.1.8. All the installation and everything went fine. Freeradius is able to accept and process the request in DEBUG mode. But in normal mode, I am getting the following error.

Mon Feb 8 17:29:20 2010 : Info: Ready to process requests.
Mon Feb 8 17:29:59 2010 : Error: WARNING: Unresponsive child for request 0, in module python component authorize
Mon Feb 8 17:30:00 2010 : Info: WARNING: Child is hung for request 0.
Mon Feb 8 17:30:00 2010 : Info: WARNING: Child is hung for request 0.
Mon Feb 8 17:30:01 2010 : Info: WARNING: Child is hung for request 0.
Mon Feb 8 17:30:01 2010 : Info: WARNING: Child is hung for request 0.
Mon Feb 8 17:30:03 2010 : Info: WARNING: Child is hung for request 0.

Please let me know how I can solve this ?

Thanks
Amal
Re: Radius + PostgreSQL + MD5 Passwords
On 9 February 2010 01:54, John Dennis wrote:
> On 02/08/2010 01:58 AM, Alan DeKok wrote:
>> Phillip Smith wrote:
>>> I forgot to mention in my first post that this is
>>> freeradius-1.1.3-1.5.el5_4 on CentOS 5.4. Do I need 2.1.8 for this MD5
>>> stuff to work?
>>
>> Yes.
>>
>>> I'd prefer to be able to use the distro's packages, but
>>> if I have to compile it to make it work then I don't really have a
>>> choice ;-)
>>
>> See http://freeradius.org/download.html
>
> Current 2.1.8 builds for RHEL5/CentOS are available here:
>
> http://wiki.freeradius.org/Red_Hat_FAQ

Well would you look at that... With the correct version, everything "just works" like it's supposed to... Can't believe I wasted a whole day because of such a stupid mistake!!

Thanks again guys! :D
Proxy on Fail.. Or intelligent proxy...Or Utilize multiple account directories
Good afternoon all;

I am looking at configuring FR to Auth accounts across multiple account directories. Basically I would like FR to take in PAP queries, attempt Auth against krb, then if that comes back as a fail, try a secondary Radius server (Eduroam...) or module (Shibboleth).

We are looking at this as we foresee collisions occurring between accounts residing within other universities and our local guest accounts (which use email address as the principal).

Any ideas where and with what I should start testing with (as in create virtual servers and pass a single success and fail on multi fail..)

Thank you
Larry
inner vs outer User-Name
Is there any way to authorize a user using the inner-tunnel User-Name and not the outer?

I get an outer User-Name of anonymous and a reject when searching for authorized users in an ldap group. If they convolute the configuration for the device with an outer User-Name of a person in the ldap group, it authorizes them, and they can authenticate using Kerberos.

Mon Feb 8 12:53:21 2010
        Packet-Type = Access-Request
        User-Name = "anonymous"
        ...

Mon Feb 8 12:53:21 2010
        Packet-Type = Access-Accept
        Reply-Message = "case WAREHOUSE"
        Reply-Message = "not authorized for mygroup"
        Message-Authenticator = 0x
        User-Name = "duser"
        ...

Mon Feb 8 14:08:11 2010
        Packet-Type = Access-Request
        User-Name = "duser"
        ...

Mon Feb 8 14:08:11 2010
        Packet-Type = Access-Accept
        Reply-Message = "case WAREHOUSE"
        Reply-Message = "Warehouse mygroup"
        Message-Authenticator = 0x
        User-Name = "duser"

/etc/raddb/sites-available/default
...
        case "WAREHOUSE" {
                update reply {
                        reply-message += "case WAREHOUSE"
                }
                #EMPLOYEE {
                #       need to use the inner-tunnel User-Name
                #}
                if ( EMPLOYEE-Ldap-Group == "mygroup" ) {
                        update reply {
                                reply-message += "Warehouse mygroup"
                        }
                }
                else {
                        update reply {
                                reply-message += "not authorized for mygroup"
                        }
                        #update config {
                        #       Auth-Type := Reject
                        #}
                }
        }
Re: NAS Client Behind a NAT Router
Disconnect request uses UDP port 3799 or 1700, maybe you mapped all the ports of Public IP interface to Radius server.

On Mon, Feb 8, 2010 at 6:03 PM, Fahd Kasri wrote:
> No need for it to be mapped to the client? I'm asking because I'm not sure
> how the mechanism works.
>
> Thank you very much for the info.
>
> 2010/2/8 Rahul Panwar
>
>> If you are using Disconnect request you can map its port also to the
>> server.
>>
>> On Mon, Feb 8, 2010 at 4:32 AM, Fahd Kasri wrote:
>>
>>> How about for disconnecting users?
>>>
>>> http://wiki.freeradius.org/index.php/Packet_of_Disconnect
>>>
>>> 2010/2/6 Rahul Panwar
>>>
>>>> Map udp port 1812 for authentication & 1813 for accounting with Radius
>>>> server. No need to redirect any port to the client only map (redirect)
>>>> the ports to server. Client always request to server.
>>>>
>>>> On Sun, Feb 7, 2010 at 12:39 AM, Fahd Kasri wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Suppose I have a client that's behind a NAT router and uses a
>>>>> Freeradius server that's on another network. What ports (if any)
>>>>> should be redirected to the client in order to have full
>>>>> functionality?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Fahd
>>>
>>> --
>>> Fahd Kasri
>>> Directeur Technique
>>> Weblib
>>> http://www.weblib.eu
>
> --
> Fahd Kasri
> Directeur Technique
> Weblib
> http://www.weblib.eu
Re: Radius + PostgreSQL + MD5 Passwords
On 02/08/2010 01:58 AM, Alan DeKok wrote:
> Phillip Smith wrote:
>> I forgot to mention in my first post that this is
>> freeradius-1.1.3-1.5.el5_4 on CentOS 5.4. Do I need 2.1.8 for this MD5
>> stuff to work?
>
> Yes.
>
>> I'd prefer to be able to use the distro's packages, but
>> if I have to compile it to make it work then I don't really have a
>> choice ;-)
>
> See http://freeradius.org/download.html

Current 2.1.8 builds for RHEL5/CentOS are available here:

http://wiki.freeradius.org/Red_Hat_FAQ

--
John Dennis
Re: NAS Client Behind a NAT Router
No need for it to be mapped to the client? I'm asking because I'm not sure how the mechanism works.

Thank you very much for the info.

2010/2/8 Rahul Panwar
> If you are using Disconnect request you can map its port also to the
> server.
>
> On Mon, Feb 8, 2010 at 4:32 AM, Fahd Kasri wrote:
>
>> How about for disconnecting users?
>>
>> http://wiki.freeradius.org/index.php/Packet_of_Disconnect
>>
>> 2010/2/6 Rahul Panwar
>>
>>> Map udp port 1812 for authentication & 1813 for accounting with Radius
>>> server. No need to redirect any port to the client only map (redirect) the
>>> ports to server. Client always request to server.
>>>
>>> On Sun, Feb 7, 2010 at 12:39 AM, Fahd Kasri wrote:
>>>
>>>> Hi,
>>>>
>>>> Suppose I have a client that's behind a NAT router and uses a Freeradius
>>>> server that's on another network. What ports (if any) should be
>>>> redirected to the client in order to have full functionality?
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>> Fahd
>>
>> --
>> Fahd Kasri
>> Directeur Technique
>> Weblib
>> http://www.weblib.eu

--
Fahd Kasri
Directeur Technique
Weblib
http://www.weblib.eu
Re: Run user defined scripts on client connect and disconnect
If I am understanding your needs, this script does NOT perform user authentication. In that case, I THINK you want to trigger based upon accounting records being sent to radius. To do this, you need to use the ../etc/raddb/acct_users file.

Here is an example that we have been using for a session ending...

DEFAULT Acct-Status-Type == Stop
        Exec-Program-Wait = "%{exec:/usr/local/sbin/acctstop.sh}",
        Fall-Through = no

From memory, I believe the counterpart to this is the "Acct-Status-Type == Start" (verify that). Ensure your script provides a return code of 0. I THINK they matter...

Good Luck!

-craig

----- Original Message -----
From: "Josh Willmarth"
To: "FreeRadius users mailing list"
Sent: Sunday, February 07, 2010 2:44 AM
Subject: Re: Run user defined scripts on client connect and disconnect

Hello,

I looked at the included modules and read a lot of documentation, but I seem to be missing the general concept. Could someone please give me a detailed run down of which files to edit (and what to edit) in order to execute a shell script during accounting and post-auth? This would be greatly appreciated.

Thank you,
Josh Willmarth

On Thu, Feb 4, 2010 at 11:34 PM, Alan DeKok wrote:
> Josh Willmarth wrote:
>> I have a radius server setup with version 2.1.8. Is there a way that I can
>> have custom scripts run each time a user successfully connects to and
>> disconnects from my radius server? If so, what environment variables can
>> be passed to these scripts? Sorry if I missed this in the documentation,
>> but I was unable to find the exact answer I am looking for.
>
> See raddb/modules/exec
>
> Alan DeKok.
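A connect/disconnect hook in the shape this thread describes (acct_users entries firing one script through Exec-Program-Wait), written here as an added example rather than craig's script or anything shipped with FreeRADIUS. It assumes rlm_exec's documented convention that request attributes reach the script as environment variables with names uppercased and '-' replaced by '_' (USER_NAME, ACCT_STATUS_TYPE, ...); the script path, log path and sample values are assumptions.

```shell
#!/bin/sh
# Accounting hook for FreeRADIUS 2.x, invoked via rlm_exec from acct_users.
# Constructed example, not from the thread. Assumed acct_users entries:
#
#   DEFAULT Acct-Status-Type == Start
#           Exec-Program-Wait = "/usr/local/sbin/acct-hook.sh",
#           Fall-Through = no
#   DEFAULT Acct-Status-Type == Stop
#           Exec-Program-Wait = "/usr/local/sbin/acct-hook.sh",
#           Fall-Through = no
#
# Assumption: rlm_exec exports request attributes as environment variables,
# uppercased with '-' turned into '_' (User-Name -> USER_NAME, etc.).

LOGFILE="${ACCT_HOOK_LOG:-/var/log/radius/acct-hook.log}"

# Build one audit record from the exported attributes. Prints the record and
# returns 0 for Start/Stop; returns 1 for any other Acct-Status-Type.
acct_record() {
    status="${ACCT_STATUS_TYPE:-}"
    user="${USER_NAME:-unknown}"
    sess="${ACCT_SESSION_ID:-none}"
    ip="${FRAMED_IP_ADDRESS:-0.0.0.0}"
    case "$status" in
        Start)
            printf 'CONNECT user=%s session=%s ip=%s\n' "$user" "$sess" "$ip"
            ;;
        Stop)
            # Session-Time, octet counters and terminate cause exist only on Stop.
            printf 'DISCONNECT user=%s session=%s ip=%s secs=%s in=%s out=%s cause=%s\n' \
                "$user" "$sess" "$ip" "${ACCT_SESSION_TIME:-0}" \
                "${ACCT_INPUT_OCTETS:-0}" "${ACCT_OUTPUT_OCTETS:-0}" \
                "${ACCT_TERMINATE_CAUSE:-unknown}"
            ;;
        *)
            return 1
            ;;
    esac
}

# Entry point used by the server: append the record and always exit 0, so a
# status we do not handle (Interim-Update, Accounting-On/Off) is ignored
# rather than reported back to rlm_exec as a failure.
run_hook() {
    rec=$(acct_record) || return 0
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rec" >> "$LOGFILE"
    return 0
}

# Only act when invoked by the server (an Acct-Status-Type is present).
if [ -n "${ACCT_STATUS_TYPE:-}" ]; then
    run_hook
fi
```

The script must be executable by the user radiusd runs as, and the log directory writable by it; a second copy of the DEFAULT entry rather than a shared one is needed if Start and Stop should run different scripts.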
Radius Proxy Accounting
Hi Everyone,

I'm trying to setup a FreeRadius server to act as a proxy for another DNS server, and this seems straightforward enough from the documentation, however I also want the FreeRadius proxy to send accounting information to another Radius server. I haven't seen any documentation on how to do this and I'm sure there is a simple way to configure this. Any help or pointers to some documentation would be much appreciated.

Best Regards,
Jeremy
Re: NAS Client Behind a NAT Router
If you are using Disconnect request you can map its port also to the server.

On Mon, Feb 8, 2010 at 4:32 AM, Fahd Kasri wrote:
> How about for disconnecting users?
>
> http://wiki.freeradius.org/index.php/Packet_of_Disconnect
>
> 2010/2/6 Rahul Panwar
>
>> Map udp port 1812 for authentication & 1813 for accounting with Radius
>> server. No need to redirect any port to the client only map (redirect) the
>> ports to server. Client always request to server.
>>
>> On Sun, Feb 7, 2010 at 12:39 AM, Fahd Kasri wrote:
>>
>>> Hi,
>>>
>>> Suppose I have a client that's behind a NAT router and uses a Freeradius
>>> server that's on another network. What ports (if any) should be redirected
>>> to the client in order to have full functionality?
>>>
>>> Thanks.
>>>
>>> --
>>> Fahd
>
> --
> Fahd Kasri
> Directeur Technique
> Weblib
> http://www.weblib.eu
Re: Upgrading from 2.0.5 to 2.1.8
Henry C. wrote:
> I'd like to upgrade an existing setup from version 2.0.5 to 2.1.8.
>
> Are there any gotchas/config changes/problems that I need to be aware of?
>
> For example, will the existing config files be OK, or will they require
> tweaks 'n things?

They should mostly be OK. There are some changes, but they are minor compared to the difference between 1.x and 2.x

Alan DeKok.
Upgrading from 2.0.5 to 2.1.8
Greetings,

I'd like to upgrade an existing setup from version 2.0.5 to 2.1.8.

Are there any gotchas/config changes/problems that I need to be aware of?

For example, will the existing config files be OK, or will they require tweaks 'n things?

Any comments are appreciated.

Thanks
Henry
modify realm in authenticate section
hi

is it possible to modify realm like this ? and then use the realm in users file ..see below

Auth-Type ldap {
        group {
                ldap_admin {
                        reject = 1
                        ok = return
                }
                if (ok) {
                        update reply {
                                Realm := "admin"
                        }
                }
                ldap_peda {
                        reject = 1
                        ok = return
                }
                if (ok) {
                        update reply {
                                Realm := "pedago"
                        }
                }
        }
}

users file

DEFAULT Realm == "pedago"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 20,
        Reply-Message = "ok_hostpeda"

DEFAULT Realm == "admin"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 10,
        Reply-Message = "ok_hostadmin"
Help getting rid "Info: WARNING: Child is hung for request" message
Hi,

I have upgraded recently one of my servers to 2.1.8 (RHEL 5), and am seeing thousands of messages like this in a day. It looks like the message was introduced with patch no. 139c45b4c51c945414b53ece36bbeb42edb1b2a7 from November 29.

I'm wondering what parameters should I tune to make these messages disappear (and the possible underlying problem fixed, of course). The auth backend is an openldap directory, but I have disregarded any timeout issues by running the server in debug mode.

Here are some of the values I guess could be related with the cause of these messages:

---
- radiusd.conf:

        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024

        thread pool {
                start_servers = 5
                max_servers = 32
                min_spare_servers = 3
                max_spare_servers = 10
                max_requests_per_server = 0
        }

- proxy.conf

        proxy server {
                retry_delay = 5
        }

        home_server localhost {
                type = auth
                ipaddr = 127.0.0.1
                port = 11812
                secret = X
                response_window = 20
                zombie_period = 40
                revive_interval = 120
                status_check = status-server
                check_interval = 30
                num_answers_to_alive = 3
        }
---

I'd appreciate some light on this issue. Except for the message, the server is behaving correctly.

thanks in advance,
jose manuel.
Re: Too many closing braces / Errors reading
Teguh Kurniawan wrote:
> I changed it to the default and made some changes. But I've got another
> error message below :
>
> /usr/local/etc/raddb/sites-enabled/default[159]: Failed to find module "sql".
> /usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing
> authorize section.
>
> what should I do ?

Configure the "sql" module. See sql.conf.

Alan DeKok.
Re: Radius + PostgreSQL + MD5 Passwords
On 8 February 2010 17:58, Alan DeKok wrote:
> Phillip Smith wrote:
>> I forgot to mention in my first post that this is
>> freeradius-1.1.3-1.5.el5_4 on CentOS 5.4. Do I need 2.1.8 for this MD5
>> stuff to work?
>
> Yes.

Doh! Sorry to bother you with this waste of time then... I'll upgrade. Thanks for being patient with me :)
Re: Too many closing braces / Errors reading
> You edited the configuration files, and broke them.
>
> Go back to the default configuration, and make *small* edits.
>
> Alan DeKok.

I changed it to the default and made some changes. But I've got another error message below :

/usr/local/etc/raddb/sites-enabled/default[159]: Failed to find module "sql".
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

what should I do ?

Thank you,
Teguh
rlm_caching with freeradius (2.1.7 or 2.1.8)
Hi!

I have some strange problems with freeradius (2.1.7 or 2.1.8) and rlm_caching. After module was compiled, it can not be loaded.

Error: /etc/raddb/modules/caching[44]: Failed to link to module 'rlm_caching': file not found
Error: /etc/raddb/sites-enabled/default[11]: Failed to find module "caching".

But as far as I can see using strace, file really exists, and "not found error" is "fake" error.

# strace radiusd -XXX 2>&1 | grep rlm_cach
open("/usr/lib/freeradius/rlm_caching.la", O_RDONLY) = 3
read(3, "# rlm_caching.la - a libtool lib"..., 4096) = 1006
open("/usr/lib/freeradius/rlm_caching-2.1.7.so", O_RDONLY) = 3
open("/usr/lib/freeradius/rlm_caching-2.1.7.so", O_RDONLY) = 3
access("/usr/lib/freeradius/rlm_caching.so", R_OK) = 0
open("/usr/lib/freeradius/rlm_caching.so", O_RDONLY) = 3
write(1, "Mon Feb 8 09:46:27 2010 : Error"..., 122Mon Feb 8 09:46:27 2010 : Error: /etc/raddb/modules/caching[44]: Failed to link to module 'rlm_caching': file not found

(it's possibly a bug in the error message, as I can understand)

All other modules load normally.

Any ideas what I have to check?

Best regards,
Max Mazur