Re: FR 2.1.9 Compiling error

2010-06-10 Thread Alan DeKok
RaidenII wrote:
 /home/tony/freeradius-server-2.1.9/src/lib/.libs/libfreeradius-radius.so
 -lnsl -lresolv -lpthread -lcrypt /usr/lib/libltdl.so -lssl -lcrypto -ldl
 .libs/modules.o: In function `setup_modules':
 /home/tony/freeradius-server-2.1.9/src/main/modules.c:1358: undefined
 reference to `lt__PROGRAM__LTX_preloaded_symbols'
..
 Added -DIE_LIBTOOL_DIE to CFLAGS, still has this error.

  Hmm... try:

$ ./configure --enable-ltdl-install

  That may help.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius MYSQL tables

2010-06-10 Thread Alan DeKok
Natr Brazell wrote:
 I've set up FR2 to log acct data to mysql and that appears to be
 working.  I'm curious about how to enable the logging of specific
 attributes that are being sent by the NAS.  Specifically:

  Edit the schema & queries.

 As you can see in the Accounting-Request packet above There is a
 NAS-Identifier and a Juniper-Interactive-Command entry.  Those
 attributes are not being logged (nor do I think I'd want them) in my
 radacct file.   Is there a way to have radius automatically populate an
 accountingactivity table (history file if you will)?

  Sure.  Edit the configuration to make it do that.  The queries are in
a configuration file for a reason: they can be edited.

 Or is there a
 manual way say in postauth to send those attributes to a mysql table
 via  script when an Accounting-Request packet is received. 

  postauth is not used for Accounting-Request packets.

  Alan DeKok.


Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-10 Thread Ana Gallardo
   Which doesn't match the error message you showed above.  There is *no*
 ATTRIBUTE line having an option.


I'm sorry, I paste my actual dictionary...


$ cat /usr/share/freeradius/dictionary.rinuex

# -*- text -*-
#
# dictionary.rinuex
#
#
#   May 2010
#   Marco Jaraíz mjar...@unex.es
#   Ana Gallardo aigalla...@unex.es
#

VENDOR          Rinuex          35782

BEGIN-VENDOR    Rinuex

# Code indicating the cause of the Access-Reject
ATTRIBUTE       Codigo-Reject   8       integer Rinuex

VALUE   Codigo-Reject   Credenciales-Erroneas   3
VALUE   Codigo-Reject   Cuenta-Bloqueada-Intentos-Reject        4
VALUE   Codigo-Reject   Imposible-Contactar-Backend     5
VALUE   Codigo-Reject   Error-Dominio   6
VALUE   Codigo-Reject   Cuenta-Expirada 7
VALUE   Codigo-Reject   Cuenta-Inactiva 8
VALUE   Codigo-Reject   Radius-OK       9

END-VENDOR      Rinuex



  Please be *consistent*.


OK, sorry and thanks for your time.

Ana


 Ana Gallardo Gómez


Conditions for executing module

2010-06-10 Thread Mindaugas Riauba
  Hello,

  FR 2.1.9 and novice in FR module programming. :)

  How to define some conditions in users/acct_users file when to use
our module? It is quite heavy and we'd like to avoid its execution in
as many cases as possible.

  I tried such configuration in users. Idea comes from
http://freeradius.org/radiusd/doc/Autz-Type
DEFAULT Auth-Type := Ourclient, Calling-Station-Id == 333
DEFAULT Auth-Type := Accept
  And adding this to sites-enabled/default:
Auth-Type Ourclient {
    ourclient
}

  But rlm_files complains about unknown value for Auth-Type. Should I
just define this new Auth-Type in dictionary (then which range of
values is for local use?) or is there a more elegant solution?

  Regards,

  Mindaugas


Question about configurable module fail-over

2010-06-10 Thread Ana Gallardo
Hello,

I have Freeradius 2.1.8.

I want to return an error code if my freeradius can't contact with the
backend.

Here is my authorize section:

authorize {
 . . .
 switch %{Realm} {
  case 'temp.unex.es' {
   sql {
    fail = 1
   }
   if (!fail && (%D  %{control:Expiration-Init})) {
    update reply {
     Codigo-Reject := Cuenta-Inactiva
    }
    reject
   }
  }
  case 'unex.es' {
   ldap {
    fail = 1
   }
  }
  case {
   update reply {
    Codigo-Reject := Error-Dominio
   }
   reject
  }
 }

 if (fail) {
  update reply {
   Codigo-Reject := Imposible-Contactar-Backend
  }
  reject
 }

 expiration {
  userlock = 1
 }
 if (userlock) {
  update reply {
   Codigo-Reject := Cuenta-Expirada
  }
 }
 pap
}


My problem is  when Freeradius can't contact ldap. Here is my debug info:

rad_recv: Access-Request packet from host X.X.X.X port 48454, id=116,
length=56
User-Name = usua...@unex.es
User-Password = 1631
server rinuex {
. . .
++- entering switch %{Realm} {...}
+++- entering case unex.es {...}
[ldap] performing user authorization for usuario
[ldap] expand: %{Stripped-User-Name} -> usuario
[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(cn=usuario)
[ldap] expand: ou=saser,dc=unex,dc=es -> ou=saser,dc=unex,dc=es
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to X.X.X.X, authentication 0
  [ldap] bind as cn=...
  [ldap] waiting for bind result ...
  [ldap] LDAP login failed: check identity, password settings in ldap
section of radiusd.conf
  [ldap] (re)connection attempt failed
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
[ldap] returns fail
+++- case unex.es returns fail
++- switch %{Realm} returns fail
} # server rinuex
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[reply] returns noop
++? if (%{reply:Codigo-Reject})
expand: %{reply:Codigo-Reject} -> Credenciales-Erroneas
? Evaluating (%{reply:Codigo-Reject}) -> TRUE
++? if (%{reply:Codigo-Reject}) -> TRUE
++- entering if (%{reply:Codigo-Reject}) {...}
+++- if (%{reply:Codigo-Reject}) returns noop
++- group REJECT returns noop
[sql] expand: %{Stripped-User-Name} -> usuario
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
usuario
[sql] sql_set_user escaped user -- 'usuario'
[sql] expand: INSERT INTO radpostauth
(username, mac, client, reply, authdate,codreject)
VALUES (   '%{User-Name}',
LOWER('%{Calling-Station-Id}'),
'%C',   '%{reply:Packet-Type}', NOW(),
'%{reply:Codigo-Reject}') -> INSERT INTO
radpostauth   (username, mac, client, reply,
authdate,codreject)   VALUES
(   'usua...@unex.es',   LOWER(''),
  'CAU2',   'Access-Reject', NOW(),
'Credenciales-Erroneas')
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth   (username, mac, client, reply,
authdate,codreject)   VALUES
(   'usuario
@unex.es',   LOWER(''),   'CAU2',
'Access-Reject', NOW(),   'Credenciales-Erroneas')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.access_reject] expand: %{User-Name} -> usua...@unex.es
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 116 to X.X.X.X port 48454
Codigo-Reject = Credenciales-Erroneas

I need help. Thank you and sorry for my English.



-- 


 Ana Gallardo Gómez


Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-10 Thread Alan DeKok
Ana Gallardo wrote:
 I'm sorry, I paste my actual dictionary...
 
 
 $ cat /usr/share/freeradius/dictionary.rinuex
...
 BEGIN-VENDOR    Rinuex

  Which says all of the following attributes are for this vendor

 # Code indicating the cause of the Access-Reject
 ATTRIBUTE       Codigo-Reject   8       integer Rinuex

  Which *duplicates* the vendor name.  Do one of the following:

a) delete the vendor name from the ATTRIBUTE line

b) delete the BEGIN/END-VENDOR lines

  Alan DeKok.
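
A small checker for the mistake described above, added here as an example (not part of FreeRADIUS or of the original posts): it flags an ATTRIBUTE line that repeats the vendor name while a BEGIN-VENDOR block is open, and applies either of the two suggested fixes. The sample text is constructed from the dictionary quoted in this thread, and the field layout it parses is a simplified assumption about the dictionary format.

```python
# Constructed sample: the layout posted in this thread, vendor named twice.
SAMPLE = """\
VENDOR          Rinuex          35782

BEGIN-VENDOR    Rinuex
ATTRIBUTE       Codigo-Reject   8       integer Rinuex
VALUE           Codigo-Reject   Credenciales-Erroneas   3
END-VENDOR      Rinuex
"""


def lint_dictionary(text):
    """Return (line_number, message) pairs for vendor-scoping problems."""
    findings = []
    vendors = set()        # names declared by VENDOR lines seen so far
    open_vendor = None     # vendor of the currently open BEGIN-VENDOR block
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR" and len(fields) >= 3:
            vendors.add(fields[1])
        elif keyword == "BEGIN-VENDOR" and len(fields) >= 2:
            if fields[1] not in vendors:
                findings.append((lineno, "BEGIN-VENDOR names undeclared vendor %s" % fields[1]))
            open_vendor = fields[1]
        elif keyword == "END-VENDOR":
            if open_vendor is None:
                findings.append((lineno, "END-VENDOR without BEGIN-VENDOR"))
            open_vendor = None
        elif keyword == "ATTRIBUTE" and len(fields) >= 5:
            # Inside a vendor block the vendor is implied; a fifth field that
            # names a vendor duplicates it.
            if open_vendor is not None and fields[4] in vendors:
                findings.append((lineno, "vendor %s repeated inside BEGIN-VENDOR %s"
                                 % (fields[4], open_vendor)))
    if open_vendor is not None:
        findings.append((len(lines), "BEGIN-VENDOR %s never closed" % open_vendor))
    return findings


def fix_drop_vendor_field(text):
    """Option (a): delete the vendor name from each flagged ATTRIBUTE line.
    Assumes the flagged line has no trailing comment."""
    bad = {n for n, msg in lint_dictionary(text) if "repeated" in msg}
    out = [raw.rsplit(None, 1)[0] if n in bad else raw
           for n, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(out) + "\n"


def fix_drop_vendor_block(text):
    """Option (b): delete the BEGIN-VENDOR / END-VENDOR lines."""
    out = []
    for raw in text.splitlines():
        first = raw.split()[:1]
        if first and first[0].upper() in ("BEGIN-VENDOR", "END-VENDOR"):
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, message in lint_dictionary(SAMPLE):
        print("line %d: %s" % (lineno, message))
```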


Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8

2010-06-10 Thread Alan DeKok
James J J Hooper wrote:

 OK - GDB log attached. This is from git branch v2.1.x, up to and
 including 0e9ae1698ba55b16b149 (Cleaned up debug output to be readable -
 about 7 hours ago), but with c703fd595cb86f51e309 (Install cryptpasswd
 as radcrypt) reverted as it wouldn't 'make install' with this [see
 note below].

  OK.  I fixed both problems.  Thanks for tracking it down, it made the
fix much simpler.

  Do a 'git pull' for the v2.1.x branch, and re-build.  It should now be OK.

  Alan DeKok.


Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8

2010-06-10 Thread Alan DeKok
Josip Rodin wrote:
 That code has indeed changed from 2.1.8 to 2.1.9, and it may be a simple bug
 - there is no existence check for request-packet before its dereference in
 the new CoA-related condition. There is an existence check for it below,
 but by then it's too late. It looks like that branching could do with some
 more reordering.

  Yes.  The code to fix a CoA bug caused another one.  <sigh>

  The server is quickly getting to the point where it's doing so much
that any small change can have large implications.

  The solution is to start re-organizing the code in the server core,
and simplifying it.  When 2.0 came out, the code was much simpler than
1.x for the same functionality.  Three years later, added functionality
makes the code more complicated again.

  Alan DeKok.


Re: Question about configurable module fail-over

2010-06-10 Thread Alan DeKok
Ana Gallardo wrote:
 I want to return an error code if my freeradius can't contact with the
 backend.
 
 Here is my authorize section:
 
 authorize {
  . . .
  switch %{Realm} {
...
  }
 
  if (fail) {

  That won't work, unfortunately.  The return codes of *modules* can be
over-written.  The return code of a switch statement cannot be.

  This issue is largely due to the fact that the configuration files
have had functionality piled on top of old code.  We want to be
backwards compatible, so breaking existing systems isn't an option.  But
this limits the capabilities of the new functions.

  In short: re-write the rules so that you don't use switch.

  Alan DeKok.


Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-10 Thread Ana Gallardo
  $ cat /usr/share/freeradius/dictionary.rinuex
 ...
  BEGIN-VENDOR    Rinuex

  Which says all of the following attributes are for this vendor


OK



  # Code indicating the cause of the Access-Reject
  ATTRIBUTE       Codigo-Reject   8       integer Rinuex

   Which *duplicates* the vendor name.  Do one of the following:

 a) delete the vendor name from the ATTRIBUTE line

 b) delete the BEGIN/END-VENDOR lines


I choose to delete the BEGIN/END-VENDOR lines for compatibility with
Authen::Radius perl package.

Thank you very much. Everything it's ok now.

-- 


 Ana Gallardo Gómez


Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8

2010-06-10 Thread James J J Hooper



--On Thursday, June 10, 2010 10:10:05 +0200 Alan DeKok 
al...@deployingradius.com wrote:



James J J Hooper wrote:


OK - GDB log attached. This is from git branch v2.1.x, up to and
including 0e9ae1698ba55b16b149 (Cleaned up debug output to be readable -
about 7 hours ago), but with c703fd595cb86f51e309 (Install cryptpasswd
as radcrypt) reverted as it wouldn't 'make install' with this [see
note below].


  OK.  I fixed both problems.  Thanks for tracking it down, it made the
fix much simpler.

  Do a 'git pull' for the v2.1.x branch, and re-build.  It should now be
OK.


Hi Alan,
 Thanks for the swift fix - It's much happier now.

-James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--




VLAN info disappears

2010-06-10 Thread Andras Dosztal

Dear FR users,

I've configured FR2 (2.1.8) to authenticate users from the users file, and  
I ran into a strange problem. In the first case, I've configured it to  
direct a user to VLAN 129:


user1   Cleartext-Password := Default1234
        Tunnel-type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 129,
        Termination-Action = RADIUS-Request

User authentication works fine, but the user isn't directed to the correct  
VLAN, the switch port remains at its default VLAN. Debug log:  
http://pastebin.ca/1880327



In the second case, I've turned off 802.1X on the client, then I've set
its MAC address in the users file (of course, mab is enabled on my Cisco
switch):


000bcd0a   Cleartext-Password := 000bcd0a
        Tunnel-type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 129,
        Termination-Action = RADIUS-Request

Authentication works, the PC is directed to its VLAN.


What did I do wrong? Can you help me solve this issue? Thanks in advance.

Regards,
Andras


Re: Mikrotik Dissconect

2010-06-10 Thread f0rud
Hi all

I found that the calc_replydigest function in radius.c always returns 2
(digest_cmp failed). Since this function is new in the code, it is the
problem and the difference from version 1.x.

To fix my problem, I just bypass this test for PW_DISCONNECT_ACK
(not a good idea, I know, but what else can I do?) and now it's fine for my
problem.

I see that for other messages (for example PW_AUTHENTICATION_REQUEST)
you just ignore the code, so why must this one (PW_DISCONNECT_ACK) be
checked? If someone wants to do a timing attack then they can use this
message (PW_AUTHENTICATION_REQUEST), so checking just some messages is
not safe.




Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8

2010-06-10 Thread Josip Rodin
On Thu, Jun 10, 2010 at 10:12:13AM +0200, Alan DeKok wrote:
 Josip Rodin wrote:
  That code has indeed changed from 2.1.8 to 2.1.9, and it may be a simple bug
  - there is no existence check for request-packet before its dereference in
  the new CoA-related condition. There is an existence check for it below,
  but by then it's too late. It looks like that branching could do with some
  more reordering.
 
   Yes.  The code to fix a CoA bug caused another one.  <sigh>
 
   The server is quickly getting to the point where it's doing so much
 that any small change can have large implications.
 
   The solution is to start re-organizing the code in the server core,
 and simplifying it.  When 2.0 came out, the code was much simpler than
 1.x for the same functionality.  Three years later, added functionality
 makes the code more complicated again.

The Change of Authorization code hasn't really found its place, it looks
a bit like a hack. Maybe it's the WITH_COA defines that make it look so.
But more generally, after reading through the proxy code, I see it as a
something of an unadjusted citizen :) yet CoA builds upon it and just ends
up creating a bigger mess.

The server started as a simple server that just responded to outside clients,
whereas these two functions really want it to behave more like a client.
I know that's a big readjustment :)

-- 
 2. That which causes joy or happiness.


Custom dns servers.

2010-06-10 Thread Nadir Aliyev
Hello,

 

I want to set DNS servers from the freeradius server for some user groups
(for users with the guest ACL I want to set a custom DNS, for redirecting
all queries to one server).

How can I realize this? Is it possible to set the DNS server for a
virtual-template from freeradius?

I use a Cisco NAS.

 

Thanks to all.

 


Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Josip Rodin
On Wed, May 19, 2010 at 03:01:47PM +0200, Alan DeKok wrote:
 Fajar A. Nugraha wrote:
  The enthusiasm seems big enough. So how would this work?
 
   http://freeradius.org/doc/community.html

It doesn't seem to be particularly enthusiastic any more. But that's what
happens in the real world :) A non-trivial documentation format is
a stringent documentation format. And also obviously humans suck :)

In the meantime I've done some work fixing the Wiki. I invite everyone
watching to have a look, it's now... no longer stuck in 2007. :)

If you don't have an account or can't be bothered to edit, just shout
here...

-- 
 2. That which causes joy or happiness.


Re: github wiki

2010-06-10 Thread Josip Rodin
On Fri, May 28, 2010 at 10:32:23AM +0200, Alan DeKok wrote:
   2-3 years ago the Wiki started being over-whelmed with spammers.  The
 spam detection in MediaWiki didn't help, so the simplest solution was to
 make the Wiki request only for signups.

I think it might be useful if we had an automated method of requesting
an account. With a modern captcha system so that spambots don't inundate
the queue.

Fortunately it looks like something like that already exists nowadays:

http://www.mediawiki.org/wiki/Extension:ConfirmAccount

Can you add that please? It would probably help revive the wiki a bit.

-- 
 2. That which causes joy or happiness.


dynamic VLANs for many switches

2010-06-10 Thread PENZ Robert
Hi!

We have quite a big network and I want to assign VLANs dynamically based on
the MAC address; as backend I want to use a SQL database.  My problem now is
that the VLAN IDs on different access switch stacks (used Layer2 switches) are
different for the same network area, e.g. on switch1 vlan 123 is used for
printers and on switch2 vlan124 is used for printers. The reason for this is
that the Layer3 switch (which we use as a distribution switch of the building)
needs to be part of all VLANs and we can't use one VLAN for a building as the
subnet would get too big.  Another requirement is that a device can roam
between different access switches (=floors and buildings), so the VLAN the
switch port gets set to needs to be different, based on which switch is making
the request.

This problem is easily solvable if I can use VLAN names in 
Tunnel-Private-Group-ID tags, as I would set the name always e.g. to 
printervlan. But in RFC 3580 is written:

   Note that the VLANID is 12-bits, taking a value between 1 and 4094,
   inclusive.  Since the Tunnel-Private-Group-ID is of type String as
   defined in [RFC2868], for use with IEEE 802.1X, the VLANID integer
   value is encoded as a string.

So what is the recommended solution if I can use only the numerical IDs. Thx 
for your help!


Kind regards
Robert Penz


Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at




Re: Mikrotik Dissconect

2010-06-10 Thread Alan DeKok
f0rud wrote:
 I found the calc_replydigest function in radius.c always return 2
 (digest_cmp failed) Since this function is new in code , then its the
 problem and the diff. with version 1.x

  The digest_cmp is failing because the packet is wrong.

  Try the old code from an earlier version of radius.c.  It will *also*
fail to authenticate the packet.

 For fixing my problem, I just by pass this test for PW_DISCONNECT_ACK
 (not a good idea I know but what else I can do?) and now its fine for my
 problem.

  Or, you could ask the NAS vendor to implement RADIUS properly.

 I see the code for another messages (for ex: PW_AUTHENTICATION_REQUEST)
 you just ignore the code,

  Uh... no.  It does not do that.

 so why this one(PW_DISCONNECT_ACK) must be
 checked? if some one want to do timing attack then can use this
 message(PW_AUTHENTICATION_REQUEST) so by checking just some message its
 not safe.

  That is not true.

  Alan DeKok.


Re: VLAN info disappears

2010-06-10 Thread Alan DeKok
Andras Dosztal wrote:
 I've configured FR2 (2.1.8) to authenticate users from the users file,
 and I ran into a strange problem. In the first case, I've configured it
 to direct a user to VLAN 129:
..
 User authentication works fine, but the user isn't directed to the
 correct VLAN, the switch port remains at its default VLAN. Debug log:
 http://pastebin.ca/1880327

  There is nothing you can do to the RADIUS server to fix this.  Find
out why the NAS is ignoring the response of the server, and fix the NAS.

  Alan DeKok.




how to use radacct...

2010-06-10 Thread Arjun Prasad
Hi All,

Can anybody explain, with an example, how to use the radacct command?

I compiled the freeradius-client code and got the radacct executable.
What are the prerequisites to execute this command?
What command line arguments do we need to pass to this command to send
an Accounting-Request?
Please explain with an example.

Thanks & Regards
Arjun prasad


Re: dynamic VLANs for many switches

2010-06-10 Thread Alexander Clouter
PENZ Robert robert.p...@tirol.gv.at wrote:
 
 We've a quite big network and I want to assign VLANs dynamically based 
 on the MAC address, as backend I want to uses a SQL database.  My 
 problem now is that the VLAN IDs on different access switch stacks 
 (used Layer2 switches) are different for the same network area, e.g. 
 on switch1 vlan 123 is used for printers and on switch2 vlan124 is 
 used for printers. The reason for this is the Layer3 switch (which we 
 use as a distribution switch of the building) needs to be part of all 
 VLANs and we can't use one VLAN for a building as the subnet would get 
 too big.  A other requirement is that a device can roam between 
 different access switches(=floors and buildings), so the VLAN the 
 switch port should get set needs to be different, based on which 
 switch is making the request.
 
 This problem is easily solvable if I can use VLAN names in 
 Tunnel-Private-Group-ID tags, as I would set the name always e.g. to 
 printervlan. But in RFC 3580 is written:
 
   Note that the VLANID is 12-bits, taking a value between 1 and 4094,
   inclusive.  Since the Tunnel-Private-Group-ID is of type String as
   defined in [RFC2868], for use with IEEE 802.1X, the VLANID integer
   value is encoded as a string.
 
 So what is the recommended solution if I can use only the numerical 
 IDs. Thx for your help!
 
This is not a FreeRADIUS question, it is a NAS question and whether your 
NAS supports VLAN *names* rather than just numbers.

For the record, Cisco switches do support the use of names (if you have 
put it in your VLAN database), and their thick and thin AP's do too.  
YMMV with other venduhs though.

To be honest, the time it took you to send this email, you could have 
actually tested it on your equipment...*sigh*.

Regards

-- 
Alexander Clouter
.sigmonster says: Snow Day -- stay home.



Re: Custom dns servers.

2010-06-10 Thread Alexander Clouter
Nadir Aliyev na...@ultel.net wrote:
 
 I want set dns servers  from freeradius server for some user groups. (with
 guest ACL user's i want set custom dns, for redirecting all queries to one
 server)
 
 How can I realize this? It is possible to set dns server for
 virtual-template from freeradius?
 
 I use cisco nas. 
 
Then I recommend you go to http://www.cisco.com/ as this is *not* a 
FreeRADIUS question.

Regards

-- 
Alexander Clouter
.sigmonster says: Push where it gives and scratch where it itches.



AW: dynamic VLANs for many switches

2010-06-10 Thread PENZ Robert
Hi!

 This is not a FreeRADIUS question, it is a NAS question and whether your 
 NAS supports VLAN *names* rather than just numbers.

I'm looking for a way to work with switches that do not support VLAN Names, and 
therefore I believe it is a free radius question. E.g. It would be possible for 
me to create a table with the VLAN IDs and the NAS IPs, so that freeradius 
could match them and send the correct VLAN ID, but I don't know how to use the 
NAS IP for such an lookup. Or maybe there is a better way to do it.

 For the record, Cisco switches do support the use of names (if you have 
 put it in your VLAN database), and their thick and thin AP's do too.  
 YMMV with other venduhs though.
 To be honest, the time it took you to send this email, you could have 
 actually tested it on your equipment...*sigh*.

I don't know the vendor of the switches so far as it is a running public 
tendering  procedure (hope that's the correct English term for it) where I was 
not able to require it as MUST feature, but I need to make the planning for 
migration and implementation of dynamic VLANs now. ;-(

Robert



Re: Mikrotik Dissconect

2010-06-10 Thread f0rud
On Thu, 2010-06-10 at 14:12 +0200, Alan DeKok wrote:
 f0rud wrote:
  I found the calc_replydigest function in radius.c always return 2
  (digest_cmp failed) Since this function is new in code , then its the
  problem and the diff. with version 1.x
 
   The digest_cmp is failing because the packet is wrong.
 
   Try the old code from an earlier version of radius.c.  It will *also*
 fail to authenticate the packet.

That's the problem: version 1.1.8 has no problem! (This time I checked this
myself, with the code from the download page.)
 
  For fixing my problem, I just by pass this test for PW_DISCONNECT_ACK
  (not a good idea I know but what else I can do?) and now its fine for my
  problem.
 
   Or, you could ask the NAS vendor to implement RADIUS properly.
In the Mikrotik forum they said to ask your team (not to me; they said this
is a radclient problem). That's what I love: an infinite loop :))
 
  I see the code for another messages (for ex: PW_AUTHENTICATION_REQUEST)
  you just ignore the code,
 
   Uh... no.  It does not do that.
 
So check this at radius.c about line 2110
	/*
	 *  Calculate and/or verify digest.
	 */
	switch(packet->code) {
		int rcode=0;
		char buffer[32];

		case PW_AUTHENTICATION_REQUEST:
		case PW_STATUS_SERVER:
			/*
			 *  The authentication vector is random
			 *  nonsense, invented by the client.
			 */
			break;

and after this break, the function returns 0, which means OK, so where does
the code take care of these messages' digest?
  so why this one(PW_DISCONNECT_ACK) must be
  checked? if some one want to do timing attack then can use this
  message(PW_AUTHENTICATION_REQUEST) so by checking just some message its
  not safe.
 
   That is not true.
 
This timing attack (I read the comment in the code): bypassing this
function (rad_verify) means someone can do this attack, and if you don't
believe me, check the code: any PW_AUTHENTICATION_REQUEST package will
pass this function.
So what is the difference, and why does this pass exist at all when there is
some exception?
 



oracle and stored procedure error

2010-06-10 Thread Omer Faruk Sen
Hi,

We are trying to use oracle as a backend but we are having problems.
For example here is my radiusd -X  output:

[sql]   expand: EXEC ra_authentication_check '%{SQL-User-Name}',
'%{User-Password}' -> EXEC ra_authentication_check '8008', ''
rlm_sql_oracle: query failed in sql_select_query: ORA-24333: zero
iteration count

From sqlplus I can run   EXEC ra_authentication_check '8008', ''
without error on the same machine and with the same user defined in
sql.conf but when radiusd runs that query I get

ORA-24333: zero iteration count

error. If some one here in this list have an idea about that and
kindly share his/her opinion about this I will really appreciate that.

Regards.


Re: Mikrotik Dissconect

2010-06-10 Thread Alan DeKok
f0rud wrote:
 Thats the problem, version 1.1.8 have no problem!(This time I check this
 myself. with the code from download page.)

  OK... you haven't said which version of FreeRADIUS you're using.  Let
me guess: it's not 2.1.9.

 I see the code for another messages (for ex: PW_AUTHENTICATION_REQUEST)
 you just ignore the code,
   Uh... no.  It does not do that.

 So check this at radius.c about line 2110

  <sigh>  Please read the text you post to the list.

   case PW_AUTHENTICATION_REQUEST:
   case PW_STATUS_SERVER:
           /*
            *  The authentication vector is random
            *  nonsense, invented by the client.
            */

  What do you think that means?

 and after this break, the function return 0 that means OK , so where the
 code take care of this messages digest?

  It doesn't.  It's not *supposed* to.  Read the RFCs.

 This timing attack (I read the comment on the code) so bypassing this
 function (rad_verify) means some one can do this attack,

  Nonsense.  The timing attack is being able to tell the difference
between comparing 8, or 16 bytes for equality. Bypassing the function
means it always compares *zero* bytes for equality.

  How do you do a timing attack by telling the difference between
comparing zero, or zero bytes for equality?  The answer is: you don't.

 and If yo don't
 believe me, check the code, any PW_AUTHENTICATION_REQUEST package will
 pass this function. 
 so what difference, and why this pass exist at all when there is some
 exception?

  I suggest reading the code *and* the RFCs before leaping to conclusions.

  Alan DeKok.
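
The distinction argued over in this thread, as an added example (not code from radius.c or from any poster): an Access-Request or Status-Server authenticator is a random value chosen by the client, so there is no digest to compare, while a Disconnect-ACK carries an MD5 digest keyed with the shared secret, which is compared in constant time. The function names, shared secret and packets are constructed for illustration, and Message-Authenticator is not modelled.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865, RFC 5176)
ACCESS_REQUEST, STATUS_SERVER = 1, 12
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41

ZERO_VECTOR = b"\x00" * 16
SECRET = b"testing123"                          # constructed shared secret
USER_NAME_ATTR = bytes([1, 9]) + b"usuario"     # constructed User-Name attribute


def build_packet(code, ident, authenticator, attrs=b""):
    """Serialize code, id, length, 16-byte authenticator and attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def digest(packet, vector, secret):
    """MD5 over the 4-byte header, a 16-byte vector, the attributes and the secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    return hashlib.md5(packet[:4] + vector + packet[20:length] + secret).digest()


def sign_request(code, ident, attrs, secret):
    """Disconnect-Request: the vector is 16 zero octets (no random authenticator)."""
    unsigned = build_packet(code, ident, ZERO_VECTOR, attrs)
    return build_packet(code, ident, digest(unsigned, ZERO_VECTOR, secret), attrs)


def sign_reply(code, request, attrs, secret):
    """Reply: the vector is the authenticator of the request being answered."""
    unsigned = build_packet(code, request[1], ZERO_VECTOR, attrs)
    return build_packet(code, request[1], digest(unsigned, request[4:20], secret), attrs)


def verify(packet, secret, original=None):
    """Return True when the authenticator field is acceptable for this code."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False
    code = packet[0]
    if code in (ACCESS_REQUEST, STATUS_SERVER):
        # Random value invented by the client: zero bytes are compared,
        # so there is nothing for a timing measurement to distinguish.
        return True
    if code == DISCONNECT_REQUEST:
        vector = ZERO_VECTOR
    elif original is not None and packet[1] == original[1]:
        vector = original[4:20]
    else:
        return False                            # a reply needs its matching request
    # Constant-time comparison of the full 16-byte digest.
    return hmac.compare_digest(digest(packet, vector, secret), packet[4:20])


if __name__ == "__main__":
    req = sign_request(DISCONNECT_REQUEST, 116, USER_NAME_ATTR, SECRET)
    good = sign_reply(DISCONNECT_ACK, req, b"", SECRET)
    bad = sign_reply(DISCONNECT_ACK, req, b"", b"other-secret")
    print("well-formed Disconnect-ACK:", verify(good, SECRET, req))
    print("Disconnect-ACK signed with another secret:", verify(bad, SECRET, req))
```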


Re: dynamic VLANs for many switches

2010-06-10 Thread Alexander Clouter
PENZ Robert robert.p...@tirol.gv.at wrote:
 
 This is not a FreeRADIUS question, it is a NAS question and whether your 
 NAS supports VLAN *names* rather than just numbers.
 
 I'm looking for a way to work with switches that do not support VLAN 
 Names, and therefore I believe it is a free radius question. E.g. It 
 would be possible for me to create a table with the VLAN IDs and the 
 NAS IPs, so that freeradius could match them and send the correct VLAN 
 ID, but I don't know how to use the NAS IP for such an lookup. Or 
 maybe there is a better way to do it.

Right, my apologies then.  Yes it is possible, you could use a large 
unlang switch statement[1] (if you do not have too many VLAN's) and key 
it to a 'grouping' field[2] in your clients.conf.

There are other ways to do this, but this is the first one that comes to 
mind.
 
Cheers

[1] http://freeradius.org/radiusd/man/unlang.html
[2] 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #254:
  Interference from lunar radiation



Updating the Wiki

2010-06-10 Thread Fred MAISON
Hello,
I would appreciate to get an account on the wiki.

Best regards,
Fred MAISON



Removing local auth (freeradius server 2.1.9)

2010-06-10 Thread Martin Richard
Hello,

  I've tried the doc, the wiki, and the ML archives but I can't find an
answer to what must be a simple configuration thing. I've compiled
freeradius server 2.1.9 and only added two simple lines to $confdir/user:

mrichard Cleartext-Password := qwerty
mrichard2 Cleartext-Password := qwerty

  When starting radiusd -X (yes, I've looked at the output) and testing
these 2 most simple accounts with radtest, the first one fails while the
second one works. The difference being that there's a mrichard account on
the box in /etc/passwd while mrichard2 only exists in radiusd's config.
Hence the output differences when calling radtest thelogin qwerty localhost
666 testing123 (cut) :

for mrichard:

+- entering group PAP {...}
[pap] login attempt with password qwerty
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject

for mrichard2:

+- entering group PAP {...}
[pap] login attempt with password qwerty
[pap] Using clear text password qwerty
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 79 to 127.0.0.1 port 60023

  Of course, the first account works if I use the OS level password
associated with it.

  After a bit of searching I found a reference in the ML archives to
$confdir/sites-enabled/default and saw unix in there with the description
saying it caches the hashes from /etc/passwd and its accompanying shadow.
I've commented those lines and restarted the daemon. Now I get this in the
PAP output for both users:

[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject


  I must be missing something rather obvious.. But how can I totally disable
the lookup of OS accounts ?

  Thanks

  Martin

Re: VLAN info disappears

2010-06-10 Thread Andras Dosztal
How could it be, when it passes the same information in both cases (the  
only difference is the username/password)? Is it possible that the switch  
interprets the reply differently for dot1x and mab authentication?
I know it's a Cisco-related issue rather than a RADIUS one, but maybe someone  
experienced it before.


Regards,
Andras


On Thu, 10 Jun 2010 14:13:40 +0200, Alan DeKok al...@deployingradius.com
wrote:


  There is nothing you can do to the RADIUS server to fix this.  Find
out why the NAS is ignoring the response of the server, and fix the NAS.

  Alan DeKok.



RE: Freeradius is unable to read NAS table in mysql db

2010-06-10 Thread superataru -
Hi.
Sorry 'cause I'm late. Some troubles.
Well, I worked as explained in the following to perform a test (the problem we talk
about) but also to check if the password would have been passed encrypted in the
internet.

||
|NAS-USG100|( USGWAN -79.xxx.xxx.xxx )---(INTERNET)(78.yyy.yyy.yyy)
RADIUS
||
 ( USGLAN:172.16.68.253)
    |
 (WEB-HTTPS)
   |
   |
172.16.68.16

I mirrored both of WAN ports of USG, say WAN1 and WAN2 and had something to
give to wireshark :-)

I open Web LogIN page of USG and provide fake user and password (not present
on ActiveDirectory or local USBdb), say gigino / 12345678

I obtain this (USG)

79.xxx.xxx.xxx    78.yyy.yyy.yyy    RADIUS    Access-Request(1) 
AVP: l=8  t=User-Name(1): gigino
AVP: l=18  t=User-Password(2): Encrypted    -  Yippie
AVP: l=6  t=NAS-IP-Address(4): 172.16.68.10 - (PDC of my internal
domain)
AVP: l=10  t=NAS-Identifier(32): weblogin
AVP: l=6  t=NAS-Port(5): 20915
AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
AVP: l=6  t=Service-Type(6): Authenticate-Only(8)
AVP: l=14  t=Calling-Station-Id(31): 172.16.68.16

. . . on remote radius server I obtain

Ready to process requests.
rad_recv: Access-Request packet from host 79.xxx.xxx.xxx ...
User-Name = gigino
User-Password = gigino
NAS-IP-Address = 172.16.68.10
NAS-Identifier = weblogin
NAS-Port = 20915
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 172.16.68.16

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = gigino, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound

--

I presumed NAS-IP-Address: 172.16.68.253 

What do you think?

Thanks in advance.


___

I am only a passenger on the flight, and I thought I was the pilot . . .

RE: Removing local auth (freeradius server 2.1.9)

2010-06-10 Thread David Peterson
Someone will correct me if I am wrong, but I believe that is the unix
entry under sites-available/default.

 

David

 

From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org]
On Behalf Of Martin Richard
Sent: Thursday, June 10, 2010 11:32 AM
To: freeradius-users@lists.freeradius.org
Subject: Removing local auth (freeradius server 2.1.9)

 

Hello,

  I've tried the doc, the wiki, and the ML archives but I can't find an
answer to what must be a simple configuration thing.. I've compiled
freeradius server 2.1.9 and only added two simple lines to $confdir/user:

mrichard Cleartext-Password := qwerty
mrichard2 Cleartext-Password := qwerty

  When starting radiusd -X (yes, I've looked at the output) and testing
these 2 most simple accounts with radtest, the first one fails while the
second one works. The difference being that there's a mrichard account on
the box in /etc/passwd while mrichard2 only exists in radiusd's config.
Hence the output differences when calling radtest thelogin qwerty localhost
666 testing123 (cut) :

for mrichard:

+- entering group PAP {...}
[pap] login attempt with password qwerty
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject

for mrichard2:

+- entering group PAP {...}
[pap] login attempt with password qwerty
[pap] Using clear text password qwerty
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 79 to 127.0.0.1 port 60023

  Of course, the first account works if I use the OS level password
associated with it.

  After a bit of searching I found a reference in the ML archives to
$confdir/sites-enabled/default and saw unix in there with the description
saying it caches the hashes from /etc/passwd and its accompanying shadow.
I've commented those lines and restarted the daemon. Now I get this in the
PAP output for both users:

[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject


  I must be missing something rather obvious.. But how can I totally disable
the lookup of OS accounts ?

  Thanks

  Martin


RE: Freeradius is unable to read NAS table in mysql db

2010-06-10 Thread Tim Sylvester
Hi.
Sorry 'cause I'm late. Some troubles.
Well, I worked as explained in the following to perform a test (the problem we talk
about) but also to check if the password would have been passed encrypted in
the internet.

||
|NAS-USG100|( USGWAN -79.xxx.xxx.xxx )---(INTERNET)(78.yyy.yyy.yyy)
RADIUS
||
 ( USGLAN:172.16.68.253) 
    |
 (WEB-HTTPS)
   |
   |
172.16.68.16

I mirrored both of WAN ports of USG, say WAN1 and WAN2 and had something to
give to wireshark :-)

I open Web LogIN page of USG and provide fake user and password (not
present on ActiveDirectory or local USBdb), say gigino / 12345678

I obtain this (USG)

79.xxx.xxx.xxx    78.yyy.yyy.yyy    RADIUS    Access-Request(1) 
AVP: l=8  t=User-Name(1): gigino
AVP: l=18  t=User-Password(2): Encrypted    -  Yippie
AVP: l=6  t=NAS-IP-Address(4): 172.16.68.10 - (PDC of my internal
domain)
AVP: l=10  t=NAS-Identifier(32): weblogin
AVP: l=6  t=NAS-Port(5): 20915
AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
AVP: l=6  t=Service-Type(6): Authenticate-Only(8)
AVP: l=14  t=Calling-Station-Id(31): 172.16.68.16

. . . on remote radius server I obtain

Ready to process requests.
rad_recv: Access-Request packet from host 79.xxx.xxx.xxx ...
    User-Name = gigino
    User-Password = gigino
    NAS-IP-Address = 172.16.68.10
    NAS-Identifier = weblogin
    NAS-Port = 20915
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = 172.16.68.16

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
 [suffix] No '@' in User-Name = gigino, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound

--

I presumed NAS-IP-Address: 172.16.68.253 

What do you think?


tim What do I think? The USG is sending the RADIUS request and is setting
the NAS-IP-Address attribute to the IP Address of the PDC. FreeRADIUS uses
the source IP address of the RADIUS packet to determine the IP address of
the NAS, not the NAS-IP-Address attribute. The IP addresses in the
clients.conf file and the nas table in MySQL are checked using the source IP
address of the RADIUS packet.

So, you can either ignore this or talk to Facetime about configuring RADIUS
client.

Based on your messages, everything seems to work.

Congratulations!

Tim


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
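
The behaviour Tim describes, as an added example that is not part of the original thread and is not FreeRADIUS code: a small Python model of a server that picks the client and its shared secret by the packet's source address, then un-hides User-Password as specified in RFC 2865 section 5.2. The client table, the source address 198.51.100.7, the shared secret and the authenticator bytes are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types

# Constructed stand-in for clients.conf or the SQL nas table. The key is the
# address the UDP packet arrives from; nothing inside the packet is consulted.
CLIENTS = {"198.51.100.7": {"shortname": "usg-wan", "secret": b"testing123"}}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """NAS side: RFC 2865 section 5.2 hiding of User-Password."""
    size = max(16, -(-len(password) // 16) * 16)     # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: undo the hiding with the secret of the matched client."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, authenticator, attrs):
    """Encode an Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, id, authenticator, {type: value}); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs


def handle_request(data, source_ip):
    """Pick the client by source address, then decode with that client's secret."""
    client = CLIENTS.get(str(ipaddress.ip_address(source_ip)))
    if client is None:
        return None                                  # unknown client: packet ignored
    _, _, authenticator, attrs = parse_packet(data)
    hidden = attrs.get(USER_PASSWORD)
    nas_ip = attrs.get(NAS_IP_ADDRESS)
    return {
        "client": client["shortname"],
        "user": attrs.get(USER_NAME, b"").decode(),
        "password": reveal_password(hidden, client["secret"], authenticator)
                    if hidden else None,
        # Reported as data only; it plays no part in choosing the client.
        "nas_ip_attribute": str(ipaddress.ip_address(nas_ip)) if nas_ip else None,
    }


# Constructed sample modelled on the capture in the thread: the NAS writes an
# internal address into NAS-IP-Address while the packet arrives from its WAN side.
AUTHENTICATOR = bytes(range(16))
HIDDEN = hide_password(b"12345678", b"testing123", AUTHENTICATOR)
SAMPLE = build_access_request(42, AUTHENTICATOR, [
    (USER_NAME, b"gigino"),
    (USER_PASSWORD, HIDDEN),
    (NAS_IP_ADDRESS, ipaddress.ip_address("172.16.68.10").packed),
])

if __name__ == "__main__":
    print(handle_request(SAMPLE, "198.51.100.7"))    # matched by source address
    print(handle_request(SAMPLE, "172.16.68.10"))    # attribute value is not a client
```

For the eight-character password the hidden value is 16 bytes, so the attribute length is 18, which matches the `l=18` in the capture above.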

Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Peter Nixon
On Tue 18 May 2010, Alan DeKok wrote:
 Nyamul Hassan wrote:
  Not meaning any disrespect to the paid offer, you could also
  reconsider to put up the current documentation in a Wiki style
  webpage, and from there everyone can work on the text that they think
  needs reworking.
 
   We already have a Wiki.  Few people edit it.  We already have a
 publicly available doc directory.  Few people submit changes.
 
   Putting the existing docs into a Wiki won't magically make people
 submit changes.
 
   We're looking for an editor.  All we want is someone who can organize
 and format the existing documentation.  There is no need for in depth
 knowledge of RADIUS.  There is no need to write *new* documentation.
 
   That is work which is normally seen as not fun.  But it's needed.
 Therefore, the offer to pay for services rendered.

Yes. I'll second Alan on this. It was my idea to set up the wiki, and I spent 
a LOT of time on it for a year or so, but have unfortunately not seen as much 
input from the community as we would have liked. (Although there are a notable 
few people who have done some work at various times... You know who you 
are.. Thanks.)

If there is only going to be a small group of people editing the docs, git 
and RST work much better than a wiki, and save maintaining both mediawiki and 
an SQL server :-)

-- 

Peter Nixon
http://peternixon.net/


Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread bjlockie
 On Tue 18 May 2010, Alan DeKok wrote:
 Nyamul Hassan wrote:
  Not meaning any disrespect to the paid offer, you could also
  reconsider to put up the current documentation in a Wiki style
  webpage, and from there everyone can work on the text that they think
  needs reworking.

   We already have a Wiki.  Few people edit it.  We already have a
 publicly available doc directory.  Few people submit changes.

   Putting the existing docs into a Wiki won't magically make people
 submit changes.

   We're looking for an editor.  All we want is someone who can organize
 and format the existing documentation.  There is no need for in depth
 knowledge of RADIUS.  There is no need to write *new* documentation.

   That is work which is normally seen as not fun.  But it's needed.
 Therefore, the offer to pay for services rendered.

 Yes. I'll second Alan on this. It was my idea to set up the wiki, and I
 spent a LOT of time on it for a year or so, but have unfortunately not seen
 as much input from the community as we would have liked. (Although there are
 a notable few people who have done some work at various times... You know
 who you are.. Thanks.)

 If there is only going to be a small group of people editing the docs, git
 and RST work much better than a wiki, and save maintaining both mediawiki
 and an SQL server :-)

What file format is the documentation in and roughly how big is it?
I'm a technical writer and I'm interested.




Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Josip Rodin
On Thu, Jun 10, 2010 at 09:07:32PM +0300, Peter Nixon wrote:
We already have a Wiki.  Few people edit it.  We already have a
  publicly available doc directory.  Few people submit changes.
 
 Yes. I'll second Alan on this. It was my idea to set up the wiki, and I
 spent a LOT of time on it for a year or so, but have unfortunately not
 seen as much input from the community as we would have liked.
 
 If there is only going to be a small group of people editing the docs, git
 and RST work much better than a wiki, and save maintaining both mediawiki
 and an SQL server :-)

IMHO you saw little input because you had a wiki that was rendered
practically dead for three years. There was nothing there even just to
tell newbies that there *is* a procedure to get an account, let alone
anything that would actually entice them to edit.

Similarly, keeping docs in another, even less trivially accessible format,
will not alleviate this problem - it stands to reason that it can only
make it worse. Paying people to overcome that problem could make things even.

Yet, it will be that much harder to get an account and submit changes
because it will require a little bit more toolset learning for users and
a little bit more interaction from the admins.

That's why I mentioned that ConfirmAccount mediawiki extension - it will
reduce the amount of bother for the admins, while still allowing the users
to use minimal necessary skills to do their edits.

Obviously I have nothing against people also working on documentation in
git, whether paid or not - the rule in documentation is that duplication
is not something frowned upon by default (unlike with software).

-- 
 2. That which causes joy or happiness.


Re: Updating the Wiki

2010-06-10 Thread Josip Rodin
On Thu, Jun 10, 2010 at 05:27:47PM +0200, Fred MAISON wrote:
 I would appreciate to get an account on the wiki.

I've created it now, you should be getting an automated e-mail.

-- 
 2. That which causes joy or happiness.


Re: Mikrotik Dissconect

2010-06-10 Thread f0rud
On Thu, 2010-06-10 at 16:39 +0200, Alan DeKok wrote:
 f0rud wrote:
  Thats the problem, version 1.1.8 have no problem!(This time I check this
  myself. with the code from download page.)
 
   OK... you haven't said which version of FreeRADIUS you're using.  Let
 me guess: it's not 2.1.9.
 
No, it's exactly 2.1.9 from GIT (last update 1 or 2 days ago after you fixed
some problem) and I'm happy with ignoring the check, so leave it be. 

And after that, in this case radius should be the client and the NAS is the server,
so there is no harm at all.  (As long as the NAS does its job and
disconnects the user, it's OK.) 
Thanks.




Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Arran Cudbard-Bell

On Jun 10, 2010, at 11:38 AM, Josip Rodin wrote:

 On Thu, Jun 10, 2010 at 09:07:32PM +0300, Peter Nixon wrote:
  We already have a Wiki.  Few people edit it.  We already have a
 publicly available doc directory.  Few people submit changes.
 
 Yes. I'll second Alan on this. It was my idea to set up the wiki, and I
 spent a LOT of time on it for a year or so, but have unfortunately not
 seen as much input from the community as we would have liked.
 
 If there is only going to be a small group of people editing the docs, git
 and RST work much better than a wiki, and save maintaining both mediawiki
 and an SQL server :-)
 
 IMHO you saw little input because you had a wiki that was rendered
 practically dead for three years. There was nothing there even just to
 tell newbies that there *is* a procedure to get an account, let alone
 anything that would actually entice them to edit.
 
 Similarly, keeping docs in another, even less trivially accessible format,
 will not alleviate this problem - it stands to reason that it can only
 make it worse. Paying people to overcome that problem could make things even.
 
 Yet, it will be that much harder to get an account and submit changes
 because it will require a little bit more toolset learning for users and
 a little bit more interaction from the admins.
 
 That's why I mentioned that ConfirmAccount mediawiki extension - it will
 reduce the amount of bother for the admins, while still allowing the users
 to use minimal necessary skills to do their edits.
 
 Obviously I have nothing against people also working on documentation in
 git, whether paid or not - the rule in documentation is that duplication
 is not something frowned upon by default (unlike with software).

My idea was to install an extension to the wiki that allowed rendering of RST. 
The documentation would be kept up to date on the wiki, and at official release 
time those pages would be pulled in from the wiki and bundled with the rest of 
FreeRADIUS.

Advantages are:
- Easy to edit
- No learning curve for GIT
- Still maintains blame information
- Instant feedback with the preview function when testing out syntax
- One source for all documentation
- Documentation available without downloading package or src bundle.

People are far more likely to contribute if the barrier to entry is low. The 
reason for the wiki's zombie-like status is, as other people have stated, that 
there is no official procedure to request an account, and no automated account 
creation. I remember the issues with spam, so auto account creation is out. 
Maybe have a registration mailing list where people can pick requests off and 
create the accounts manually?

The barrier to get an account has to be sufficiently high that spammers won't 
go through the hassle and sufficiently low that people will still contribute.

-Arran





Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Peter Nixon
  It looks like a good set of volunteers wanting to help.  My suggestion
  is to convert the docs to Restructured text:
  
  http://docutils.sourceforge.net/rst.html
 
 Looks very straight forward. :)
 
 I'll be creating a github account for myself later this evening and will
 start getting my hands dirty after that.
 
 Best Regards,
 Johannes R-E
 
 PS. By the way; for the sake of not duplicating effort does Peter Nixon
 want to lead the way on this or is it just a simple free-for-all?

Hi Johannes

Please feel free to take the lead. While you may of course use the RST viewer 
built into github, it's better if you install Sphinx 
(http://sphinx.pocoo.org/) as you will then be able to build the RST into 
html format locally on your machine with:

make html

Additionally, if you install rst2pdf you will be able to use:

make pdf

I would do the work in this order:

1) checkout freeradius

2) Rename existing files in doc dir to have a .rst extension (eg. git mv  
proxy proxy.rst)

3) make html (in doc dir)

4) Fix any warnings output by sphinx

5) make html

6) Check what the output looks like (eg. firefox _build/html/index.html) and 
clean up anything that needs it.

7) Repeat for the next file.


Cheers

-- 

Peter Nixon
http://peternixon.net/


Re: Removing local auth (freeradius server 2.1.9)

2010-06-10 Thread Alan DeKok
Martin Richard wrote:
   When starting radiusd -X (yes, I've looked at the output) and testing
 these 2 most simple accounts with radtest, the first one fails while the
 second one works. The difference being that there's a mrichard account
 on the box in /etc/passwd while mrichard2 only exists in radiusd's
 config. Hence the output differences when calling radtest thelogin
 qwerty localhost 666 testing123 (cut) :

  As the debug log shows, it's using the Unix password for the user,
rather than the password from the users file.

   After a bit of searching I found a reference in the ML archives to
 $confdir/sites-enabled/default and saw unix in there with the
 description saying it caches the hashes from /etc/passwd and its
 accompanying shadow.

  Not exactly.  It looks up the user in /etc/passwd, and if found, adds
the password as the known good password.

 I've commented those lines and restarted the
 daemon. Now I get this in the PAP output for both users:
 
 [pap] WARNING! No known good password found for the user. 
 Authentication may fail because of this.

  Does the files module say that they were found in the users file?

   I must be missing something rather obvious.. But how can I totally
 disable the lookup of OS accounts ?

  Delete unix from raddb/sites-enabled/default, section authorize

  Alan DeKok.



Re: github wiki

2010-06-10 Thread Josip Rodin
On Thu, Jun 10, 2010 at 10:09:40PM +0300, Peter Nixon wrote:
 On Fri 28 May 2010, Josip Rodin wrote:
  On Thu, May 27, 2010 at 06:00:48PM +0200, Alan DeKok wrote:
 Thanks, but we already *have* a Wiki.  I would really prefer to not
   
   add yet *another* location for documentation.
   
 Yes... the existing Wiki has a number of out-of-date pages.
  
  I will, annoyingly enough :) again use this as an opportunity to ask for
  an account on the wiki in order to be able to help fixing these.
  
  (It's uncommon to call a mediawiki installation a wiki and have a
  strict policy of forbidding volunteers from editing, even known ones.)
 
 Just for everyone's info, we have solved my slackness in creating wiki 
 accounts for newcomers by making Josip the new Wiki admin :-)

Yes. Let me use this opportunity to publicly thank you for that unexpectedly
kind act :)

But right now I'm not a solution, just a workaround - I too will eventually
get tired and lag, because the account addition process is still tedious
administrivia. Please do check out that extension I've mentioned - that
could actually become a solution :)

-- 
 2. That which causes joy or happiness.


Problem running 'radiusd -X'

2010-06-10 Thread Zhouhuai Shen

Hi,

I have a problem running the 'radiusd -X'. The error messages are as 
follows:

 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /etc/raddb/certs/server.pem
certificate_file = /etc/raddb/certs/server.pem
CA_file = /etc/raddb/certs/ca.pem
private_key_password = whatever
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /etc/raddb/certs/bootstrap
cache {
enable = no
lifetime = 24
max_entries = 255
}
   }
make: *** [random] Error 1
Exec-Program output:
Exec-Program: returned: 2
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
 }
}
Errors initializing modules

I have not changed the eap.conf, but the problem seems from that configure 
file. I am wondering what the problem is.

Cheers, Henry
  

Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Arran Cudbard-Bell

On Jun 10, 2010, at 12:11 PM, Josip Rodin wrote:

 On Thu, Jun 10, 2010 at 11:59:57AM -0700, Arran Cudbard-Bell wrote:
 That's why I mentioned that ConfirmAccount mediawiki extension - it will
 reduce the amount of bother for the admins, while still allowing the users
 to use minimal necessary skills to do their edits.
 
 My idea was to install an extension to the wiki that allowed rendering of
 RST. The documentation would be kept up to date on the wiki, and at
 official release time those pages would be pulled in from the wiki and
 bundled with the rest of FreeRADIUS.
 
 But does that kind of a software actually exist?
 

Yes: http://www.mediawiki.org/wiki/Extension:RstToHtml

...

 
 The barrier to get an account has to be sufficiently high that spammers
 won't go through the hassle and sufficiently low that people will still
 contribute.
 
 Once again, that's exactly what Extension:ConfirmAccount tries to do.
 We don't need to reinvent anything, just get it installed and see if
 it works.

Well I'm up for a trial re-opening, but I'm not sure about Peter Nixon and Alan 
DeKok.

-Arran


Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 My idea was to install an extension to the wiki that allowed rendering of 
 RST. The documentation would be kept up to date on the wiki, and at official 
 release time those pages would be pulled in from the wiki and bundled with 
 the rest of FreeRADIUS.

  Ok.  The RST format looks a lot easier than the Wiki format.

 Advantages are:
 - Easy to edit
 - No learning curve for GIT
 - Still maintains blame information
 - Instant feedback with the preview function when testing out syntax
 - One source for all documentation
 - Documentation available without downloading package or src bundle.
 
 People are far more likely to contribute if the barrier to entry is low. The 
 reason for the wiki's zombie-like status is, as other people have stated, that 
 there is no official procedure to request an account, and no automated 
 account creation. I remember the issues with spam, so auto account creation 
 is out. Maybe have a registration mailing list where people can pick 
 requests off and create the accounts manually?

  Yes.

 The barrier to get an account has to be sufficiently high that spammers won't 
 go through the hassle and sufficiently low that people will still contribute.

  We're also not in the business of account management.  Someone like
github.com is.  If they had a Wiki that was RST *and* backed by git, it
would be a clear winner.  But people have been asking since 2008, and
it's still not ready.

  Alan DeKok.


Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Alan DeKok
bjloc...@lockie.ca wrote:
 What file format is the documentation in and roughly how big is it?

  Text.  Not a lot, but organized fairly poorly.

 I'm a technical writer and I'm interested.

  Try: http://freeradius.org/doc/community.html

  Or, just convert the existing txt to rst, and send them as an
attachment to the mailing list.

  Alan DeKok.


Re: Mikrotik Dissconect

2010-06-10 Thread Alan DeKok
f0rud wrote:
 No, it's exactly 2.1.9 from GIT (last update 1 or 2 days ago after you fixed
 some problem) and I'm happy with ignoring the check, so leave it be. 

  Well... 2.1.9 works with 1.1.8.  So something is broken on your local
system if they behave differently.

  Alan DeKok.


problem with 'radiusd -X'

2010-06-10 Thread Zhouhuai Shen

Hi,

I have a problem running 'radiusd -X'. The version I used is 
freeradius-server-2.1.9. The following are the error messages:

 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /etc/raddb/certs/server.pem
certificate_file = /etc/raddb/certs/server.pem
CA_file = /etc/raddb/certs/ca.pem
private_key_password = whatever
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /etc/raddb/certs/bootstrap
cache {
enable = no
lifetime = 24
max_entries = 255
}
   }
make: *** [random] Error 1
Exec-Program output:
Exec-Program: returned: 2
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
 }
}
Errors initializing modules

Can someone please point it out to me what could be the problem?

Thanks
  

Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8

2010-06-10 Thread James J J Hooper

On 10/06/2010 22:20, Alan Buxey wrote:

Hi,


   OK.  I fixed both problems.  Thanks for tracking it down, it made the
fix much simpler.

   Do a 'git pull' for the v2.1.x branch, and re-build.  It should now be
OK.


hmm, this is interesting...James, do you use COA at all?  we don't but
this code is still in there and we haven't had such a crash. could this be
an issue that gets masked by a newer version of GCC (ours are generally
CentOS 5.5 boxes...) - we have around 2,200 simultaneous users using 802.1X
during the working day currently so show stopping bugs generally get seen


No - we don't use COA on these boxes [yet]. How many of your users are 
home, and how many visiting (or do you do any other proxying)? - Proxy 
replies seem to have been the trigger for that code path bug.


We seem to have a steady hundred or so users that get proxied up to the ORPS:
http://www.wireless.bris.ac.uk/gfx/random/eduroamvisitors.png

-James


Re: Problem running 'radiusd -X'

2010-06-10 Thread Alan Buxey
Hi,

 I have a problem running the 'radiusd -X'. The error messages are as the 
 following:

default new install from source? the EAP part needs some certs being
made. see this bit:

 make_cert_command = /etc/raddb/certs/bootstrap

this runs /etc/raddb/certs/bootstrap script to make some temporary basic/fake
certs for testing.  perhaps the user/group that radiusd is being run as cannot 
run the script.

run the script manually and see what happens

alan


Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Josip Rodin
On Thu, Jun 10, 2010 at 11:59:57AM -0700, Arran Cudbard-Bell wrote:
  That's why I mentioned that ConfirmAccount mediawiki extension - it will
  reduce the amount of bother for the admins, while still allowing the users
  to use minimal necessary skills to do their edits.
 
 My idea was to install an extension to the wiki that allowed rendering of
 RST. The documentation would be kept up to date on the wiki, and at
 official release time those pages would be pulled in from the wiki and
 bundled with the rest of FreeRADIUS.

But does that kind of a software actually exist?

 - Still maintains blame information

Truth be told, mediawiki history isn't like git blame, but it's
sufficiently close. Sorry for nitpicking :)

 People are far more likely to contribute if the barrier to entry is low.

I'd perhaps rephrase that by saying that when people are unlikely to
contribute, anything done to raise the barrier to entry has an amplified
negative effect on the already low likelihood that a contribution will
be actually made.

 The reason for the wiki's zombie-like status is, as other people have
 stated, that there is no official procedure to request an account, and no
 automated account creation. I remember the issues with spam, so auto
 account creation is out. Maybe have a registration mailing list where
 people can pick requests off and create the accounts manually?
 
 The barrier to get an account has to be sufficiently high that spammers
 won't go through the hassle and sufficiently low that people will still
 contribute.

Once again, that's exactly what Extension:ConfirmAccount tries to do.
We don't need to reinvent anything, just get it installed and see if
it works.

-- 
 2. That which causes joy or happiness.


Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Josip Rodin
On Thu, Jun 10, 2010 at 10:44:27PM +0200, Alan DeKok wrote:
   We're also not in the business of account management.  Someone like
 github.com is.  If they had a Wiki that was RST *and* backed by git, it
 would be a clear winner.  But people have been asking since 2008, and
 it's still not ready.

OK, so to clarify, if we installed Extension:ConfirmAccount on the FR Wiki,
we would not reenter the annoying account management business, nor
jeopardize any live content; but we would lower the bar of entry for more
people to contribute. Coupled with Extension:RstToHtml, that could become
a decent origin for the not-so-volatile copy in freeradius-server git.
The process of copying wouldn't be trivial (probably?), but for a hired
editor it wouldn't be much of a problem either.

-- 
 2. That which causes joy or happiness.


Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread Arran Cudbard-Bell

On Jun 10, 2010, at 2:48 PM, Josip Rodin wrote:

 On Thu, Jun 10, 2010 at 10:44:27PM +0200, Alan DeKok wrote:
  We're also not in the business of account management.  Someone like
 github.com is.  If they had a Wiki that was RST *and* backed by git, it
 would be a clear winner.  But people have been asking since 2008, and
 it's still not ready.
 
 OK, so to clarify, if we installed Extension:ConfirmAccount on the FR Wiki,
 we would not reenter the annoying account management business, nor
 jeopardize any live content; but we would lower the bar of entry for more
 people to contribute. Coupled with Extension:RstToHtml, that could become
 a decent origin for the not-so-volatile copy in freeradius-server git.
 The process of copying wouldn't be trivial (probably?), but for a hired
 editor it wouldn't be much of a problem either.

If media wiki is anything like pmwiki, the source files are very easy to parse 
(just flat files with some metadata in the header).

-Arran




Re: github wiki

2010-06-10 Thread Peter Nixon
On Fri 28 May 2010, Josip Rodin wrote:
 On Thu, May 27, 2010 at 06:00:48PM +0200, Alan DeKok wrote:
Thanks, but we already *have* a Wiki.  I would really prefer to not
  
  add yet *another* location for documentation.
  
Yes... the existing Wiki has a number of out-of-date pages.
 
 I will, annoyingly enough :) again use this as an opportunity to ask for
 an account on the wiki in order to be able to help fixing these.
 
 (It's uncommon to call a mediawiki installation a wiki and have a
 strict policy of forbidding volunteers from editing, even known ones.)

Just for everyone's info, we have solved my slackness in creating wiki 
accounts for newcomers by making Josip the new Wiki admin :-)

-- 

Peter Nixon
http://peternixon.net/


Re: Removing local auth (freeradius server 2.1.9)

2010-06-10 Thread Alan Buxey
Hi,

   When starting radiusd -X (yes, I've looked at the output) and testing these 
 2 most simple accounts with radtest, the first one fails while the second one 
 works. The difference being that there's a mrichard account on the box in 
 /etc/passwd while mrichard2 only exists in radiusd's config. Hence the 
 output differences when calling radtest thelogin qwerty localhost 666 
 testing123 (cut) :

you've massively edited the output of the debug and missed the
most important line that says 

[unix] returns updated

or somesuch - however:

   After a bit of searching I found a reference in the ML archives to 
 $confdir/sites-enabled/default and saw unix in there with the description 
 saying it caches the hashes from /etc/passwd and its accompanying shadow. 
 I've commented those lines and restarted the daemon. Now I get this in the 
 PAP output for both users:

...you are on the right track. but once again, a few lines of the debug isn't enough.
there is plenty in the debug that says what's wrong etc. obviously you are editing the
right config files because it's broken what was working in a different fashion before.

you need to remove unix from the 3 sections in the default file. then passwords
won't be read. but you need to ensure that files is called before pap in the authorize
section

alan
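
One way to check a virtual-server file against the advice in the reply above (no remaining `unix` calls, and `files` listed before `pap` in `authorize`). This is an added example, not part of the original message or of FreeRADIUS; the sample config is constructed, its section names are assumptions (the message only says "the 3 sections"), and `modules_by_section` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample of a virtual-server file; not the poster's real config.
BEFORE = """\
authorize {
    preprocess
    unix            # reads hashes from /etc/passwd and shadow
    pap
    files
}
authenticate {
    Auth-Type PAP {
        pap
    }
    unix
}
accounting {
    unix
}
"""
# The same file after the advice is applied: unix commented out, files before pap.
AFTER = BEFORE.replace("    unix", "#   unix").replace("    pap\n    files", "    files\n    pap")

def modules_by_section(text):
    """Map each top-level section to the module names it calls, in order."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.endswith("{"):                   # "authorize {", "Auth-Type PAP {"
            stack.append((line[:-1].split() or ["?"])[0])
        elif line == "}" and stack:
            stack.pop()
        elif stack and re.fullmatch(r"[\w.-]+", line):
            # Attribute nested calls to the outermost non-"server" section.
            top = next((s for s in stack if s != "server"), None)
            if top:
                sections.setdefault(top, []).append(line)
    return sections

def audit(text):
    """Return findings for leftover unix calls and files/pap ordering."""
    sections = modules_by_section(text)
    findings = [f"{name}: unix is still listed"
                for name, mods in sections.items() if "unix" in mods]
    auth = sections.get("authorize", [])
    if "pap" in auth and ("files" not in auth or auth.index("files") > auth.index("pap")):
        findings.append("authorize: files is not called before pap")
    return findings
```

Calling `audit()` on the text of the edited file should return an empty list before the daemon is restarted.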


Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread bjlockie
 bjloc...@lockie.ca wrote:
 What file format is the documentation in and roughly how big is it?

   Text.  Not a lot, but organized fairly poorly.

 I'm a technical writer and I'm interested.

   Try: http://freeradius.org/doc/community.html

   Or, just convert the existing txt to rst, and send them as an
 attachment to the mailing list.

   Alan DeKok.

Ok, I'll look at it this weekend.



Re: VLAN info disappears

2010-06-10 Thread Alan DeKok
Andras Dosztal wrote:
 How could it be, when it passes the same information in both cases (the
 only difference is the username/password)? Is it possible that the
 switch interprets the reply differently for dot1x and mab authentication?

  Yes.

  Alan DeKok.


Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8

2010-06-10 Thread Alan Buxey
Hi,

OK.  I fixed both problems.  Thanks for tracking it down, it made the
  fix much simpler.
 
Do a 'git pull' for the v2.1.x branch, and re-build.  It should now be
  OK.

hmm, this is interesting...James, do you use COA at all?  we don't but
this code is still in there and we haven't had such a crash. could this be
an issue that gets masked by a newer version of GCC (ours are generally
CentOS 5.5 boxes...) - we have around 2,200 simultaneous users using 802.1X
during the working day currently so show stopping bugs generally get seen

alan


Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8

2010-06-10 Thread James J J Hooper

On 10/06/2010 22:42, James J J Hooper wrote:

On 10/06/2010 22:20, Alan Buxey wrote:

Hi,


OK. I fixed both problems. Thanks for tracking it down, it made the
fix much simpler.

Do a 'git pull' for the v2.1.x branch, and re-build. It should now be
OK.


hmm, this is interesting...James, do you use COA at all? we don't but
this code is still in there and we haven't had such a crash. could this be
an issue that gets masked by a newer version of GCC (ours are generally
CentOS 5.5 boxes...) - we have around 2,200 simultaneous users using
802.1X
during the working day currently so show stopping bugs generally get seen


No - we don't use COA on these boxes [yet]. How many of your users are
home, and how many visiting (or do you do any other proxying)? - Proxy
replies seem to have been the trigger for that code path bug.

We seem to have a steady hundred or so users that get proxied up to the
ORPS:
http://www.wireless.bris.ac.uk/gfx/random/eduroamvisitors.png


ORPS = NRPS (brain error)


Re: Looking for an editor for FreeRADIUS documentation

2010-06-10 Thread James

 On 06/10/10 16:44, Alan DeKok wrote:

Arran Cudbard-Bell wrote:

My idea was to install an extension to the wiki that allowed rendering of RST. 
The documentation would be kept up to date on the wiki, and at official release 
time those pages would be pulled in from the wiki and bundled with the rest of 
FreeRADIUS.

   Ok.  The RST format looks a lot easier than the Wiki format.

I'm trying to get this installed:
http://catherinedevlin.blogspot.com/2009/08/enthoughts-restructuredtext-editor.html

Advantages are:
- Easy to edit
- No learning curve for GIT
- Still maintains blame information
- Instant feedback with the preview function when testing out syntax
- One source for all documentation
- Documentation available without downloading package or src bundle.

People are far more likely to contribute if the barrier to entry is low. The
reason for the wiki's zombie-like status is, as other people have stated, that
there is no official procedure to request an account, and no automated account
creation. I remember the issues with spam, so auto account creation is out.
Maybe have a registration mailing list where people can pick requests off and
create the accounts manually?

   Yes.


The barrier to get an account has to be sufficiently high that spammers won't 
go through the hassle and sufficiently low that people will still contribute.

   We're also not in the business of account management.  Someone like
github.com is.  If they had a Wiki that was RST *and* backed by git, it
would be a clear winner.  But people have been asking since 2008, and
it's still not ready.

   Alan DeKok.


RE: radtest with MS-CHAPv2?

2010-06-10 Thread Ben Wiechman
Ntradping

http://www.novell.com/coolsolutions/tools/14377.html

I believe this is the tool you are looking for.

Ben

-Original Message-
From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.o
rg] On Behalf Of Alan DeKok
Sent: Wednesday, June 09, 2010 3:21 PM
To: FreeRadius users mailing list
Subject: Re: radtest with MS-CHAPv2?

Andrew Chiarello wrote:
 Is there any cli tool I can use to send an MS-CHAPv2 test?

  No.

  There's a Windows tool, but I forget the name.

  Alan DeKok.


radmin

2010-06-10 Thread Alexandre Chapellon
Hello,

I have to debug some problem from a specific NAS and so I'd like to use
the 'debug condition' of radmin.
Conditional debug is really a great feature for helping quickly find
out problems.
Unfortunately it just doesn't work and everything is debugged and not
only packets matching the condition.

Here's what I did:

radmin debug condition '(NAS-IP-Address == 1.2.3.4)'
radmin debug level 4
radmin show debug level
4
radmin show debug condition
(NAS-IP-Address == 202.3.238.209)

Unfortunately, when looking at the log file I see stuff like this:

++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 302458251,Client-IP-Address =
192.168.110.45,NAS-IP-Address = 42.123.21.78,Acct-Session-Id =
0001003F28000B60-4C11A0B6,User-Name = a4nj...@toto'

Does anybody use this feature of radmin successfully? Is it supposed to
be stable?

Thx

-- 
Alexandre Chapellon alexandre.chapel...@mana.pf
Mana SAS

radacct

2010-06-10 Thread Arjun Prasad
Hi All,

Can anybody explain, with an example, how to use the radacct command?

I compiled the freeradius-client code and got the radacct executable.
What is the prerequisite to execute this command?
What command line arguments do we need to pass with this command to send
an Accounting-Request?
Please explain with an example.

Thanks & Regards
Arjun prasad


RE: Freeradius is unable to read NAS table in mysql db

2010-06-10 Thread superataru -
Ok. Thank you so much!
It's coming time to turn all winradius servers into freeradius units :-)
Now let's work on PEAP . . . so I argue, we'll have to talk again! :-)
Gtrz Superataru,

-- 
___

Sono solo un passeggero del volo e mi credevo pilota . . .

Re: radacct

2010-06-10 Thread Alan DeKok
Arjun Prasad wrote:
 Hi All,
 
 Can anybody explain, with an example, how to use the radacct command?

  radclient is more capable.  Use it instead.

  And there is documentation for radclient.

  Alan DeKok.


Re: radmin

2010-06-10 Thread Alan DeKok
Alexandre Chapellon wrote:
 Here what i did:
 
 radmin debug condition '(NAS-IP-Address == 1.2.3.4)'

  This sets the debugging on for packets matching that criteria.

 radmin debug level 4

  This sets the *global* debug level to 4.

 Does anybody uses this feature of radmin successfully? Is it supposed to
 be stable?

  Yes.  Don't set the global debug level.

  debug condition sets the debug level to 2 for *just* those requests.

  Alan DeKok.