Re: about FreeRadius+radiusmanager+mikrotik
Tanjil Ahmed wrote:
>
> after a few mins he is able to login.. pls help me to solve this
> problem!
>
...only if you help us to help you.

http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself
http://wiki.freeradius.org/index.php/FAQ#But_it_worked_with_another_RADIUS_server.21

You so far have not:
 * shown any signs of reading the documentation
 * shown any signs of reading the FAQ
 * shown any signs of doing any research into your problem
 * produced any *useful* debug after being asked

What might be handy for us is:
 * what your NAS sends in an Access-Request
 * what you are expecting to send back as a reply
 * the debug output for a successful request
 * your config file(s)

You are so far doing the same as a regular end user shouting "DOES NOT WORK FIX IT NOW!!?!?" and refusing to provide any information at all about:
1. what are you trying to do (what should the Access-Accept look like?)
2. how are you trying to do it (config/debug)
3. what are you expecting to happen (where you think the debug goes wrong: SQL, LDAP, files queries)
4. what is actually happening (RADIUS response, if any)

Please, throw us a freaking bone here... try starting with the documentation, Google and the FreeRADIUS mailing list archives.

Regards

--
Alexander Clouter
.sigmonster says: What this country needs is a good five cent microcomputer.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [EAP-PEAP] PEAP Authentication failed
hi,

looks like your client is trying to use the wrong CA as part of the authentication.

alan
Re: about FreeRadius+radiusmanager+mikrotik
Thanks for your quick Reply

here is my Error

rad_recv: Access-Request packet from host 10.10.0.2 port 48125, id=171, length=136
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 8744
	NAS-Port-Type = Ethernet
	User-Name = "mizanes"
	Calling-Station-Id = "00:24:1D:38:E5:FB"
	NAS-Port-Id = "LAN"
	CHAP-Challenge = 0x58f516ecc01066e4524585ede64dc571
	CHAP-Password = 0x010ceed8f43b50abf1ca288b61c15ccf1f
	NAS-Identifier = "ISP"
	NAS-IP-Address = 10.10.0.2
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "mizanes", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 2
[files] expand: /usr/local/bin/rmauth "%{NAS-IP-Address}" "%{User-Name}" "%{Calling-Station-Id}" -> /usr/local/bin/rmauth "10.10.0.2" "mizanes" "00:24:1D:38:E5:FB"
++[files] returns ok
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand:  -> 
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 0
++[sql] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> mizanes
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 171 to 10.10.0.2 port 48125
Finished request 14.
Going to the next request

after a few mins he is able to login.. pls help me to solve this problem!

On Thu, May 5, 2011 at 2:32 AM, Garber, Neal wrote:
>> some of my users try to login to Mikrotik but they can't the first time..
>
> You may find that it will be easier for people to help you if you provide
> specific details about the problems you are having and what you've done in
> an attempt to fix the problems.
>
> You should start by doing Internet searches to see if someone else had the
> same problem(s) and what was done to fix it. If you can't find anything
> relevant, post the debug output of a failure.
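As an added example (not code from the thread), here is a small Python triage of a `radiusd -X` trace of the kind the list keeps asking for: it records each module's return code per section, finds the first module that returned a failing code, and keeps that module's own log lines as context. The sample trace is constructed from the lines posted in this thread (abridged); in it the `sql` module returns `fail` right after its query expands to an empty string, which is why the request ends in an Access-Reject despite the earlier `files` match.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, abridged from the two radiusd -X traces posted in this thread:
# id=171 is the rejected CHAP login, id=192 a PEAP start that correctly gets a challenge.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 10.10.0.2 port 48125, id=171, length=136
\tService-Type = Framed-User
\tUser-Name = "mizanes"
\tNAS-IP-Address = 10.10.0.2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns ok
++[mschap] returns noop
++[files] returns ok
[sql] expand:  -> 
[sql] Error generating query; rejecting user
++[sql] returns fail
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 171 to 10.10.0.2 port 48125
rad_recv: Access-Request packet from host 192.168.0.1 port 1024, id=192, length=204
\tUser-Name = "kskhaled"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
++[eap] returns updated
++[files] returns ok
+- entering group authenticate {...}
[eap] EAP Identity
++[eap] returns handled
Sending Access-Challenge of id 192 to 192.168.0.1 port 1024
"""

RECV_RE = re.compile(r"^rad_recv: \S+ packet from host (\S+) port \d+, id=(\d+)")
ATTR_RE = re.compile(r"^\s+([\w.:-]+) = (.*)$")              # indented AVP lines
GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")
MSG_RE = re.compile(r"^\[[^\]]+\] ")                           # "[module] ..." log line
SEND_RE = re.compile(r"^Sending (\S+) of id \d+")
EMPTY_XLAT_RE = re.compile(r"^\[[^\]]+\] expand:\s*->\s*$")    # xlat produced nothing
FAILING_RCS = {"fail", "reject", "invalid", "userlock"}


@dataclass
class Step:
    section: str
    module: str
    rc: str
    messages: List[str]   # the module's own log lines before its "returns"


@dataclass
class Request:
    id: int
    client: str
    attrs: dict = field(default_factory=dict)
    steps: List[Step] = field(default_factory=list)
    reply: Optional[str] = None


def parse_trace(text: str) -> List[Request]:
    """Split a -X trace into requests, each with its AVPs, module steps and reply."""
    requests: List[Request] = []
    cur, section, pending = None, None, []
    for line in text.splitlines():
        if m := RECV_RE.match(line):
            cur = Request(id=int(m.group(2)), client=m.group(1))
            requests.append(cur)
            section, pending = None, []
        elif cur is None:
            continue
        elif section is None and (m := ATTR_RE.match(line)):
            cur.attrs[m.group(1)] = m.group(2).strip('"')
        elif m := GROUP_RE.match(line):
            section = m.group(1)
        elif m := MODULE_RE.match(line):
            cur.steps.append(Step(section or "?", m.group(1), m.group(2), pending))
            pending = []
        elif MSG_RE.match(line):
            pending.append(line)
        elif m := SEND_RE.match(line):
            cur.reply = m.group(1)
    return requests


def diagnose(req: Request) -> Optional[dict]:
    """First module that returned a failing code, with its log lines as context."""
    for s in req.steps:
        if s.rc in FAILING_RCS:
            return {"section": s.section, "module": s.module, "rc": s.rc,
                    "empty_expansion": any(EMPTY_XLAT_RE.match(l) for l in s.messages),
                    "context": s.messages, "reply": req.reply}
    return None


def flow(req: Request) -> List[str]:
    """Compact 'section/module=rc' view, easy to diff against a working login."""
    return [f"{s.section}/{s.module}={s.rc}" for s in req.steps]


if __name__ == "__main__":
    for req in parse_trace(SAMPLE_TRACE):
        print(f"id={req.id} user={req.attrs.get('User-Name')} -> {req.reply}")
        print("   " + " ".join(flow(req)))
        if v := diagnose(req):
            print(f"   first failure: {v['section']}/{v['module']} returned {v['rc']}")
```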
RE: about FreeRadius+radiusmanager+mikrotik
> some of my users try to login to Mikrotik but they can't the first time..

You may find that it will be easier for people to help you if you provide specific details about the problems you are having and what you've done in an attempt to fix the problems.

You should start by doing Internet searches to see if someone else had the same problem(s) and what was done to fix it. If you can't find anything relevant, post the debug output of a failure.
Re: [EAP-PEAP] PEAP Authentication failed
I think the configuration is correct, because I get an Access-Accept when I use eapol_test to test my server locally (localhost client). But when I use wpa_supplicant with the same configuration on another host running Ubuntu 10.10, I get the error I mentioned.

2011/5/4 Phil Mayers
> On 05/04/2011 08:27 PM, Khalid Staili wrote:
>> I am using freeradius in a wired network. The authentication protocol I'm
>> using is PEAP.
>> I have configured the server like described in many different sites, but
>> I have a problem. This is the debug output I have :
>
> Most "sites on the internet" are wrong. Ignore them.
>
> Follow the instructions on the FreeRADIUS site.
>
>> [peap] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
>> TLS Alert read:fatal:decrypt error
>> TLS_accept:failed in SSLv3 read client certificate A
>> rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
>> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
>> TLS receive handshake failed during operation
>
> Yikes.
>
> What is the client?
>
> It looks like you've got broken crypto somehow. Are you sure you haven't
> mangled your certificate & key?
about FreeRadius+radiusmanager+mikrotik
Dear All

I really need help with these issues: some of my users try to login to Mikrotik but they can't the first time.. the Radius server rejects their query; after a few mins they are able to login.

Can anybody please email me the best configuration of radiusd.conf for freeradius-server-2.1.8-dmamod-2?

Note: I'm using Radius Manager for billing, FreeRADIUS 2.1.8 and a Mikrotik PPPoE server.

thanks in advance
Re: [EAP-PEAP] PEAP Authentication failed
On 05/04/2011 08:27 PM, Khalid Staili wrote:
> I am using freeradius in a wired network. The authentication protocol I'm
> using is PEAP.
> I have configured the server like described in many different sites, but
> I have a problem. This is the debug output I have :

Most "sites on the internet" are wrong. Ignore them.

Follow the instructions on the FreeRADIUS site.

> [peap] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert read:fatal:decrypt error
> TLS_accept:failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation

Yikes.

What is the client?

It looks like you've got broken crypto somehow. Are you sure you haven't mangled your certificate & key?
Re: Multiple ldaps (SSL) backends and only the first queried works. Possible bug?
On 05/04/2011 08:46 PM, Tanjil Ahmed wrote:
> Hi all
>
> is there anybody who can tell me why my mikrotik ppp users sometimes fail to authenticate on free radius?

Please don't hijack an existing thread. Start a new one.

> how to fix it? after a few mins it will be ok...

You need to give us more information. See the FAQ for "it still doesn't work"
Re: Multiple ldaps (SSL) backends and only the first queried works. Possible bug?
Hi all

is there anybody who can tell me why my mikrotik ppp users sometimes fail to authenticate on free radius?

how to fix it? after a few mins it will be ok...
[EAP-PEAP] PEAP Authentication failed
I am using freeradius in a wired network. The authentication protocol I'm using is PEAP.
I have configured the server like described in many different sites, but I have a problem. This is the debug output I have :

rad_recv: Access-Request packet from host 192.168.0.1 port 1024, id=192, length=204
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.1
	NAS-Identifier = "kskhaled"
	User-Name = "kskhaled"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 17
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "17"
	Called-Station-Id = "00-1f-fe-02-58-80"
	Calling-Station-Id = "00-26-55-b7-7c-bf"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	EAP-Message = 0x02ad016b736b68616c6564
	Message-Authenticator = 0x74cb8a1036cbc1836786bc29d6d0f75e
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 160 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry kskhaled at line 86
++[files] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 192 to 192.168.0.1 port 1024
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "22"
	EAP-Message = 0x01a100061920
	Message-Authenticator = 0x
	State = 0x5a2fd5015a8ecc31b9ba37ff7858d5ab
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 1024, id=193, length=314
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.1
	NAS-Identifier = "kskhaled"
	User-Name = "kskhaled"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 17
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "17"
	Called-Station-Id = "00-1f-fe-02-58-80"
	Calling-Station-Id = "00-26-55-b7-7c-bf"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0x5a2fd5015a8ecc31b9ba37ff7858d5ab
	EAP-Message = 0x02a100691980005f160301005a015603014dc19e9f979a3af96e33b19d0c62732513034307abf20b2a001cf13bda8125ab2800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff0201040023
	Message-Authenticator = 0x27bfd0a5516047d0700ade8abfb74e62
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 161 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
[files] users: Matched entry kskhaled at line 86
++[files] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0035], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0615], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 193 to 192.168.0.1 port 1024
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "22"
	EAP-Message = 0x01a2040019c0076f1603010035023103014dc19e9fcc1c052070b54096a0918e33a7adb2f7d48503cf2305061f12f94cb539010009ff0100012316030106150b00061100060e00025f3082025b308201c4020101300d06092a864886f70d0101040500308194310e300c060355040a1305454e5349423111300f060355040b13084e6574776f726b733129302706092a864886f70d010901161a6672656572616469757340656e73692d626f75726765732e66723110300e06035504071307426f75726765733110300e06035504081307426f7572676573310b3009060355040613024652311330110603550403130a667265
	EAP-Message = 0x65726164697573301e170d3131303530323230343135385a170d3132303530313230343135385a3057310b30090603550406130246523110300e06035504081307426f7572676573310e300c060355040a1305454e5349423111300f060355040b13084e6574776f726b73311330110603550403130a6672656572616469757330819f300d06092a864886f70d010101
Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen > 0
On 04/05/2011 11:37, Phil Mayers wrote:
> On 04/05/11 10:42, James J J Hooper wrote:
>> Hi All,
>> Sorry for the sketchy details
>>
>> We got an ASSERT FAILED xlat.c[1048]: outlen > 0 with a PEAP user. The bit
>> of the -X I have is as below, and the soh virtual server config is attached.
>>
>> I have no further details at the moment because the client has gone away
>> (and I've disabled SoH in the EAP module config in case they come back and
>> knock it over again while I'm away). The same set-up has been fine with
>> many other SoH clients previously.
>>
>> Can anyone point me in the right direction? The only thing that came to
>> mind was the packet getting a bit big with all those attributes?
>
> From what I can tell, that's a pretty hard error condition to produce.
>
> xlat.c:1048 is inside xlat_copy, which is the default "escaping" function
> when radius_xlat is called with a NULL final argument.
>
> The assert means that there was no room left in the output buffer, but the
> very first check inside the while() loop in radius_xlat is:
>
>     while (*p) {
>         /* Calculate freespace in output */
>         freespace = outlen - (q - out);
>         if (freespace <= 1) break;
>
> A quick look at the code gives me the impression it should be pretty hard
> to trigger this error condition; I can't see how freespace < 1 ever allows
> xlat_copy to be called.
>
>> [updated] returns updated
>> +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated
>> +++ ... skipping else for request 750: Preceding "if" was taken
>> ++- policy create.uob-stripped-mac returns updated
>
> The above policy: where is that? It's clearly not in your SoH virtual
> server - is this the inner-tunnel stuff? Can we see the config?
>
> I suspect something in the SoH is triggering this when it dumps the AVPs.

Both inner and outer configs start:
--
server eduroamlocal-inner {
    authorize {
        create.uob-stripped-mac
        preprocess
--
server eduroamlocal {
    authorize {
        create.uob-stripped-mac
        preprocess
--

where create.uob-stripped-mac is:
--
create.uob-stripped-mac {
    if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
        update request {
            UOB-Stripped-MAC := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
        }
        updated
    }
    else {
        noop
    }
}
--

-James
Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen > 0
On 04/05/2011 11:24, Phil Mayers wrote:
> On 04/05/11 10:42, James J J Hooper wrote:
>> [updated] returns updated
>> +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated
>> +++ ... skipping else for request 750: Preceding "if" was taken
>> ++- policy create.uob-stripped-mac returns updated
>
> Is that all? It jumps straight from the above to dumping the SoH packet?

Yes

>>     SoH-Supported = yes
>>     SoH-MS-Machine-OS-vendor = Microsoft
>>     SoH-MS-Machine-OS-version = 6
>>     SoH-MS-Machine-OS-release = 0
>>     SoH-MS-Machine-OS-build = 6000
>>     SoH-MS-Machine-SP-version = 0
>>     SoH-MS-Machine-SP-release = 0
>>     SoH-MS-Machine-Processor = x86
>>     SoH-MS-Machine-Name = "AlexanderPC"
>>     SoH-MS-Correlation-Id = 0x81aa82cd69f946f2bae142fd0fbfcc3e01cc09847027078c
>>     SoH-MS-Machine-Role = client
>>     SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>>     SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>>     SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=0 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=0 enabled=0"
>>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=0 enabled=1"
>>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>>     SoH-MS-Windows-Health-Status = "auto-updates ok action=install by-policy=1"
>>     SoH-MS-Windows-Health-Status = "security-updates error no-wsus-srv"
>>     FreeRADIUS-Proxied-To = 127.0.0.1
>>     User-Name = "abc...@bris.ac.uk"
>>     Calling-Station-Id = "00:1b:77:xx:xx:xx"
>>     Called-Station-Id = "00:3a:98:9d:17:30:eduroam"
>>     NAS-Port = 29
>>     NAS-IP-Address = 172.17.107.207
>>     NAS-Identifier = "wism7"
>>     Airespace-Wlan-Id = 3
>>     Service-Type = Framed-User
>>     Framed-MTU = 1300
>>     NAS-Port-Type = Wireless-802.11
>>     Tunnel-Type:0 = VLAN
>>     Tunnel-Medium-Type:0 = IEEE-802
>>     Tunnel-Private-Group-Id:0 = "448"
>> ASSERT FAILED xlat.c[1048]: outlen > 0
>
> Ok, something has gone wildly wrong there
>
> Unless they really do have 3 firewall, 7 AV and 8 anti-spyware products installed!

Indeed - We all know how messed up clients can get, so this one is probably due for some TLC (if I can get them to come in).

>> Config bits:
>>
>> server eduroamlocal-soh {
>>     authorize {
>>         if (SoH-Supported == no) {
>>             update config {
>>                 Auth-Type = Accept
>>             }
>>         } else {
>>             detail-bsql
>
> What's the config for this module?

As below i.e. a plain old detail module

>>             update config {
>>                 Auth-Type = Accept
>>             }
>>
>> detail detail-bsql {
>>     detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
>>     detailperm = 0600
>>     header = "%t"
>> }

-James
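Added here as an example (not code from the thread): a Python pass over an SoH attribute dump like the one above that counts health-status entries per category and flags what Phil points at, namely implausibly many products of one kind, plus any entry whose status is not `ok` and whether each product class has at least one product that is both enabled and up to date. The sample is constructed from the attributes posted above; `MAX_PRODUCTS` is an assumed threshold.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: the SoH attributes dumped in the trace above (the
# non-SoH attributes of that request are left out).
SAMPLE_SOH = """\
\tSoH-Supported = yes
\tSoH-MS-Machine-Name = "AlexanderPC"
\tSoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0"
\tSoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0"
\tSoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0"
\tSoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0"
\tSoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=0 enabled=1"
\tSoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=0"
\tSoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=0 enabled=0"
\tSoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=0 enabled=1"
\tSoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
\tSoH-MS-Windows-Health-Status = "auto-updates ok action=install by-policy=1"
\tSoH-MS-Windows-Health-Status = "security-updates error no-wsus-srv"
"""

SOH_STATUS_RE = re.compile(r'^\s*SoH-MS-Windows-Health-Status = "([^"]*)"')
MAX_PRODUCTS = 2  # assumed threshold: more products of one kind than this is suspicious


def parse_status(value: str) -> dict:
    """'firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0' -> structured entry.
    Tokens without '=' (e.g. 'no-wsus-srv' on the error line) are kept as notes."""
    category, status, *rest = value.split()
    flags: Dict[str, str] = {}
    notes: List[str] = []
    for tok in rest:
        if "=" in tok:
            key, val = tok.split("=", 1)
            flags[key] = val
        else:
            notes.append(tok)
    return {"category": category, "status": status, "flags": flags, "notes": notes}


def audit_soh(dump: str, max_products: int = MAX_PRODUCTS) -> dict:
    """Per-category counts, coverage and problem list for one SoH attribute dump."""
    entries = [parse_status(m.group(1))
               for m in map(SOH_STATUS_RE.match, dump.splitlines()) if m]
    counts = Counter(e["category"] for e in entries)
    # Covered = at least one product of that class is both enabled and up to date.
    # Only product classes report an 'enabled' flag, so update lines are skipped.
    covered: Dict[str, bool] = {}
    for e in entries:
        if "enabled" in e["flags"]:
            good = e["flags"]["enabled"] == "1" and e["flags"].get("up2date") == "1"
            covered[e["category"]] = covered.get(e["category"], False) or good
    problems = [f"{e['category']}: {e['status']} {' '.join(e['notes'])}".rstrip()
                for e in entries if e["status"] != "ok"]
    suspicious = {c: n for c, n in counts.items() if n > max_products}
    return {"counts": dict(counts), "covered": covered,
            "problems": problems, "suspicious": suspicious}


if __name__ == "__main__":
    report = audit_soh(SAMPLE_SOH)
    for cat, n in report["counts"].items():
        flag = "  <-- suspicious" if cat in report["suspicious"] else ""
        print(f"{cat:17s} entries={n} covered={report['covered'].get(cat, 'n/a')}{flag}")
    for problem in report["problems"]:
        print("problem:", problem)
```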
Re: Nexus Configurations
On May 4, 2011, at 4:48 AM, Darren Shaw wrote:
> Good Morning
>
> I am new to this forum and to the workings of FreeRadius and I have a query
> around the Cisco Nexus family.
>
> Currently we have all our switches and routers authenticating to FreeRadius
> and all seems to be working. The problem comes when I want to authenticate my
> Nexus 7K and 5K's. The 7Ks and 5Ks will authenticate me but the Nexus puts
> me in an operator role and not in an administrator's role.
>
> According to Cisco I have to place the following into
>
> /usr/local/etc/raddb/sites-available/default
>
> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
> Cisco-AVPair = "shell:roles*\"network-admin\""

This is what I'm adding to the replies for Nexus 5K's. I don't have any 7K's but I'd be surprised if they were any different. I have not tried to send two roles so I can't confirm the syntax for that.

	Cisco-AVPair += "shell:roles=network-admin",
	Service-Type := Administrative-User,

-David Mitchell

> The current service type is = Administrative-User
>
> I have tried each AVPair and nothing works. Has anyone else had this issue?
>
> If anyone has any advice I would be really grateful.
>
> Thanks
>
> Rgds
> Darren Shaw
> The Network Team
> Computing Services
> University of Huddersfield
> Queensgate
> Huddersfield
> HD1 3DH
>
> TEL: 01484 471317
> MOBILE: 07792 773807

--
| David Mitchell (mitch...@ucar.edu)    Network Engineer IV     |
| Tel: (303) 497-1845                   National Center for     |
| FAX: (303) 497-1818                   Atmospheric Research    |
Re: Multiple ldaps (SSL) backends and only the first queried works. Possible bug?
On 04/05/11 09:37, Daniele Albrizio wrote:
> On 03/05/11 21:41, Alexander Clouter wrote:
>> Daniele Albrizio wrote:
>>>
>>> I suspect the "cacertfile" attribute is not correctly re-instantiated
>>> and only the value of the first request is used to check against when
>>> instantiating a new ldaps connection.
>>>
>> Without a doubt the chaining is not working on your LDAP servers. What
>
> What I suspect is that this is not working with ANY ldap servers as long
> as you have multiple ldaps backends configured and the ldap servers are
> secured by SSL certificates signed by different CAs
>
>> is the full output of:
>>
>> openssl s_client -connect myAD.ds.units.it:636 -showcerts
>> openssl s_client -connect myopenldap.units.it:636 -showcerts
>
> http://pastebin.com/kyb34c9M for the first
> http://pastebin.com/Kqd12KQL for the second
>
>> You can pipe the server cert (cut'n'paste on stdin) through the
>> following to see the useful parts of the certs:
>>
>> openssl x509 -noout -text
>
> Yes, perhaps the problem is not whether the verification is successful or
> not (it works on each server only if we are in the first ldaps connection
> on a freshly started freeradius), but what happens if the Nth request with
> N != 1st goes to the other ldap server. This Nth request fails with
>
> TLS: peer cert untrusted or revoked (0x42)
>
> but it is configured correctly.
>
> I suspect this could be a bug in the way multiple CA cert attributes of
> subsequent requests are handled in freeradius code.

FreeRADIUS just calls:

  ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE, ...)

...and similar in rlm_ldap.c:ldap_connect

Interestingly, the 1st argument is NULL, not the LDAP* instance which has been created higher up, meaning those options are being (re)set globally, not per-connection.

I wonder if that's the problem? You could try:

  perl -pe 's/(ldap[_a-z0-9]+)\(\s*NULL,/\1(ld,/g' src/modules/rlm_ldap/rlm_ldap.c

...which will change the above to:

  ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, ...)

i.e. they'll be set on the connection created, not globally.
Nexus Configurations
Good Morning

I am new to this forum and to the workings of FreeRadius and I have a query around the Cisco Nexus family.

Currently we have all our switches and routers authenticating to FreeRadius and all seems to be working. The problem comes when I want to authenticate my Nexus 7K and 5K's. The 7Ks and 5Ks will authenticate me but the Nexus puts me in an operator role and not in an administrator's role.

According to Cisco I have to place the following into

/usr/local/etc/raddb/sites-available/default

Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
Cisco-AVPair = "shell:roles*\"network-admin\""

The current service type is = Administrative-User

I have tried each AVPair and nothing works. Has anyone else had this issue?

If anyone has any advice I would be really grateful.

Thanks

Rgds
Darren Shaw
The Network Team
Computing Services
University of Huddersfield
Queensgate
Huddersfield
HD1 3DH

TEL: 01484 471317
MOBILE: 07792 773807
Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen > 0
On 04/05/11 10:42, James J J Hooper wrote:
> Hi All,
> Sorry for the sketchy details
>
> We got an ASSERT FAILED xlat.c[1048]: outlen > 0 with a PEAP user. The bit
> of the -X I have is as below, and the soh virtual server config is attached.
>
> I have no further details at the moment because the client has gone away
> (and I've disabled SoH in the EAP module config in case they come back and
> knock it over again while I'm away). The same set-up has been fine with
> many other SoH clients previously.
>
> Can anyone point me in the right direction? The only thing that came to
> mind was the packet getting a bit big with all those attributes?

From what I can tell, that's a pretty hard error condition to produce.

xlat.c:1048 is inside xlat_copy, which is the default "escaping" function when radius_xlat is called with a NULL final argument.

The assert means that there was no room left in the output buffer, but the very first check inside the while() loop in radius_xlat is:

    while (*p) {
        /* Calculate freespace in output */
        freespace = outlen - (q - out);
        if (freespace <= 1) break;

A quick look at the code gives me the impression it should be pretty hard to trigger this error condition; I can't see how freespace < 1 ever allows xlat_copy to be called.

> Thanks,
> James
>
> [updated] returns updated
> +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated
> +++ ... skipping else for request 750: Preceding "if" was taken
> ++- policy create.uob-stripped-mac returns updated

The above policy: where is that? It's clearly not in your SoH virtual server - is this the inner-tunnel stuff? Can we see the config?

I suspect something in the SoH is triggering this when it dumps the AVPs.
Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen > 0
On 04/05/11 10:42, James J J Hooper wrote:
> Hi All,
> Sorry for the sketchy details
>
> We got an ASSERT FAILED xlat.c[1048]: outlen > 0 with a PEAP user. The bit
> of the -X I have is as below, and the soh virtual server config is attached.
>
> I have no further details at the moment because the client has gone away
> (and I've disabled SoH in the EAP module config in case they come back and
> knock it over again while I'm away). The same set-up has been fine with
> many other SoH clients previously.
>
> Can anyone point me in the right direction? The only thing that came to
> mind was the packet getting a bit big with all those attributes?
>
> Thanks,
> James
>
> [updated] returns updated
> +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated
> +++ ... skipping else for request 750: Preceding "if" was taken
> ++- policy create.uob-stripped-mac returns updated

Is that all? It jumps straight from the above to dumping the SoH packet?

>     SoH-Supported = yes
>     SoH-MS-Machine-OS-vendor = Microsoft
>     SoH-MS-Machine-OS-version = 6
>     SoH-MS-Machine-OS-release = 0
>     SoH-MS-Machine-OS-build = 6000
>     SoH-MS-Machine-SP-version = 0
>     SoH-MS-Machine-SP-release = 0
>     SoH-MS-Machine-Processor = x86
>     SoH-MS-Machine-Name = "AlexanderPC"
>     SoH-MS-Correlation-Id = 0x81aa82cd69f946f2bae142fd0fbfcc3e01cc09847027078c
>     SoH-MS-Machine-Role = client
>     SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>     SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>     SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=0 enabled=1"
>     SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=0"
>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=0 enabled=0"
>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=0 enabled=1"
>     SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
>     SoH-MS-Windows-Health-Status = "auto-updates ok action=install by-policy=1"
>     SoH-MS-Windows-Health-Status = "security-updates error no-wsus-srv"
>     FreeRADIUS-Proxied-To = 127.0.0.1
>     User-Name = "abc...@bris.ac.uk"
>     Calling-Station-Id = "00:1b:77:xx:xx:xx"
>     Called-Station-Id = "00:3a:98:9d:17:30:eduroam"
>     NAS-Port = 29
>     NAS-IP-Address = 172.17.107.207
>     NAS-Identifier = "wism7"
>     Airespace-Wlan-Id = 3
>     Service-Type = Framed-User
>     Framed-MTU = 1300
>     NAS-Port-Type = Wireless-802.11
>     Tunnel-Type:0 = VLAN
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Private-Group-Id:0 = "448"
> ASSERT FAILED xlat.c[1048]: outlen > 0

Ok, something has gone wildly wrong there

Unless they really do have 3 firewall, 7 AV and 8 anti-spyware products installed!

> Config bits:
>
> server eduroamlocal-soh {
>     authorize {
>         if (SoH-Supported == no) {
>             update config {
>                 Auth-Type = Accept
>             }
>         } else {
>             detail-bsql

What's the config for this module?

>             update config {
>                 Auth-Type = Accept
>             }
>
> detail detail-bsql {
>     detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
>     detailperm = 0600
>     header = "%t"
> }
FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen > 0
Hi All,

Sorry for the sketchy details. We got an ASSERT FAILED xlat.c[1048]: outlen > 0 with a PEAP user. The bit of the -X I have is as below, and the soh virtual server config is attached. I have no further details at the moment because the client has gone away (and I've disabled SoH in the EAP module config in case they come back and knock it over again while I'm away). The same set-up has been fine with many other SoH clients previously.

Can anyone point me in the right direction? The only thing that came to mind was the packet getting a bit big with all those attributes?

Thanks,
James

[updated] returns updated
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated
+++ ... skipping else for request 750: Preceding "if" was taken
++- policy create.uob-stripped-mac returns updated
    SoH-Supported = yes
    SoH-MS-Machine-OS-vendor = Microsoft
    SoH-MS-Machine-OS-version = 6
    SoH-MS-Machine-OS-release = 0
    SoH-MS-Machine-OS-build = 6000
    SoH-MS-Machine-SP-version = 0
    SoH-MS-Machine-SP-release = 0
    SoH-MS-Machine-Processor = x86
    SoH-MS-Machine-Name = "AlexanderPC"
    SoH-MS-Correlation-Id = 0x81aa82cd69f946f2bae142fd0fbfcc3e01cc09847027078c
    SoH-MS-Machine-Role = client
    SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0"
    SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0"
    SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0"
    SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0"
    SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=0 enabled=1"
    SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=0"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=0 enabled=0"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=0 enabled=1"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "auto-updates ok action=install by-policy=1"
    SoH-MS-Windows-Health-Status = "security-updates error no-wsus-srv"
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "abc...@bris.ac.uk"
    Calling-Station-Id = "00:1b:77:xx:xx:xx"
    Called-Station-Id = "00:3a:98:9d:17:30:eduroam"
    NAS-Port = 29
    NAS-IP-Address = 172.17.107.207
    NAS-Identifier = "wism7"
    Airespace-Wlan-Id = 3
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "448"
ASSERT FAILED xlat.c[1048]: outlen > 0

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk

--
Config bits:

server eduroamlocal-soh {
    authorize {
        if (SoH-Supported == no) {
            update config {
                Auth-Type = Accept
            }
        }
        else {
            detail-bsql
            update config {
                Auth-Type = Accept
            }

detail detail-bsql {
    detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
    detailperm = 0600
    header = "%t"
}
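As an added illustration (not part of James's post or of FreeRADIUS), here is how the SoH-MS-Windows-Health-Status strings in that debug can be parsed and turned into a health verdict, something the soh virtual server above does not do since it accepts unconditionally; the "enabled and up to date" threshold is an assumption, and the sample values are constructed from the debug.

```python
# Added example (not from the list post or FreeRADIUS): parse SoH-MS-Windows-
# Health-Status values and derive a health verdict. Thresholds are assumptions.

# Constructed sample modelled on the attribute values in the debug output.
SAMPLE_STATUS = [
    "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0",
    "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1",
    "antivirus ok snoozed=0 microsoft=0 up2date=0 enabled=1",
    "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1",
    "antispyware ok snoozed=0 microsoft=1 up2date=0 enabled=0",
    "auto-updates ok action=install by-policy=1",
    "security-updates error no-wsus-srv",
]


def parse_status(value):
    """Split one status string into component, state and key=value flags.
    A bare trailing token such as 'no-wsus-srv' is kept as the reason."""
    tokens = value.split()
    if len(tokens) < 2:
        raise ValueError("malformed SoH status: %r" % value)
    entry = {"component": tokens[0], "state": tokens[1],
             "flags": {}, "reason": None}
    for tok in tokens[2:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            entry["flags"][key] = val
        else:
            entry["reason"] = tok
    return entry


def evaluate(values):
    """Return (healthy, findings). A component class is healthy when at
    least one product reports enabled=1 and up2date=1 (assumed policy);
    any 'error' state is reported as a finding with its reason."""
    findings = []
    class_ok = {}
    for value in values:
        entry = parse_status(value)
        if entry["state"] == "error":
            findings.append("%s: %s" % (entry["component"], entry["reason"] or "error"))
            continue
        flags = entry["flags"]
        ok = flags.get("enabled") == "1" and flags.get("up2date", "1") == "1"
        class_ok[entry["component"]] = class_ok.get(entry["component"], False) or ok
    for comp in ("firewall", "antivirus", "antispyware"):
        if comp in class_ok and not class_ok[comp]:
            findings.append("%s: no product both enabled and up to date" % comp)
    return (not findings, findings)
```

Run against SAMPLE_STATUS it flags the missing WSUS server and the antispyware product that is neither enabled nor current, while the firewall and antivirus classes pass because one product in each is both enabled and up to date.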
Re: Multiple ldaps (SSL) backends and only the first queried works. Possible bug?
On 03/05/11 21:41, Alexander Clouter wrote:
> Daniele Albrizio wrote:
>>
>> I suspect the "cacertfile" attribute is not correctly re-instantiated
>> and only the value of the first request is used to check against when
>> instantiating a new ldaps connection.
>>
> Without a doubt the chaining is not working on your LDAP servers. What

What I suspect is that this is not working with ANY ldap servers as long as you have multiple ldaps backends configured and the ldap servers are secured by SSL certificates signed by different CAs.

> is the full output of:
>
> openssl s_client -connect myAD.ds.units.it:636 -showcerts
> openssl s_client -connect myopenldap.units.it:636 -showcerts

http://pastebin.com/kyb34c9M for the first
http://pastebin.com/Kqd12KQL for the second

> You can pipe the server cert (cut'n'paste on stdin) through the
> following to see the useful parts of the certs:
>
> openssl x509 -noout -text

Yes, perhaps the problem is not whether the verification is successful or not (it works on each server only if we are in the first ldaps connection on a freshly started freeradius), but what happens if the Nth request with N != 1st goes to the other ldap server. This Nth request fails with

TLS: peer cert untrusted or revoked (0x42)

but it is configured correctly. I suspect this could be a bug in the way the multiple CA cert attributes of subsequent requests are handled in the freeradius code.

> You probably will find if you change those tls 'demands' to 'never'
> things work, but then it kinda is self defeating :)

Obviously, I don't want that :)

--
Daniele ALBRIZIO
