Re: TLS Check Cn Question
David Mitchell wrote: currently I'm using the check_cert_cn option in my EAP-TLS setup. I think I may have the need to support two possible CN formats. Is there any way to do a conditional check? Your message contains the answer to that question. I don't think the eap.conf file is unlang interpreted so I don't think I can include full regexp or if-then conditionals can I? Is there some other way to accomplish this? The docs mention possibly doing this by checking TLS-Client-Cert-CN but I'm not sure where exactly I would do that. Thanks in advance, The CN is just a string. Check it like you would check any string. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Two different sets of Group Authentication
Hi, Currently I am authenticating only one group of users in the Cisco Switches group. Now I have to add another VPN group and distinguish between two sets of group authentication, VPN Users and Cisco switches. I'd like to control access to each of those separately (different AD group SIDs). Do I have to do something like creating two modules (ntlm_auth and ntlm_auth2) or two different mschap modules with respective ntlm_auth entries? Even then, how would it differentiate between the two? Is defining huntgroups an option if using ntlm as Auth type? BR, Raheel
Authorize only through a Postgres Query
Hi, I'm currently trying to implement an authorization process only, between a Cisco GGSN and FreeRADIUS. My idea is for FreeRADIUS to authenticate regardless of the MS (IMSI) and, after authentication, query a PostgreSQL database based upon the IMSI to get the IP Pool that will be used. On a previous post Phil Mayers explained how I could do the SQL query (Freeradius GGSN-Postgresql Based upon SELECT it will trigger a specific IP Pool). But my issue is that I'm not able to authenticate (regardless of the IMSI - no database query is required for this) and execute the SQL XLAT (the SQL SELECT that will get the IP Pool name for the specific IMSI). So how can I set up FreeRADIUS to authenticate my attempts from the GGSN, grab the IMSI (from the login data), execute the SQL XLAT and return in the reply the specific IP address (from the IP Pool that was selected based on the SQL XLAT)? BR, Pedro Costa
Re: Authorize only through a Postgres Query
On 26/05/11 12:06, Pedro Costa wrote: But my issue is that I'm not able to authenticate (regardless of the IMSI - no database query is required for this) and execute the SQL XLAT (the SQL SELECT that will get the IP Pool name for the specific IMSI). Why not? Be specific. Tell us what you tried, and how it failed. Better yet, gather the output of radiusd -X when you make an attempt and read it carefully. If you can't spot the problem, post it to the list and we can make suggestions.
Mac authentication failure
Hi Everyone, I tried to set up Mac Authentication per the doc at freeradius.org. The client connects but the users don't. The following is the output from the debug mode in freeradius. Thanks for your help.

Ready to process requests.
rad_recv: Access-Request packet from host 10.41.0.254 port 32768, id=107, length=135
        User-Name = d8-a2-5e-c4-a4-58
        Called-Station-Id = 00-3a-98-8e-ad-d0:USDOD
        Calling-Station-Id = d8-a2-5e-c4-a4-58
        NAS-Port = 1
        NAS-IP-Address = 10.41.0.254
        NAS-Identifier = NCPSWIFI
        Airespace-Wlan-Id = 1
        Service-Type = Call-Check
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = d8-a2-5e-c4-a4-58, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry d8-a2-5e-c4-a4-58 at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request. Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> d8-a2-5e-c4-a4-58
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 107 to 10.41.0.254 port 32768
Waking up in 4.9 seconds.
Debug STDOUT
[root@box ~]# /usr/sbin/radiusd -xx
[root@box ~]# ps aux | grep radius
radiusd  32539  0.0  0.1 148872 2672 ?     Ssl  10:50   0:00 /usr/sbin/radiusd -xx
root     32564  0.0  0.0  61220  752 pts/0 R+   10:50   0:00 grep radius
For some reason I can't get radius -x to display to STDOUT. Any hints? Norman
Re: Debug STDOUT
Am 26.05.2011 um 16:54 schrieb Norman Zhang:
[root@box ~]# /usr/sbin/radiusd -xx
[root@box ~]# ps aux | grep radius
radiusd  32539  0.0  0.1 148872 2672 ?     Ssl  10:50   0:00 /usr/sbin/radiusd -xx
root     32564  0.0  0.0  61220  752 pts/0 R+   10:50   0:00 grep radius
For some reason I can't get radius -x to display to STDOUT. Any hints?
You probably mean -X (upper case). See the man page of radiusd. Have a nice day! Nicolas Goutte, extragroup GmbH - Karlsruhe
Re: TLS Check Cn Question
On May 26, 2011, at 1:25 AM, Alan DeKok wrote: David Mitchell wrote: currently I'm using the check_cert_cn option in my EAP-TLS setup. I think I may have the need to support two possible CN formats. Is there any way to do a conditional check? Your message contains the answer to that question. I don't think the eap.conf file is unlang interpreted so I don't think I can include full regexp or if-then conditionals can I? Is there some other way to accomplish this? The docs mention possibly doing this by checking TLS-Client-Cert-CN but I'm not sure where exactly I would do that. Thanks in advance, The CN is just a string. Check it like you would check any string. Well yes, that's true. I'm just not sure where the best place to put the check is, since I don't believe eap.conf is unlang interpreted. Should it go into the sites-enabled/default post-auth section? The piece that's really not clear to me is where I can put the more sophisticated checks. I think I can write them once I have an idea of where to put them. Thanks in advance, -David Mitchell
David Mitchell (mitch...@ucar.edu), Network Engineer IV, National Center for Atmospheric Research. Tel: (303) 497-1845, FAX: (303) 497-1818
Re: TLS Check Cn Question
David Mitchell wrote: Well yes, that's true. I'm just not sure where the best place to put the check is since I don't believe eap.conf is unlang interpreted. It's not. Should it go into the sites-enabled/default post-auth section? The comments and examples in the sites-enabled/default file are *already* in the post-auth section. What's the problem? Alan DeKok.
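A post-auth check of the kind this thread discusses, written here as an added example rather than code from either poster or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x unlang in sites-enabled/default, that the EAP module adds the client certificate's CN to the request as TLS-Client-Cert-Common-Name (the poster's "TLS-Client-Cert-CN"), and two constructed CN formats chosen only for illustration.

```unlang
# Added example for sites-enabled/default (FreeRADIUS 2.x unlang); not from the original post.
# Assumes the EAP-TLS handshake has already verified the certificate chain and that
# TLS-Client-Cert-Common-Name holds the client certificate's CN (assumed attribute name).
post-auth {
        # Constructed formats for illustration only:
        #   device certificates  ap-<digits>.example.org
        #   user certificates    <localpart>@example.org
        # Only run the check when a client certificate CN is actually present
        # (an Access-Accept for a non-certificate method has no CN to test).
        if (TLS-Client-Cert-Common-Name) {
                # Reject when the CN matches neither accepted pattern.
                if ((TLS-Client-Cert-Common-Name !~ /^ap-[0-9]+\.example\.org$/) && (TLS-Client-Cert-Common-Name !~ /^[a-z0-9._-]+@example\.org$/)) {
                        update reply {
                                Reply-Message := "Client certificate CN is not in an accepted format"
                        }
                        reject
                }
        }
}
```

A reject returned from post-auth turns the reply into an Access-Reject and then runs the Post-Auth-Type REJECT section, so attr_filter.access_reject still strips reply attributes that are not allowed in a reject.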
Different Auth Methods based on client entries with ntlm_auth
Is there any way to perform a different authentication method based on the specific client entry (or group of entries) using the ntlm_auth method? We're implementing the ntlm_auth interface to AD, and need to specify the group to authenticate against differently for different classes of machines/devices. I've followed the instructions on http://deployingradius.com/documents/configuration/active_directory.html and it works great for one group when I add the option --require-membership-of=SomeGroup but I need a way to figure out how to specify that group name, perhaps based on the nastype, or some other variable I can set in the client configuration. Any ideas? Don O'Neil Senior Network Engineer SAIC - CCSD Network Operations (702) 351-7261 cell (702) 799-6174 fax 0099-5941 wan onei...@saic.com
Default accounting
Where does accounting logging primarily go by default? Can it be sent to a text file? Thanks in Advance, Timothy McNabb Network Administrator Velociter Wireless, Inc (209)838-1221
Copy accounting to a proxy and ignore reply
I'm running a farm of freeradius server 2.1.1, 16 with Suse Linux and 32 with Sun Solaris, and I need to proxy a copy of each accounting packet to a pool of remote home servers, without waiting for a reply/ack from the remote servers, and without retries or failover, for performance reasons. The accounting packet (+1000/sec) must go asap into one db of a pool of mysql servers before being proxied, rejecting accounting if all the db servers fail. Is it possible to do this with freeradius in a very efficient manner? Any idea for the better way to implement this configuration? I'm trying with a config like:

accounting {
        redundant {
                sqldb1
                sqldb2
                sqldb3
                sqldb4
                detail
        }
        if ( %{Called-Station-Id} == my.apn.domain ) {
                update control {
                        Proxy-To-Realm := homeserver_pool
                }
        }
        linelog
}

.. but I'm thinking about using the internal radrelay in freeradius, proxying after copying acct to a detail file, like: sites-available/copy-acct-to-home-server sites-available/robust-proxy-accounting sites-available/decoupled-accounting Best regards and thanks in advance, Sandro Magri
RE: Default accounting
Hey, a Q I may be able to answer! It may depend a bit on distro, but typically: /usr/local/var/log/radius/radacct/%NAS-IP%/detail-mmdd. It is a text file. HTH G
RE: Default accounting
By default, the accounting detail files are in: ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d which usually translates to: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d Read the raddb/modules/detail file for more information. Tim
New FreeRADIUS wiki - Help appreciated!
Dear Users, One of the largest complaints with FreeRADIUS is the lack of comprehensive documentation. The current wiki @ wiki.freeradius.org has served its purpose, but has ultimately failed to provide an up to date, well organised source of documentation. The current major problems with the wiki are:
* spam users - which meant we had to lock registration, and discouraged new users from contributing
* exporting information - all pages are stored in an sql lite instance, which makes it hard to automatically roll pages into releases
* formatting information - information stored in the wiki is in the MediaWiki format, whereas the documentation bundled with FreeRADIUS is either unformatted or in rst format.
To try and solve these issues and glue everything together a bit more, I've been working with Alan DeKok to set up a new instance of Gollum. Gollum is a ruby on rails application which exposes a git repository as a wiki site. Gollum can render files in many markup languages including plaintext, RST and MediaWiki format, which means we can import all current server documentation, all current wiki documentation and have them neatly presented in a single wiki site. Neat huh? But what about spam and registration? Well by default gollum doesn't authenticate anyone. But because it's a rails application we can drop in a library called 'OmniAuth' which uses OAuth to authenticate against a bunch of providers. This allows us to leverage the authentication and spam account prevention services of providers like GitHub, Facebook and Twitter. Unfortunately the new wiki isn't ready for primetime. The MediaWiki page format renderer in gollum isn't perfect, so we need to convert those pages to RST as a priority.
If you want to help out, please do the following:
1) Sign up for Facebook, Twitter or GitHub
2) Go to http://power.freeradius.org:4567
3) Pick a page where the MediaWiki format doesn't render correctly
4) Edit it
5) Change edit mode from MediaWiki to reStructuredText
6) Convert markup to RST (see here: http://docutils.sourceforge.net/docs/ref/rst/restructuredtext.html)
7) Save the page
8) Get warm fuzzy glow from contributing to open source
Also please report any bugs here: https://github.com/github/gollum/issues?_pjax=true&state=open Many Thanks, Arran Arran Cudbard-Bell RM-RF Limited - Security consultation and contracting VoIP: +1 916-436-1352 Cell: +44 7854041841
Re: New FreeRADIUS wiki - Help appreciated!
On Fri, May 27, 2011 at 7:29 AM, Arran Cudbard-Bell a.cudba...@gmail.com wrote: If you want to help out, please do the following: 1) Sign up for Facebook, Twitter or GitHub 2) Go to http://power.freeradius.org:4567 http://power.freeradius.org:4567 is problematic from here (slow, and sometimes it gives connect errors) while the old wiki loads just fine. Is this a location problem (e.g. hosted on not-so-good datacenter), server problem (e.g. not enough RAM), or application problem (e.g. non-optimum sql queries)? -- Fajar
Re: New FreeRADIUS wiki - Help appreciated!
On May 26, 2011, at 6:09 PM, Fajar A. Nugraha wrote: On Fri, May 27, 2011 at 7:29 AM, Arran Cudbard-Bell a.cudba...@gmail.com wrote: If you want to help out, please do the following: 1) Sign up for Facebook, Twitter or GitHub 2) Go to http://power.freeradius.org:4567 http://power.freeradius.org:4567 is problematic from here (slow, and sometimes it gives connect errors) while the old wiki loads just fine. Is this a location problem (e.g. hosted on not-so-good datacenter), server problem (e.g. not enough RAM), or application problem (e.g. non-optimum sql queries)? I'm not sure why it appears slow from where you are, it's pretty speedy from Sacramento, California, and the Server is in France. Also the new wiki doesn't use SQL, as I mentioned in the previous post all data storage is GIT. I did just have to restart it to fix some issues with the login status bar at the top which was broken by an update to the Mustache markup library, which may explain the connection errors. Please let me know if you continue to experience slowness and connection errors. Thanks, Arran Arran Cudbard-Bell RM-RF Limited - Security consultation and contracting VoIP: +1 916-436-1352 Cell: +44 7854041841
Re: New FreeRADIUS wiki - Help appreciated!
On Fri, May 27, 2011 at 8:22 AM, Arran Cudbard-Bell a.cudba...@gmail.com wrote: On May 26, 2011, at 6:09 PM, Fajar A. Nugraha wrote: On Fri, May 27, 2011 at 7:29 AM, Arran Cudbard-Bell 2) Go to http://power.freeradius.org:4567 http://power.freeradius.org:4567 is problematic from here (slow, and sometimes it gives connect errors) while the old wiki loads just fine. I'm not sure why it appears slow from where you are, it's pretty speedy from Sacramento, California, and the Server is in France. Also the new wiki doesn't use SQL, as I mentioned in the previous post all data storage is GIT. I did just have to restart it to fix some issues with the login status bar at the top which was broken by an update to the Mustache markup library, which may explain the connection errors. Please let me know if you continue to experience slowness and connection errors. It's still slow. Using wget reveals something interesting though:
- it's connected almost immediately
- HTTP request sent, awaiting response... took over 10 seconds
- once I got 200 OK, the content is transferred very quickly, so it's not a connection speed problem.
Does ruby (or apache, or whatever web frontend you use) perform reverse address lookup by default? If yes, it might explain the long response time somewhat. -- Fajar
Re: New FreeRADIUS wiki - Help appreciated!
It's still slow. Using wget reveals something interesting though:
- it's connected almost immediately
- HTTP request sent, awaiting response... took over 10 seconds
- once I got 200 OK, the content is transferred very quickly, so it's not a connection speed problem.
Does ruby (or apache, or whatever web frontend you use) perform reverse address lookup by default? If yes, it might explain the long response time somewhat. *sigh* webrick does indeed perform reverse lookup by default, who does that?! Had to update the entire ruby install to 1.9.2 to get the version of the library which allows you to disable it, but it is now disabled and I can see the logs are no longer showing FQDNs. Could you try one last time and see if this was the issue you were running into. Many thanks, Arran Arran Cudbard-Bell RM-RF Limited - Security consultation and contracting VoIP: +1 916-436-1352 Cell: +44 7854041841
Re: New FreeRADIUS wiki - Help appreciated!
On Fri, May 27, 2011 at 9:26 AM, Arran Cudbard-Bell a.cudba...@gmail.com wrote: It's still slow. Using wget reveals something interesting though: - it's connected almost immediately - HTTP request sent, awaiting response... took over 10 seconds - once I got 200 OK, the content is transferred very quickly, so it's not a connection speed problem. Does ruby (or apache, or whatever web frontend you use) perform reverse address lookup by default? If yes, it might explain the long response time somewhat. *sigh* webrick does indeed perform reverse lookup by default, who does that?! Had to update the entire ruby install to 1.9.2 to get the version of the library which allows you to disable it, but it is now disabled and I can see the logs are no longer showing FQDNs. Could you try one last time and see if this was the issue you were running into. It works great now, thanks. So the current policy is:
- anyone can register (via github etc)
- any logged-in user can create/edit new pages
Is that correct? I'll try updating the FAQ with some new entries later. -- Fajar
Re: New FreeRADIUS wiki - Help appreciated!
On May 26, 2011, at 7:41 PM, Fajar A. Nugraha wrote: On Fri, May 27, 2011 at 9:26 AM, Arran Cudbard-Bell a.cudba...@gmail.com wrote: It's still slow. Using wget reveals something interesting though: - it's connected almost immediately - HTTP request sent, awaiting response... took over 10 seconds - once I got 200 OK, the content is transferred very quickly, so it's not a connection speed problem. Does ruby (or apache, or whatever web frontend you use) perform reverse address lookup by default? If yes, it might explain the long response time somewhat. *sigh* webrick does indeed perform reverse lookup by default, who does that?! Had to update the entire ruby install to 1.9.2 to get the version of the library which allows you to disable it, but it is now disabled and I can see the logs are no longer showing FQDNs. Could you try one last time and see if this was the issue you were running into. It works great now, thanks. Glad it's fixed. So the current policy is: - anyone can register (via github etc) - any logged-in user can create/edit new pages Is that correct? I'll try updating the FAQ with some new entries later. That's correct. We may add group restrictions at some point if they're needed, but if there are no spam issues or edit wars then it's probably not necessary. -Arran Arran Cudbard-Bell RM-RF Limited - Security consultation and contracting VoIP: +1 916-436-1352 Cell: +44 7854041841
Re: New FreeRADIUS wiki - Help appreciated!
Fajar A. Nugraha wrote: So the current policy is: - anyone can register (via github etc) - any logged-in user can create/edit new page Is that correct? I'll try updating the FAQ with some new entries later. Yes. By using OAuth, we can avoid the problem of managing users ourselves, and also tie edits to real people. That should avoid most of the spam issues. The wiki is also available via git, in case you want to do off-line editing. I'll move the DNS entries, and update the web server so that it becomes the new wiki.freeradius.org. Alan DeKok.
Re: New FreeRADIUS wiki - Help appreciated!
Fajar A. Nugraha wrote: Is this a location problem (e.g. hosted on not-so-good datacenter), server problem (e.g. not enough RAM), or application problem (e.g. non-optimum sql queries)? It's a quad-core 8G system with 1Tb of disk, and 1Gb connection to the net. I think it's fine. :) Alan DeKok.
Re: Copy accounting to a proxy and ignore reply
Sandro Magri wrote: I'm running a farm of freeradius server 2.1.1, 16 with Suse Linux and 32 with Sun Solaris, and I need to proxy a copy of accounting packet to a pool of remote home server, without wait for reply/ack from remote servers, and without retries or failover, for performance reasons. See http://git.freeradius.org/ Check out the v2.1.x branch, and look at raddb/modules/replicate. This will be in 2.1.11. Alan DeKok.