Using EAP-PEAT as authentication type. How to save a non-cleartext password?

2011-09-02 Thread 2394263740
Hello,
 I'm using FreeRADIUS server 2.1.11 on Linux Enterprise Server 6.1.
OS: Linux Enterprise Server 6.1
Radius: FreeRADIUS server 2.1.11
Database: MySQL
  
 The users use WiFi devices to connect to the WiFi network. The 
authentication type in use is EAP-PEAP.
  
 Can you please give some advice on how to save a non-cleartext password in the MySQL 
database radcheck table?
  
 Thanks!
  
 Tom-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Using encrypted passwords in users file

2011-09-02 Thread sundoo
Hey, thanks, I get it. But could you detail in a few steps the procedure for
generating the hash from a new password, so I could change it?



Re: EAP-TLS/PEAP authentication problem(can not reply correct attribute)

2011-09-02 Thread gary

Hi Alan
Thank you, it can now reply with the correct attributes.
Some more questions, please.
1. Sometimes login succeeds and sometimes it fails; it is random. I am using 
the same user/password for PEAP authentication and exactly the same 
configuration on both the server and the client PC/user.
2. After a user logs in successfully, it sometimes re-authenticates 
automatically. It seems the client initiates the authentication itself, but I wonder.
3. Looking at the log below, it seems FR finishes the authentication but the 
result is failure. Why is it sending Access-Challenge to the NAS (192.168.21.223) after 
success?


*
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
   Auth-Type := Local
   Service-Type := Framed-User
   Framed-IP-Address := 255.255.255.254
   Framed-IP-Netmask := 255.255.255.0
   Bandwidth-Max-Up := 2097152
   Bandwidth-Max-Down := 2097152
   Redirection-URL := http://speedtest.net;
   Idle-Timeout := 60
   MS-MPPE-Encryption-Policy = 0x0001
   MS-MPPE-Encryption-Types = 0x0006
   MS-MPPE-Send-Key = 0xe8e6189faa5581198681e65eab0a0270
   MS-MPPE-Recv-Key = 0x0ea859d9cf1789a14e71ea9f41cfa8e0
   EAP-Message = 0x030c0004
   Message-Authenticator = 0x
   User-Name = gary
[peap] Got tunneled reply RADIUS code 2
   Auth-Type := Local
   Service-Type := Framed-User
   Framed-IP-Address := 255.255.255.254
   Framed-IP-Netmask := 255.255.255.0
   Bandwidth-Max-Up := 2097152
   Bandwidth-Max-Down := 2097152
   Redirection-URL := http://speedtest.net;
   Idle-Timeout := 60
   MS-MPPE-Encryption-Policy = 0x0001
   MS-MPPE-Encryption-Types = 0x0006
   MS-MPPE-Send-Key = 0xe8e6189faa5581198681e65eab0a0270
   MS-MPPE-Recv-Key = 0x0ea859d9cf1789a14e71ea9f41cfa8e0
   EAP-Message = 0x030c0004
   Message-Authenticator = 0x
   User-Name = gary
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 117 to 192.168.21.223 port 1812
   EAP-Message = 
0x010d00261900170301001bb702fe1896d6726825ec785647a34e3d8126e49337f16e73596446

   Message-Authenticator = 0x
   State = 0x2f1a077a27171e8af826d2444a0b0c36
Finished request 79.
Going to the next request
Waking up in 2.8 seconds.
Cleaning up request 71 ID 109 with timestamp +1967
Cleaning up request 72 ID 110 with timestamp +1967
Cleaning up request 73 ID 111 with timestamp +1967
Cleaning up request 74 ID 112 with timestamp +1967
Cleaning up request 75 ID 113 with timestamp +1967
Cleaning up request 76 ID 114 with timestamp +1967
Waking up in 0.8 seconds.
Cleaning up request 77 ID 115 with timestamp +1968
Cleaning up request 78 ID 116 with timestamp +1968
Waking up in 1.0 seconds.
Cleaning up request 79 ID 117 with timestamp +1969
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x2f1a077a27171e8a did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Ready to process requests.
***

Best Regards
Gary

- Original Message - 
From: Alan DeKok al...@deployingradius.com

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, September 01, 2011 8:48 PM
Subject: Re: EAP-TLS/PEAP authentication problem(can not reply correct attribute)




gary wrote:

I do not define my private attributes; I follow the WISPr ones such as
Bandwidth-Max-Up and Bandwidth-Max-Down.
There is no problem when I use the UAM method (user login with a login page by
user name/password): freeradius replies with the correct attributes.
But when I use PEAP authentication, after the user logs in it does not reply with the
correct attributes that I configured in the radgroupreply table.
Can anyone give some idea?


 See use_tunneled_reply in raddb/eap.conf.

 Alan DeKok.


Re: cisco 3825 authentication error

2011-09-02 Thread Bjørn Mork
Dom dvers...@tekcorner.ca writes:

 [pap] WARNING! No known good password found for the user.

Looks good so far, but you need to tell freeradius the password for this
user...

E.g. by adding something like this to the users file:

aew...@domain.com  Cleartext-Password := "password"

or configure some database backend or whatever.  It's all in the docs
:-) 


Bjørn


Re: Using EAP-PEAT as authentication type. How to save a non-cleartext password?

2011-09-02 Thread Arran Cudbard-Bell
EAP-PEAT, is that the Irish version of EAP-PEAP?

 Can you please give some advice on how to save a non-cleartext password in the MySQL 
 database radcheck table? 

Well, you have two choices: Cleartext-Password or NT-Password. Those are the only 
two that will work with the MSCHAPv2 inner.

Just add the NT-Password attribute to radcheck with the := operator. Or you can 
add it as a reply item and copy it to the control list with

update control {
	NT-Password := "%{reply:NT-Password}"
}

As for generating the hashes: 
http://www.arsitech.com/cryptography/windows/password/

Or I think there's a utility included with Samba for doing it. If you're using 
PHP, I have a function I wrote ages ago to generate NT passwords, to do a 
transparent conversion using our web login script. Let me know if it'd be 
useful and I'll dig it out.


-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Re: Help: Error in PEAP configuration

2011-09-02 Thread Alan Buxey
Hi,

I encountered this error when starting radiusd -X trying to make it work
with peap. Can you help me fix this or give me an idea how to?
 
 
 
Ignoring EAP-Type/tls because we do not have OpenSSL support.
 
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
 
Ignoring EAP-Type/peap because we do not have OpenSSL support.

FreeRADIUS has been compiled without SSL support - this means that it was built
without the required OpenSSL development libraries present - is this a version
from your distro, or a home-built version?   

  ==
  Installation of Freeradius 2.14:

that line...

  ==
  $ wget
  [2]ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz

doesn't match this.


and WHY oh WHY are you using such a hideously out of date version?  why would 
you go, on this present day, to the download site and get a version from years ago?

 
  $ ./configure --with-openssl
 
  --with-openssl-includes=/usr/local/openssl/include/
 
  --with-openssl-libraries=/usr/local/openssl/lib/

did you do that via grep WARN?  if so, you'll see it complain


OR you have another copy of FreeRADIUS on your server that was built 
incorrectly.


alan

Radius with mysql issue

2011-09-02 Thread cktan

Hi All,

Need a bit of help. I've several freeradius (2.x) servers with mysql as 
backend running for several services. Lately I noticed that one of the 
radius servers will accept any password as long as the user account exists in 
radcheck. Still trying to trace where the problem is, and would 
appreciate if someone can share with me, if any.


Cheers,
CK



Re: Radius with mysql issue

2011-09-02 Thread Arran Cudbard-Bell

On 2 Sep 2011, at 10:29, cktan wrote:

 Hi All,
 
 Need a bit of help. I've several freeradius (2.x) servers with mysql as backend 
 running for several services. Lately I noticed that one of the radius servers 
 will accept any password as long as the user account exists in radcheck. Still 
 trying to trace where the problem is, and would appreciate if someone can 
 share with me, if any.

Ok, so what type of authentication are you doing? Can you post the debug log 
and org virtual server config...

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Radius with mysql issue

2011-09-02 Thread cktan
OK, I think I know what the problem is. I noticed the operator of 
User-Password is set to :=; when I changed it to ==, it works fine and a 
wrong password is rejected. Can someone confirm this?


Regards
CK

On 09/02/2011 04:29 PM, cktan wrote:

Hi All,

Need a bit of help. I've several freeradius (2.x) servers with mysql as 
backend running for several services. Lately I noticed that one of 
the radius servers will accept any password as long as the user account 
exists in radcheck. Still trying to trace where the problem is, and 
would appreciate if someone can share with me, if any.


Cheers,
CK





Re: Radius with mysql issue

2011-09-02 Thread Alan Buxey
Hi,
 OK, I think I know what the problem is. I noticed the operator of 
 User-Password is set to :=; when I changed it to ==, it works fine and a 
 wrong password is rejected. Can someone confirm this?

it should be :=


and in fact it should be Cleartext-Password :=


(though that's if you are running a reasonably up-to-date FR version)

alan
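Added example, not from the thread: the symptom cktan describes (one server out of several accepting any password as long as the row exists) is the kind of drift that is cheap to audit across a fleet, and Alan's answer gives the rule to audit against: the known-good password belongs in Cleartext-Password with the := operator, not in a User-Password check item. The script below runs that rule over a radcheck table and rewrites the deprecated rows. It uses an in-memory SQLite copy of the radcheck schema with constructed rows so it runs offline; against a real MySQL backend only the connection and the placeholder style would change.

```python
import sqlite3

# Attributes FreeRADIUS treats as the "known good" password. Each is expected to
# use ':=' so the server takes it as the reference value to check the request against.
KNOWN_GOOD_PASSWORD_ATTRS = {
    "Cleartext-Password", "NT-Password", "LM-Password", "MD5-Password",
    "SHA-Password", "SSHA-Password", "Crypt-Password",
}


def open_sample_radcheck():
    """In-memory stand-in for radcheck; all rows are constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
        "attribute TEXT, op TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [
            ("alice", "Cleartext-Password", ":=", "correct-horse"),  # correct form
            ("bob",   "User-Password",      ":=", "hunter2"),        # the misconfiguration in the thread
            ("carol", "User-Password",      "==", "letmein"),        # deprecated attribute, even with ==
            ("dave",  "Cleartext-Password", "==", "swordfish"),      # right attribute, wrong operator
            ("erin",  "Simultaneous-Use",   ":=", "1"),              # not a password item, ignored
        ],
    )
    conn.commit()
    return conn


def audit_radcheck(conn):
    """Return (username, attribute, op, problem) for every row that needs attention."""
    findings = []
    rows = conn.execute("SELECT username, attribute, op FROM radcheck ORDER BY id")
    for username, attribute, op in rows:
        if attribute == "User-Password":
            findings.append((username, attribute, op,
                             "deprecated check item; store the known-good password as "
                             "Cleartext-Password :="))
        elif attribute in KNOWN_GOOD_PASSWORD_ATTRS and op != ":=":
            findings.append((username, attribute, op,
                             "known-good password attributes must use ':='"))
    return findings


def remediate_user_password(conn):
    """Rewrite User-Password rows as Cleartext-Password := (the value is already cleartext)."""
    cur = conn.execute(
        "UPDATE radcheck SET attribute = 'Cleartext-Password', op = ':=' "
        "WHERE attribute = 'User-Password'"
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_radcheck()
    for finding in audit_radcheck(db):
        print(finding)
    print("rows rewritten:", remediate_user_password(db))
    print("remaining findings:", audit_radcheck(db))
```

The remediation only touches User-Password rows; rows like dave's (right attribute, wrong operator) are reported but left for a human, since a `==` on a password attribute sometimes reflects an intentional compare against a request attribute rather than a mistake.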


Re: Radius with mysql issue

2011-09-02 Thread cktan
I've conducted another test on another machine, and the result is the same: 
whenever the User-Password op is :=, the password is not checked. 
Changed to == and then it's OK. By the way, my FR is running on 2.1.7-7


CK

On 09/02/2011 05:27 PM, Alan Buxey wrote:

Hi,

OK, I think I know what the problem is. I noticed the operator of
User-Password is set to :=; when I changed it to ==, it works fine and a
wrong password is rejected. Can someone confirm this?

it should be :=


and in fact it should be Cleartext-Password :=


(though that's if you are running a reasonably up-to-date FR version)

alan





Re: Radius with mysql issue

2011-09-02 Thread cktan
Tested on a 3rd FR (same 2.1.7-7): both ops (:= and ==) work fine. Would 
it be my configuration error? Hereby confirmed op == is working fine but 
not :=. Is there any difference between using := and ==?


CK

On 09/02/2011 05:36 PM, cktan wrote:
I've conducted another test on another machine, and the result is the same: 
whenever the User-Password op is :=, the password is not checked. 
Changed to == and then it's OK. By the way, my FR is running on 2.1.7-7


CK

On 09/02/2011 05:27 PM, Alan Buxey wrote:

Hi,

OK, I think I know what the problem is. I noticed the operator of
User-Password is set to :=; when I changed it to ==, it works fine and a
wrong password is rejected. Can someone confirm this?

it should be :=


and in fact it should be Cleartext-Password :=


(though that's if you are running a reasonably up-to-date FR version)

alan








Re: Radius with mysql issue

2011-09-02 Thread Alan Buxey
Hi,
 I've conducted another test on another machine, and the result is the same: 
 whenever the User-Password op is :=, the password is not checked. 
 Changed to == and then it's OK. By the way, my FR is running on 2.1.7-7

well, that's wrong - and do you have fail-through = yes? if so, then it'll fall 
through if things are wrong

alan


Re: Radius with mysql issue

2011-09-02 Thread Arran Cudbard-Bell

On 2 Sep 2011, at 11:36, cktan wrote:

 I've conducted another test on another machine, and the result is the same: whenever 
 the User-Password op is :=, the password is not checked. Changed to == 
 and then it's OK. By the way, my FR is running on 2.1.7-7
 

If you want an answer it helps to actually listen to responses from list 
members...

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Radius with mysql issue

2011-09-02 Thread Marinko Tarlać

You broke the server... somehow...

On 9/2/2011 11:36 AM, cktan wrote:
I've conducted another test on another machine, and the result is the same: 
whenever the User-Password op is :=, the password is not checked. 
Changed to == and then it's OK. By the way, my FR is running on 2.1.7-7


CK

On 09/02/2011 05:27 PM, Alan Buxey wrote:

Hi,

OK, I think I know what the problem is. I noticed the operator of
User-Password is set to :=; when I changed it to ==, it works fine and a
wrong password is rejected. Can someone confirm this?

it should be :=


and in fact it should be Cleartext-Password :=


(though that's if you are running a reasonably up-to-date FR version)

alan








Re: Pre release of 2.1.12

2011-09-02 Thread Alexander Clouter
Alexander Clouter a...@digriz.org.uk wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
 Priming up my end for a burn in...
 
24 hours later, still churning happily.  Running 2.1.12 (bfe2c025).

Cheers

-- 
Alexander Clouter
.sigmonster says: The only constant is change.



Segfaulting with rlm_perl

2011-09-02 Thread Norman Elton
I'm beginning the process of replacing a home-grown RADIUS server with
freeradius, a good idea on many many fronts. The server will interact
with our backend databases in order to determine attributes to inject
into the access-accept messages. For initial development, I've begun
work on a perl script that is interacting with freeradius 2.1.10. I'm
a little alarmed that a malfunctioning perl script can segfault the
entire server. I was hoping that freeradius could compartmentalize a
failing script, restarting it as necessary.

Admittedly, during development, my scripts are not production-ready,
and there are lots of safety checks that simply aren't there. But I'm
worried that, going into production, we'll discover an unexpected
corner-case that crashes our entire radius infrastructure (not a good
thing).

Is the best practice simply to make sure your scripts are
bullet-proof? Or is there a more stable method of interacting with an
external resource? I chose rlm_perl because the script didn't need to
be instantiated every time (as with rlm_exec), but perhaps we'd be
better off relying on rlm_exec if it is more tolerant of corner-case
failures.

Thanks,

Norman


Question regarding multivalued attributes in control list.

2011-09-02 Thread Olivier Beytrison
Hello,

I've been trying for two weeks to do some multi-valued attribute checking on
my radius infrastructure.

I've been looking to checkval, using the users file and such but with
no luck.

I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
authentication is made against a Novell eDirectory ldap server.

I'm fetching a multi-valued attribute from the ldap into the control
list, and based on its content, I set the correct
Airespace-Interface-Name value.

At the beginning I was using unlang to match the value, and it works
perfectly since 90% of the people only have one attribute. But some
people have multiple attributes.

So far, this is what I've been using:

In virtual server, at the end of authorize {}

  if (NAS-IP-Address =~ /160\.98\.156\..*/) {
  $INCLUDE ${confdir}/secure-hefr.policy

  }

secure-hefr.policy content:


if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-etu
}
}
elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-col
}
}
elsif {
}
[ ... ]

Some debug from a user who is multi-valued :

server eduroam-inner-tunnel-peap {
# Executing section authorize from file
/etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
+- entering group authorize {...}
++[mschap] returns noop
[suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch
[suffix] Found realm hefr.ch
[suffix] Adding Realm = hefr.ch
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log]  expand: %t - Fri Sep  2 15:45:08 2011
++[auth_log] returns ok
[linelog]   expand: %{Packet-Type} - Access-Request
[linelog]   expand: %{%{Packet-Type}:-format} - Access-Request
[linelog]   expand: /var/log/freeradius/linelog -
/var/log/freeradius/linelog
[linelog]   expand: Requested access: %{User-Name} - Requested
access: didier.perr...@hefr.ch
++[linelog] returns ok
++? if (User-Name =~ /(.*)@.*hefr.ch$/)
? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++? if (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
expand: %{1} - didier.perroud
+++[request] returns ok
++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
++[files] returns noop
[ldap] performing user authorization for didier.perroud
[ldap]  expand: (uid=%{Stripped-User-Name}) - (uid=didier.perroud)
[ldap]  expand: ou=courant,ou=people,o=hefr - ou=courant,ou=people,o=hefr
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=courant,ou=people,o=hefr, with filter
(uid=didier.perroud)
[ldap] Added the eDirectory password *** in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RORG-HEFR-EIFR-TICO-TLCO-$-RSM
  [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-MASO-$-RCA
  [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RACA-TICO-MSEI-MTIC-$-RCA
[ldap] looking for reply items in directory...
  [ldap] hessoRoleMemberKey - Class =
0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
  [ldap] hessoRoleMemberKey - Class = 0x524f52472d4d41534f2d242d524341
  [ldap] hessoRoleMemberKey - Class =
0x524143412d5449434f2d4d5345492d4d5449432d242d524341
[ldap] user didier.perroud authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE
++? if (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE
++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
+++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
? Evaluating (control:HESSO-MEMBER-KEY =~
/RORG-HEFR-EIFR-INTR-INFO-.-RSM/) - FALSE
+++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
- FALSE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ )
? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) - FALSE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) - FALSE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ )
? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) - TRUE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) - TRUE
+++- entering elsif (control:HESSO

Re: Segfaulting with rlm_perl

2011-09-02 Thread John Dennis

On 09/02/2011 09:43 AM, Norman Elton wrote:

I'm beginning the process of replacing a home-grown RADIUS server with
freeradius, a good idea on many many fronts. The server will interact
with our backend databases in order to determine attributes to inject
into the access-accept messages. For initial development, I've begun
work on a perl script that is interacting with freeradius 2.1.10. I'm
a little alarmed that a malfunctioning perl script can segfault the
entire server. I was hoping that freeradius could compartmentalize a
failing script, restarting it as necessary.

Admittedly, during development, my scripts are not production-ready,
and there are lots of safety checks that simply aren't there. But I'm
worried that, going into production, we'll discover an unexpected
corner-case that crashes our entire radius infrastructure (not a good
thing).

Is the best practice simply to make sure your scripts are
bullet-proof? Or is there a more stable method of interacting with an
external resource? I chose rlm_perl because the script didn't need to
be instantiated every time (as with rlm_exec), but perhaps we'd be
better off relying on rlm_exec if it is more tolerant of corner-case
failures.


Of course a script error shouldn't segfault the server. It would have 
been much more useful if you had explained what the script error was and 
a stack trace from the segfault.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Segfaulting with rlm_perl

2011-09-02 Thread Norman Elton
 Of course a script error shouldn't segfault the server. It would have been
 much more useful if you had explained what the script error was and a stack
 trace from the segfault.

Oh, I've experienced lots of them! So many, in fact, that I figured it
was a common and well understood occurrence. Let me come up with an
easily reproducible example and I'll post the relevant information.

Thanks

Norman


Re: Question regarding multivalued attributes in control list.

2011-09-02 Thread Arran Cudbard-Bell
No, your check will not iterate over every instance of a value.

In order to do that you'll need to use FreeRADIUS 3.x and use the foreach 
unlang construct, or perl.

Plus the way you're doing policies is weird. Why don't you just use the policy 
module (policy.conf)? It'd be way more memory efficient if you're using the 
same policy multiple times, and you gain the ability to overload module 
calls...

-Arran

On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:

 Hello,
 
 I've been trying for two weeks to do some multi-valued attribute checking on
 my radius infrastructure.
 
 I've been looking to checkval, using the users file and such but with
 no luck.
 
 I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
 authentication is made against a Novell eDirectory ldap server.
 
 I'm fetching a multi-valued attribute from the ldap into the control
 list, and based on its content, I set the correct
 Airespace-Interface-Name value.
 
 At the beginning I was using unlang to match the value, and it works
 perfectly since 90% of the people only have one attribute. But some
 people have multiple attributes.
 
 So far, this is what I've been using:
 
 In virtual server, at the end of authorize {}
 
  if (NAS-IP-Address =~ /160\.98\.156\..*/) {
  $INCLUDE ${confdir}/secure-hefr.policy
 
  }
 
 secure-hefr.policy content :
 
 
 if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-etu
}
 }
 elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-col
}
 }
 elsif {
 }
 [ ... ]
 
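Added example, not from the thread: a small model of the two evaluation strategies Arran contrasts, run over the three hessoRoleMemberKey values visible in Olivier's debug output. `first_instance_only` mirrors what the 2.x `if`/`elsif` chain does (only the first instance of `control:HESSO-MEMBER-KEY` is tested, which is why the log shows the RORG-MASO rule evaluating FALSE even though the second value matches it), and `any_instance` is the foreach-style evaluation that tests every instance. The attribute values and the two rules are copied from the thread; `decode_class` is an added helper showing that the reply-side Class octets in the log are the same strings. Which takes priority when several instances match different rules (rule order, as here, or instance order) is a policy decision the code makes explicit.

```python
import re

# Constructed from the debug output in the thread: the three instances the ldap
# module mapped into control:HESSO-MEMBER-KEY for the user in question.
CONTROL = {
    "HESSO-MEMBER-KEY": [
        "RORG-HEFR-EIFR-TICO-TLCO-$-RSM",
        "RORG-MASO-$-RCA",
        "RACA-TICO-MSEI-MTIC-$-RCA",
    ],
}

# The two rules shown in secure-hefr.policy, in their original order.
RULES = [
    (r"RORG-MASO.*RCA$", "wifi_eia-etu"),
    (r"RORG-HEFR-EIFR.*RSM$", "wifi_eia-col"),
]


def decode_class(hex_value: str) -> str:
    """Decode a Class value as logged (0x...) back into the role string it carries."""
    raw = hex_value[2:] if hex_value.startswith("0x") else hex_value
    return bytes.fromhex(raw).decode("ascii")


def first_instance_only(control, rules, attr="HESSO-MEMBER-KEY"):
    """What the unlang if/elsif chain in 2.x does: only the first instance is tested."""
    values = control.get(attr, [])
    if not values:
        return None
    for pattern, interface in rules:
        if re.search(pattern, values[0]):
            return interface
    return None


def any_instance(control, rules, attr="HESSO-MEMBER-KEY"):
    """foreach-style evaluation: each rule is tried against every instance, rule order wins."""
    for pattern, interface in rules:
        for value in control.get(attr, []):
            if re.search(pattern, value):
                return interface
    return None


if __name__ == "__main__":
    print("first instance only:", first_instance_only(CONTROL, RULES))
    print("all instances:      ", any_instance(CONTROL, RULES))
    print(decode_class("0x524f52472d4d41534f2d242d524341"))
```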

Re: Question regarding multivalued attributes in control list.

2011-09-02 Thread Olivier Beytrison
Thanks Arran for those answers,

 No your check will not iterate over every instance of a value.
 
 In order to do that you'll need to use FreeRADIUS 3.x and use the foreach 
 unlang construct or perl.

hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or
I'll simply fall back to rlm_perl. But not on a Friday evening; it will
wait till Monday!

 Plus the way you're doing policies is weird. Why don't you just use the 
 policy module (policy.conf)? It'd be way more memory efficient if you're 
 using the same policy multiple times, and you gain the ability to overload 
 module calls...

You're right, I'll move this into the policy file; I didn't think about it.

Regards,
Olivier B.

 -Arran
 
 On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
 
 Hello,

 I've been trying for two weeks to do some multi-valued attribute checking on
 my radius infrastructure.

 I've been looking to checkval, using the users file and such but with
 no luck.

 I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
 authentication is made against a Novell eDirectory ldap server.

 I'm fetching a multi-valued attribute from the ldap into the control
 list, and based on its content, I set the correct
 Airespace-Interface-Name value.

 At the beginning I was using unlang to match the value, and it works
 perfectly since 90% of the people only have one attribute. But some
 people have multiple attributes.

 So far, this is what I've been using:

 In virtual server, at the end of authorize {}

  if (NAS-IP-Address =~ /160\.98\.156\..*/) {
  $INCLUDE ${confdir}/secure-hefr.policy

  }

 secure-hefr.policy content :


 if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-etu
}
 }
 elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-col
}
 }
 elsif {
 }
 [ ... ]


Re: Question regarding multivalued attributes in control list.

2011-09-02 Thread Arran Cudbard-Bell

On 2 Sep 2011, at 16:25, Olivier Beytrison wrote:

 Thanks Arran for those answers,
 
 No your check will not iterate over every instance of a value.
 
 In order to do that you'll need to use FreeRADIUS 3.x and use the foreach 
 unlang construct or perl.
 
 hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or
 I'll simply fall back to rlm_perl. But not on a Friday evening, it will
 wait till Monday!

Tentative yes :) 

It'll only get truly production ready if people test it and report the bugs. 
But yes, it's good enough to build configs on, and good enough to test. 

If you do a git-clone then you can establish basic version control with 
something like:

#!/bin/bash
cd /usr/local/src/freeradius
git pull
make clean
hash=`git log -n 1 --pretty=format:%h`
./configure --prefix=/usr/local/freeradius-$hash --enable-developer
make
make install
rm /usr/local/freeradius
ln -s /usr/local/freeradius-$hash /usr/local/freeradius

Once you find a commit that does all you want, stick with it until there's an 
official 3.x release and then upgrade. For certain fixes you'll be able to use 
git cherry-pick to pull in individual commits. 

-Arran



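As an added example (not code from the thread or from the FreeRADIUS project), the Python below models the two ways the secure-hefr.policy rules quoted above can be evaluated against the multi-valued HESSO-MEMBER-KEY seen in the debug output: the 2.x single-instance comparison, and a comparison over every instance of the kind the foreach/perl route allows. The control list and rule order are copied from the thread; the functions, the "first matching rule wins" precedence and the ambiguity check are this example's own.

```python
import re
from typing import List, Optional, Tuple

Pair = Tuple[str, str]

# Constructed from the rlm_ldap debug lines in the thread: the control list of
# the multi-valued user, in the order the values were added.
CONTROL_LIST: List[Pair] = [
    ("HESSO-MEMBER-KEY", "RORG-HEFR-EIFR-TICO-TLCO-$-RSM"),
    ("HESSO-MEMBER-KEY", "RORG-MASO-$-RCA"),
    ("HESSO-MEMBER-KEY", "RACA-TICO-MSEI-MTIC-$-RCA"),
]

# secure-hefr.policy as (regex, Airespace-Interface-Name) pairs, in the order
# the if/elsif chain tests them.  The rules elided as "[ ... ]" are not known.
POLICY: List[Pair] = [
    (r"RORG-MASO.*RCA$", "wifi_eia-etu"),
    (r"RORG-HEFR-EIFR.*RSM$", "wifi_eia-col"),
]


def values_of(pairs: List[Pair], attr: str) -> List[str]:
    """All instances of one attribute, in list order."""
    return [value for name, value in pairs if name == attr]


def interface_first_instance(pairs: List[Pair], policy: List[Pair],
                             attr: str = "HESSO-MEMBER-KEY") -> Optional[str]:
    """What 'control:Attr =~ /re/' does in 2.x unlang: only the first
    instance of the attribute is ever compared, the others are invisible."""
    values = values_of(pairs, attr)
    if not values:
        return None
    for regex, interface in policy:
        if re.search(regex, values[0]):
            return interface
    return None


def interface_all_instances(pairs: List[Pair], policy: List[Pair],
                            attr: str = "HESSO-MEMBER-KEY") -> Optional[str]:
    """Compare every instance.  Policy order is the precedence rule here: the
    first rule matched by any instance wins, whatever position that instance
    has in the control list."""
    values = values_of(pairs, attr)
    for regex, interface in policy:
        if any(re.search(regex, value) for value in values):
            return interface
    return None


def matching_interfaces(pairs: List[Pair], policy: List[Pair],
                        attr: str = "HESSO-MEMBER-KEY") -> List[str]:
    """Every interface some instance qualifies for.  More than one entry means
    the user's memberships disagree and rule order is silently deciding which
    network they land on; worth logging rather than ignoring."""
    values = values_of(pairs, attr)
    return [interface for regex, interface in policy
            if any(re.search(regex, value) for value in values)]
```

For the user in the debug output the two evaluations disagree (wifi_eia-col versus wifi_eia-etu), which is exactly the symptom of checking only the first instance.
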
Re: Pre release of 2.1.12

2011-09-02 Thread ironrake
It is running on one of my production servers. So far no problems, but it has 
only run for a few hours.
Sent from Verizon Wireless

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: cisco 3825 authentication error

2011-09-02 Thread Bjørn Mork
Dom dvers...@tekcorner.ca writes:

 That is why I am so confused.  I do have this user in the users file
 and even tested authentication using NTradping and it works fine going
 directly from the Internet to the radius server.  However when I try
 to authenticate via the LNS I see this error.

 Any ideas?

Well, you did have

 [files] users: Matched entry DEFAULT at line 172
 ++[files] returns ok

so it's possible you have a default entry without fall-through, which
matches some attribute in the LNS request but not in the NTradping.

Difficult to know for sure without seeing the entry at line 172 of the
users file, and knowing whether your user is defined before or after
this line.



Bjørn


Re: Segfaulting with rlm_perl

2011-09-02 Thread Alan Buxey
Hi,

 Oh, I've experienced lots of them! So many, in fact, that I figured it
 was a common and well understood occurrence. Let me come up with an
 easily reproducible example and I'll post the relevant information.

2.1.11 is out...and 2.1.12 is almost ready for release - does your system
behave in the same way with 2.1.11?

alan


Re: Pre release of 2.1.12

2011-09-02 Thread Alan Buxey
Hi,

okay... 7k auths through so far and all fine so far for auths.
 
however, i have noticed a bug/change of behaviour which doesn't
seem right.



Fri Sep  2 17:15:04 2011 : Error: Unauthorized connection to 
/var/run/radiusd/radiusd.sock from gid 101
Fri Sep  2 17:15:16 2011 : Error: Unauthorized connection to 
/var/run/radiusd/radiusd.sock from gid 101
Fri Sep  2 17:15:29 2011 : Error: Unauthorized connection to 
/var/run/radiusd/radiusd.sock from gid 101


GID 101 is munin.

munin has been added to the radiusd group which is defined in the 
control virtual server - and this used to work all okay
with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
borked the access to radiusd.sock for other groups.


alan


Re: Segfaulting with rlm_perl

2011-09-02 Thread Bjørn Mork
Alan Buxey a.l.m.bu...@lboro.ac.uk writes:

 Oh, I've experienced lots of them! So many, in fact, that I figured it
 was a common and well understood occurrence. Let me come up with an
 easily reproducible example and I'll post the relevant information.

 2.1.11 is out...and 2.1.12 is almost ready for release - does your system
 behave in the same way with 2.1.11?

Valid question of course, but do note that there aren't *any* changes to
rlm_perl in those versions.  Only a few new lines of documentation in
the example script:

bjorn@canardo:/usr/local/src/git/freeradius$ git diff --stat 
release_2_1_10..v2.1.x src/modules/rlm_perl/
 src/modules/rlm_perl/example.pl |   13 +
 1 files changed, 13 insertions(+), 0 deletions(-)


And FWIW, we've been using rlm_perl extensively with 2.1.10 without any
segfaults.  But then again, that might just be because we write bug free
perl code :-)



Bjørn


Re: Segfaulting with rlm_perl

2011-09-02 Thread k...@rice.edu
On Fri, Sep 02, 2011 at 07:16:26PM +0200, Bjørn Mork wrote:
 Alan Buxey a.l.m.bu...@lboro.ac.uk writes:
 
  Oh, I've experienced lots of them! So many, in fact, that I figured it
  was a common and well understood occurrence. Let me come up with an
  easily reproducible example and I'll post the relevant information.
 
  2.1.11 is out...and 2.1.12 is almost ready for release - does your system
  behave in the same way with 2.1.11?
 

Are you using a pre-built package for freeradius or one that you have
built yourself? Perl can pull in so many different libraries that version
differences can result in segfaults.

Cheers,
Ken


Re: Segfaulting with rlm_perl

2011-09-02 Thread Norman Elton
 2.1.11 is out...and 2.1.12 is almost ready for release - does your system
 behave in the same way with 2.1.11?

 Are you using a pre-built package for freeradius or one that you have
 built yourself?

I am using RedHat's pre-built packages, both FreeRADIUS and Perl. I
have not tried newer versions, but it should be pretty straightforward
to test.

 And FWIW, we've been using rlm_perl extensively with 2.1.10 without any
 segfaults.  But then again, that might just be because we write bug free
 perl code :-)

Oh I have no doubt that people are using rlm_perl trouble-free. I'm
just a little concerned that a bug has the capability to crash the
entire server. In development, not a big deal. In fact, it encourages
good error recovery. But I'd rather not wake up in the middle of the
night and find my entire RADIUS infrastructure has died due to an
unexpected corner case. Usernames with unicode characters particularly
terrify me.

 Of course a script error shouldn't segfault the server. It would have been
 much more useful if you had explained what the script error was and a stack
 trace from the segfault.

I don't have a stack trace yet, but I've got an easily reproducible
test case. This is on RedHat 6, using FreeRadius 2.1.10-5, perl
5.10.1-119, x86_64 architecture. From a fresh install, I cleared out
sites-enabled and created a single enabled server:

server srv-perl-crash {
authorize {
preprocess

update control {
Auth-Type := Accept
}

perl
}

authenticate {
noop
}

post-auth {
noop
}

preacct {
noop
}

accounting {
noop
}
}

I route localhost to that server:

client 127.0.0.1 {
shortname   = localhost
secret  = mysecret
virtual_server  = srv-perl-crash
}

And I define a very simple example.pl:

use strict;
use constant RLM_MODULE_OK => 2;    # the module is OK, continue

sub authorize {
    my $i = 1/0;          # deliberate division by zero to trigger the crash
    return RLM_MODULE_OK;
}

Obviously, a division by zero is a bad thing. But one would expect
FreeRadius to stay online. I fire up the server, and test it with:

radtest -x foo bar 127.0.0.1 1812 mysecret

At first, it gives an error, but survives:

rlm_perl: perl_embed:: module = /etc/raddb/example.pl , func =
authorize exit status= Illegal division by zero at
/etc/raddb/example.pl line 58.

I receive an Access-Reject, and things are fine. I send a second
request, and I get:

rlm_perl: perl_embed:: module = /etc/raddb/example.pl , func =
authorize exit status= Illegal division by zero at
/etc/raddb/example.pl line 58.
Segmentation fault

And the server dies. Uh oh!

Like I said, I will work on a stack trace. Just wanted to get this out
on the list while it's fresh in my mind.

Norman


Re: Pre release of 2.1.12

2011-09-02 Thread James J J Hooper

On 29/08/2011 15:13, Alan DeKok wrote:

   I've put some pre releases of 2.1.12 on the web site:

http://git.freeradius.org/pre/

   Please let me know if there are any problems.  If not, this can become
2.1.12.


All seems good so far.

-James

radmin show version
FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Aug 30 
2011 at 01:08:47

radmin show uptime
Up since Thu Sep  1 04:02:20 2011
radmin stats client auth
requests419006
responses   432061
accepts 56219
rejects 4154
challenges  371688
dup 44
invalid 0
malformed   0
bad_signature   0
dropped 65
unknown_types   0
radmin stats client acct
requests93500
responses   93499
dup 0
invalid 0
malformed   0
bad_signature   0
dropped 0
unknown_types   0




Re: Segfaulting with rlm_perl

2011-09-02 Thread Norman Elton
I've used GDB to generate a stack trace, specifically using the
instructions on http://freeradius.org/radiusd/doc/bugs.

For this particular test case, I configured as I described above, but
instead of a stripped-down example.pl, I just used the one provided, but
put my $i = 1/0; in the test_call subroutine towards the bottom of
the script.

This was reproduced using 2.1.11.

Let me know if there is additional information I can provide, thanks!

Norman

=


Starting program: /usr/local/sbin/radiusd -d /usr/local/etc/raddb -X
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x75d8a02a in rlmperl_call (instance=<value optimized out>, request=0x8a5b30,
function_name=0x781670 "authorize") at rlm_perl.c:725
725 exitstatus = POPi;
Missing separate debuginfos, use: debuginfo-install
glibc-2.12-1.25.el6_1.3.x86_64 nss-softokn-freebl-3.12.9-3.el6.x86_64
perl-5.10.1-119.el6.x86_64 perl-libs-5.10.1-119.el6.x86_64
* 1 Thread 0x77fef700 (LWP 29993)  0x75d8a02a in rlmperl_call (instance=<value optimized out>,
request=0x8a5b30, function_name=0x781670 "authorize") at rlm_perl.c:725

Thread 1 (Thread 0x77fef700 (LWP 29993)):
#0  0x75d8a02a in rlmperl_call (instance=<value optimized out>, request=0x8a5b30,
function_name=0x781670 "authorize") at rlm_perl.c:725
_sv = 0x411
sp = 0x967f50
inst = <value optimized out>
vp = <value optimized out>
exitstatus = 0
count = 1
n_a = 70
rad_reply_hv = 0x9519d0
rad_check_hv = 0x908a40
rad_config_hv = 0x0
rad_request_hv = 0x914aa0
rad_request_proxy_hv = 0x942640
rad_request_proxy_reply_hv = 0x951c10
interp = 0x967f50
#1  0x0041af53 in call_modsingle (component=1, c=<value optimized out>,
request=<value optimized out>) at modcall.c:297
myresult = <value optimized out>
#2  modcall (component=1, c=<value optimized out>, request=<value optimized out>) at modcall.c:670
myresult = <value optimized out>
stack = {pointer = 1, priority = {0 <repeats 32 times>}, result = {0 <repeats 32 times>},
  children = {<value optimized out> <repeats 32 times>}, start = {<value optimized out> <repeats 32 times>}}
parent = 0x785c90
child = 0x7b0a80
sp = 0x7b0a80
if_taken = 0
was_if = 0
#3  0x00417b33 in indexed_modcall (comp=1, idx=0, request=0x8a5b30) at modules.c:737
rcode = <value optimized out>
list = 0x785c90
server = <value optimized out>
#4  0x00408646 in rad_authenticate (request=0x8a5b30) at auth.c:579
namepair = <value optimized out>
check_item = <value optimized out>
auth_item = 0x8a5d50
module_msg = <value optimized out>
tmp = <value optimized out>
result = <value optimized out>
password = 0x4349da ""
autz_retry = 0 '\000'
autz_type = <value optimized out>
#5  0x0042796e in radius_handle_request (request=0x8a5b30, fun=0x4083e0 <rad_authenticate>)
at event.c:3780
No locals.
#6  0x0041ed3d in thread_pool_addrequest (request=0x8a5b30, fun=0x4083e0 <rad_authenticate>)
at threads.c:874
No locals.
#7  0x00428fee in event_socket_handler (xel=<value optimized out>, fd=<value optimized out>,
ctx=0x7b1380) at event.c:3425
listener = 0x7b1380
fun = 0x4083e0 <rad_authenticate>
request = 0x8a5b30
#8  0x77bd343b in fr_event_loop (el=0x7b1e60) at event.c:413
ef = <value optimized out>
i = <value optimized out>
rcode = 1
maxfd = 12
when = {tv_sec = 1314989256, tv_usec = 664777}
wake = <value optimized out>
read_fds = {fds_bits = {1024, 0 <repeats 15 times>}}
master_fds = {fds_bits = {7424, 0 <repeats 15 times>}}
#9  0x0041be24 in main (argc=<value optimized out>, argv=<value optimized out>) at radiusd.c:408
rcode = <value optimized out>
argval = <value optimized out>
spawn_flag = 0
dont_fork = 1
flag = 0
act = {__sigaction_handler = {sa_handler = 0x41c100 <sig_fatal>, sa_sigaction = 0x41c100 <sig_fatal>},
  sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0}


Re: Segfaulting with rlm_perl

2011-09-02 Thread Norman Elton
 Use a wrapper around the demon, eg 'monit' ?

Around the radiusd daemon? Nope. Running it from bash, or in this
case, from within gdb.

Norman


Re: Pre release of 2.1.12

2011-09-02 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
 Please let me know if there are any problems.  If not, this can become 
 2.1.12.
 
Something handy to add if it is not too late.

We suffered a power failure today which caused our 802.1X/MAC-auth 
clients to surge their accounting traffic.  All due to the following in 
post-auth:

# defaults
update reply {
[snipped]

Acct-Interim-Interval := 3600
}


Would be handy to change Acct-Interim-Interval to something like:

update reply {
Acct-Interim-Interval := 3000 + %{rand:1200}
}


This would give me Acct-Interim-Interval set to 1hr+-10mins.

As it is set now, I just got 1MB of journal recorded to file accounting 
data landing on my systems :)

Cheers

-- 
Alexander Clouter
.sigmonster says: The chief cause of problems is solutions.
-- Eric Sevareid



Re: Pre release of 2.1.12

2011-09-02 Thread Arran Cudbard-Bell
 
 
 Would be handy to change Acct-Interim-Interval to something like:
 
 update reply {
   Acct-Interim-Interval := 3000 + %{rand:1200}
 }
 
 
 This would give me Acct-Interim-Interval set to 1hr+-10mins.
 
 As it is set now, I just got 1MB of journal recorded to file accounting 
 data landing on my systems :)

Are you suggesting adding a rand xlat? I guess it'd be useful to add some fuzz 
to interim update intervals.  But there are many other options for fuzz other 
than rand. For example...

if(%{%{NAS-IP-Address}:-%{Packet-Src-Ip-Address}} =~ 
/([0-9]{1,3})[.]([0-9]{1,3})$/){
update control {
Tmp-Integer-0 = %{expr:((%{1}*1000)+%{2})%%2000}
}
}

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



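An added simulation (not code from the thread or from FreeRADIUS) of the accounting surge Alexander describes: every client re-authenticates at once after the outage and later sends an Interim-Update at Acct-Interim-Interval. It compares the fixed 3600 s default with his 3000 + %{rand:1200} proposal and with Arran's per-NAS expr fuzz above; the client population, the 3000 s base used under Arran's fuzz and the 0..1199 range assumed for %{rand:1200} are this example's assumptions.

```python
import random
from collections import Counter
from typing import Callable, List, Tuple

Client = Tuple[int, str]                    # (client id, NAS-IP-Address)
Policy = Callable[[str, random.Random], int]


def constructed_clients(count: int, nas_count: int) -> List[Client]:
    """Constructed population: `count` supplicants spread evenly over
    `nas_count` switches/APs with documentation-range (192.0.2.x) addresses."""
    return [(i, f"192.0.2.{i % nas_count}") for i in range(count)]


def fixed_interval(_nas_ip: str, _rng: random.Random) -> int:
    # The post-auth default quoted in the thread: Acct-Interim-Interval := 3600
    return 3600


def random_interval(_nas_ip: str, rng: random.Random) -> int:
    # Alexander's proposal, 3000 + %{rand:1200}; assumes rand yields 0..1199.
    return 3000 + rng.randrange(1200)


def nas_fuzz(nas_ip: str) -> int:
    """Arran's expr xlat, ((%{1}*1000)+%{2}) %% 2000, where %{1} and %{2} are
    the last two octets captured from NAS-IP-Address."""
    third, fourth = (int(octet) for octet in nas_ip.split(".")[2:4])
    return ((third * 1000) + fourth) % 2000


def nas_interval(nas_ip: str, _rng: random.Random) -> int:
    # The thread stops at Tmp-Integer-0; adding it to a 3000 s base is an
    # assumption made here so that the three policies are comparable.
    return 3000 + nas_fuzz(nas_ip)


def peak_updates_per_second(clients: List[Client], policy: Policy,
                            horizon: int = 7200, seed: int = 1) -> int:
    """Every client authenticates at t=0 (the post-outage surge) and then
    sends an Interim-Update every `interval` seconds.  Returns the number of
    updates landing in the busiest single second before `horizon`."""
    rng = random.Random(seed)
    per_second: Counter = Counter()
    for _client_id, nas_ip in clients:
        interval = policy(nas_ip, rng)
        t = interval
        while t <= horizon:
            per_second[t] += 1
            t += interval
    return max(per_second.values(), default=0)
```

With 2000 clients behind 8 NASes the fixed interval lands all 2000 updates in one second, the random jitter spreads them to a handful per second, and the per-NAS fuzz spreads NASes apart but leaves the clients behind one NAS synchronised, so its peak is the per-NAS population.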

Re: Segfaulting with rlm_perl

2011-09-02 Thread Norman Elton
On Friday, September 2, 2011, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 I meant that if you use eg monit then you can have a service recovery
rather than a corner case killing off your radius daemon in middle of night


Oh, definitely. We'd do that as a failsafe anyway. My main question is
whether this is failing by design? If so, is there a best practice to avoid
the crash (or something like monit to recover from a crash)? And, if not, is
it a resolvable bug?

Thanks,

Norman

Re: Segfaulting with rlm_perl

2011-09-02 Thread Alan DeKok
Norman Elton wrote:
 Oh, definitely. We'd do that as a failsafe anyway. My main question is
 whether this is failing by design?

  The intention is to *not* crash.

  But... FreeRADIUS is dependent on the libraries it uses.  If they
misbehave, then there's little we can do.

 If so, is there a best practice to
 avoid the crash (or something like monit to recover from a crash)? And,
 if not, is it a resolvable bug?

  Write Perl scripts that work, or track down exactly *why* it's crashing.

  The server runs as one process with multiple threads.  So a crash
takes down the entire server.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-02 Thread Bruce Nunn
40,000 authentications in about 6 and a half hours. I use eap, eap-peap, ldap, 
mschap, files, sql (mysql), proxy, and postauth mostly. No problems. The files 
and sql modules are where I have my wildest modifications, but that is not 
much compared to what some people on this list are doing. I use the eap cache 
and configure the eap/mschap with send_error = yes. No problems seen. My 
first impression is that the server is doing a cleaner job of managing child 
processes. My platform is CentOS 5.6 with standard packages except Samba and 
Freeradius.



Re: Question regarding multivalued attributes in control list.

2011-09-02 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 No your check will not iterate over every instance of a value.
 
 In order to do that you'll need to use FreeRADIUS 3.x and use the 
 foreach unlang construct or perl.

Last time I checked[1] it seemed trivial to backport to 2.1.x.

Cheers

[1] http://lists.cistron.nl/pipermail/freeradius-users/2011-June/msg00334.html

-- 
Alexander Clouter
.sigmonster says: An algorithm must be seen to be believed.
-- D. E. Knuth



Re: Question regarding multivalued attributes in control list.

2011-09-02 Thread Arran Cudbard-Bell

On 2 Sep 2011, at 23:16, Alexander Clouter wrote:

 Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 No your check will not iterate over every instance of a value.
 
 In order to do that you'll need to use FreeRADIUS 3.x and use the 
 foreach unlang construct or perl.
 
 Last time I checked[1] it seemed trivial to backport to 2.1.x.
 
 Cheers

Shhh we need more guinea pigs, I mean users...

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



Re: rlm_eap: SSL error

2011-09-02 Thread Chad Rebuck
Thanks, I ended up deleting all the recently created files in
/etc/raddb/certs and issuing the bootstrap command.

I did have to mkdir /var/run/radiusd after I saw an error about a file
radiusd was looking for there, but it works fine afterwards.

On Thu, Sep 1, 2011 at 11:53 PM, Alan DeKok al...@deployingradius.com wrote:
 Chad Rebuck wrote:
 Can someone point me in the right direction on figuring this out?  I'm
 running Arch linux and I installed via pacman -S freeradius.  I
 didn't edit any config files yet.

  It's supposed to build the various cert files the first time it's
 booted.  If that isn't happening properly, go to raddb/certs and poke
 around there.

  Alan DeKok.

