Re: Pre release of 2.1.12

2011-09-05 Thread Stefan Winter
Hi,

 it's now running on our most busy server. Both -X and
 background-multithreaded do their usual job. I do not see any problems
 so far.

 That said, I was at that point with 2.1.11 as well, and it caught fire
 after 48+ hours only. So, there might still be surprises. I'll keep it
 running under surveillance for the rest of the week. By next Monday,
 I'll speak up again and let you know if my setup (still) works fine.

Keeps on running like Forrest Gump.

Stefan


 Greetings,

 Stefan Winter

 On 29.08.2011 16:13, Alan DeKok wrote:
   I've put some pre releases of 2.1.12 on the web site:

 http://git.freeradius.org/pre/

   Please let me know if there are any problems.  If not, this can become
 2.1.12.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html





-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





run more than one radius on single machine

2011-09-05 Thread waq
Dear,

It's my requirement to run more than one radius on a single machine.
Can anybody help me how to achieve this?

I am using

CentOS 5.5 64bit, Oracle 10.2.0 , Freeradius 2.1.10



Re: Pre release of 2.1.12

2011-09-05 Thread Bjørn Mork
Been running a week now, and the prerelease still looks good here as
well.


Bjørn


Re: run more than one radius on single machine

2011-09-05 Thread Fajar A. Nugraha
On Mon, Sep 5, 2011 at 3:44 PM, waq waqqay...@gmail.com wrote:
 Dear,

 It's my requirement to run more than one radius on a single machine

Why?

Using virtual servers is usually easier. They can listen to different
IP/port, and have different configuration. See
sites-available/inner-tunnel for example of using a listen section
inside a virtual server.

 can anybody help me how to achieve this

If you REALLY want to run multiple instances of radiusd, then
start by having separate configuration directory (e.g. /etc/raddb,
/etc/raddb2, and so on) for each instance and call radiusd with -d
parameter. And you'd also need to change some settings on radiusd.conf
(e.g. raddbdir, run_dir, or possibly just name). And you need to
make sure all of them bind to different IP/port/socket. Last time I
tried this it works, but the startup script didn't work as expected
(e.g. it kills both radiusd instances and only start one). Didn't have
time to look more into it since I didn't need it anymore.

-- 
Fajar



Re: run more than one radius on single machine

2011-09-05 Thread Phil Mayers

On 05/09/11 10:06, Fajar A. Nugraha wrote:
 On Mon, Sep 5, 2011 at 3:44 PM, waq waqqay...@gmail.com wrote:
  Dear,

  It's my requirement to run more than one radius on a single machine

 Why?

 Using virtual servers is usually easier. They can listen to different
 IP/port, and have different configuration. See
 sites-available/inner-tunnel for example of using a listen section
 inside a virtual server.

There are some reasons. Fault isolation for one - although FreeRADIUS is 
pretty reliable, no software is perfect and if you have radius services 
of differing levels of criticality (e.g. vpn access == important, 
802.1x access to local LAN == critical) you might want to prevent one 
segfault from affecting another.

We do this.

  can anybody help me how to achieve this

 If you REALLY want to run multiple instances of radiusd, then
 start by having separate configuration directory (e.g. /etc/raddb,
 /etc/raddb2, and so on) for each instance and call radiusd with -d

That is one option.

Another option is to use /etc/raddb/instance.conf as the config file, 
and start radiusd -n instance. This is what we do, and it makes the 
config management easier if you share a lot of common code.

 parameter. And you'd also need to change some settings on radiusd.conf
 (e.g. raddbdir, run_dir, or possibly just name). And you need to
 make sure all of them bind to different IP/port/socket. Last time I
 tried this it works, but the startup script didn't work as expected
 (e.g. it kills both radiusd instances and only start one). Didn't have
 time to look more into it since I didn't need it anymore.

We wrote an instance-aware init script for this. It wasn't hard.


Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
Hi,

  munin has been added to the radiusd group which is defined in the 
  control virtual server - and this used to work all okay
  with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
  borked the access to radiusd.sock for other groups.
 
   I've committed a fix to the v2.1.x branch of git which should address
 this.

hmm, latest GIT version checked out and compiled...still seems to
do the same:


Mon Sep  5 13:39:33 2011 : Error: Unauthorized connection to 
/var/run/radiusd/radiusd.sock from gid 101


radiusd: FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep  5 
2011 at 13:32:28


alan


Re: Mac OSX FreeRadius EAP Authentication making progress - But still not there

2011-09-05 Thread Jacob Dawson
I'd recommend you start poking at this to see why ntlm_auth is failing.  Are 
you having Samba problems, is your machine part of whatever domain it's trying 
to authenticate against?

I noticed there's no Domain in the User-Name field, whereas when I'm looking at 
Domain authentications, I usually see domain\username coming from the 
users.  I'm not certain how that'll affect Samba's behavior, but it's worth 
double checking so that you're confident about it.

- Jacob 

On 5 Sep 2011, at 00:26, DavidS wrote:

 [2011/09/04 21:07:10, 0, pid=1176]
 /SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146)
  could not obtain winbind domain name!
 Exec-Program output: Reading winbind reply failed! (0xc001) 
 Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001) 
 Exec-Program: returned: 1
 [mschap] External script failed.
 [mschap] FAILED: MS-CHAP2-Response is incorrect




Re: Pre release of 2.1.12

2011-09-05 Thread Arran Cudbard-Bell

On 5 Sep 2011, at 14:42, Alan Buxey wrote:

 Hi,
 
 munin has been added to the radiusd group which is defined in the 
 control virtual server - and this used to work all okay
 with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
 borked the access to radiusd.sock for other groups.
 
  I've committed a fix to the v2.1.x branch of git which should address
 this.
 
 hmm, latest GIT version checked out and compiled...still seems to
 do the same:
 

Checked the freeradius.org repo and the github repo and there's been no 
relevant commits...

*poke* Alan D, git push...

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
Hi,

  hmm, latest GIT version checked out and compiled...still seems to
  do the same:
  
 
 Checked the freeradius.org repo and the github repo and there's been no 
 relevant commits...
 
 *poke* Alan D, git push...

:-) must've gone to a private repo! :-)


PS thanks to this thread I've tweaked some of my settings too - and I love
that RANDOM idea. I'm wondering if there's any mileage in doing the same
thing for Session-Time auth replies? For when a drove of people fire up
their laptops/phones etc at start of lecture hours or when labs get booted
up at the same time with WoL?

alan


Re: Pre release of 2.1.12

2011-09-05 Thread Arran Cudbard-Bell

On 5 Sep 2011, at 15:06, Alan Buxey wrote:

 Hi,
 
 hmm, latest GIT version checked out and compiled...still seems to
 do the same:
 
 
 Checked the freeradius.org repo and the github repo and there's been no 
 relevant commits...
 
 *poke* Alan D, git push...
 
 :-) must've gone to a private repo! :-)

... and now a public repo, if you'd care to pull and try again.

 
 
 PS thanks to this thread I've tweaked some of my settings too - and I love
 that RANDOM idea. I'm wondering if there's any mileage in doing the same
 thing for Session-Time auth replies? For when a drove of people fire up
 their laptops/phones etc at start of lecture hours or when labs get booted
 up at the same time with WoL?
 

WoL stuff certainly. Also when you get a Switch/AP reboot and a bunch of 
devices come online at the same time, so you don't hammer the server with a 
bunch of simultaneous re-auths.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
Hi,

  
  :-) must've gone to a private repo! :-)
 
 ... and now a public repo, if you'd care to pull and try again.

hmm, command.c and auth.c appear to have been updated but
still see no joy with 'radmin' as munin user (who is in radiusd group)

Mon Sep  5 15:55:04 2011 : Error: Unauthorized connection to 
/var/run/radiusd/radiusd.sock from gid 101

radiusd: FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep  5 
2011 at 15:53:18


alan


Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
hi,

probably want to change this line in radmin.c too

printf("Copyright (C) 2008 The FreeRADIUS server project and contributors.\n");



maybe change that string to a global that can be pulled in from 
an include? - this could then be used in other places where old
copyright statements lurk


alan


Re: Pre release of 2.1.12

2011-09-05 Thread Alan DeKok
Alan Buxey wrote:
 maybe change that string to a global that can be pulled in from 
 an include? - this could then be used in other places where old
 copyright statements lurk

  Maybe.  It's not a high priority.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-05 Thread Alan DeKok
Alan Buxey wrote:
 hmm, command.c and auth.c appears to have been updated but
 still see no joy with 'radmin' as munin user (who is in radiusd group)
 
 Mon Sep  5 15:55:04 2011 : Error: Unauthorized connection to 
 /var/run/radiusd/radiusd.sock from gid 101

  My guess is that the get peer id function is returning only *one*
group.  Munin is first part of the munin group, but secondly part of
the radmin group.  So... the socket asks which group is connecting,
and gets told munin.

  I'm not sure there's a clean solution to that.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
Hi,

   My guess is that the get peer id function is returning only *one*
 group.  Munin is first part of the munin group, but secondly part of
 the radmin group.  So... the socket asks which group is connecting,
 and gets told munin.
 
   I'm not sure there's a clean solution to that.

hmm, it used to work - I guess the fix to fix the brokenness also broke
this setup. 

alan


Re: Pre release of 2.1.12

2011-09-05 Thread Jim Madden
FWIW, found this in ./freeradius-server-2.1.12/src/main/auth.c

502c502
 #ifdef WITH_POXT_PROXY_AUTHORIZE
---
 #ifdef WITH_POST_PROXY_AUTHORIZE
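Review bot: the preprocessor guard at auth.c line 502 is misspelled WITH_POXT_PROXY_AUTHORIZE, so the code it protects was silently compiled out in the pre-release; correcting it to WITH_POST_PROXY_AUTHORIZE re-enables that block, so whatever exercises post-proxy authorize is worth rerunning before this becomes 2.1.12.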



On Aug 29, 2011, at 7:13 AM, Alan DeKok wrote:

  I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
  Please let me know if there are any problems.  If not, this can become
 2.1.12.
 
  Alan DeKok.
 




Re: Pre release of 2.1.12

2011-09-05 Thread Alan DeKok
Jim Madden wrote:
 FWIW, found this in ./freeradius-server-2.1.12/src/main/auth.c

  Whoops.  Fixed that, thanks.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-05 Thread Alan DeKok
Alan Buxey wrote:
 hmm, it used to work - I guess the fix to fix the brokenness also broke
 this setup. 

  I think the change is related to checking the peer ID on the new
connection, rather than the old one.  See commit
f0e7064e58f712853c429dcb27e53861f1a9cde1

  Alan DeKok.


Conditional Dynamic VLAN

2011-09-05 Thread joao...@gmail.com
Hello Guys,

I need the following: in a wireless environment using 802.1X authentication
based on LDAP, I need to do dynamic VLAN assignment.

I need to consult an LDAP attribute, and from this attribute determine
which VLAN to send to my wireless controller.

I need something like this:
...

if ( habitantWirelessActive == FALSE ) {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := 100
    }
}
else {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := 30
    }
}

...
habitantWirelessActive is the LDAP attribute; each user has this
attribute as a Boolean set to TRUE or FALSE.

How can I make this check?

Another question is about where I make this check: is the correct
location the post-auth section?

Thank you for your attention.

João

-- 
João Paulo de Lima Barbosa

Re: Pre release of 2.1.12

2011-09-05 Thread Bjørn Mork
Alan DeKok al...@deployingradius.com writes:
 Alan Buxey wrote:
 hmm, command.c and auth.c appear to have been updated but
 still see no joy with 'radmin' as munin user (who is in radiusd group)
 
 Mon Sep  5 15:55:04 2011 : Error: Unauthorized connection to 
 /var/run/radiusd/radiusd.sock from gid 101

   My guess is that the get peer id function is returning only *one*
 group.  Munin is first part of the munin group, but secondly part of
 the radmin group.  So... the socket asks which group is connecting,
 and gets told munin.

I assume that's because the function uses the sockopt

   SO_PEERCRED
  Return the credentials of the foreign process connected to
  this socket.  This is only possible for connected AF_UNIX
  stream sockets and AF_UNIX stream and datagram socket
  pairs created using socketpair(2); see unix(7).  The
  returned credentials are those that were in effect at the
  time of the call to connect(2) or socketpair(2).  Argu‐
  ment is a ucred structure.  This socket option is
  read-only.


So how about just running 'sg radiusd radmin'?  Would that work?  And be
an acceptable workaround?


Bjørn


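The single-group limitation Alan describes and Bjørn's SO_PEERCRED explanation, as an added C example (not FreeRADIUS code): a socketpair() makes the process its own peer, SO_PEERCRED reports exactly one uid/gid, so a primary-gid comparison rejects a user whose membership is only supplementary. The getgrouplist(3) fallback is this example's assumption of how such a check could be widened, and the socket's group is whatever gid the caller passes.

```c
#define _GNU_SOURCE            /* struct ucred and getgrouplist on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the peer's credentials from a connected AF_UNIX socket.
 * SO_PEERCRED fills pid/uid/gid only: the gid is the peer's effective
 * primary group at connect() time, never its supplementary groups. */
int peer_creds(int fd, struct ucred *out)
{
    socklen_t len = sizeof(*out);
    memset(out, 0, sizeof(*out));
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len);
}

/* The check as the thread describes it: compare the one gid in ucred.
 * A user whose membership of the socket's group is supplementary
 * (munin in the radiusd group, here) is rejected. */
int allowed_primary_only(const struct ucred *cr, gid_t sock_gid)
{
    return cr->gid == sock_gid;
}

/* Assumed fallback (not FreeRADIUS code): resolve the peer uid to a user
 * name and consult its full group list with getgrouplist(3).
 * Returns 1 if allowed, 0 otherwise; unknown uids are denied. */
int allowed_any_group(const struct ucred *cr, gid_t sock_gid)
{
    gid_t groups[128];
    int n = sizeof groups / sizeof groups[0];
    struct passwd *pw;

    if (cr->gid == sock_gid) return 1;
    pw = getpwuid(cr->uid);
    if (pw == NULL) return 0;
    if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &n) < 0) return 0;
    for (int i = 0; i < n; i++)
        if (groups[i] == sock_gid) return 1;
    return 0;
}

/* Demo driver: a socketpair() makes this process its own peer, so the
 * reported credentials are our own effective uid/gid. Returns the verdict
 * of the chosen check for sock_gid, or -1 if credentials cannot be read. */
int check_self(gid_t sock_gid, int strict)
{
    int sv[2], rc;
    struct ucred cr;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    rc = peer_creds(sv[0], &cr);
    close(sv[0]);
    close(sv[1]);
    if (rc < 0 || cr.uid != geteuid() || cr.gid != getegid()) return -1;
    return strict ? allowed_primary_only(&cr, sock_gid)
                  : allowed_any_group(&cr, sock_gid);
}

int main(void)
{
    /* Socket owned by our own primary group, then by another group: the
     * strict check fails the second case even if that gid is in our
     * supplementary list, which is the behaviour munin ran into. */
    printf("own gid, strict:   %d\n", check_self(getegid(), 1));
    printf("own gid, groups:   %d\n", check_self(getegid(), 0));
    printf("other gid, strict: %d\n", check_self(getegid() + 1, 1));
    return 0;
}
```

Bjørn's 'sg radiusd radmin' workaround changes the effective gid before connect(), which is exactly the single value SO_PEERCRED reports.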

Re: different acctuniqueids with common keys?

2011-09-05 Thread Rob Turner
This is an issue for us as well. It seems in our case, the NAS retransmits the 
start packet 60 seconds later and this has an impact on the acctuniqueid as 
shown in the example below: 

Tue Aug 30 13:32:49 2011 
Event-Timestamp = Aug 30 2011 13:32:48 EDT 
User-Name = u...@example.com 
NAS-IP-Address = 69.72.31.155 
NAS-Identifier = mtar-apx01.1dial.com 
Ascend-Owner-IP-Addr = 0.0.0.0 
NAS-Port = 4652 
Ascend-NAS-Port-Format = 4 
NAS-Port-Type = Async 
Service-Type = Framed-User 
Class = 0x4241534943495350 
Acct-Status-Type = Start 
Acct-Delay-Time = 0 
Acct-Session-Id = 592238627 
Acct-Authentic = RADIUS 
Ascend-Auth-Delay = 1580 
Ascend-Data-Rate = 21600 
Ascend-Xmit-Rate = 4 
Ascend-Modem-PortNo = 92 
Ascend-Modem-SlotNo = 14 
Ascend-Modem-ShelfNo = 1 
Calling-Station-Id = ... 
Ascend-Calling-Id-Type-Of-Num = Unknown 
Ascend-Calling-Id-Number-Plan = Unknown 
Ascend-Calling-Id-Presentatn = Allowed 
Ascend-Calling-Id-Screening = 40 
Called-Station-Id = ... 
Ascend-Data-Svc = Switched-Voice-Bearer 
Framed-Protocol = PPP 
Framed-IP-Address = 208.103.135.234 
Proxy-State = 0x3138 
Proxy-State = 0x313435 
Proxy-State = 0x323034 
Realm = example.com 
Acct-Unique-Session-Id = 547e6cd62913bca0 
Timestamp = 1314725569 

Tue Aug 30 13:33:49 2011 
Event-Timestamp = Aug 30 2011 13:32:48 EDT 
User-Name = u...@example.com 
NAS-IP-Address = 69.72.31.155 
NAS-Identifier = mtar-apx01.1dial.com 
Ascend-Owner-IP-Addr = 0.0.0.0 
NAS-Port = 4652 
Ascend-NAS-Port-Format = 4 
NAS-Port-Type = Async 
Service-Type = Framed-User 
Class = 0x4241534943495350 
Acct-Status-Type = Start 
Acct-Delay-Time = 60 
Acct-Session-Id = 592238627 
Acct-Authentic = RADIUS 
Ascend-Auth-Delay = 1580 
Ascend-Data-Rate = 21600 
Ascend-Xmit-Rate = 4 
Ascend-Modem-PortNo = 92 
Ascend-Modem-SlotNo = 14 
Ascend-Modem-ShelfNo = 1 
Calling-Station-Id = ... 
Ascend-Calling-Id-Type-Of-Num = Unknown 
Ascend-Calling-Id-Number-Plan = Unknown 
Ascend-Calling-Id-Presentatn = Allowed 
Ascend-Calling-Id-Screening = 40 
Called-Station-Id = ... 
Ascend-Data-Svc = Switched-Voice-Bearer 
Framed-Protocol = PPP 
Framed-IP-Address = 208.103.135.234 
Proxy-State = 0x3230 
Proxy-State = 0x3832 
Proxy-State = 0x3934 
Realm = example.com 
Acct-Unique-Session-Id = 0041ee21d0b1c6b1 
Timestamp = 1314725629 

As with many companies using load balancing, it may not be good to use 
Client-IP-Address to key on as this changed 60 seconds later. 

Default in modules/acct_unique: 

acct_unique { 
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port 
} 

The man page for rlm_acct_unique shows: 

acct_unique { 
key = User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port 
} 

Anyone know when this was changed? 

- Original Message -

From: Arran Cudbard-Bell a.cudba...@gmail.com 
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org 
Sent: Saturday, June 18, 2011 7:50:49 AM 
Subject: Re: different acctuniqueids with common keys? 


On Jun 18, 2011, at 1:26 PM, and...@sybaweb.com wrote: 

 On Sat, 18 Jun 2011 07:39:53 +0200, Arran Cudbard-Bell wrote: 
 As Alan says it's the NAS not including a consistent set of 
 Attribute and or values. 
 
 The key attributes per the config (acct_unique { key = User-Name, 
 Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port 
 }) *are* consistent in the radacct table yet the value of acctuniqueid is 
 not. I suppose the missing values could have been populated later. 

Um yes. Especially if you're using interim updates. 

-Arran 

Arran Cudbard-Bell 
RM-RF Limited - Security consultation and contracting 
VoIP: +1 916-436-1352 Cell: +44 7854041841 





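As an added C example (not FreeRADIUS's own code) of what Rob's two Start records show: the retransmitted Start differs only in Acct-Delay-Time, Proxy-State and, per the thread, Client-IP-Address, so a key that includes Client-IP-Address yields two ids for one session while the man-page key yields one. The Client-IP-Address values are constructed, and rlm_acct_unique's actual hash is not reproduced; equal key strings are what is compared.

```c
#include <stdio.h>
#include <string.h>

/* Two accounting Start records condensed from the thread (the NAS resent
 * the Start 60 s later). Client-IP-Address values are constructed to model
 * the load-balanced path changing between the two copies. */
static const char *const start1[] = {
    "User-Name = u...@example.com",
    "NAS-IP-Address = 69.72.31.155",
    "NAS-Port = 4652",
    "Acct-Status-Type = Start",
    "Acct-Delay-Time = 0",
    "Acct-Session-Id = 592238627",
    "Client-IP-Address = 192.0.2.10",    /* constructed */
    NULL
};
static const char *const start2[] = {
    "User-Name = u...@example.com",
    "NAS-IP-Address = 69.72.31.155",
    "NAS-Port = 4652",
    "Acct-Status-Type = Start",
    "Acct-Delay-Time = 60",
    "Acct-Session-Id = 592238627",
    "Client-IP-Address = 192.0.2.11",    /* constructed: other balancer leg */
    NULL
};

/* The two key lists quoted in the thread. */
static const char *const key_default[] = { "User-Name", "Acct-Session-Id",
    "NAS-IP-Address", "Client-IP-Address", "NAS-Port", NULL };
static const char *const key_manpage[] = { "User-Name", "Acct-Session-Id",
    "NAS-IP-Address", "NAS-Port", NULL };

/* Value of attribute 'name' in a record, or "" when it is absent. */
const char *attr_value(const char *const *rec, const char *name)
{
    size_t n = strlen(name);
    for (; *rec; rec++)
        if (strncmp(*rec, name, n) == 0 && strncmp(*rec + n, " = ", 3) == 0)
            return *rec + n + 3;
    return "";
}

/* Join the key attributes' values with '|' into out; returns its length.
 * rlm_acct_unique hashes the key values to form Acct-Unique-Session-Id;
 * the hash is not reproduced here, equal key strings are what matters. */
size_t build_key(const char *const *rec, const char *const *keys,
                 char *out, size_t outlen)
{
    out[0] = '\0';
    for (; *keys; keys++) {
        strncat(out, attr_value(rec, *keys), outlen - strlen(out) - 1);
        strncat(out, "|", outlen - strlen(out) - 1);
    }
    return strlen(out);
}

/* 1 if both records get the same unique id under 'keys', else 0. */
int same_session(const char *const *a, const char *const *b,
                 const char *const *keys)
{
    char ka[256], kb[256];
    build_key(a, keys, ka, sizeof ka);
    build_key(b, keys, kb, sizeof kb);
    return strcmp(ka, kb) == 0;
}

/* The retransmit seen through each configuration. */
int retransmit_matches_default(void) { return same_session(start1, start2, key_default); }
int retransmit_matches_manpage(void) { return same_session(start1, start2, key_manpage); }
```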

Re: different acctuniqueids with common keys?

2011-09-05 Thread James J J Hooper

On 06/09/2011 00:36, Rob Turner wrote:


Default in modules/acct_unique:

acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port
}

The man page for rlm_acct_unique shows:

acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port
}

Anyone know when this was changed?

Apparently, a long time ago:
https://github.com/alandekok/freeradius-server/commits/master/raddb/modules/acct_unique

-James


Expiration Module Not Returning the Error Message

2011-09-05 Thread Det Det
Hi,

The expiration module works but it is not returning the error message. 
Every time I include the Expiration attribute and set the date accordingly, the user 
is denied login. The reason is because the account expired and NOT because 
there is no known good password found, as shown below. How do I tell RADIUS to 
stop processing anything after the expiration check? I suspect it proceeds with the rest 
of the checks and so the error message has been overwritten by other modules' 
error messages.



+++[sql2] returns ok
++- redundant-load-balance group redundant_load_balance_sql returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop


thanks,
det

Re: different acctuniqueids with common keys?

2011-09-05 Thread Arran Cudbard-Bell

On 6 Sep 2011, at 06:04, James J J Hooper wrote:

 On 06/09/2011 00:36, Rob Turner wrote:
 
 Default in modules/acct_unique:
 
 acct_unique {
 key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
 NAS-Port
 }
 
 The man page for rlm_acct_unique shows:
 
 acct_unique {
 key = User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port
 }
 
 Anyone know when this was changed?
 Apparently, a long time ago:
 https://github.com/alandekok/freeradius-server/commits/master/raddb/modules/acct_unique

See policy.conf on the master branch for an acctuniqueid scheme which sucks 
less... This will be the default for new 3.x configs as the policy overloads 
the module.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Expiration Module Not Returning the Error Message

2011-09-05 Thread Fajar A. Nugraha
On Tue, Sep 6, 2011 at 11:41 AM, Det Det det.explo...@yahoo.com wrote:
 Hi,
 The expiration module works but it is not returning the error message.
 Every time I include the Expiration attribute and set the date accordingly, the
 user is denied login. The reason is because the account expired and NOT
 because there is no known good password found, as shown below. How do I tell
 RADIUS to stop processing anything after the expiration check? I suspect it
 proceeds with the rest of the checks and so the error message has been
 overwritten by other modules' error messages.


 +++[sql2] returns ok
 ++- redundant-load-balance group redundant_load_balance_sql returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.  Authentication
 may fail because of this.
 ++[pap] returns noop

Works for me. From modules/expiration: "It should be included in the
*end* of the authorize section in order to handle user Expiration" (or
just uncomment the expiration line in sites-available/default). The debug
log should show something like this:

[expiration] Checking Expiration time: '2011 Sep 6 03:00:00'
[expiration] Account has expired
[expiration] expand: "Password Has Expired" -> "Password Has Expired"
++[expiration] returns userlock
Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]):
[testuser] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: "%{User-Name}" -> "testuser"
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 242 to 127.0.0.1 port 52990
Reply-Message += "Password Has Expired\r\n"

If it doesn't, then either:
- you're using an old FR version with some bugs regarding expiration
on it, in which case you should upgrade, or
- you didn't list expiration in authorize section, or
- you didn't have Expiration attribute for your user (in users
file/sql/whatever)

-- 
Fajar
