Cannot control attribute ordering via "rlm_perl"

2011-10-05 Thread Claude Brown
Hi,

First, the version I'm using:

# freeradius -v
freeradius: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, [...]


I'm trying to control the attribute-ordering when using "rlm_perl". Thus far my 
experience is that this is not possible. My theory is that this is due to the 
hash-tables used as the interface between the C and Perl worlds.

Here is a small example that demonstrates the problem. I've turned on the 
"users" and "perl" modules in the authorize section (in that order). These are 
the important bits from the "users" file and the "example.pl" file.

(from the "users" file) 
steve   Cleartext-Password := "testing"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 172.16.3.33,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
Framed-Filter-Id = "std.ppp",
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP,
WiMAX-Packet-Data-Flow-Id = 1,
WiMAX-Service-Data-Flow-Id = 1,
WiMAX-Service-Profile-Id = 2

(from the "example.pl")
sub authorize
{
   return RLM_MODULE_NOOP;
}


The debug log of the server is below. The interesting bits are (a) the 
"rlm_perl: Added pair" and (b) the attribute-order in the packet that the 
server sends in reply - the order is changed.

The ordering is important for me, as I want those three WiMAX attributes 
packed inside a parent attribute "WiMAX-Packet-Flow-Descriptor". If I turn off 
the "perl" module (or place it before the "files" module) the packing works as 
expected.

I put all this down to the attribute-list being rebuilt (by rlm_perl) from the 
%RAD_REPLY table. The hash-table has no concept of ordering, so it ends up 
randomised.

The above is a contrived example - what I really want to do is add those three 
WiMAX attributes in my perl script.  But due to the ordering problems I think I 
am wasting my time and need to come up with another solution.

Can anyone see how I can control the ordering of attributes coming out of the 
perl script?

Thanks,

Claude Brown.
Vividwireless.



rad_recv: Access-Request packet from host 127.0.0.1 port 50265, id=2, length=63
User-Name = "steve"
User-Password = "testing"
Message-Authenticator = 0xc8b10e777a7ea53a261c855029fd0b58
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry steve at line 76
++[files] returns ok
GOT CLONE -1588651264 0x1a0e160
rlm_perl: Added pair User-Name = steve
rlm_perl: Added pair User-Password = testing
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0xc8b10e777a7ea53a261c855029fd0b58
rlm_perl: Added pair WiMAX-Service-Data-Flow-Id = 1
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-Routing = Broadcast-Listen
rlm_perl: Added pair WiMAX-Packet-Data-Flow-Id = 1
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Framed-Filter-Id = std.ppp
rlm_perl: Added pair Framed-IP-Address = 172.16.3.33
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair WiMAX-Service-Profile-Id = 2
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair Cleartext-Password = testing
++[perl] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [steve] (from client localhost port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 2 to 127.0.0.1 port 50265
WiMAX-Service-Data-Flow-Id = 1
Service-Type = Framed-User
Framed-Routing = Broadcast-Listen
WiMAX-Packet-Data-Flow-Id = 1
Framed-Protocol = PPP
Framed-Filter-Id = "std.ppp"
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Compression = Van-Jacobson-TCP-IP
WiMAX-Service-Profile-Id = 2
Framed-MTU = 1500
Finished request 0.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
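
One way round the ordering problem described above, as an added example that is not from the original post or from the FreeRADIUS distribution: leave the decision in the Perl script, but let unlang append the three WiMAX sub-attributes afterwards with "update reply", which adds attributes in the order they are written. The flag attribute Tmp-Integer-0 (an internal attribute from dictionary.freeradius.internal) and the module instance name "perl" are assumptions; the attribute values are the ones from the users file above.

```unlang
# raddb/sites-available/default, authorize section (added example)
authorize {
    # ... preprocess, chap, mschap, suffix, eap, unix as in the default config
    files

    # The Perl script decides whether this session gets a flow descriptor
    # and signals it through an internal attribute in the control list.
    # Perl side, in example.pl (assumed):
    #   $RAD_CHECK{'Tmp-Integer-0'} = 1;   # ask unlang to add the descriptor
    #   return RLM_MODULE_UPDATED;
    perl

    # rlm_perl has already rebuilt the reply list from the unordered hash.
    # "update reply" appends in the order written, so the three WiMAX
    # sub-attributes stay adjacent, which is the order the encoder needs to
    # pack them into one WiMAX-Packet-Flow-Descriptor (as the post observes).
    # The users-file entry must not also list them, or they stay where
    # rlm_files put them and "=" adds nothing.
    if (control:Tmp-Integer-0 == 1) {
        update reply {
            WiMAX-Packet-Data-Flow-Id  = 1
            WiMAX-Service-Data-Flow-Id = 1
            WiMAX-Service-Profile-Id   = 2
        }
    }

    # ... expiration, logintime, pap as in the default config
}
```

Anything that calls rlm_perl again later in the request (a perl call in post-auth, for instance) rebuilds the reply list from the hash and shuffles it again, so the unlang update has to be the last thing that touches the reply list. The check is the same debug output as above: the three WiMAX-* attributes should appear next to each other in the "Sending Access-Accept" lines.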


Re: Reply-Message in freeradius

2011-10-05 Thread gary
Hi 
One more question.
How about if the user name is wrong? e.g.: send reply message "user name not found"


Best Regards
Gary
 
  - Original Message - 
  From: Arran Cudbard-Bell 
  To: Dagia Dorjsuren ; FreeRadius users mailing list 
  Sent: Wednesday, October 05, 2011 10:34 PM
  Subject: Re: Reply-Message in freeradius




  On 5 Oct 2011, at 16:23, Dagia Dorjsuren wrote:


Hello,  How to add Reply-Message in freeradius? anyone advise me pls. For 
example : I would like to send "Your username or password is wrong" message to 
NAS if someone tries to access my freeradius with a wrong password from that 
NAS

raddb/sites-available/default


  post-auth {

  Post-Auth-Type REJECT {
  update reply {
  Reply-Message = "Your password is wrong, prepare to be eaten by flying monkeys."
  }
  }
  }


  Arran Cudbard-Bell
  a.cudba...@freeradius.org

  Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !






Re: password in EAP request

2011-10-05 Thread Alan Buxey
Hi,

>In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username
>of the EAP request message. How can I get the password of the
>EAP request? $RAD_REQUEST{'User-Password'} won't return the password.

it certainly won't for PEAPv0/MSCHAPv2, which is what your request looks
like - hint, it's a challenge-response mechanism, the password is never disclosed

alan


RE: password in EAP request

2011-10-05 Thread Tim Sylvester
In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username of
the EAP request message. How can I get the password of the
EAP request? $RAD_REQUEST{'User-Password'} won't return the password.

You can't. RADIUS Access-Request packets that use EAP do not send
the password to the RADIUS server. The only attributes you can access are
the ones sent in the RADIUS request, which are listed below in the debug
output.

 

rad_recv: Access-Request packet from host 24.26.79.31 port 50168, id=207,
length=185
User-Name = "test"
NAS-IP-Address = 10.0.0.31
NAS-Identifier = "belair"
NAS-Port = 0
Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x"
Calling-Station-Id = "00-26-4A-FC-EB-B2"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0xce81437fce8047c9464d6ff62d386d00
Message-Authenticator = 0x5feafac09a6cce51d36958efc628f397



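
Where the credentials actually become visible, as an added example that is not from either of the replies above or from the FreeRADIUS distribution: the outer Access-Request in the debug output carries only EAP-Message and State, because the credentials travel inside the TLS tunnel and surface as a separate inner request in the inner-tunnel virtual server. Whether a password exists there depends on the inner method. The "perl" module instance name is assumed; the other lines are the default inner-tunnel authorize section.

```unlang
# raddb/sites-available/inner-tunnel (added example)
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files

        # EAP-TTLS with PAP as the inner method: the plaintext password is in
        # the inner request, so $RAD_REQUEST{'User-Password'} is populated in
        # the script when it is called from here.
        # For PEAP/EAP-MSCHAPv2 (what the EAP-NAK in the debug output asks
        # for) this condition is false: the inner EAP-Message carries a
        # challenge/response exchange and no password attribute exists.
        if (User-Password) {
            perl
        }

        expiration
        logintime
        pap
    }
    # ... authenticate, post-auth as in the default inner-tunnel config
}
```

Even in the TTLS/PAP case the password is only ever present on the RADIUS server itself, in cleartext, for the life of the inner request; a script that reads it should use it for the check it needs and never write it to a log.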


Re: Rewriting wimax calling-station-id with perl

2011-10-05 Thread Johan Meiring

On 2011/10/05 08:15 PM, James T Mugauri wrote:

Hi,

As you are undoubtedly aware, the ubuntu/debian package of freeradius comes
without the wimax module (despite having the wimax module) installed. My own
attempts to compile/install/build deb package for ubuntu always die with the
infamous "undefined reference to `lt_preloaded_symbols'" that apparently has
even Alan opting to forsake libtool.




Which version of debian do you need packages for?

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html



password in EAP request

2011-10-05 Thread Alex rsm

Hi,

In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username of the 
EAP request message. How can I get the password of the
EAP request? $RAD_REQUEST{'User-Password'} won't return the password.



rad_recv: Access-Request packet from host 24.26.79.31 port 50168, id=207, 
length=185
User-Name = "test"
NAS-IP-Address = 10.0.0.31
NAS-Identifier = "belair"
NAS-Port = 0
Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x"
Calling-Station-Id = "00-26-4A-FC-EB-B2"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0xce81437fce8047c9464d6ff62d386d00
Message-Authenticator = 0x5feafac09a6cce51d36958efc628f397
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
User-Name=test
User-password=
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: State = 0xce81437fce8047c9464d6ff62d386d00
rlm_perl: RAD_REQUEST: Calling-Station-Id = 00-26-4A-FC-EB-B2
rlm_perl: RAD_REQUEST: Called-Station-Id = 
00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
rlm_perl: RAD_REQUEST: Message-Authenticator = 
0x5feafac09a6cce51d36958efc628f397
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: NAS-Identifier = belair
rlm_perl: RAD_REQUEST: EAP-Message = 0x020100060319
rlm_perl: RAD_REQUEST: Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: RAD_REQUEST: EAP-Type = NAK
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.0.31
rlm_perl: RAD_REQUEST: NAS-Port = 0
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair State = 0xce81437fce8047c9464d6ff62d386d00
rlm_perl: Added pair Calling-Station-Id = 00-26-4A-FC-EB-B2
rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
rlm_perl: Added pair Message-Authenticator = 0x5feafac09a6cce51d36958efc628f397
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair NAS-Identifier = belair
rlm_perl: Added pair EAP-Message = 0x020100060319
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair EAP-Type = NAK
rlm_perl: Added pair NAS-IP-Address = 10.0.0.31
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled



Re: Rewriting wimax calling-station-id with perl

2011-10-05 Thread Alan DeKok
James T Mugauri wrote:
> 
> As you are undoubtedly aware, the ubuntu/debian package of freeradius
> comes without the wimax module (despite having the wimax module)
> installed. My own attempts to compile/install/build deb package for
> ubuntu always die with the infamous "undefined reference to
> `lt_preloaded_symbols'" that apparently has even Alan opting to forsake
> libtool.

  That's in part because libtool changed their API in incompatible ways.
 Libtool && libltdl have weird incestuous dependencies.  And to make it
even better, they don't bother checking for consistency.  So you can use
incompatible versions and it will give you weird cryptic error messages.

> If so, would anyone here be able to mash up a few lines of perl code to
> this end? Please? I, unfortunately am not familiar enough with c to
> translate the logic behind the code above flawlessly.

  I'm not familiar enough with Perl, sorry.

  But why worry about a "deb" package?  Just install it from source.
That works.

> On 10/05/2011 02:10 PM, freeradius-users-requ...@lists.freeradius.org

  *Please* edit your posts to remove the unnecessary text.  It's just nice.

  Alan DeKok.


Re: radius dhcp

2011-10-05 Thread Alan DeKok
Alexandre Chapellon wrote:
> That works. I want to know if there is any *standardized* way to specify
> the NAS the DHCP server to relay the DHCP request to, using attributes
> in the radius Access-Accept?

  No.

> I have found dhcp dictionnary (talking about gateway DHCP to RADIUS) but
> am not sure it is intended to do that.
> 
> If not does anybody knows if it's possible with redback xxxSE BRAS?

  See dictionary.redback.  Other than that... nope.

  Alan DeKok.


radius dhcp

2011-10-05 Thread Alexandre Chapellon

Hello,

I have a setup where the user initiates a DHCP request to the NAS. The NAS 
then tries to authenticate the user using regular radius requests 
(basically Access-Request with username=macaddr). If authenticated, the 
NAS relays the dhcp request to a dhcp server


That works. I want to know if there is any *standardized* way to tell 
the NAS which DHCP server to relay the DHCP request to, using attributes 
in the radius Access-Accept?
I have found the dhcp dictionary (talking about gateway DHCP to RADIUS) but 
am not sure it is intended to do that.


If not does anybody knows if it's possible with redback xxxSE BRAS?

Regards.
--


Alexandre Chapellon

Open-source systems and network engineering.
Follow me on twitter: @alxgomz 



Re: Rewriting wimax calling-station-id with perl

2011-10-05 Thread James T Mugauri

Phil Mayers wrote:

I guess that's ok, in that it stops an unresponsive realm
blocking other realms, but wouldn't another solution be to add
a config item to the detail reader to drop packets which are>X
seconds old?

if (Acct-Delay-Time>3600) { ok } else { ... do proxy  }


Ah ha! Clever. I had forgotten the detail reader created/updated
that attribute. Yay FreeRADIUS!

It's a bad way of doing it. At least with replicate every accounting
packet has a chance... Using Acct-Delay-Time you'll end up dumping
anywhere between 1-15 seconds accounting data for all realms if one
realm is unreachable.

Whereas with rlm_replicate, you risk dropping arbitrary accounting
packets because there is no retry. There is no ideal solution, because
radius accounting was never designed for the kind of loosely-coupled
federation that is Eduroam.

For me, since most Eduroam sites don't care about receiving federated
accounting, my primary concern is for my server to carry on functioning,
and that means the detail file should not grow without bound. I don't
really care how that happens - as long as it does.



--

Message: 4
Date: Wed, 5 Oct 2011 13:06:33 +0200
From: Alejandro Gandara
Subject: Mac access mixed ldap access same NAS
To: FreeRadius users mailing list


Hi list,

Does someone know if it's possible to mix MAC auth with LDAP auth on the same
NAS?

I mean, I have multiple connections to one NAS, but a few users will access
through MAC address, and others will access through LDAP auth + passwords.

Nowadays I've configured LDAP access, but I don't know how to configure
freeradius to allow a few users (16-20) to connect through MAC auth.

As always, thank you very much for your time and patience.

Regards,

Alejandro Gándara
Junior System Administrator

--

Message: 5
Date: Wed, 5 Oct 2011 18:12:15 +0700
From: "Fajar A. Nugraha"
Subject: Re: MySQL and FreeRADIUS environment
To: FreeRadius users mailing list


On Wed, Oct 5, 2011 at 4:57 PM, tonimanel
  wrote:

Hi again,

How can I do freeradius replication with radrelay? Do you know any tutorial
or howto?

Have you READ the suggested documentation? For example, Alan said
"Also, raddb/sites-available/copy-acct-to-home-server"

I also wrote earlier regarding FR-managed replication: "In this setup
the user data needs to be synced manually though."




Re: Trying to configure Cisco WLC 5500 for radius auth

2011-10-05 Thread Phil Mayers

On 05/10/11 15:49, Jefferson Davis wrote:

Hi all,

Trying to configure our cisco WLC's to play nice with freeradius...
Looking for some pointers to get the two of them talking. Will have
windows, linux, and personal devices like smartphones connecting, though
I suspect the bulk will be smartphones. I would rather not hand out the
PSK to users as I know this will get loose.

I have set up a WLAN for this but it does not seem to be talking to
freeradius. Will the traffic be coming from the WLC or the designated
WLAN for the SSID?


This is not a FreeRADIUS question - you should ask on a Cisco list; and 
your question is way too vague.


What does "play nice with FreeRADIUS" mean?

Are you trying to setup a WPA-Enterprise (username/password 
authenticated) WLAN? Or an open WLAN with web auth? Or an open wlan with 
MAC-based auth?


You need to read the documentation for your WLC.


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Alan Buxey
>Roll on RADSEC.

Ha ha ha, coffee everywhere now. Thanks for the laugh. The 
uptake of IPv6 and DNSSEC looks absolutely ravenous and rapid compared to that 
of DNSSEC.

I've had a couple of sites ask about it and go no further (they are running 
RADIUS servers that can do RADSEC without being prerelease/beta). Is this the 
configuration required (minimal) or the prescribed eduroam method of coming on 
board? I don't know.
Maybe it's the giant hole in stats caused when the proxies no longer see end 
site traffic... and the onus on sites to provide stats...

Either way, even with RADSEC, when a site is down or non-responsive you'll 
still have a backup of accounting data for them

alan



Trying to configure Cisco WLC 5500 for radius auth

2011-10-05 Thread Jefferson Davis
Hi all, 

Trying to configure our cisco WLC's to play nice with freeradius... Looking for 
some pointers to get the two of them talking. Will have windows, linux, and 
personal devices like smartphones connecting, though I suspect the bulk will be 
smartphones. I would rather not hand out the PSK to users as I know this will 
get loose. 

I have set up a WLAN for this but it does not seem to be talking to freeradius. 
Will the traffic be coming from the WLC or the designated WLAN for the SSID? 

Would very much appreciate any pointers. I've got it working as far as 
authenticating my switches and routers. Saved us probably $10k plus. 

-- 



Jefferson K Davis 
Technology and Information Systems Manager 
Standard School District 
1200 North Chester Ave 
Bakersfield, CA 93308 
661.392.2110 ext 120 (office) 
661.392.0681 (fax) 
http://district.standard.k12.ca.us 



Re: (No subject)

2011-10-05 Thread Alan Buxey
ldconfig -v ??

alan
--
Message may be brief as it has been sent from my mobile



Re:

2011-10-05 Thread Fajar A. Nugraha
On Wed, Oct 5, 2011 at 9:32 PM, Alex rsm  wrote:
> Hi,
>
> I just installed freeradius 2.1.12 on ubuntu server from src file and got
> the following error:
>
> # radiusd -X
> radiusd: error while loading shared libraries:
> libfreeradius-radius-2.1.12.so: cannot open shared object file: No such file
> or directory

run ldconfig.

... or if you prefer using a prebuilt package, see
https://launchpad.net/~freeradius/+archive/stable

-- 
Fajar


Re: Reply-Message in freeradius

2011-10-05 Thread Fajar A. Nugraha
On Wed, Oct 5, 2011 at 9:23 PM, Dagia Dorjsuren  wrote:
> Hello,
>
>   How to add Reply-Message in freeradius? anyone advise me pls.

post-auth {
...
  update reply {
Reply-Message = "Your message here\r\n"
  }
...
}

>
> For example : I would like to send "Your username or password is wrong"
> message to NAS if someone tries to access my freeradius with a wrong password
> from that NAS

That's tricky. Checking for reject is easy enough (see example in the
default post-auth section).  Checking WHY the rejection happens (e.g.
account expire, wrong password) is not easy.

One workaround is to add your reply-message only when there is no
previous message (which is what "=" does. See "man unlang").

-- 
Fajar


Re: Reply-Message in freeradius

2011-10-05 Thread Arran Cudbard-Bell

On 5 Oct 2011, at 16:23, Dagia Dorjsuren wrote:

> Hello,
> 
>   How to add Reply-Message in freeradius? anyone advise me pls.
> 
> For example : I would like to send "Your username or password is wrong" 
> message to NAS if someone tries to access my freeradius with a wrong password 
> from that NAS
> 
raddb/sites-available/default

post-auth {

Post-Auth-Type REJECT {
update reply {
Reply-Message = "Your password is wrong, prepare to be eaten by flying monkeys."
}
}
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !

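
Putting Arran's Post-Auth-Type REJECT block together with Fajar's point about "=" versus ":=", and covering gary's follow-up about a user name that does not exist, as an added example that is not from the thread or from the FreeRADIUS distribution. It assumes "files" is the user-lookup module (the one in the debug output above; the same return-code check works after sql or ldap) and that the users file has no DEFAULT entry, since a DEFAULT entry matches everyone and "notfound" then never fires.

```unlang
# raddb/sites-available/default (added example)
authorize {
    # ... preprocess, chap, mschap, suffix, eap, unix as in the default config
    files
    # Return code of the module just run: no matching entry at all.
    if (notfound) {
        update reply {
            # ":=" sets the message unconditionally.
            Reply-Message := "user name not found"
        }
        reject
    }
    # ... expiration, logintime, pap as in the default config
}

post-auth {
    # ... exec etc. as in the default config
    Post-Auth-Type REJECT {
        # From the default config: filters the Access-Reject down to the
        # attributes allowed in it; Reply-Message is one of them, so a
        # message set earlier in the request survives.
        attr_filter.access_reject

        update reply {
            # "=" only adds the attribute when none is present, so the more
            # specific message set above (or rlm_expiration's own
            # "Password Has Expired") is kept, and a plain wrong password,
            # where nothing was set, gets this one.
            Reply-Message = "Your username or password is wrong"
        }
    }
}
```

The "user name not found" branch tells whoever is at the NAS that an account does or does not exist, which is a user-enumeration oracle; on anything reachable by untrusted clients keep a single generic message for both cases and log the distinction server-side instead.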


[no subject]

2011-10-05 Thread Alex rsm

Hi,

I just installed freeradius 2.1.12 on ubuntu server from src file and got the 
following error:

# radiusd -X
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.12.so: 
cannot open shared object file: No such file or directory

Thanks,
ASM


Reply-Message in freeradius

2011-10-05 Thread Dagia Dorjsuren
Hello,

How to add Reply-Message in freeradius? anyone advise me pls.

For example : I would like to send "Your username or password is wrong" message 
to NAS if someone tries to access my freeradius with a wrong password from that 
NAS

Thanks,


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Arran Cudbard-Bell
> 
> Thanks for your suggestion. Do I drop this into my existing 
> ..sites-available/default file? Does this add to what's there already, or do 
> I replace what's there with this (and does the order matter)? Sorry, I have a 
> very basic configuration and haven't had to delve into this.

Add it to sites-available/default in the existing sections (put replicate in 
the accounting {} section, put the other stuff in the preacct section...

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Arran Cudbard-Bell

On 5 Oct 2011, at 12:50, Phil Mayers wrote:

> On 05/10/11 09:56, Arran Cudbard-Bell wrote:
>> 
>> On 5 Oct 2011, at 10:40, Phil Mayers wrote:
>> 
>>> On 10/05/2011 09:26 AM, Alan DeKok wrote:
 Phil Mayers wrote:
> I guess that's ok, in that it stops an unresponsive realm
> blocking other realms, but wouldn't another solution be to add
> a config item to the detail reader to drop packets which are>X
> seconds old?
 
 if (Acct-Delay-Time>   3600) { ok } else { ... do proxy  }
>>> 
>>> 
>>> Ah ha! Clever. I had forgotten the detail reader created/updated
>>> that attribute. Yay FreeRADIUS!
>> 
>> It's a bad way of doing it. At least with replicate every accounting
>> packet has a chance... Using Acct-Delay-Time you'll end up dumping
>> anywhere between 1-15 seconds accounting data for all realms if one
>> realm is unreachable.
> 
> Whereas with rlm_replicate, you risk dropping arbitrary accounting packets 
> because there is no retry.
> There is no ideal solution, because radius accounting was never designed for 
> the kind of loosely-coupled federation that is Eduroam.
> For me, since most Eduroam sites don't care about receiving federated 
> accounting, my primary concern is for my server to carry on functioning, and 
> that means the detail file should not grow without bound. I don't really care 
> how that happens - as long as it does.


True. Both solutions suck in their own unique ways.

Roll on RADSEC.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Mike Diggins



On Wed, 5 Oct 2011, Arran Cudbard-Bell wrote:



On 5 Oct 2011, at 02:20, Mike Diggins wrote:



I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly 
failing over the Accounting Servers, due to lack of response from the Home 
Servers, or so says the log. However, I believe the issue is that some remote 
institutions Radius Servers are ignoring the Accounting packets, and timing out 
my end, making it believe the Home Servers have failed to respond. FreeRadius 
responds by marking the Home server dead. It then sends a status-server query, 
to which it gets a reply, and enables the Dead Home server. I believe that's 
the sequence of events anyway. I captured some of that in debug mode:

Rejecting request 288 due to lack of any response from home server x.x.x.x port 
1813

Finished request 288.

Cleaning up request 288 ID 205 with timestamp +1161

PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is 
dead).

Sending Status-Server of id 55 to x.x.x.x port 1813
   Message-Authenticator := 0x
   NAS-Identifier := "Status Check. Are you alive?"
Waking up in 3.9 seconds.

rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806

I don't have any control over Accounting Packets being accepted, or not, by 
other Eduroam members. Some do, some don't I imagine. Is there a configuration 
for FreeRadius that handles this situation cleanly? Seems to me that FR should 
check the Home server first, before marking it dead (at least).



No, I've talked about this with Alan. The proposed solution is an enhancement to 
the detail writer/reader functionality where the server automagically spawns 
new reader instances to listen on per-domain detail files.

For now i'd recommend using rlm_replicate, this allows you to send an entirely 
new request to the homeserver, whilst sending an Accounting-Response to the 
NAS. FR does not track the new request and so won't be able to retransmit.

Just use something like:

preacct {
if(Realm && Realm != 'local'){
update control {
Proxy-To-Realm := 'local'
Replicate-To-Realm = 'eduroam'
}
}
}

accounting {
replicate
}


Thanks for your suggestion. Do I drop this into my existing 
..sites-available/default file? Does this add to what's there already, or 
do I replace what's there with this (and does the order matter)? Sorry, I 
have a very basic configuration and haven't had to delve into this.


-Mike

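
The surrounding configuration that Arran's preacct/accounting snippet relies on, as an added example that is not from the thread or from the FreeRADIUS distribution. Replicate-To-Realm has to name a realm with an accounting pool in proxy.conf, and the request itself is answered locally by pointing Proxy-To-Realm at the LOCAL realm, which the default proxy.conf defines with no home servers. The home server address, secret and instance names are placeholders, and the example assumes a build that ships rlm_replicate (check that raddb/modules/replicate exists before relying on it).

```unlang
# raddb/proxy.conf (added example; address and secret are placeholders)
home_server eduroam-acct {
    type    = acct
    ipaddr  = 192.0.2.10          # your federation's accounting proxy
    port    = 1813
    secret  = changeme
}

home_server_pool eduroam-acct-pool {
    type        = fail-over
    home_server = eduroam-acct
}

# Replicate-To-Realm names this realm; rlm_replicate uses its acct_pool.
realm eduroam {
    acct_pool = eduroam-acct-pool
}

# Already in the default proxy.conf: a realm with no pools is handled
# locally, which is what Proxy-To-Realm := "LOCAL" relies on.
realm LOCAL {
}

# raddb/sites-available/default
preacct {
    preprocess
    acct_unique
    suffix                        # sets Realm (and Proxy-To-Realm) for user@realm
    # Roaming users: answer the NAS ourselves and fire a copy at eduroam.
    # The copy is not tracked, so there is no retransmission if the home
    # server is down; that is the trade-off discussed above.
    if (Realm && Realm != "LOCAL") {
        update control {
            Proxy-To-Realm     := "LOCAL"
            Replicate-To-Realm  = "eduroam"
        }
    }
    files
}

accounting {
    detail                        # local record written first
    unix
    radutmp
    attr_filter.accounting_response
    replicate                     # sends the copy to the realm's acct_pool
}
```

With this in place the NAS gets its Accounting-Response from the local server regardless of what the remote institution does, so the failover behaviour on the controllers described at the top of the thread stops; "radiusd -X" should show the reply going back to the NAS and, separately, the copy being sent to the eduroam-acct home server.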


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread Alan DeKok
tonimanel wrote:
> I have read the "sites-available/example" file that contains an example of
> how to define a client and a server.

  i.e. you didn't do what you were told to do.

>  I should define a client and a
> server on both machines (serverA's client is server B AND serverB's client
> is server A). Do you understand me? 

  I have no idea.

  Alan DeKok.


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
I have read the "sites-available/example" file that contains an example of
how to define a client and a server. I should define a client and a
server on both machines (serverA's client is server B AND serverB's client
is server A). Do you understand me? 

Thanks again.



Re: MySQL and FreeRADIUS environment

2011-10-05 Thread Alan DeKok
tonimanel wrote:
> I have read the example file. I have some doubts. 
> 
> Do I get it with this example file? I don't have a radrelay.conf example (or is
> this it?) 

  Yes, you do.  See the raddb/ directory.

> ... I have read on the Internet that in radiusd.conf I should define
> a detail block like detail detail-name {some information} to get
> two binary files with my main server data (which the other server should then
> use to replicate data), is it true?

  You could try reading the examples that come with the server.  The
examples you were told to read.

  Why search the internet when you have the answers in front of you?

> And then I should create the radrelay.conf
> file (because it does not exist in /etc/freeradius) with what information? I think
> that with the listen block of the copy-acct-to-home-server file, is it true?

  The server comes with a sample radrelay.conf.  See the "tar" file on
the web site.

  Alan DeKok.


MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
I have read the example file. I have some doubts. 

Do I get it with this example file? I don't have a radrelay.conf example (or is
this it?) ... I have read on the Internet that in radiusd.conf I should define
a detail block like detail detail-name {some information} to get
two binary files with my main server data (which the other server should then
use to replicate data), is it true? And then I should create the radrelay.conf
file (because it does not exist in /etc/freeradius) with what information? I think
that with the listen block of the copy-acct-to-home-server file, is it true?

Then, when I have the radrelay.conf file with the listen block information from
the "copy-acct-to-home-server" file, where should I define the second server?
I think that somewhere I should define the second server to make the
replica...

Can you help me? Can you tell me about that?

Thank you.



Re: MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
I'm going to read this example file. I don't know if I will understand it but
I will try it.

Thanks,



Re: MySQL and FreeRADIUS environment

2011-10-05 Thread Fajar A. Nugraha
On Wed, Oct 5, 2011 at 4:57 PM, tonimanel
 wrote:
> Hi again,
>
> How can I do freeradius replication with radrelay? Do you know any tutorial
> or howto?

Have you READ the suggested documentation? For example, Alan said
"Also, raddb/sites-available/copy-acct-to-home-server"

I also wrote earlier regarding FR-managed replication: "In this setup
the user data needs to be synced manually though."

-- 
Fajar


Mac access mixed ldap access same NAS

2011-10-05 Thread Alejandro Gandara
Hi list,

does someone know if it's possible to mix MAC auth with LDAP auth on the same
NAS?

I mean, I have multiple connections to one NAS, but a few users will access
through MAC address, and others will access through LDAP auth + passwords.

Nowadays I've configured LDAP access, but I don't know how to configure
freeradius to allow a few users (16-20) to connect through MAC auth.

As always, thank you very much for your time and patience.

Regards,

Alejandro Gándara
Junior System Administrator


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Phil Mayers

On 05/10/11 09:56, Arran Cudbard-Bell wrote:
> On 5 Oct 2011, at 10:40, Phil Mayers wrote:
>> On 10/05/2011 09:26 AM, Alan DeKok wrote:
>>> Phil Mayers wrote:
>>>> I guess that's ok, in that it stops an unresponsive realm
>>>> blocking other realms, but wouldn't another solution be to add
>>>> a config item to the detail reader to drop packets which are >X
>>>> seconds old?
>>>
>>>   if (Acct-Delay-Time > 3600) {
>>>   ok
>>>   } else {
>>>   ... do proxy
>>>   }
>>
>> Ah ha! Clever. I had forgotten the detail reader created/updated
>> that attribute. Yay FreeRADIUS!
>
> It's a bad way of doing it. At least with replicate every accounting
> packet has a chance... Using Acct-Delay-Time you'll end up dumping
> anywhere between 1-15 seconds accounting data for all realms if one
> realm is unreachable.

Whereas with rlm_replicate, you risk dropping arbitrary accounting
packets because there is no retry. There is no ideal solution, because
radius accounting was never designed for the kind of loosely-coupled
federation that is Eduroam.

For me, since most Eduroam sites don't care about receiving federated
accounting, my primary concern is for my server to carry on functioning,
and that means the detail file should not grow without bound. I don't
really care how that happens - as long as it does.



Re: MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
My FreeRADIUS version is 2.1.10 on Debian. Do you suggest I update? Or is it a
valid version to work with and implement freeradius replication with radrelay?

Thanks,



Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> It's a bad way of doing it. At least with replicate every accounting packet 
> has a chance... Using Acct-Delay-Time you'll end up dumping anywhere between 
> 1-15 seconds accounting data for all realms if one realm is unreachable.

  

if (Packet-Transmit-Counter > 5) {
ok
} else {
... proxy ...
}

  If the home server doesn't get it after 5 tries, throw it away.

  In 2.1.10 & later, IIRC.

  Alan DeKok.


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
Hi again,

How can I do freeradius replication with radrelay? Do you know any tutorial
or howto?

I have a basic freeradius service installed and functioning!!!

Thanks!



Re: Issue with installation of FreeRadiusServer (2.1.11) on Solaris

2011-10-05 Thread Vladimir S. Nikeshin
I do have a freeradius installation on sparc solaris 10 and have no problems with
compiling it:

# export 
PATH=$PATH:/usr/sbin:/usr/bin:/opt/csw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/local/bin:/usr/sfw/bin
# export LDFLAGS='-fPIC -mimpure-text -L/usr/sfw/lib -R/usr/sfw/lib -L/lib 
-R/lib -L/usr/local/lib -R/usr/local/lib'
# export LD_OPTIONS='-L/usr/sfw/lib -R/usr/sfw/lib -L/lib -R/lib 
-L/usr/local/lib -R/usr/local/lib'
# export CFLAGS='-D_XPG4_2 -D__EXTENSIONS__ -I/usr/include -I/usr/sfw/include 
-I/usr/local/include -I/usr/include/kerberosv5 
-I/var/src/freeradius-server-2.1.12/libltdl'
# ./configure --prefix=/opt/freeradius_v2.1.12 --with-modules="rlm_perl 
rlm_replicate" --without-rlm-dbm --with-openssl

always works.


On Mon, 3 Oct 2011 15:45:03 -0700 (PDT)
Harish Kumar  wrote:

> Hi,
> 
>        I am using solaris sparc 5.10 for installation of 2.1.11
> version of FreeRadiusServer. My Configure, gmake went fine but at
> time of "gmake install" getting following error. Can anyone suggest
> how to fix that error?
> 
> #gmake install
> /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c
> -d -m
> 755 /usr/local/sbin 
> /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -d -m
> 755 /usr/local/bin 
> /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -d -m
> 755 /usr/local/etc/raddb 
> /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -d -m
> 755 /usr/local/share/man 
> /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -d -m
> 755 /usr/local/var/run/radiusd 
> /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -d -m
> 700 /usr/local/var/log/radius 
> /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -d -m
> 700 /usr/local/var/log/radius/radacct 
> /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -d -m
> 755 /usr/local/share 
> /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -d -m 755 /usr/local/share/freeradius for i in 1 5 8; do
> \ /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -d -m 755 /usr/local/share/man/man$i; \ for p in man/man$i/*.$i;
> do
> \ /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh
> -c -m 644 $p /usr/local/share/man/man$i; \ done \ done gmake[1]:
> Entering directory
> `/export/home/emsuser/Documents/freeradius-server-2.1.11' Making
> install in libltdl... gmake[2]: Entering directory
> `/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
> gmake[3]: Entering directory
> `/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
> test -z "/usr/local/lib"
> || /bin/bash 
> /export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl/install-sh
> -d "/usr/local/lib" /bin/bash ./libtool
> --mode=install /usr/bin/install -c  'libltdl.la'
> '/usr/local/lib/libltdl.la' /usr/bin/install
> -c .libs/libltdl.so.3.1.4 /usr/local/lib/libltdl.so.3.1.4 cp: cannot
> access /usr/local/lib/libltdl.so.3.1.4 install:
> cp /usr/local/lib/libltdl.so.3.1.4 .libs/libltdl.so.3.1.4/libltdl.so.3.1.4
> failed gmake[3]: *** [install-libLTLIBRARIES] Error 2 gmake[3]:
> Leaving directory
> `/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
> gmake[2]: *** [install-am] Error 2 gmake[2]: Leaving directory
> `/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
> gmake[1]: *** [libltdl] Error 2 gmake[1]: Leaving directory
> `/export/home/emsuser/Documents/freeradius-server-2.1.11' gmake: ***
> [install] Error 2
> 
> Thanks,
> Harish



Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Arran Cudbard-Bell

On 5 Oct 2011, at 10:40, Phil Mayers wrote:

> On 10/05/2011 09:26 AM, Alan DeKok wrote:
>> Phil Mayers wrote:
>>> I guess that's ok, in that it stops an unresponsive realm blocking other
>>> realms, but wouldn't another solution be to add a config item to the
>>> detail reader to drop packets which are>X seconds old?
>> 
>>   if (Acct-Delay-Time>  3600) {
>>  ok
>>   } else {
>>  ... do proxy 
>>   }
> 
> 
> Ah ha! Clever. I had forgotten the detail reader created/updated that 
> attribute. Yay FreeRADIUS!

It's a bad way of doing it. At least with replicate every accounting packet has 
a chance... Using Acct-Delay-Time you'll end up dumping anywhere between 1-15 
seconds accounting data for all realms if one realm is unreachable.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Phil Mayers

On 10/05/2011 09:26 AM, Alan DeKok wrote:
> Phil Mayers wrote:
>> I guess that's ok, in that it stops an unresponsive realm blocking other
>> realms, but wouldn't another solution be to add a config item to the
>> detail reader to drop packets which are >X seconds old?
>
>   if (Acct-Delay-Time > 3600) {
>   ok
>   } else {
>   ... do proxy
>   }

Ah ha! Clever. I had forgotten the detail reader created/updated that
attribute. Yay FreeRADIUS!

>> Or, modify the detail reader to write a "done" marker byte into records
>> which it has processed.
>
>   That's a bit harder.

Tell me about it... we've got a home-grown system for logging DHCP
requests via pcap (because ISC dhcpd can't do decent logging) and, along
with a whole bunch of other crap, the process has to write to a logfile
in chunks, with the ability to do this (mark one "row" as written)

It was amazingly unreliable... I eventually resorted to writing them to
an sqlite database as a "spool", on the grounds that "marking" them
done/ignored was easier that way.

One of these days I'll get the time to investigate FR DHCP...


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Alan DeKok
Phil Mayers wrote:
> I guess that's ok, in that it stops an unresponsive realm blocking other
> realms, but wouldn't another solution be to add a config item to the
> detail reader to drop packets which are >X seconds old?

  if (Acct-Delay-Time > 3600) {
ok
  } else {
... do proxy 
  }

> Or, modify the detail reader to write a "done" marker byte into records
> which it has processed.

  That's a bit harder.

  Alan DeKok.


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Phil Mayers

On 10/05/2011 07:16 AM, Arran Cudbard-Bell wrote:
> No I've talked about this with Alan. The proposed solution is an
> enhancement to the detail writer/reader functionality where the
> server automagically spawns new reader instances to listen on per
> domain detail files.

I guess that's ok, in that it stops an unresponsive realm blocking other
realms, but wouldn't another solution be to add a config item to the
detail reader to drop packets which are >X seconds old?

That would help with another case - where a realm is accepting some
accounting packets but not others (e.g. they've got a SQL config that is
barfing on upper-case usernames...).

Or, modify the detail reader to write a "done" marker byte into records
which it has processed.

p1 = ftell
read packet
send packet
if ok
  p2 = ftell
  seek(p1)
  write('OK')
  seek(p2)
else:
  sleep & retry

Anyway - something else the OP can do today (aside from rlm_replicate)
is to follow the "robust-proxy-accounting" example, but instead of
queueing failed packets, just "ok" them or write to a detail file.

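The "done" marker sketch above, combined with the Acct-Delay-Time and Packet-Transmit-Counter drop rules from Alan DeKok's replies earlier in this thread, worked through as an added example; it is not code from the list or from FreeRADIUS. It assumes a detail-file layout like the one the server writes (a date line, indented attribute lines, one blank line between records). The sample records, realm names, thresholds, the send() stand-in and all helper names are constructed for the example.

```python
"""Detail-file spool reader with a per-record "done" marker plus the two
drop policies discussed in the thread.  Added example, not FreeRADIUS code:
the record layout imitates the server's detail format, but the sample
records, realm names, send() outcomes and thresholds are constructed."""
import os
import tempfile

# Constructed sample spool in detail-file layout: a date line, indented
# attribute lines, one blank line between records.  Timestamp is what the
# detail reader uses to recompute Acct-Delay-Time when it replays a record.
SAMPLE_DETAIL = b"""\
Tue Oct  4 10:00:00 2011
\tAcct-Status-Type = Stop
\tUser-Name = "alice@realm-a.example"
\tAcct-Session-Id = "0001"
\tTimestamp = 1317722400

Tue Oct  4 12:00:00 2011
\tAcct-Status-Type = Stop
\tUser-Name = "bob@realm-b.example"
\tAcct-Session-Id = "0002"
\tTimestamp = 1317729600

"""

MAX_AGE = 3600   # seconds: the "Acct-Delay-Time > 3600" rule from the thread
MAX_TRIES = 5    # the "Packet-Transmit-Counter > 5" rule from the thread
MARKER = b"OK"   # stamped over the first bytes of a record once it is handled


def read_record(fh):
    """Return the bytes of the next record (up to and including its blank-line
    terminator) or None at end of file.  Expects records separated by exactly
    one blank line, as the server writes them."""
    lines = []
    while True:
        line = fh.readline()
        if not line:
            return b"".join(lines) or None
        if not line.strip():
            if lines:
                return b"".join(lines)
            continue
        lines.append(line)


def parse_record(block):
    """Turn the attribute lines of a record into a dict (quotes stripped);
    the leading date line is skipped."""
    attrs = {}
    for line in block.decode().splitlines()[1:]:
        key, _, value = line.strip().partition(" = ")
        attrs[key] = value.strip('"')
    return attrs


def decide(attrs, now, tries):
    """'drop' when the record is older than MAX_AGE (what the detail reader
    exposes as Acct-Delay-Time) or has already failed more than MAX_TRIES
    sends; otherwise 'proxy'."""
    age = now - int(attrs["Timestamp"])
    if age > MAX_AGE or tries > MAX_TRIES:
        return "drop"
    return "proxy"


def process_spool(path, send, now, tries):
    """One pass over the spool.  A handled record gets MARKER written over its
    first bytes (seek back to p1, write, seek forward to p2) so a restart skips
    it; a record whose send failed stays unmarked for the next pass.
    Returns a list of (Acct-Session-Id, outcome)."""
    results = []
    with open(path, "r+b") as fh:
        while True:
            p1 = fh.tell()
            block = read_record(fh)
            if block is None:
                break
            p2 = fh.tell()
            if block.startswith(MARKER):
                continue                       # done on an earlier pass
            attrs = parse_record(block)
            sid = attrs["Acct-Session-Id"]
            verdict = decide(attrs, now, tries.get(sid, 0))
            if verdict == "proxy" and not send(attrs):
                tries[sid] = tries.get(sid, 0) + 1
                results.append((sid, "retry-later"))
                continue
            fh.seek(p1)
            fh.write(MARKER)
            fh.seek(p2)
            results.append((sid, "dropped" if verdict == "drop" else "proxied"))
    return results


def run_demo():
    """Two passes over the constructed spool: realm-b is unreachable on the
    first pass and back on the second.  'now' is 10 s after the newest record,
    so the two-hour-old record is dropped instead of proxied."""
    now = 1317729600 + 10
    fd, path = tempfile.mkstemp(suffix=".detail")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_DETAIL)
    tries = {}
    reachable = {"realm-a.example": True, "realm-b.example": False}

    def send(attrs):   # stand-in for proxying to the home server
        return reachable[attrs["User-Name"].split("@", 1)[1]]

    first = process_spool(path, send, now, tries)
    reachable["realm-b.example"] = True
    second = process_spool(path, send, now, tries)
    with open(path, "rb") as fh:
        marked = sum(1 for line in fh if line.startswith(MARKER))
    os.unlink(path)
    return first, second, marked
```

The marker is written in place over the record's date line, so the spool never needs rewriting and an interrupted pass resumes by skipping marked records; the retry counter is kept outside the file here, which is why the caller passes the same dict to every pass.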


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Alan Buxey
Hi,

> I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
> Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are 
> constantly failing over the Accounting Servers, due to lack of response 
> from the Home Servers, or so says the log. However, I believe the issue is 
> that some remote institutions Radius Servers are ignoring the Accounting 
> packets, and timing out my end, making it believe the Home Servers have 
> failed to respond. FreeRadius responds by marking the Home server dead. It 
> then sends a status-server query, to which is gets a reply, and enables 
> the Dead Home server. I believe that's the sequence of events anyway. I 
> captured some of that in debug mode:

the flow you captured is right - it tries, it doesn't get a response, it probes
with status-server and marks the server up again. that's fine...and the way it
should work.

regarding eduroam and proxying of accounting. yes. it's a continual problem
and one that I would like to see sorted...there's a large number of people
who don't believe in the proxying of accounting (they don't believe in the
accounting stuff really...) - I, however, like the accounting.

the issue is that YOU know your NAS kit - and all the weird things that
it can do - sending 0 session time and only using port 29 is the Cisco
'thing'..
what you aren't ready for is the slew of junk from other sites' NAS when they
do accounting ..and be prepared for a whole lot of junk.  (my current favourite
is when 100% essential RADIUS attributes for accounting have been stripped out
by an over-keen admin with the attribute filter on their RADIUS server. double
fun!)

I would suggest you take the accounting out of the 'live' stream and move to
using one of the 'supplied with freeRADIUS' accounting virtual servers -
decoupled-accounting, robust-proxy-accounting or copy-acct-to-home-server

read those VS files and see which one appeals to you the most and which will
suit your needs

alan