WiMAX

2011-10-26 Thread Alan DeKok
James T. Mugauri wrote:
> Is there anything I must pay attention to with regard to either (or
> both of):
> 
> 1. The order in which I define the attributes, especially when I am
> defining 2 QoS-Descriptors (for downlink and uplink e.g.) and 2 or more
> Packet-Flow-Descriptors (for controlling different types of traffic)

  List attributes in the order that they appear in the WiMAX dictionary
file.

> 2. The operator I should use. When should I use '+=', or is ':=' alright
> in every instance?

  Use +=.

  That's it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius rlm_sql: Failed to create the pair: Invalid TLV specification (WiMAX MS)

2011-10-26 Thread James T. Mugauri

Apologies for my incorrectly headed last response:

On 10/26/2011 12:11 AM, freeradius-users-requ...@lists.freeradius.org 
wrote:

> You just add the attributes, and the server will take care of
> encapsulating them in TLVs.

Is there anything I must pay attention to with regard to either (or
both of):

1. The order in which I define the attributes, especially when I am
defining 2 QoS-Descriptors (for downlink and uplink e.g.) and 2 or more
Packet-Flow-Descriptors (for controlling different types of traffic)

2. The operator I should use. When should I use '+=', or is ':=' alright
in every instance?


Regards,

JamesTM


Re: Why is not writing in second detail file?

2011-10-26 Thread tonimanel
First, thanks for your answer. 

I think that I understand the basics but I had a doubt with the second_detail
file because before it appeared when I executed an ls. Now I have it clear (I knew
that second_detail was removed when it was read, but only if the packets were
transmitted). 

I have redone the configurations three times getting forever an insufficient
solution, but I have learnt a lot. Now, I'm reading a book about RADIUS to
expand my knowledge.

Now, I don't have clear why, configuring proxy.conf and implementing
copy-acct-to-home-server, accounting packets have different times (I know
that these are using different timestamps). You have said that this is
possible by changing sql queries; does another solution for doing that not exist?
This is my big doubt and now, my big problem. 

Thanks for your attention and your answers! 
I hope your answers again.

Regards.



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Why-is-not-writting-in-second-detail-file-tp4935451p4939014.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: FreeRadius Losing packets in Multi-Threads mode

2011-10-26 Thread Pierre Rondou
Hello,

On Tue, 25 Oct 2011 21:09:31 +0100, Alan Buxey
> 
> however, as Alan said. in single thread mode, you only have one process
> dealing with requests... so one single open connection to SQL, one single
> session to LDAP etc etc (whatever you use) - eg even a local file with PERL.
> 
> with multithread mode, you have many threads - all of which can be hitting
> your SQL or LDAP at same time... or trying to write to the same file in a
> PERL module... so you have to look at the speed/ability of your backend...
> the jump from a single query at a time to concurrent queries may have
> tipped your balance
> 
> alan

Here is what I had thought about: FreeRadius correctly treats the requests
(answers are always received), but there is a locking problem with the log
files, meaning that basically, only one thread can write inside.

Is there any solution about that? As stated before, there is no
overloading problem on the server.

Running in single thread could be a solution, but it's really slow
compared to multi-thread ...

Regards,

Pierre


Re: Why is not writing in second detail file?

2011-10-26 Thread Fajar A. Nugraha
On Wed, Oct 26, 2011 at 3:07 PM, tonimanel wrote:
> Now, I don't have clear why, configuring proxy.conf and implementing
> copy-acct-to-home-server, accounting packets have different times (I know
> that these are using different timestamps).

That's the way it is.

> You have said that this is
> possible by changing sql queries; does another solution for doing that not exist?

Short answer: unless your NAS sends Event-Timestamp, then no.

Long answer:
When a NAS sends Event-Timestamp, freeradius will use that as the packet
timestamp. You should get the same timestamp no matter how many times
the request is proxied. See
https://github.com/alandekok/freeradius-server/commit/1fa94b7

When a NAS does NOT send Event-Timestamp, the only way to guess when
the packet was first received is by using the current timestamp and
Acct-Delay-Time. The current approach taken by the default sql queries
(see sql/mysql/dialup.conf for example) is to record both attributes
in different columns. If you don't like this you can change the query.

-- 
Fajar


Re: FreeRadius Losing packets in Multi-Threads mode

2011-10-26 Thread Alexandre Chapellon

Did the very same test here, with the very same results.
I find this a little bit scary to imagine that some accounting packets 
are lost (meaning I have no "proof" the request was answered and how).


regards

On 26/10/2011 10:21, Pierre Rondou wrote:

> Hello,
>
> On Tue, 25 Oct 2011 21:09:31 +0100, Alan Buxey
>
>> however, as Alan said. in single thread mode, you only have one process
>> dealing with requests... so one single open connection to SQL, one single
>> session to LDAP etc etc (whatever you use) - eg even a local file with PERL.
>>
>> with multithread mode, you have many threads - all of which can be hitting
>> your SQL or LDAP at same time... or trying to write to the same file in a
>> PERL module... so you have to look at the speed/ability of your backend...
>> the jump from a single query at a time to concurrent queries may have
>> tipped your balance
>>
>> alan

> Here is what I had thought about: FreeRadius correctly treats the requests
> (answers are always received), but there is a locking problem with the log
> files, meaning that basically, only one thread can write inside.
>
> Is there any solution about that? As stated before, there is no
> overloading problem on the server.
>
> Running in single thread could be a solution, but it's really slow
> compared to multi-thread ...
>
> Regards,
>
> Pierre


--


Alexandre Chapellon

Open source systems and network engineering.
Follow me on twitter: @alxgomz 



Re: FreeRadius Losing packets in Multi-Threads mode

2011-10-26 Thread Alan DeKok
Pierre Rondou wrote:
> Here is what I had thought about: FreeRadius correctly treats the requests
> (answers are always received), but there is a locking problem with the log
> files, meaning that basically, only one thread can write inside.

  Edit raddb/detail, and add "locking = yes"

  Alan DeKok.


Unencrypted username in radacct/radpostauth for ttls tunnel authenticated user

2011-10-26 Thread James T. Mugauri

Hi,

I have managed to auth a Greenpacket WiMAX MS via an eap ttls tunnel. 
Thanks to Alan's direction earlier, I can also send the service flow 
definitions correctly.


I have now found that subsequent db writes (and logging) associated with 
accounting and postauth functions are the encrypted values (available in 
the tunnel?). Is there a way to ensure that the plaintext values are 
used with all subsequent logging actions?


Regards,

JamesTM

Irrationally held truths may be more harmful than reasoned errors.
  - Thomas H. Huxley




Re: Build RPM

2011-10-26 Thread Fred
Hi Francois,

As you did not give any link to your SRPM, could you share your spec?

I still have some trouble with radrelay using my own spec with git
2.1.x, which is not version 2.2.0 ...

Best regards,
Fred

2011/10/25 Francois Gaudreault :
> Hi,
>
> The spec is a bit buggy, I had to make some tweaks to make it work (minor
> tweaks).  Let me know if you would like to have them.  We are maintaining
> the latest RPMs (core,perl,mysql,utils) in our PacketFence repositories for
> RHEL5 and RHEL6, if you want...
>
> http://www.packetfence.org/downloads/PacketFence/RHEL5/devel/x86_64/RPMS/freeradius2-2.1.12-1.el5.x86_64.rpm
> http://www.packetfence.org/downloads/PacketFence/RHEL5/devel/x86_64/RPMS/freeradius2-ldap-2.1.12-1.el5.x86_64.rpm
> http://www.packetfence.org/downloads/PacketFence/RHEL5/devel/x86_64/RPMS/freeradius2-mysql-2.1.12-1.el5.x86_64.rpm
> http://www.packetfence.org/downloads/PacketFence/RHEL5/devel/x86_64/RPMS/freeradius2-perl-2.1.12-1.el5.x86_64.rpm
> http://www.packetfence.org/downloads/PacketFence/RHEL5/devel/x86_64/RPMS/freeradius2-utils-2.1.12-1.el5.x86_64.rpm
>
> We also have them for i386.
>
> On 11-10-25 7:47 AM, Phil Mayers wrote:
>>
>> On 25/10/11 12:37, Victor Guk wrote:
>>>
>>> Hi,
>>> I want to install freeradius on RHEL5.
>>> I downloaded tar.bz2.(version 2.1.12)
>>> Run *rpmbuild -ba freeradius.spec*, but get an error:
>>
>> There are "freeradius2" RPMs in the RHEL channels.
>>
>> I suggest you either:
>>
>>  a. Install one of those, or
>>  b. Download the .src.rpm for one of those, and re-use the .spec file
>>
>> The problem seems to be that the .spec file is out of date and not naming
>> all files, as is required.
>>
>> I don't use the bundled .spec file, so haven't looked at it in years. We
>> should probably just use the one that RedHat are using these days.
>>
>
>
> --
> Francois Gaudreault, ing. jr
> fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
>



Re: FreeRadius Losing packets in Multi-Threads mode

2011-10-26 Thread Alan DeKok
Alexandre Chapellon wrote:
> Did the very same test here, with the very same results.
> I find this a little bit scary to imagine that some accounting packets
> are lost (meaning I have no "proof" the request was answered and how).

  Ah... after thinking about it some more, there is no problem.

  The test is wrong.

  Accounting packets have *nothing* which makes them unique, other than
the packet contents.  If you're sending the same packet over and over,
it's a duplicate, and gets a duplicate response.

  In single threaded mode, the server receives a packet, sends a reply,
and *deletes* all knowledge about the packet.  When it receives the next
one, it gets processed as if it was a new packet.

  In multi-threaded mode, the server receives a packet, hands it to a
thread, which processes it and sends a reply.  Crucially, the packet
isn't deleted until later, because the server avoids thread locks.

  While the packet is cached, the main thread receives a "new" packet,
which looks *exactly* the same as a packet in the cache.  So... the main
thread re-sends the same reply.

  If you look at the statistics from the server, you'll see the
"duplicate request" counter being very high.  It SHOULD be zero for
accounting packets.

  Alan DeKok.
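A small model of the behaviour Alan describes, added here as an illustration and not FreeRADIUS code: an accounting packet is identified only by its contents, so a load test that re-sends one identical packet is counted as duplicates while the threaded server still holds the finished request, and a valid test gives every packet its own Acct-Session-Id. The cache hold time, the packet fields and the counters are constructed for the example.

```python
import hashlib
import json


class AcctServerModel:
    """Toy model of how a server tells a new accounting packet from a
    duplicate (constructed for illustration; not the FreeRADIUS code).

    Accounting packets carry nothing unique except their contents, so a
    packet's identity here is a digest of those contents."""

    def __init__(self, threaded, cache_seconds=5.0):
        self.threaded = threaded
        self.cache_seconds = cache_seconds  # assumed hold time for a finished request
        self.cache = {}  # digest -> (reply, expiry time)
        self.stats = {"requests": 0, "duplicates": 0, "replies": 0}

    @staticmethod
    def digest(packet):
        # Canonical serialisation so that identical contents hash identically.
        blob = json.dumps(packet, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def receive(self, packet, now):
        self.stats["requests"] += 1
        key = self.digest(packet)
        cached = self.cache.get(key)
        if cached is not None and cached[1] > now:
            # Looks exactly like a packet still in the cache: re-send the old
            # reply and bump the "duplicate request" counter.
            self.stats["duplicates"] += 1
            return cached[0]
        reply = {"code": "Accounting-Response", "id": packet["id"]}
        self.stats["replies"] += 1
        if self.threaded:
            # Multi-threaded mode keeps the finished request around for a while
            # instead of taking a lock to delete it immediately.
            self.cache[key] = (reply, now + self.cache_seconds)
        # Single-threaded mode forgets the packet as soon as it has replied.
        return reply


def run_load_test(threaded, packets, interval=0.1):
    """Feed packets to the model one every `interval` seconds; return the counters."""
    server = AcctServerModel(threaded)
    for n, packet in enumerate(packets):
        server.receive(packet, now=n * interval)
    return server.stats


def identical_packets(count):
    """The flawed test from the thread: the very same packet over and over."""
    base = {"id": 1, "Acct-Status-Type": "Start", "Acct-Session-Id": "deadbeef"}
    return [dict(base) for _ in range(count)]


def unique_packets(count):
    """A valid test: each packet is distinguishable by its own session id."""
    return [{"id": n % 256, "Acct-Status-Type": "Start",
             "Acct-Session-Id": "sess-%08x" % n} for n in range(count)]
```

If the threaded run reports a high duplicate count while the unique-packet run reports zero, the "lost" replies were duplicate responses, not dropped packets.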


Re: eap module change between 2.1.11 & 2.1.12 ?

2011-10-26 Thread Fred
2011/10/25 Fred :
> Phil,
> Yes, I am sure, but I don't have traces on hand...
> I will try to get some radiusd -X on 2.1.11 ASAP, as I can't do it now
> because I try to find a solution as I have to restart production in
> the next few hours ...
> Anyway, thanks a lot for your kind help attempts.
> Fred
>
> 2011/10/25 Phil Mayers :
>> On 25/10/11 16:10, Fred wrote:
>>
>>>     cache {
>>>        enable = no
>>>        lifetime = 6
>>>        max_entries = 8192
>>>        name = "A"
>>>     }
>>>    }
>>> rlm_eap: SSL error error:140DB111:SSL
>>> routines:SSL_CTX_set_session_id_context:ssl session id context too
>>> long
>>
>> I don't know why this isn't working. The un-patched 2.1.12 code builds the
>> "session id context" as:
>>
>> "FreeRADIUS EAP-TLS %s" eap->tls->cache->name
>>
>> If "name" is a one-char string, that should be <32 characters which is the
>> value of SSL_MAX_SSL_SESSION_ID_LENGTH (on my system).
>>
>> Sorry. Can't help. Try the patch and see if it works.
>>
>> Maybe this isn't your problem; are you SURE it works using the EXACT same
>> config under 2.1.11?
>>
>



Re: Unencrypted username in radacct/radpostauth for ttls tunnel authenticated user

2011-10-26 Thread Alan DeKok
James T. Mugauri wrote:
> I have managed to auth a Greenpacket WiMAX MS via an eap ttls tunnel.
> Thanks to Alan's direction earlier, I can also send the service flow
> definitions correctly.

  That's good.

> I have now found that subsequent db writes (and logging) associated with
> accounting and postauth functions are the encrypted values (available in
> the tunnel?). Is there a way to ensure that the plaintext values are
> used with all subsequent logging actions?

  Use a DB.

  On Access-Accept, store the unencrypted User-Name in the DB, along
with a Class attribute.  When you receive an accounting packet, look up
the Class attribute to find the unencrypted User-Name.

  That's pretty much the only way with WiMAX.

  Alan DeKok.
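The DB-backed Class lookup Alan describes, as an added example (not FreeRADIUS or the poster's code): post-auth stores the inner-tunnel User-Name under a freshly minted Class value, and accounting resolves the Class back to that name. The in-memory sqlite table, the function names and the attribute dictionaries are constructed for the illustration.

```python
import secrets
import sqlite3

# In-memory table standing in for the DB; constructed for this example.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE class_map (class TEXT PRIMARY KEY, username TEXT NOT NULL)")


def on_access_accept(inner_user_name):
    """Post-auth on Access-Accept: mint an opaque Class value, record which
    inner-tunnel (plaintext) User-Name it belongs to, and return the value to
    add to the reply. The NAS echoes Class back unchanged in its accounting
    packets, which is what links the two exchanges."""
    class_value = secrets.token_hex(16)  # 128 random bits: not guessable by another client
    _db.execute("INSERT INTO class_map VALUES (?, ?)", (class_value, inner_user_name))
    return class_value


def accounting_user_name(acct_attrs):
    """Accounting: resolve the plaintext user from Class. Returns None when the
    packet carries no known Class, so the caller can choose to log the outer
    (anonymous) User-Name explicitly rather than silently trusting it."""
    class_value = acct_attrs.get("Class")
    if class_value is None:
        return None
    row = _db.execute("SELECT username FROM class_map WHERE class = ?",
                      (class_value,)).fetchone()
    if row is None:
        return None
    if acct_attrs.get("Acct-Status-Type") == "Stop":
        # Session finished: the mapping is no longer needed.
        _db.execute("DELETE FROM class_map WHERE class = ?", (class_value,))
    return row[0]
```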


Anybody can confirm this?

2011-10-26 Thread tonimanel
Hi, 

I have two servers A and B configured. I have some doubts:
I would like to get to copy accounting data (same set of information) from A
to B. I have configured this and it works fine (copy-acct-to-home-server &
proxy.conf), BUT in the radacct table of server B, the records have different
acctstarttime and different acctstoptime from server A. I know that this
happens because server B catches its time and records it (there is a delay -
a few seconds). 
In another post, it was suggested that I modify the sql queries to get this (I should catch
the time of the packet that A sends - Event-Timestamp, and record it). To do this, I
have thought of checking "Packet-Src-IP-Address" and if it is equal to B's
address, I have to use my modified query. 
I have a problem, "Event-Timestamp" has the following format: "Oct 26 2011
13:03:14 CEST" and I want to get -mm-dd HH:MM:ss (mysql format and
current format of freeradius' dates). Do you know how I can do it? I can't
believe that I can't do this more easily... Any suggestions? 

I have to think that I will get it... 

Thanks and regards!

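An added example (not FreeRADIUS or either poster's code) working through both points raised in this thread: Fajar's rule for recovering when the NAS first sent the packet (Event-Timestamp if present, otherwise the receive time backed off by Acct-Delay-Time) and the conversion of the printed "Oct 26 2011 13:03:14 CEST" form into the YYYY-mm-dd HH:MM:SS string the radacct columns use. The zone table, the attribute dictionary and the function names are constructed; CEST is assumed to be UTC+2.

```python
from datetime import datetime, timedelta, timezone

# Zone abbreviations as the NAS prints them -> offset from UTC in hours.
# Constructed mapping; CEST (the zone in the question) is assumed to be UTC+2.
TZ_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "CET": 1, "CEST": 2}


def parse_event_timestamp(text):
    """Turn the printed form 'Oct 26 2011 13:03:14 CEST' into an aware datetime."""
    stamp, _, zone = text.rpartition(" ")
    if zone not in TZ_OFFSET_HOURS:
        raise ValueError("unknown time zone in Event-Timestamp: %r" % text)
    naive = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSET_HOURS[zone])))


def to_mysql_datetime(dt):
    """Render in UTC as 'YYYY-mm-dd HH:MM:SS', the DATETIME form used by radacct.
    Normalising to one zone is what lets rows on A and B compare equal."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def original_event_time(attrs, received_at):
    """When the NAS first sent this packet, following the rule in the thread:
    Event-Timestamp wins; otherwise back off the local receive time by
    Acct-Delay-Time, the NAS's own count of seconds spent retransmitting.
    `attrs` maps attribute name -> printed value; `received_at` is an aware
    datetime taken when the packet arrived."""
    if "Event-Timestamp" in attrs:
        return parse_event_timestamp(attrs["Event-Timestamp"])
    delay = int(attrs.get("Acct-Delay-Time", 0))
    return received_at - timedelta(seconds=delay)


def acctstarttime_value(attrs, received_at):
    """The string to bind into the INSERT where the stock dialup.conf query
    would use NOW(). Applied on both A and B, the copied packet yields the
    same value no matter when each server received it."""
    return to_mysql_datetime(original_event_time(attrs, received_at))
```

Without Event-Timestamp the result is only as good as the NAS's Acct-Delay-Time, so a packet with neither falls back to the receive time of whichever server handled it.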


PEAP with Machine auth

2011-10-26 Thread Bonald
Hi,
I've spent too much time trying to fix this issue and going nowhere...

I am trying to make MACHINE auth working on Windows/CiscoWLC and Freeradius.
I have no problem with USER auth.

The certificate is fine, I've created it using xpextension. I've also
tried a Windows-CA certificate.
I've also tried MACHINE auth with IAS and it's working.
I've upgraded the WLC to 7.0.0.116, I was at 6.0.199-4 before.

Why is it working with USER auth but not MACHINE auth ?

Could someone give me some direction ?

Thanks!


Here's some logs:


rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=58,
length=280
   User-Name = "host/MININT-EC23NBT.domain.local"
   Calling-Station-Id = "b4-74-9f-9d-55-fb"
   Called-Station-Id = "00-25-84-23-52-60:SSID--Secure"
   NAS-Port = 1
   Cisco-AVPair = "audit-session-id=0132800a005618faa74e"
   NAS-IP-Address = 10.10.1.1
   NAS-Identifier = "Controller-WLC2125"
   Airespace-Wlan-Id = 5
   Service-Type = Framed-User
   Framed-MTU = 1300
   NAS-Port-Type = Wireless-802.11
   EAP-Message =
0x0202002801686f73742f4d494e494e542d454332334e42542e6373646573696c65732e71632e6361
   Message-Authenticator = 0x5b1e2e25b76f1f348cb1bb62b94b2d43
server peap {
# Executing section authorize from file /etc/raddb/sites-enabled/peap
+- entering group authorize {...}
[suffix] No '@' in User-Name = "host/MININT-EC23NBT.domain.local",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 40
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/peap
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server peap
Sending Access-Challenge of id 58 to 10.10.1.1 port 32770
   EAP-Message = 0x010300061920
   Message-Authenticator = 0x
   State = 0xd4ade9e4d4aef086c00dbb7516145db0
Finished request 232.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=59,
length=395
   User-Name = "host/MININT-EC23NBT.domain.local"
   Calling-Station-Id = "b4-74-9f-9d-55-fb"
   Called-Station-Id = "00-25-84-23-52-60:SSID--Secure"
   NAS-Port = 1
   Cisco-AVPair = "audit-session-id=0132800a005618faa74e"
   NAS-IP-Address = 10.10.1.1
   NAS-Identifier = "Controller-WLC2125"
   Airespace-Wlan-Id = 5
   Service-Type = Framed-User
   Framed-MTU = 1300
   NAS-Port-Type = Wireless-802.11
   EAP-Message =
0x020300891980007f160301007a017603014ea7fa1c69583120e18e33c7779ea4d03e42e8b960079d8f36ab746be5bb345a20512dccfbf8a28c0c5d27fb46eac23b913c638cc133e76aa06671c2dca9bd0018002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
   State = 0xd4ade9e4d4aef086c00dbb7516145db0
   Message-Authenticator = 0xde1ff14a20623ba0cc79cb552d264947
server peap {
# Executing section authorize from file /etc/raddb/sites-enabled/peap
+- entering group authorize {...}
[suffix] No '@' in User-Name = "host/MININT-EC23NBT.domain.local",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 3 length 137
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/peap
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
 TLS Length 127
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 007a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 037c], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server peap
Sending Access-Challenge of id 59 to 10.10.1.1 port 32770
   EAP-Message =
0x010403c619001603010031022d03014ea7fa24d1353592fe67e3ae98e501bbfbe366dc12f730a1d2ab15d1efcc9f322f05ff01000100160301037c0b0003780003750003723082036e30820256a003020102020106300d06092a864886f70d01010505003075310b300906035504061

Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 13:49, Bonald wrote:


> WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility


Did you follow the link? Did you read it?

Most likely, you need to ensure your certificate CA is trusted by the 
machine store, as well as the user store(s)



Re: PEAP with Machine auth

2011-10-26 Thread Bonald
Yes, I've read it.
Yes, the certificate is trusted on the machine and the user store.

It must be something else; using USER auth it's working. MACHINE auth
is failing.

On Wed, Oct 26, 2011 at 10:14 AM, Phil Mayers  wrote:
> On 26/10/11 13:49, Bonald wrote:
>
>> WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
>> WARNING: !! Please read
>> http://wiki.freeradius.org/Certificate_Compatibility
>
> Did you follow the link? Did you read it?
>
> Most likely, you need to ensure your certificate CA is trusted by the
> machine store, as well as the user store(s)
>


Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 14:24, Bonald wrote:

> Yes, I've read it.
> Yes, the certificate is trusted on the machine and the user store.
>
> It must be something else; using USER auth it's working. MACHINE auth
> is failing.


Well, I guess it's just broken then. Oh well.

Seriously - it's important to understand that the CLIENT stops 
responding. FreeRADIUS can't do anything more in this case - the client 
has stopped sending EAPOL packets, so the client must think that 
something is wrong.


You will have to debug the client. This is very very painful on Windows; 
it's hard to even find the EAPOL debugging options, let alone interpret 
the results.


Good luck.


Re: Unencrypted username in radacct/radpostauth for ttls tunnel authenticated user

2011-10-26 Thread James T. Mugauri


On 10/26/2011 02:49 PM, freeradius-users-requ...@lists.freeradius.org 
wrote:

> On Access-Accept, store the unencrypted User-Name in the DB, along
> with a Class attribute.  When you receive an accounting packet, look up
> the Class attribute to find the unencrypted User-Name.

Thanks

I notice when running in debug mode, I have:

[ttls] Got tunneled request
User-Name = "testairs...@iconnect.zm"
User-Password = "airspan"
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "testairs...@iconnect.zm"
User-Password = "airspan"
FreeRADIUS-Proxied-To = 127.0.0.1
Calling-Station-Id = "00-1f-fb-20-7b-0e"
Service-Type = Framed-User
NAS-Port-Type = Wireless-802.16
WiMAX-Release = "1.0"
...
...
...
[sql] expand: %{User-Name} -> testairs...@iconnect.zm
[sql] sql_set_user escaped user --> 'testairs...@iconnect.zm'

The user is then correctly authenticated and receives the relevant 
parameters


What attribute contains the unencrypted username, and at which stage of 
the inner-tunnel session can I retrieve it?





> That's pretty much the only way with WiMAX.
>
> Alan DeKok



Re: PEAP with Machine auth

2011-10-26 Thread Alan DeKok
Phil Mayers wrote:
> Seriously - it's important to understand that the CLIENT stops
> responding. FreeRADIUS can't do anything more in this case - the client
> has stopped sending EAPOL packets, so the client must think that
> something is wrong.

  That's the main issue people have with RADIUS.  The client is in
charge of pretty much everything, and few people understand that.

Q: Why does the client stop talking to the server?
A: Because it doesn't like the response from the server

Q: OK... *what* part of the response doesn't it like?
A: Go ask the client

Q: But I can't!  What do I do?
A: well... we don't know, either.  Go ask Microsoft.

> You will have to debug the client. This is very very painful on Windows;
> it's hard to even find the EAPOL debugging options, let alone interpret
> the results.

  Yes.  Everyone reading this list should understand CLIENT issues cause
you to debug the CLIENT.

  If the server returns the wrong thing... you can fix the server.  For
pretty much everything else, blame the client.

  Alan DeKok.


Re: Unencrypted username in radacct/radpostauth for ttls tunnel authenticated user

2011-10-26 Thread Alan DeKok
James T. Mugauri wrote:
> On 10/26/2011 02:49 PM, freeradius-users-requ...@lists.freeradius.org
> wrote:
>> On Access-Accept, store the unencrypted User-Name in the DB, along
>> with a Class attribute.  When you receive an accounting packet, look up
>> the Class attribute to find the unencrypted User-Name.
> Thanks

  I don't see why.

> I notice when running in debug mode, I have:
> 
> [ttls] Got tunneled request
> User-Name = "testairs...@iconnect.zm"

  Which is an unencrypted User-Name.

> What attribute contains the unencrypted username, and at which stage of
> the inner-tunnel session can I retrieve it?

  (a) read my response
  (b) read the debug output.

  I fail to understand why this is difficult.  I answered your question.
 The debug log answers your question.  And you're still asking questions.

  Maybe you're looking for an answer to a question you didn't ask.  But
unless I'm completely incompetent at reading English, I answered your
question.

  Alan DeKok.


RE: PEAP with Machine auth

2011-10-26 Thread Sergio NNX

This kind of Q&A thing helps no one here! Many people are reporting the same 
issue on different platforms! I don't think the problem is either with the 
client or the certificates since I conducted some testing using the same client 
and the same certificates but an old FR version (1.1.7) and the tests pass. 
It's easier to blame something else but we could spend that time contributing 
to the solution and so helping others!



> Date: Wed, 26 Oct 2011 15:36:19 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: PEAP with Machine auth
> 
> Phil Mayers wrote:
> > Seriously - it's important to understand that the CLIENT stops
> > responding. FreeRADIUS can't do anything more in this case - the client
> > has stopped sending EAPOL packets, so the client must think that
> > something is wrong.
> 
>   That's the main issue people have with RADIUS.  The client is in
> charge of pretty much everything, and few people understand that.
> 
> Q: Why does the client stop talking to the server?
> A: Because it doesn't like the response from the server
> 
> Q: OK... *what* part of the response doesn't it like?
> A: Go ask the client
> 
> Q: But I can't!  What do I do?
> A: well... we don't know, either.  Go ask Microsoft.
> 
> > You will have to debug the client. This is very very painful on Windows;
> > it's hard to even find the EAPOL debugging options, let alone interpret
> > the results.
> 
>   Yes.  Everyone reading this list should understand CLIENT issues cause
> you to debug the CLIENT.
> 
>   If the server returns the wrong thing... you can fix the server.  For
> pretty much everything else, blame the client.
> 
>   Alan DeKok.


ntlm_auth fails @radius-debug

2011-10-26 Thread Andreas Rudat
Hello,

I work with this tutorial
http://deployingradius.com/documents/configuration/active_directory.html

all works fine, since I try to use ntlm_auth with radius directly


I added a user tester / testen

users:
at the top DEFAULT Auth-Type := ntlm_auth

tester Cleartext-Password := "testen"

and added to inner-site ->authenticate
ntlm_auth

then, if I try
radtest tester testen localhost 0 testing123

I get this
Found Auth-Type = ntlm_auth
  WARNING: Unknown value specified for Auth-Type.  Cannot perform
requested action.
Failed to authenticate the user.

Thanks



Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 14:47, Sergio NNX wrote:

> This kind of Q&A thing helps no one here! Many people are reporting the
> same issue on different platforms! I don't think the problem is either
> with the client or the certificates since I conducted some testing using
> the same client and the same certificates but an old FR version (1.1.7)
> and the tests pass. It's easier to blame something else but we could
> spend that time contributing to the solution and so helping others!


In earnest: What exactly would you like us to do? Be specific. Bear in 
mind that no-one is paid to offer help here.


If you can reproduce the problem reliably, then do so. Carefully 
document the configs that work under 1.1.7, and fail under 2.1.12, 
including the client configuration. Give that information to the list, 
and I'm sure if people are interested, they will take a look.


If no-one is interested, you should start investigating the problem 
yourself - FreeRADIUS is open source. If you lack the skills locally, 
hire a contractor.


I will try to find some time today to test machine auth.


Re: PEAP with Machine auth

2011-10-26 Thread Francois Gaudreault

Hi,

> This kind of Q&A thing helps no one here!

I think it does...

> Many people are reporting the same issue on different platforms! I 
> don't think the problem is either with the client or the certificates 
> since I conducted some testing using the same client and the same 
> certificates but an old FR version (1.1.7) and the tests pass. It's 
> easier to blame something else but we could spend that time 
> contributing to the solution and so helping others!

Even more weird, we have had the same issue lately with one controller 
model, and not the other.  We were using the same config on the client, 
on the server, and the same certs.


I also tend to blame the client tho, maybe EAP is now more strict on the 
server side?  If you can point us a doc to enable the EAP debug under 
windows, I am sure many people (even myself) would be glad to troubleshoot.






> Date: Wed, 26 Oct 2011 15:36:19 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: PEAP with Machine auth
>
> Phil Mayers wrote:
> > Seriously - it's important to understand that the CLIENT stops
> > responding. FreeRADIUS can't do anything more in this case - the client
> > has stopped sending EAPOL packets, so the client must think that
> > something is wrong.
>
> That's the main issue people have with RADIUS. The client is in
> charge of pretty much everything, and few people understand that.
>
> Q: Why does the client stop talking to the server?
> A: Because it doesn't like the response from the server
>
> Q: OK... *what* part of the response doesn't it like?
> A: Go ask the client
>
> Q: But I can't! What do I do?
> A: well... we don't know, either. Go ask Microsoft.
>
> > You will have to debug the client. This is very very painful on Windows;
> > it's hard to even find the EAPOL debugging options, let alone interpret
> > the results.
>
> Yes. Everyone reading this list should understand CLIENT issues cause
> you to debug the CLIENT.
>
> If the server returns the wrong thing... you can fix the server. For
> pretty much everything else, blame the client.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP with Machine auth

2011-10-26 Thread Alan DeKok
Sergio NNX wrote:
> This kind of Q&A thing helps no one here!

  Nonsense.  Explaining WHAT is going on, and WHY it's difficult for us
to help you is useful.

> Many people are reporting the
> same issue on different platforms! I don't think the problem is either
> with the client or the certificates since I conducted some testing using
> the same client and the same certificates but an old FR version (1.1.7)
> and the tests pass. It's easier to blame something else but we could
> spend that time contributing to the solution and so helping others!

  You want me to spend more time contributing?

  Right... I don't need to sleep or eat.

  If what you say is true (older versions work), then *you* can
contribute.  Build each version of the server until you find that
version X works, and version X+1 doesn't.

  I don't have the Windows machines for these tests, so I can't do them.
 Only you can.

  Go ahead.  Contribute.  Do what you ask others to do.  I'm waiting.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[solved] Re: ntlm_auth fails @radius-debug

2011-10-26 Thread Andreas Rudat
I edited the wrong site... sorry



Am 26.10.2011 15:48, schrieb Andreas Rudat:
> Hello,
>
> I work with this tutorial
> http://deployingradius.com/documents/configuration/active_directory.html
>
> all works fine, since I try to use ntlm_auth with radius directly
>
>
> I added a user tester / testen
>
> users:
> at the top DEFAULT Auth-Type := ntlm_auth
>
> tester Cleartext-Password := "testen"
>
> and added to inner-site ->authenticate
> ntlm_auth
>
> then, if I try
> radtest tester testen localhost 0 testing123
>
> I get this
> Found Auth-Type = ntlm_auth
>   WARNING: Unknown value specified for Auth-Type.  Cannot perform
> requested action.
> Failed to authenticate the user.
>
> Thanks
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: PEAP with Machine auth

2011-10-26 Thread Sallee, Stephen (Jake)
Ok, I have been watching your discourse from afar and I have to say this:

> This kind of Q&A thing helps no one here! ...

Two things.  Number one, he IS answering your questions.  He is just not GIVING 
you the answer.  Number two, the gentleman in question is quite possibly the 
preeminent FreeRADIUS expert in the world.  When he tells you something about 
FreeRADIUS, you should listen.

Sorry, I am not trying to be too blunt.   But when an expert speaks, you should 
listen.  This is true in any area.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Sergio NNX
Sent: Wednesday, October 26, 2011 8:47 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: PEAP with Machine auth

This kind of Q&A thing helps no one here! Many people are reporting the same 
issue on different platforms! I don't think the problem is either with the 
client or the certificates since I conducted some testing using the same client 
and the same certificates but an old FR version (1.1.7) and the tests pass. 
It's easier to blame something else but we could spend that time contributing 
to the solution and so helping others!


> Date: Wed, 26 Oct 2011 15:36:19 +0200
> From: al...@deployingradius.com
> To: 
> freeradius-users@lists.freeradius.org
> Subject: Re: PEAP with Machine auth
>
> Phil Mayers wrote:
> > Seriously - it's important to understand that the CLIENT stops
> > responding. FreeRADIUS can't do anything more in this case - the client
> > has stopped sending EAPOL packets, so the client must think that
> > something is wrong.
>
> That's the main issue people have with RADIUS. The client is in
> charge of pretty much everything, and few people understand that.
>
> Q: Why does the client stop talking to the server?
> A: Because it doesn't like the response from the server
>
> Q: OK... *what* part of the response doesn't it like?
> A: Go ask the client
>
> Q: But I can't! What do I do?
> A: well... we don't know, either. Go ask Microsoft.
>
> > You will have to debug the client. This is very very painful on Windows;
> > it's hard to even find the EAPOL debugging options, let alone interpret
> > the results.
>
> Yes. Everyone reading this list should understand CLIENT issues cause
> you to debug the CLIENT.
>
> If the server returns the wrong thing... you can fix the server. For
> pretty much everything else, blame the client.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Build RPM

2011-10-26 Thread Francois Gaudreault

Hi,

See Below (I won't put the comments section) for RHEL5:

Summary: High-performance and highly configurable free RADIUS server
Name: freeradius2
Version: 2.1.12
Release: 1%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/

Source0: ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2

Source100: freeradius-radiusd-init
Source102: freeradius-logrotate
Source103: freeradius-pam-conf

Patch1: freeradius-cert-config.patch

Obsoletes: freeradius2-devel
Obsoletes: freeradius2-libs

%define docdir %{_docdir}/freeradius-%{version}
%define initddir %{?_initddir:%{_initddir}}%{!?_initddir:%{_initrddir}}

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

BuildRequires: autoconf
BuildRequires: gdbm-devel
BuildRequires: libtool
BuildRequires: libtool-ltdl-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: zlib-devel
BuildRequires: net-snmp-devel
BuildRequires: net-snmp-utils
BuildRequires: readline-devel
BuildRequires: libpcap-devel

Requires(pre): shadow-utils glibc-common
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig

%description
The FreeRADIUS Server Project is a high performance and highly configurable
GPL'd free RADIUS server. The server is similar in some respects to
Livingston's 2.0 server.  While FreeRADIUS started as a variant of the
Cistron RADIUS server, they don't share a lot in common any more. It now has
many more features than Cistron or Livingston, and is much more 
configurable.


FreeRADIUS is an Internet authentication daemon, which implements the RADIUS
protocol, as defined in RFC 2865 (and others). It allows Network Access
Servers (NAS boxes) to perform authentication for dial-up users. There are
also RADIUS clients available for Web servers, firewalls, Unix logins, and
more.  Using RADIUS allows authentication and authorization for a network to
be centralized, and minimizes the amount of re-configuration which has to be
done when adding or deleting new users.

%package utils
Group: System Environment/Daemons
Summary: FreeRADIUS utilities
Requires: %{name} = %{version}-%{release}
Requires: libpcap >= 0.9.4

%description utils
The FreeRADIUS server has a number of features found in other servers,
and additional features not found in any other server. Rather than
doing a feature by feature comparison, we will simply list the features
of the server, and let you decide if they satisfy your needs.

Support for RFC and VSA Attributes Additional server configuration
attributes Selecting a particular configuration Authentication methods

%package ldap
Summary: LDAP support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: openldap-devel

%description ldap
This plugin provides the LDAP support for the FreeRADIUS server project.

%package krb5
Summary: Kerberos 5 support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: krb5-devel

%description krb5
This plugin provides the Kerberos 5 support for the FreeRADIUS server 
project.


%package perl
Summary: Perl support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))

%{?fedora:BuildRequires: perl-devel}
%if 0%{?rhel} <= 5
BuildRequires: perl
%endif
%if 0%{?rhel} >= 6
BuildRequires: perl-devel
%endif
BuildRequires: perl(ExtUtils::Embed)

%description perl
This plugin provides the Perl support for the FreeRADIUS server project.

%package python
Summary: Python support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: python-devel

%description python
This plugin provides the Python support for the FreeRADIUS server project.

%package mysql
Summary: MySQL support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: mysql-devel

%description mysql
This plugin provides the MySQL support for the FreeRADIUS server project.

%package postgresql
Summary: Postgresql support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: postgresql-devel

%description postgresql
This plugin provides the postgresql support for the FreeRADIUS server 
project.


%package unixODBC
Summary: Unix ODBC support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: unixODBC-devel

%description unixODBC
This plugin provides the unixODBC support for the FreeRADIUS server project.


%prep
%setup -q -n freeradius-server-%{version}
%patch1 -p1 -b .cert-config
# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +


%build
%ifarch s390 s390x
export CFLAGS="$RPM_OPT_FLAGS -fPIC"
%else
export C

Re: PEAP with Machine auth

2011-10-26 Thread Alan DeKok
Francois Gaudreault wrote:
> Even more weird, we have had the same issue lately with one controller
> model, and not the other.  We were using the same config on the client,
> on the server, and the same certs.

  Ouch.  The whole EAP ecosystem is fragile to the point of insanity.

  There are times when I'm surprised it works at *all*.

> I also tend to blame the client tho, maybe EAP is now more strict on the
> server side?  If you can point us to a doc to enable the EAP debug under
> windows, I am sure many people (even myself) would be glad to troubleshoot.

  The server side of EAP has changed a bit... but not much.  Most of the
changes to EAP are really the SSL stuff inside of OpenSSL, which we
don't control.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP with Machine auth

2011-10-26 Thread Francois Gaudreault



>> Even more weird, we have had the same issue lately with one controller
>> model, and not the other.  We were using the same config on the client,
>> on the server, and the same certs.
>
>    Ouch.  The whole EAP ecosystem is fragile to the point of insanity.
>
>    There are times when I'm surprised it works at *all*.

You bet.  It was two controllers from the same manufacturer, just
different model/firmware :S


--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-26 Thread Daniel Menezes
Hi all,

First, sorry for my bad English.

I have a FreeRadius + MySQL setup with MikroTik as NAS.
And a few days ago I have some warnings and errors in the log:

Tue Oct 25 04:02:41 2011 : Info: Released IP xxx.xxx.xxx.xxx (did via-pppoe-01 cli xx:xx:xx:xx:xx:xx user dmnzs-test)
Tue Oct 25 05:30:36 2011 : Error: Received conflicting packet from client my-pppoe-01 port 39595 - ID: 75 due to unfinished request 625066.  Giving up on old request.
Tue Oct 25 15:43:20 2011 : Error: WARNING: Unresponsive child for request 784, in module radutmp component accounting


I read something about slow backend, table indexes and other things.
I've used the backend script 'mysqltuner.pl' to adjust the performance.
It's better now, but the warnings and errors persist.

Can anyone help me on this?
Thanks in advance.


Sds,

---
Daniel Menezes



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 14:58, Phil Mayers wrote:
> On 26/10/11 14:47, Sergio NNX wrote:
>> This kind of Q&A thing helps no one here! Many people are reporting the
>> same issue on different platforms! I don't think the problem is either
>> with the client or the certificates since I conducted some testing using
>> the same client and the same certificates but an old FR version (1.1.7)
>> and the tests pass. It's easier to blame something else but we could
>> spend that time contributing to the solution and so helping others!
>
> In earnest: What exactly would you like us to do? Be specific. Bear in
> mind that no-one is paid to offer help here.
>
> If you can reproduce the problem reliably, then do so. Carefully
> document the configs that work under 1.1.7, and fail under 2.1.12,
> including the client configuration. Give that information to the list,
> and I'm sure if people are interested, they will take a look.
>
> If no-one is interested, you should start investigating the problem
> yourself - FreeRADIUS is open source. If you lack the skills locally,
> hire a contractor.
>
> I will try to find some time today to test machine auth.



Sorry, this is long.

tl;dr version - under Windows 7, if you import the CA certificate into 
the "Trusted Root Certification Authorities" hierarchy in the MMC 
"Certificates" snap-in, Windows 7 user- and machine-auth work just fine 
against an out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.


It works for me.

===


I have just tested machine auth on a Windows 7 client. Everything works 
as I expected. Using an out-of-the-box FreeRADIUS 2.1.12 install and 
default configs, I made two changes:


 1. Edit "modules/mschap" to enable the "ntlm_auth" helper like so:

ntlm_auth = "... --username=%{mschap:User-Name} ..."

 2. Edit "clients.conf" to add an entry for the switch

I then started FreeRADIUS, and it auto-generated the certificates. I 
then tried a sequence of things on the Windows client.


First - open the "services" MMC snap-in, and start (and set to 
auto-start) the "Wired autoconfig" service


Second - open the network adapter list, right-click on the wired 
adapter, and enable authentication using the default settings (PEAP, 
MSCHAP inner) except that I unchecked "use my windows domain login / 
password"


I then enabled 802.1x on the port facing the machine.

== 1st auth ==

Failed. Client did the TLS negotiation, and returned the following error 
to FreeRADIUS:


[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.

This is expected; we haven't yet imported the client cert into the 
certificate store.


== 2nd auth ==

Copy the "ca.cer" file onto the client, double-click on it, follow the 
prompts using the defaults. This didn't work - the client did not import 
the cert, despite appearing to, so auth again failed.


== 3rd auth ==

Open "mmc", add the "Certificates" snap-in for "My user account". In the 
snap-in, expand the "Trusted Root Certification Authorities" folder, and 
right click on the "Certificates" child - select "All Tasks", 
"Import...". Browse to the cert & import it. You will be prompted saying 
"Windows cannot verify ..." - click OK.


You should now see the example cert in the list.

Re-start the 802.1x auth (unplug/reconnect).

You will be prompted for a username/password, as before - this time, 
auth will succeed.


== 4th auth ==

Return to the network adapter settings. Right-click, select properties. 
Go to the Authentication tab, select "Additional settings", and tick the 
"Specify authentication mode" box, and select "Computer authentication" 
from the drop-down.


The machine will re-authenticate and, as expected, fail with a bad CA alert:

[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca


== 5th auth ==

Return to the "mmc" window; add the "Certificates" snap-in for the 
computer account. Again, expand "Trusted Root Certification Authorities" 
and right-click on "Certificates" and select "All tasks", "Import..". 
Browse to the "ca.cer" and import it.


Re-start authentication. Authentication will work.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-26 Thread Fajar A. Nugraha
On Wed, Oct 26, 2011 at 10:08 PM, Daniel Menezes  wrote:
> I read something about slow backend, tables indexes and other things.
> I've used the backend script 'mysqltuner.pl' to adjust the performance.
> It's better now, but the warnings and erros persists.
>
> Can anyone help me on this?

Obviously the automated script-based adjustment isn't enough.

Get a dba. I haven't seen a script so good that it can magically
solve all problems and replace an actual expert.

A dba would be able to do a deep dive into your configuration and come
up with the best solution based on your particular situation. Who
knows, one piece of advice might be "delete these indexes" (no, I'm not
kidding) or "you need to archive accounting records older than x
days".

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-26 Thread Fajar A. Nugraha
On Wed, Oct 26, 2011 at 10:08 PM, Daniel Menezes  wrote:
> Tue Oct 25 15:43:20 2011 : Error: WARNING: Unresponsive child for request
> 784, in module radutmp component accounting

Another thing to try: are you using radutmp? If not (e.g. the
session/simultaneous-use check is using sql), just mark all instances
of radutmp in sites-available/default (and whatever other virtual
server you use).

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 16:14, Phil Mayers wrote:
> Sorry, this is long.
>
> tl;dr version - under Windows 7, if you import the CA certificate into
> the "Trusted Root Certification Authorities" hierarchy in the MMC
> "Certificates" snap-in, Windows 7 user- and machine-auth work just fine
> against an out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.
>
> It works for me.


I've also tested the "802.1x single sign-on" functionality in Windows 7. 
Again, with the certs in the appropriate place, this just works. The 
machine authenticates as itself - host/name.domain.com - and when you 
enter your username/password, it de-auths and re-auths as "DOM\user"

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
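Phil's five-step walkthrough above and his SSO note (the machine authenticates as host/name.domain.com, the person as DOM\user) both come down to one question when the debug shows a fatal unknown_ca: which certificate store was the supplicant consulting, and who actually aborted the handshake. The script below is an added example, not code from this thread or from FreeRADIUS: it reads "radiusd -X" output, pulls the outer identity and the last TLS alert, says whether the supplicant or the server sent it, and maps the alert to the action the posts describe. The sample debug text is constructed from the alert lines quoted above; the client address and User-Name are invented, and the alert-to-cause table is this example's reading of the RFC 5246 alert names, not FreeRADIUS output.

```python
import re

# Direction marker comes from the OpenSSL message callback FreeRADIUS uses:
# "<<<" is data the server read (sent by the supplicant), ">>>" data it wrote.
ALERT_RE = re.compile(
    r"(?P<dir><<<|>>>) TLS [\d.]+ Alert \[length \d+\], (?P<level>warning|fatal) (?P<name>\w+)"
)
USER_RE = re.compile(r'^\s*User-Name = "(?P<name>[^"]*)"', re.MULTILINE)

# Our reading of the RFC 5246 alert names as a Windows PEAP supplicant uses
# them; this table is the example's interpretation, not FreeRADIUS output.
ALERT_CAUSES = {
    "unknown_ca": (
        "supplicant does not trust the CA that issued the server certificate",
        "import ca.cer into Trusted Root Certification Authorities and tick that CA in the PEAP properties",
    ),
    "certificate_expired": (
        "server certificate or its CA is outside its validity period",
        "re-issue the server certificate and check the client clock",
    ),
    "bad_certificate": (
        "supplicant rejected the certificate contents (for example no Server Authentication EKU)",
        "check the certificate extensions and the supplicant's server-name check",
    ),
    "certificate_unknown": (
        "supplicant could not process the certificate for an unspecified reason",
        "compare the chain the server sends with what the supplicant expects",
    ),
    "handshake_failure": (
        "no TLS version or cipher suite acceptable to both sides",
        "check the tls { } section in eap.conf and the OpenSSL build",
    ),
}

# Constructed "radiusd -X" excerpt for a Windows 7 machine-auth attempt. The
# alert lines are the ones from the post; the client address and User-Name
# are invented for the example.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=17, length=210
\tUser-Name = "host/pc01.corp.example"
\tNAS-Port-Type = Ethernet
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
"""


def auth_mode(user_name):
    """Windows sends host/<fqdn> for the computer account, DOM\\user (or user) for a person."""
    if user_name is None:
        return "unknown"
    return "machine" if user_name.lower().startswith("host/") else "user"


def triage(debug_text):
    """Return identity, auth mode, the last TLS alert, who sent it, and what to do."""
    m = USER_RE.search(debug_text)
    identity = m.group("name") if m else None
    mode = auth_mode(identity)
    result = {"identity": identity, "mode": mode, "alert": None, "sent_by": None,
              "cause": None, "action": None}

    alerts = [a.groupdict() for a in ALERT_RE.finditer(debug_text)]
    if not alerts:
        result["cause"] = ("no TLS alert: either the handshake completed or the supplicant "
                           "stopped replying, which only the client side can explain")
        return result

    last = alerts[-1]
    result["alert"] = last["name"]
    result["sent_by"] = "client" if last["dir"] == "<<<" else "server"
    cause, action = ALERT_CAUSES.get(
        last["name"], ("alert not in this table", "look the name up in RFC 5246 section 7.2"))
    if last["name"] == "unknown_ca" and mode == "machine":
        # Machine auth runs before anyone logs on, so only the computer
        # account's store (Cert:\LocalMachine\Root) is consulted.
        action += "; for machine auth the CA must be in the computer account's store (Cert:\\LocalMachine\\Root)"
    result["cause"], result["action"] = cause, action
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print("%-9s %s" % (key + ":", value))
```

The direction matters for the security reading. A "<<<" fatal alert means the supplicant validated the server certificate and refused it, which is the behaviour you want; a supplicant with "Validate server certificate" unticked never produces this alert, but it will also finish PEAP against any server that presents a certificate and hand its MSCHAPv2 response to whoever runs that server. Fixing unknown_ca by importing the CA keeps validation on; fixing it by turning validation off does not. Note also that the current-user Trusted Root view on Windows includes the computer store, so importing once into the computer account (Phil's step 5) covers the user-auth case in step 3 as well.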


Re: PEAP with Machine auth

2011-10-26 Thread Bonald
If you are using the default config then your eap.conf must have
 default_eap_type = md5

Try with peap.


On Wed, Oct 26, 2011 at 12:14 PM, Phil Mayers  wrote:
> On 26/10/11 14:58, Phil Mayers wrote:
>>
>> On 26/10/11 14:47, Sergio NNX wrote:
>>>
>>> This kind of Q&A thing helps no one here! Many people are reporting the
>>> same issue on different platforms! I don't think the problem is either
>>> with the client or the certificates since I conducted some testing using
>>> the same client and the same certificates but an old FR version (1.1.7)
>>> and the tests pass. It's easier to blame something else but we could
>>> spend that time contributing to the solution and so helping others!
>>
>> In earnest: What exactly would you like us to do? Be specific. Bear in
>> mind that no-one is paid to offer help here.
>>
>> If you can reproduce the problem reliably, then do so. Carefully
>> document the configs that work under 1.1.7, and fail under 2.1.12,
>> including the client configuration. Give that information to the list,
>> and I'm sure if people are interested, they will take a look.
>>
>> If no-one is interested, you should start investigating the problem
>> yourself - FreeRADIUS is open source. If you lack the skills locally,
>> hire a contractor.
>>
>> I will try to find some time today to test machine auth.
>>
>
> Sorry, this is long.
>
> tl;dr version - under Windows 7, if you import the CA certificate into the
> "Trusted Root Certification Authorities" hierarchy in the MMC "Certificates"
> snap-in, Windows 7 user- and machine-auth work just fine against an
> out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.
>
> It works for me.
>
> ===
>
>
> I have just tested machine auth on a Windows 7 client. Everything works as I
> expected. Using an out-of-the-box FreeRADIUS 2.1.12 install and default
> configs, I made two changes:
>
>  1. Edit "modules/mschap" to enable the "ntlm_auth" helper like so:
>
> ntlm_auth = "... --username=%{mschap:User-Name} ..."
>
>  2. Edit "clients.conf" to add an entry for the switch
>
> I then started FreeRADIUS, and it auto-generated the certificates. I then
> tried a sequence of things on the Windows client.
>
> First - open the "services" MMC snap-in, and start (and set to auto-start)
> the "Wired autoconfig" service
>
> Second - open the network adapter list, right-click on the wired adapter,
> and enable authentication using the default settings (PEAP, MSCHAP inner)
> except that I unchecked "use my windows domain login / password"
>
> I then enabled 802.1x on the port facing the machine.
>
> == 1st auth ==
>
> Failed. Client did the TLS negotiation, and returned the following error to
> FreeRADIUS:
>
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
>    TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
>
> This is expected; we haven't yet imported the client cert into the
> certificate store.
>
> == 2nd auth ==
>
> Copy the "ca.cer" file onto the client, double-click on it, follow the
> prompts using the defaults. This didn't work - the client did not import the
> cert, despite appearing to, so auth again failed.
>
> == 3rd auth ==
>
> Open "mmc", add the "Certificates" snap-in for "My user account". In the
> snap-in, expand the "Trusted Root Certification Authorities" folder, and
> right click on the "Certificates" child - select "All Tasks", "Import...".
> Browse to the cert & import it. You will be prompted saying "Windows cannot
> verify ..." - click OK.
>
> You should now see the example cert in the list.
>
> Re-start the 802.1x auth (unplug/reconnect).
>
> You will be prompted for a username/password, as before - this time, auth
> will succeed.
>
> == 4th auth ==
>
> Return to the network adapter settings. Right-click, select properties. Go
> to the Authentication tab, select "Additional settings", and tick the
> "Specify authentication mode" box, and select "Computer authentication" from
> the drop-down.
>
> The machine will re-authenticate and, as expected, fail with a bad CA alert:
>
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
>    TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca
>
> == 5th auth ==
>
> Return to the "mmc" window; add the "Certificates" snap-in for the computer
> account. Again, expand "Trusted Root Certification Authorities" and
> right-click on "Certificates" and select "All tasks", "Import..". Browse to
> the "ca.cer" and import it.
>
> Re-start authentication. Authentication will work.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 16:54, Bonald wrote:
> If you are using the default config then your eap.conf must have
>   default_eap_type = md5

Yes. The client NAKs the EAP-MD5 and asks for PEAP.

> Try with peap.


Just to placate you, I have done so. It made no difference, except save 
one round-trip. User- and machine-based auth as well as single signon 
still both work.


The default EAP type is just that - the default. If you have the client 
set up to use PEAP, it will NAK the MD5 and ask for EAP, and the server 
will honour it.


Again: It is important that you understand authentication is driven by 
the CLIENT.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 14:24, Bonald wrote:
> Yes i've read it.
> Yes the certificate is trusted on the machine and the user store.
>
> It must be something else, using USER auth it's working. MACHINE auth
> is failing.


What is the client operating system and version, including service pack?

Are you using the built-in operating system supplicant, or a 3rd-party 
supplicant?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-26 Thread Tim Sylvester
Hi Daniel,

> I have a FreeRadius + MySQL setup with MikroTik as NAS.
> And a few days ago I have some warnings and errors in the log:
> 
> Tue Oct 25 04:02:41 2011 : Info: Released IP xxx.xxx.xxx.xxx (did
> via-pppoe-01 cli xx:xx:xx:xx:xx:xx user dmnzs-test)
> Tue Oct 25 05:30:36 2011 : Error: Received conflicting packet from client
> my-pppoe-01 port 39595 - ID: 75 due to unfinished request 625066.  Giving
> up on old request.
> Tue Oct 25 15:43:20 2011 : Error: WARNING: Unresponsive child for request
> 784, in module radutmp component accounting

There are a few basic steps you can take to improve the performance of
FreeRADIUS with MySQL.

1. Use the InnoDB Engine in MySQL. 
2. Increase the number of SQL sockets in sql.conf (num_sql_socks). The
default is 5, try 25.
3. Increase the number of connections (max_connections) in my.cnf to match
the number of SQL sockets in sql.conf.
4. Enable the MySQL slow query log (slow_query_log) in my.cnf.
5. Check the MySQL slow query log file for problems.

Start with this list.

Tim


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 26/10/11 17:15, Phil Mayers wrote:
> On 26/10/11 14:24, Bonald wrote:
>> Yes i've read it.
>> Yes the certificate is trusted on the machine and the user store.
>>
>> It must be something else, using USER auth it's working. MACHINE auth
>> is failing.
>
> What is the client operating system and version, including service pack?
>
> Are you using the built-in operating system supplicant, or a 3rd-party
> supplicant?



Also, if you can (unicast, if you want) show the "netsh lan show 
profile" output from a command prompt please?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RES: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-26 Thread Daniel Menezes
Yes, there is a large number of rows in the radacct and radpostauth tables.
The attribute 'Acct-Interim-Interval' works very well but makes many
records.
I rotate these tables to archive old records, I think I'll do this every
month.

Of course, the script wouldn't solve all my problems, but it was very
useful.
Maybe I really need some customization to the backend, I'll think about it.

Thank you.


Sds,

---
Daniel Menezes


-Mensagem original-
De: freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org
[mailto:freeradius-users-bounces+listas=dmnzs.com...@lists.freeradius.org]
Em nome de Fajar A. Nugraha
Enviada em: quarta-feira, 26 de outubro de 2011 13:17
Para: FreeRadius users mailing list
Assunto: Re: FreeRadius + MySQL | radacct: Errors and Warnings

On Wed, Oct 26, 2011 at 10:08 PM, Daniel Menezes 
wrote:
> I read something about slow backend, tables indexes and other things.
> I've used the backend script 'mysqltuner.pl' to adjust the performance.
> It's better now, but the warnings and erros persists.
>
> Can anyone help me on this?

Obviously the automated script-based adjustment isn't enough.

Get a dba. I haven't seen a script so good that it can magically
solve all problems and replace an actual expert.

A dba would be able to do a deep dive into your configuration and come
up with the best solution based on your particular situation. Who
knows, one piece of advice might be "delete these indexes" (no, I'm not
kidding) or "you need to archive accounting records older than x
days".

-- 
Fajar
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius + MySQL | radacct: Errors and Warnings

2011-10-26 Thread Fajar A. Nugraha
On Thu, Oct 27, 2011 at 12:13 AM, Daniel Menezes  wrote:
> Yes, there is a large number of rows in the radacct and radposauth tables.
> The attribute 'Acct-Interim-Interval' works very well but makes many
> records.

Interim updates aren't supposed to add records, they simply update existing ones.
They DO make the db busier though, since the number of accounting
requests increases (depending on your environment, the difference can
be over an order of magnitude).

> I rotate these tables to archive old records, I think I'll do this every
> month.
>
> Of course, the script wouldn't solve all my problems, but it was very
> useful.
> Maybe I really need some customization to the backend, I'll think about it.

Another thing to consider, IF:
- you're pretty sure that your setup is optimized-enough
- you already have someone with enough knowledge to look at the system
and determine that the bottleneck is in disk I/O (due to frequent
random db disk access)
- you have limited budget

then you might want to try spending your budget to replace the disk
with an SSD. Get a SandForce-based SSD (or any other MLC SSD that has good
garbage collection and wear-leveling). Usually they can give you an
instant performance boost (can be over 10x, depending on your current
situation) due to increased available IOPS.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
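Fajar's point that an interim update rewrites the session's existing row rather than adding one, and Tim's list of things to check on the MySQL side, are easier to reason about against a miniature radacct. The block below is an added example, not FreeRADIUS's shipped SQL or schema: it keeps only the columns the three stock accounting queries touch, replays constructed Start/Interim-Update/Stop packets through sqlite3, counts rows against writes, and checks that the interim/stop UPDATE is served by an index rather than a table scan. Column names follow the 2.x MySQL schema; the queries, the session generator, the NAS address and the radacct_session index name are simplifications made for the example.

```python
import hashlib
import sqlite3

# Cut-down radacct: column names follow the FreeRADIUS 2.x MySQL schema, but
# only the columns the three queries below touch are kept. The composite index
# is ours; the stock schema indexes the same three columns separately.
SCHEMA = """
CREATE TABLE radacct (
    radacctid        INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid    TEXT NOT NULL,
    acctuniqueid     TEXT NOT NULL UNIQUE,
    username         TEXT NOT NULL,
    nasipaddress     TEXT NOT NULL,
    acctstarttime    INTEGER,
    acctstoptime     INTEGER,
    acctsessiontime  INTEGER,
    acctinputoctets  INTEGER,
    acctoutputoctets INTEGER,
    framedipaddress  TEXT
);
CREATE INDEX radacct_session ON radacct (acctsessionid, username, nasipaddress);
"""

NAS_IP = "192.0.2.1"   # constructed NAS address
T0 = 1319600000        # constructed epoch start; only differences matter


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def make_packet(n, status, elapsed):
    """Constructed accounting packet for session n, `elapsed` seconds after Start."""
    return {
        "Acct-Status-Type": status,
        "User-Name": "user%d" % n,
        "NAS-IP-Address": NAS_IP,
        "Acct-Session-Id": "8100%04X" % n,
        "Framed-IP-Address": "10.0.0.%d" % (n + 10),
        "Event-Timestamp": T0 + elapsed,
        "Acct-Session-Time": elapsed,
        "Acct-Input-Octets": elapsed * 100,
        "Acct-Output-Octets": elapsed * 1000,
    }


def unique_id(pkt):
    """Stand-in for rlm_acct_unique: hash the fields that identify one session."""
    raw = "|".join(pkt[k] for k in ("NAS-IP-Address", "Acct-Session-Id", "User-Name"))
    return hashlib.md5(raw.encode()).hexdigest()


def handle_accounting(db, pkt):
    """Apply one packet the way the stock queries do; return the SQL verb used."""
    status = pkt["Acct-Status-Type"]
    key = (pkt["Acct-Session-Id"], pkt["User-Name"], pkt["NAS-IP-Address"])
    if status == "Start":
        db.execute(
            "INSERT INTO radacct (acctsessionid, acctuniqueid, username, nasipaddress,"
            " acctstarttime, framedipaddress) VALUES (?, ?, ?, ?, ?, ?)",
            (key[0], unique_id(pkt), key[1], key[2],
             pkt["Event-Timestamp"], pkt.get("Framed-IP-Address")),
        )
        return "insert"
    if status in ("Interim-Update", "Stop"):
        stop = pkt["Event-Timestamp"] if status == "Stop" else None
        cur = db.execute(
            "UPDATE radacct SET acctsessiontime = ?, acctinputoctets = ?,"
            " acctoutputoctets = ?, acctstoptime = COALESCE(?, acctstoptime)"
            " WHERE acctsessionid = ? AND username = ? AND nasipaddress = ?"
            " AND acctstoptime IS NULL",
            (pkt["Acct-Session-Time"], pkt["Acct-Input-Octets"],
             pkt["Acct-Output-Octets"], stop) + key,
        )
        # No open row: the Start was lost or the session already stopped. The
        # stock config falls back to an INSERT here (the *_query_alt queries);
        # this example only reports it.
        return "update" if cur.rowcount else "orphan"
    raise ValueError("unhandled Acct-Status-Type %r" % status)


def simulate(db, sessions, session_seconds, interim_interval):
    """Replay constructed sessions; return (rows in radacct, SQL writes issued)."""
    writes = 0
    for n in range(sessions):
        handle_accounting(db, make_packet(n, "Start", 0))
        writes += 1
        if interim_interval:
            for elapsed in range(interim_interval, session_seconds, interim_interval):
                handle_accounting(db, make_packet(n, "Interim-Update", elapsed))
                writes += 1
        handle_accounting(db, make_packet(n, "Stop", session_seconds))
        writes += 1
    db.commit()
    rows = db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    return rows, writes


def update_uses_index(db):
    """True if the interim/stop UPDATE is served by the session index, not a table scan."""
    plan = db.execute(
        "EXPLAIN QUERY PLAN UPDATE radacct SET acctstoptime = 1"
        " WHERE acctsessionid = 'x' AND username = 'y' AND nasipaddress = 'z'"
        " AND acctstoptime IS NULL"
    ).fetchall()
    return any("USING INDEX radacct_session" in str(row) for row in plan)


if __name__ == "__main__":
    for interval in (0, 300):
        db = open_db()
        rows, writes = simulate(db, sessions=3, session_seconds=3600, interim_interval=interval)
        print("interim=%4ds rows=%d writes=%d indexed=%s"
              % (interval, rows, writes, update_uses_index(db)))
```

With a 300-second Acct-Interim-Interval a one-hour session still leaves exactly one row, but it costs 13 writes instead of 2, which is the "busier db" Fajar describes and the load the slow-query log from Tim's list will show. The same function also exposes the edge case the stock *_query_alt queries exist for: a Stop or Interim-Update whose Start never arrived (or a duplicate Stop) matches no open row, and the UPDATE silently affects nothing unless you handle it.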


Re: PEAP with Machine auth

2011-10-26 Thread Bonald
Client is Windows7 w/SP1. Using Cisco PEAP it's working. When using
Microsoft PEAP it's failing for machine auth.

I am on WLAN
"netsh wlan show profile" just shows my SSID

That fixed my problem. I needed to check the correct CA in the
protected PEAP properties.
http://www.letu.edu/it/faq/article/AA-00414/0/What-should-I-do-if-I-get-the-error-message-The-connection-attempt-could-not-be-completed-when-connecting-to-wireless.html

thanks

On Wed, Oct 26, 2011 at 1:59 PM, Phil Mayers  wrote:
> On 26/10/11 17:15, Phil Mayers wrote:
>>
>> On 26/10/11 14:24, Bonald wrote:
>>>
>>> Yes i've read it.
>>> Yes the certificate is trusted on the machine and the user store.
>>>
>>> It must be something else, using USER auth it's working. MACHINE auth
>>> is failing.
>>
>> What is the client operating system and version, including service pack?
>>
>> Are you using the built-in operating system supplicant, or a 3rd-party
>> supplicant?
>>
>
> Also, if you can (unicast, if you want) show the "netsh lan show profile"
> output from a command prompt please?


Re: PEAP with Machine auth

2011-10-26 Thread Francois Gaudreault
Correct me if I am wrong, but that should not be needed when you are not
validating the server certificate.

That would mean Windows is trying to validate the server cert when doing
machine auth even if the profile says otherwise??






--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers

On 10/26/2011 07:53 PM, Francois Gaudreault wrote:
> Correct me if I am wrong, but that should not be needed when you are not
> validating server certificate.

There are a few issues; let me try to lay them out.

First: it seems you MUST install the CA on the client (in one or both of 
the user or machine store, depending on whether you're doing user or 
machine-based auth). Authentication will simply fail if you don't 
install the CA - although helpfully Windows does seem to send an 
"invalid CA" TLS alert.

Second: If (and only if) you install the CA, then when you FIRST connect
to a network, you will be shown the dialog box "The connection attempt
could not be completed". In my testing, if you click "Continue", then
Windows will:

 a. Check the "Validate server certificate"
 b. Leave the "Connect to these servers" (hostname/CN) blank
 c. Check the box next to the CA cert

That is, Windows will "trust on first use" (TOFU) the *specific* CA for
that *specific* connection profile (WLAN SSID or Wired "profile").


The text at the link given by the OP is misleading. The issue is not 
whether the CA is a "Trusted" CA on the machine/user store as a whole. 
It's whether it's trusted for *that specific connection* as a CA for 
signing the authentication server cert.


I'm unsure whether the OP is clicking "Continue" at the prompt and it's 
failing, or if he's not clicking "Continue" or not even being presented 
with the option - but as I say, in my testing, TOFU works.



Authorize all/any users for a PEAP, WPA2 enterprise setup

2011-10-26 Thread Toby
Hi all,

I apologize in advance if this question has been answered previously
but I have searched extensively and cannot find discussion of this
particular topic.

What I am wanting to set up, at least initially, is a WPA2 enterprise
(802.11i) wireless access point that will authorize ANY user (accept
all credentials/username-password combinations) and thereby provide
encrypted wireless access as well as confirmation of the access
point's identity, but not restrict which users can connect.

I have the system/network/freeradius server running and authentication
works if a specific username and password is supplied (eg. 'testuser
Cleartext-Password := "testpass"' in users file will allow username
'testuser' with password 'testpass' to connect) or with any username
and a specific password (eg. 'DEFAULT Cleartext-Password := "testpass"
in the users file will allow any username that provides the password
'testpass' to connect).  However, I have tried various options and
cannot find a way to achieve my goal of any username with any password
being accepted.

I have not yet attempted to set up a database and modify SQL queries to
always return true or perform the equivalent with shell scripts as it
seems that a simple, single line in the users file should be able to
do the job.  (With only a little research done it appears that both
the SQL and shell script options would be possible [would they?] but
both seem unnecessarily complex for this)

Some options I have tried in the users file are:

DEFAULT   Cleartext-Password := "testpass"
    # works for any username and the password "testpass"

DEFAULT   User-Password := "testpass"
    # as above (and as expected) works for any username with the password "testpass"

DEFAULT   Cleartext-Password =* "testpass"
    # doesn't work, trying to accept any password; from the users man page
    # "Attribute =* Value  As a check item, it matches if the request contains
    # the named attribute, no matter what the value is."
    # ==> request doesn't contain the named attribute 'Cleartext-Password'?!

DEFAULT   Cleartext-Password !~ /1mp0ss1ble/
    # doesn't work - in the hope of accepting if password provided is NOT "1mp0ss1ble";
    # "Attribute !~ Expression  As a check item, it matches if the request contains
    # an attribute which does not match the given regular expression."

DEFAULT   Cleartext-Password =~ /.*/
    # doesn't work - in the hope of accepting any user if any password is provided;
    # "Attribute =~ Expression  As a check item, it matches if the request contains
    # an attribute which matches the given regular expression."

DEFAULT   Cleartext-Password > ""
    # doesn't work - in the hope that ANY password would be > "";
    # "Attribute > Value  As a check item, it matches if the request contains
    # an attribute with a value greater than the one given."

For what it's worth the users manpage to which I refer is
http://freeradius.org/radiusd/man/users.html#lbAE.

I have also tried "DEFAULT Auth-Type := Accept" [despite having read
in advance that this shouldn't work - indeed it doesn't/didn't!]

This problem is (apparently) not related to certificates or Windows XP
not working (as appears to be the most commonly encountered problem
around this topic - I am not using Windows).  The setup DOES work with
any username as long as a password is explicitly specified in the
users file.

Some keywords to aid others who might search for the same topic in
future: wildcard password, regex password, regular expression

And yes I am new to and inexperienced with RADIUS so please be gentle.
And yes I expect I am missing something very simple - a config
setting somewhere?

I hope this is as trivial a problem as I expect it to be and someone
out there will smile at my naivety and know the solution I'm looking
for.

Thanks in advance.

Toby.



Re: Authorize all/any users for a PEAP, WPA2 enterprise setup

2011-10-26 Thread James J J Hooper

On 27/10/2011 00:51, Toby wrote:
> Hi all,
>
> I apologize in advance if this question has been answered previously
> but I have searched extensively and cannot find discussion of this
> particular topic.
>
> What I am wanting to setup, at least initially, is a WPA2 enterprise
> (802.11i) wireless access point that will authorize ANY user (accept
> all credentials/username-password combinations) and thereby provide
> encrypted wireless access as well as confirmation of the access
> point's identity, but not restrict which users can connect.

Your body doesn't mention PEAP, but your subject does. If you have to use
PEAP, i.e. MS-CHAPv2 inner, it's not possible:

http://wiki.freeradius.org/FAQ#How+do+I+permit+access+to+any+user+regardless+of+password%3F

You could perhaps do it with TTLS/PAP.

-James



Enabling login access and denied to be logged in radius log file

2011-10-26 Thread Det Det
Hi,

How do I enable logging of user accept and deny logins in the log file? I tried to
put sql_log in post-auth but it didn't work.


thanks!
det