update reply

2012-02-13 Thread Miha Zoubek

Hi,

I have set up multiple sql instances in sql.conf. I will also include
further different dialup.conf files for the sql queries.


How can I configure the default file in sites-available so that for one softswitch
I do not need these variables to be sent in the reply:



update reply {
   NAS-IP-Address = %{NAS-IP-Address}
   Acct-Multi-Session-Id = %{Acct-Multi-Session-Id}
   Acct-Session-Id = %{Acct-Session-Id}
   Event-Timestamp = %{Event-Timestamp}
   3GPP2-Session-Termination-Capability = %{3GPP2-Session-Termination-Capability}
   3GPP2-Prepaid-Acct-Quota = %{3GPP2-Prepaid-Acct-Quota}
   3GPP2-Prepaid-acct-Capability = %{3GPP2-Prepaid-acct-Capability}

#  3GPP2-Session-Termination-Capability = {3GPP2-Session-Termination-Capability}
#  Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
#  3GPP2-Release-Indicator = %{request:3GPP2-Release-Indicator}
}

Thanks!

Miha

--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: update reply

2012-02-13 Thread Alan Buxey
Hi,
 Hi,
 
 I have set in sql.conf multiple sql instance. I will also include 
 further different dialup.conf for sql query.
 
 How can I configure default file in site-avalible as for one softswitch 
 I do not need this variables to be replied:

stick a 

if (%{NAS-IP-Address} != 192.168.0.1){
}

wrapper around it - where that IP address is the one you don't care about

alan


Re: update reply

2012-02-13 Thread Miha Zoubek


Thanks for the quick reply!

Regards,
Miha

--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.



Cert issues

2012-02-13 Thread Alan DeKok
  Please respond to the original email, not a digest, and use a good
subject line.  It helps other people track the conversation.

Gilmour, Scott wrote:
 Alan,
 I already have certificates created on my 2008 Server so I want to use those 
 certificates on my Ubuntu Server without creating new ones.

  That's fine.

 You mentioned my openssl configuration is wrong.  Any suggestions on how I 
 can fix the openssl configuration?

  The file raddb/certs/Makefile creates good certificates.  The *cnf
files in the same directory create good certificates.  I don't know what
you're doing different, and it isn't really useful to look.

  Grab the certificate creation commands from the Makefile, and use
those.  Modify them to point to your files.  It *will* work.

  There's a lot of magic in creating good certs.  That magic is embedded
in the existing Makefile and config files.  Use them, they will make
your life easier.

  Alan DeKok.


Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-13 Thread NdK
On 12/02/2012 23:54, McNutt, Justin M. wrote:
 I'm not sure why, then, but it actually does work.  We have shown that with 
 the client configured to use u...@e.mail.address (where e.mail.address is 
 NOT the same as the AD domain), if I have FR look for 'e.mail.address' and 
 translate it to the correct NT domain, authentication succeeds.
See Phil's answer on Feb 03 18:57 ...
That's because domains (both NT-like and Kerberos-like) get stripped
from crypto ops. Too bad you can't change the user name when calling
ntlm_auth (that's what I'd have to do for users with a UPN change).

 The user name must not be part of the crypto calculation or it would fail.  
 I've been able to correct all kinds of things in the user name and set the 
 domain manually to whatever I want.  As long as I supply the correct password 
 on the client side to what I happen to know the RADIUS server has mapped my 
 ID to, authentication is successful.
The 'user' *is* part of the crypto. '@e.mail.address' (or 'DOMAIN\') is not.

BYtE,
 Diego.


Re: update reply

2012-02-13 Thread Fajar A. Nugraha
On Mon, Feb 13, 2012 at 4:44 PM, Miha Zoubek m...@softnet.si wrote:
 Hi,

 I have one problem:


 if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){


  Module: Checking post-auth {...} for more modules to load
 Bare %{...} is invalid in condition at: %{NAS-IP-Address} !=
 xxx.xxx.xx.xxx)


The message should be quite obvious. Try adding quotes:

if ("%{NAS-IP-Address}" != "xxx.xxx.xxx.xxx") {

-- 
Fajar



Re: update reply

2012-02-13 Thread Miha Zoubek

On 2/13/2012 10:52 AM, Fajar A. Nugraha wrote:

if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){
@Fajar sorry that I did not inform you about this. I noticed it right
after I sent the email to the group. I have fixed the quotes but am still getting the error.


fix:

if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){

update reply {
   NAS-IP-Address = %{NAS-IP-Address}
   Acct-Multi-Session-Id = %{Acct-Multi-Session-Id}
   Acct-Session-Id = %{Acct-Session-Id}
   Event-Timestamp = %{Event-Timestamp}
   3GPP2-Session-Termination-Capability = %{3GPP2-Session-Termination-Capability}
   3GPP2-Prepaid-Acct-Quota = %{3GPP2-Prepaid-Acct-Quota}
   3GPP2-Prepaid-acct-Capability = %{3GPP2-Prepaid-acct-Capability}

#  3GPP2-Session-Termination-Capability = {3GPP2-Session-Termination-Capability}
#  Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
#  3GPP2-Release-Indicator = %{request:3GPP2-Release-Indicator}
}
}


Error:

 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
Bare %{...} is invalid in condition at: %{NAS-IP-Address} != 
xxx.xxx.xxx.xxx)
/usr/local/etc/raddb/sites-enabled/default[450]: Errors parsing 
post-auth section.

[root@newbill sites-available]#

BR,
Miha


--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.



Re: update reply

2012-02-13 Thread Miha Zoubek

Sorry:)

forget. It is working perfectly:)

Thanks!

Miha

--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.



Re: update reply

2012-02-13 Thread Alan Buxey
Hi,

  if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){

no, please add quotes around %{NAS-IP-Address} as was already mentioned

alan


Re: Cert issues

2012-02-13 Thread Rudolph Bott

On 13.02.2012 10:32, Alan DeKok wrote:

Please respond to the original email, not a digest, and use a good
subject line.  It helps other people track the conversation.

Gilmour, Scott wrote:

Alan,
I already have certificates created on my 2008 Server so I want to 
use those certificates on my Ubuntu Server without creating new ones.


  That's fine.


If you use a MS CA please be aware that by default 2k8 CAs create
certificates signed with SHA-256 - many systems (including XP and Win
2003 without a patch) are NOT able to deal with those certificates, as
they only support SHA1. Once the CA has been set up, there is no easy way
to change this.

Also, usually MS CAs include some mandatory extensions in their CRLs
which OpenSSL cannot read either. You need to remove these extensions
in the CRL configuration.

You mentioned my openssl configuration is wrong.  Any suggestions on 
how I can fix the openssl configuration?


  The file raddb/certs/Makefile creates good certificates.  The *cnf
files in the same directory create good certificates.  I don't know what
you're doing different, and it isn't really useful to look.

  Grab the certificate creation commands from the Makefile, and use
those.  Modify them to point to your files.  It *will* work.

  There's a lot of magic in creating good certs.  That magic is embedded
in the existing Makefile and config files.  Use them, they will make
your life easier.

  Alan DeKok.


--
Mit freundlichen Grüßen / with kind regards
  Rudolph Bott


How to test FreeRADIUS on CentOS from a remote windows PC using NTRadPing

2012-02-13 Thread Chezangla
Hi,
I have successfully installed and tested freeRADIUS on CentOS with a MySQL
database. But I wanted to test whether freeRADIUS is accessible from
remote machines as well, so I tried to test it using NTRadPing on my
Windows PC, but it always says no response from the server. I have added
my PC's IP to clients.conf.


I even tried to telnet to port 1812 on localhost but it says connection refused.


Please can someone help me in this regard.


chezang



Re: How to test FreeRADIUS on CentOS from a remote windows PC using NTRadPing

2012-02-13 Thread Alan Buxey
Hi,

 I have successfully installed and tested freeRADIUS on centOS with MySQL
 database. But I wanted to test if the freeRADIUS is accessible from
 remote machines as well so I tried to test it using NTRadPing on my
 windows PC, but it always say no response from the server. I have added
 my PC IP to clients.conf.

first question would be why?  end clients never talk to the RADIUS server
directly - the NAS (wireless AP, switch, VPN, RAS etc) does.

however if this is for e.g. testing that another server can talk to it, then simply
add the client to clients.conf, restart FR and ensure the client is allowed
to talk to the RADIUS server (firewall)

 I even tried to telnet 1812 on localhost but it says connection refused.

yep. firewall. adjust your CentOS default firewall settings -
/etc/sysconfig/iptables
so that your client can talk to the server on UDP 1812

alan


Re: How to test FreeRADIUS on CentOS from a remote windows PC using NTRadPing

2012-02-13 Thread Fajar A. Nugraha
On Mon, Feb 13, 2012 at 6:48 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 I even tried to telnet 1812 on localhost but it says connection refused.

 yep. firewall. adjust your CentOS default firewall settings - 
 /etc/sysconfig/iptables
 so that your client can talk to the server on UDP 1812

While the firewall is most likely the culprit, you can't use telnet to
test a UDP connection.

-- 
Fajar
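Fajar's point that telnet cannot exercise a UDP listener, and Alan's that a missing clients.conf entry or a firewall rule is the usual reason for "no response", can both be checked with a small probe. The script below is an added example, not FreeRADIUS's own tooling: it builds a minimal RADIUS Access-Request (RFC 2865 User-Password encoding, RFC 2869 Message-Authenticator), sends it over UDP and separates "port unreachable" (nothing is listening) from a silent timeout, which is what you get for a firewall drop, for a client that is not in clients.conf, and for a wrong shared secret, since FreeRADIUS answers none of those. SERVER and SECRET are constructed placeholders; put your own server address and the secret from clients.conf there.

```python
import hashlib
import hmac
import os
import socket

# Constructed sample values (not from the thread): use your own server address
# and the shared secret configured for this client in clients.conf.
SERVER = ("192.0.2.10", 1812)   # RFC 5737 documentation address
SECRET = b"testing123"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator.  MD5 here is the protocol's construction, not a choice."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_user_password(encoded, secret, authenticator):
    """Inverse of encode_user_password (what the server does); strips padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    return bytes([atype, len(value) + 2]) + value


def iter_attributes(packet):
    """Yield (type, offset, value) for each TLV after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield atype, pos, packet[pos + 2:pos + alen]
        pos += alen


def build_access_request(username, password, secret, ident=0, authenticator=None):
    """Access-Request with User-Name, User-Password, NAS-IP-Address and a
    Message-Authenticator (HMAC-MD5 over the packet, keyed with the secret)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1")))
    length = 20 + len(attrs) + 18
    header = bytes([ACCESS_REQUEST, ident]) + length.to_bytes(2, "big") + authenticator
    # The HMAC is computed with the Message-Authenticator value set to 16 zero bytes.
    placeholder = attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True if the Message-Authenticator matches.  For a reply the HMAC is
    computed with the Request Authenticator in the header (RFC 2869 5.14)."""
    header = packet[:4] + (request_authenticator or packet[4:20])
    for atype, pos, value in iter_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = header + packet[20:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """What a server sends back: the header carries the Response Authenticator,
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) per RFC 2865 section 3."""
    body = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    auth = hashlib.md5(body + request_authenticator + attrs + secret).digest()
    return body + auth + attrs


def verify_response_authenticator(reply, request_authenticator, secret):
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe(server=SERVER, secret=SECRET, username=b"bob", password=b"hello", timeout=3.0):
    """Send one Access-Request and classify the outcome.  A connected UDP socket
    surfaces an ICMP port-unreachable as ConnectionRefusedError on Linux; with
    no ICMP at all (firewall drop, unknown client, bad secret) the only symptom
    is the timeout, which is exactly what NTRadPing reports as 'no response'."""
    request = build_access_request(username, password, secret)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect(server)
        sock.send(request)
        reply = sock.recv(4096)
    except socket.timeout:
        return "no response: firewall drop, client missing from clients.conf, or wrong secret"
    except ConnectionRefusedError:
        return "port unreachable: nothing listening on UDP %d" % server[1]
    finally:
        sock.close()
    length = int.from_bytes(reply[2:4], "big") if len(reply) >= 20 else 0
    if length < 20 or length > len(reply):
        return "malformed reply"
    if not verify_response_authenticator(reply[:length], request[4:20], secret):
        return "reply with bad Response Authenticator: shared secret mismatch"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
             ACCESS_CHALLENGE: "Access-Challenge"}
    return names.get(reply[0], "reply code %d" % reply[0])


if __name__ == "__main__":
    print(probe())
```

Run it from the host that is listed in clients.conf (radtest, shipped with FreeRADIUS, does the same job with more options). A timeout while `radiusd -X` prints nothing at all means the packet never reached the daemon, which is the firewall case Alan describes; a timeout while it logs the request as coming from an unknown client, or with an invalid Message-Authenticator, points at clients.conf or the secret instead.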


EAP-SIM on freeradius-server-2.1.12

2012-02-13 Thread GNUbie
Hello all,

I configured manually ($ ./configure --with-modules=rlm_sim
--with-modules=rlm_sim_files && make) and installed (# make install)
the freeradius-server-2.1.12 from upstream on a CentOS 5.7
x86_64 machine. Then I configured the following configuration files:

- /usr/local/etc/raddb/radiusd.conf
- /usr/local/etc/raddb/clients.conf
- /usr/local/etc/raddb/eap.conf
- /usr/local/etc/raddb/sites-enabled/default

And lastly, I created the /usr/local/etc/raddb/simtriplets.dat with
six (6) triplets (just to make sure though AFAIK 3 is enough) for a
single IMSI.

Then, I executed the command # /usr/local/sbin/radiusd -X -d
/usr/local/etc/raddb and tried testing directly from my iPhone 4. I
got the below snippet of the stdout logs:

- - -  s n i p  - - -
rad_recv: Access-Request packet from host 172.17.1.110 port 2048,
id=120, length=249
User-Name = 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
NAS-IP-Address = 172.17.1.110
NAS-Port = 0
Called-Station-Id = 0E-19-BE-80-71-00:eap-sim
Calling-Station-Id = 5C-59-48-67-C7-A5
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message =
0x023901336265383535616537613836303763376640776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267
Message-Authenticator = 0xdef1645477a2ba0f9a9371f0a9eea8b7
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
[auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
[auth_log]  expand: %t -> Mon Feb 13 23:48:18 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc525.3gppnetwork.org for
User-Name = 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc525.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: insufficient number of challenges for imsi
3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org: 0
++[sim_files] returns notfound
[eap] EAP packet type response id 0 length 57
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
   can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect:
[3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org] (from client
eap-sim port 0 cli 5C-59-48-67-C7-A5)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 120 to 172.17.1.110 port 2048
EAP-Message = 0x0404
Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 0 ID 120 with timestamp +13
Ready to process requests.
- - -  s n i p  - - -

Based on the above logs, below are the (3) lines that I'm not sure how
to address:

[suffix] No such realm wlan.mnc001.mcc525.3gppnetwork.org

rlm_sim_files: insufficient number of challenges for imsi
3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org: 0
++[sim_files] returns notfound

[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.

[eap] processing type sim
   can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect:
[3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org] (from client
eap-sim port 0 cli 5C-59-48-67-C7-A5)

Please advise on how I should proceed from here. Thank you in advance.

Regards,

GNUbie


Increment Acct-Delay-Time on proxy

2012-02-13 Thread Emanuele Colombo
Hello,

I've installed FreeRADIUS 2.1.7 on a CentOS system. In my setup, the RADIUS 
server will work as proxy, storing locally the accounting packets if the 
destination servers are down, and resending them when the destination servers 
are up again. To achieve this result I've followed the 
robust-proxy-accounting example config file with success.

Now I'm looking for a way to update the Acct-Delay-Time, so that, when the 
destination servers are back, the packet is read from the detail file and is 
sent by the proxy adding to the Acct-Delay-Time the delay introduced by the 
temporary failure at the proxy level. Is there a way to do this with FreeRADIUS?

Thanks!
Emanuele


Re: Increment Acct-Delay-Time on proxy

2012-02-13 Thread Emanuele Colombo
- Original message -
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Sent: Monday, 13 February 2012 17:54:01
 Subject: Re: Increment Acct-Delay-Time on proxy
 
  
  Now I'm looking for a way to update the Acct-Delay-Time, so that,
  when the destination servers are back, the packet is read from the
  detail file and is sent by the proxy adding to the
  Acct-Delay-Time the delay introduced by the temporary failure at
  the proxy level. Is there a way to do this with FreeRADIUS?
 
   The detail file reader will automatically do that for you.
 

Actually it didn't work for me... How can I check this? Is there any setting
for enabling this feature, or a delay threshold after which it starts working? Which
configuration file could I check?

Thanks!
Emanuele



Re: Increment Acct-Delay-Time on proxy

2012-02-13 Thread Alan DeKok
Emanuele Colombo wrote:
 Actually it didn't work for me... How can I check this? Is there any
 setting for enabling this feature, or a delay threshold after which it starts
 working? Which configuration file could I check?

  The code has been in the server since August 2007, i.e. 2.0.0.

  There is no setting for enabling it.  It works.

  What do you mean "it didn't work for me"?

  Alan DeKok.


Re: Increment Acct-Delay-Time on proxy

2012-02-13 Thread Emanuele Colombo
- Original message -
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Sent: Monday, 13 February 2012 18:03:42
 Subject: Re: Increment Acct-Delay-Time on proxy
 
   The code has been in the server since August 2007, i.e. 2.0.0.
 
   There is no setting for enabling it.  It works.
 
   What do you mean "it didn't work for me"?
 

I looked at packets sent by my FreeRADIUS server when the destination was back 
and Acct-Delay-Time was 0, as the original ones. Now I know that it should 
already work so tomorrow I'll make some other test and I'll try to find where 
my mistake is.

Thanks,
Emanuele

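Alan's answer is that the detail-file reader increments Acct-Delay-Time by itself when it replays a queued packet. The script below is an added illustration, not FreeRADIUS's code: it parses a constructed detail-file entry in the layout rlm_detail writes (a ctime header line, tab-indented "Attribute = value" lines, the writer's own Timestamp attribute, a blank line ending the entry) and computes the Acct-Delay-Time the proxied copy should carry, which is the NAS's original delay plus the time the packet waited in the file. That arithmetic is the behaviour described in the thread, modelled here so Emanuele's observation ("Acct-Delay-Time was 0, as the original ones") has a concrete number to compare against; treating the entry as queued since its Timestamp is the assumption the example rests on.

```python
import time

# Constructed sample input: two accounting entries as rlm_detail lays them out.
# The Timestamp attribute is added by the detail writer when the entry is queued.
SAMPLE_DETAIL = """\
Mon Feb 13 17:54:01 2012
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0000abcd"
\tAcct-Delay-Time = 5
\tNAS-IP-Address = 192.0.2.1
\tTimestamp = 1329155641

Mon Feb 13 17:55:10 2012
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tAcct-Session-Id = "0000abce"
\tNAS-IP-Address = 192.0.2.1
\tTimestamp = 1329155710

"""


def parse_detail(text):
    """Split a detail file into entries; each entry is an ordered list of
    (name, value) pairs, because an attribute may legitimately repeat."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            if current is not None:
                entries.append(current)   # blank line terminates the entry
                current = None
            continue
        if not raw.startswith("\t"):
            current = []                  # the ctime header line opens a new entry
            continue
        if current is None:
            raise ValueError("attribute line before any entry header: %r" % raw)
        name, _, value = raw.strip().partition(" = ")
        current.append((name, value))
    if current is not None:
        entries.append(current)
    return entries


def replay_delay(entry, now):
    """Acct-Delay-Time for the replayed packet: the delay the NAS reported plus
    the seconds the entry sat in the file.  Clock skew (now earlier than the
    recorded Timestamp) is clamped to zero rather than producing a negative."""
    attrs = dict(entry)
    if "Timestamp" not in attrs:
        raise ValueError("entry has no Timestamp attribute")
    queued_for = max(0, int(now) - int(attrs["Timestamp"]))
    return int(attrs.get("Acct-Delay-Time", 0)) + queued_for


def replay_entry(entry, now):
    """The attribute list to proxy: every original attribute except
    Acct-Delay-Time, which is replaced (or added) with the updated value."""
    delay = replay_delay(entry, now)
    out = [(name, value) for name, value in entry if name != "Acct-Delay-Time"]
    out.append(("Acct-Delay-Time", str(delay)))
    return out


if __name__ == "__main__":
    for entry in parse_detail(SAMPLE_DETAIL):
        print(replay_entry(entry, time.time()))
```

When checking this against real traffic, remember that a changed Acct-Delay-Time changes the packet: RFC 2866 requires the Request Authenticator (and therefore the Message-Authenticator, if present) to be recomputed on each retransmission, so a replayed packet whose Acct-Delay-Time is still 0 is also one whose authenticator has not moved, which is a useful second symptom to look for in a capture.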


rlm_perl and Threaded Perl??

2012-02-13 Thread Simon Earthrowl

  
  
Hello,
I've been looking at the free radius wiki, and read all about interpreter
pools. The prerequisites are that perl is compiled with USE_ITHREADS and,
a bit lower, also with MULTIPLICITY. I have both. What I can't seem to get
working is the thread management as:

#max_clones = 32
#start_clones = 32
#min_spare_clones = 0
#max_spare_clones = 32
#cleanup_delay = 5
#max_request_per_clone = 0

Next stage was to look at the source, but I can't find
any reference to any of the above! Is this still to come?
Kind regards
Simon


  

  
  


Re: rlm_perl and Threaded Perl??

2012-02-13 Thread Alan Buxey
Hi,

I've been looking at the free radius wiki, and read all about interpreter
pools. The prerequisites are that perl is compiled with USE_ITHREADS and a
bit lower also with MULTIPLICITY. I have both. What I can't seem to get
working is the thread management as:

what version of FR ?  in older versions you had to care about the PERL
clones entry - to make sure it matched the parent process counts.. (learnt
that the hard way) - but with newer releases all of this is dealt with for you

alan


Re: rlm_perl and Threaded Perl??

2012-02-13 Thread Simon Earthrowl

FR 2.1.12-1 and 2.1.12-7, but also looked at 3.0.0.
I managed to get 2048 perl threads (assumed from netstat -ap - as I'm
interfacing into Apache's ActiveMQ), then when I hit 2049 threads FR
crashes.


Simon





Re: EAP-SIM on freeradius-server-2.1.12

2012-02-13 Thread GNUbie
Hello all,

What am I missing in my current setup that I am getting such errors?
Why is it that it can't find the triplets when in fact they're there?

Basically, the major changes I made on the configuration files are as follows:

[ /usr/local/etc/raddb/radiusd.conf ]

user = radiusd
group = radiusd

modules {
  sim_files {
simtriplets = /usr/local/etc/raddb/simtriplets.dat
  }
...
...
...
}

[ /usr/local/etc/raddb/clients.conf ]

client 172.17.1.0 {
  ipaddr = 172.17.1.0
  netmask = 24
  secret = qwerty
  shortname = eap-sim
}

[ /usr/local/etc/raddb/eap.conf ]

  eap {
sim {
}
default_eap_type = sim
...
...
...
  }

[ /usr/local/etc/raddb/sites-enabled/default ]

authorize {
  ...
  ...
  ...
  sim_files
  eap {
ok = return
  }
  ...
  ...
  ...
}

The contents of the /usr/local/etc/raddb/simtriplets.dat file has the
format of IMSI,RAND,SRES,KC without the quotes:

354162120787078,C97024E532E340a1A1C4DE24DA001CA6,CBe30a81,988c8753D4197800
354162120787078,38E1F9E16B6E4ee6A785072241E8FF43,9Bcd3f54,F56fb487C1359c00
354162120787078,8254442AD6CB47a29ABC530391DDE402,7054a123,806894125A715800
354162120787078,7CA9CE3C148D43e09EBCC40D0AF8048B,A290d514,A2983885440dc400
354162120787078,391DDF50B644482fAE46F091B1D6AA1C,7968b608,875d2af9E883d800
354162120787078,E244EC5344CF4df1A83E54AB7E399670,F9122829,FB2763c02Cbfac00

I also tried in my testing to prepend a 1 to every IMSI but with no luck.

# sed -i 's/^/1/g' /usr/local/etc/raddb/simtriplets.dat

And lastly, the rlm_eap_sim and rlm_sim_files modules are in place.

# ls -l /usr/local/lib/*sim*
lrwxrwxrwx 1 root root    14 Feb 13 21:19 /usr/local/lib/rlm_eap_sim-2.1.12.la -> rlm_eap_sim.la
-rwxr-xr-x 1 root root 35972 Feb 13 21:19 /usr/local/lib/rlm_eap_sim-2.1.12.so
-rw-r--r-- 1 root root 48340 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.a
-rwxr-xr-x 1 root root   932 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.la
lrwxrwxrwx 1 root root    21 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.so -> rlm_eap_sim-2.1.12.so
lrwxrwxrwx 1 root root    16 Feb 13 21:19 /usr/local/lib/rlm_sim_files-2.1.12.la -> rlm_sim_files.la
-rwxr-xr-x 1 root root 35331 Feb 13 21:19 /usr/local/lib/rlm_sim_files-2.1.12.so
-rw-r--r-- 1 root root 46534 Feb 13 21:19 /usr/local/lib/rlm_sim_files.a
-rwxr-xr-x 1 root root   910 Feb 13 21:19 /usr/local/lib/rlm_sim_files.la
lrwxrwxrwx 1 root root    23 Feb 13 21:19 /usr/local/lib/rlm_sim_files.so -> rlm_sim_files-2.1.12.so

Can anyone from this community help me how to solve my problem?

Thank you in advance.

Regards,

GNUbie


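The log line GNUbie quotes, "rlm_sim_files: insufficient number of challenges for imsi 3be855ae7a8607...@wlan...: 0", shows the key the lookup used: the full User-Name the iPhone sent, not the bare IMSI that heads every line of simtriplets.dat. The checker below is an added example, not FreeRADIUS's own code. It validates the IMSI,RAND,SRES,KC format (field sizes of a GSM triplet), counts the triplets available per IMSI, and applies the RFC 4186 convention for turning an EAP-SIM identity into an IMSI (a permanent identity is "1" followed by the IMSI, before the "@realm"; pseudonyms and fast re-authentication identities cannot be mapped without the table that issued them). Whether rlm_sim_files applies that convention, and MIN_TRIPLETS as the number it requires, are assumptions here; the six triplet lines are the ones posted above, the hex pseudonym is constructed.

```python
import re
from collections import defaultdict

# The six lines GNUbie posted, used here as sample input.
SAMPLE_TRIPLETS = """\
354162120787078,C97024E532E340a1A1C4DE24DA001CA6,CBe30a81,988c8753D4197800
354162120787078,38E1F9E16B6E4ee6A785072241E8FF43,9Bcd3f54,F56fb487C1359c00
354162120787078,8254442AD6CB47a29ABC530391DDE402,7054a123,806894125A715800
354162120787078,7CA9CE3C148D43e09EBCC40D0AF8048B,A290d514,A2983885440dc400
354162120787078,391DDF50B644482fAE46F091B1D6AA1C,7968b608,875d2af9E883d800
354162120787078,E244EC5344CF4df1A83E54AB7E399670,F9122829,FB2763c02Cbfac00
"""

# GSM triplet sizes as hex digits: RAND 16 bytes, SRES 4 bytes, Kc 8 bytes.
FIELD_HEX_LEN = {"RAND": 32, "SRES": 8, "KC": 16}
MIN_TRIPLETS = 3   # assumption: what rlm_sim_files wants per IMSI (RAND1..RAND3)


def parse_triplets(text):
    """Parse IMSI,RAND,SRES,KC lines into {imsi: [(rand, sres, kc), ...]},
    raising ValueError with the line number for anything malformed."""
    db = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError("line %d: expected 4 fields, got %d" % (lineno, len(parts)))
        imsi, rand, sres, kc = parts
        if not (6 <= len(imsi) <= 15 and imsi.isdigit()):
            raise ValueError("line %d: IMSI must be 6-15 digits" % lineno)
        for name, value in (("RAND", rand), ("SRES", sres), ("KC", kc)):
            if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % FIELD_HEX_LEN[name], value):
                raise ValueError("line %d: %s must be %d hex digits"
                                 % (lineno, name, FIELD_HEX_LEN[name]))
        db[imsi].append((bytes.fromhex(rand), bytes.fromhex(sres), bytes.fromhex(kc)))
    return dict(db)


def imsi_from_identity(identity):
    """Map an EAP-SIM NAI to an IMSI by the RFC 4186 convention: a permanent
    identity is '1' + IMSI in front of '@realm'; a bare digit string is taken
    as the IMSI itself.  Anything else is a pseudonym or fast re-authentication
    identity, which only the server that issued it can resolve, so None."""
    username = identity.split("@", 1)[0]
    if not username.isdigit():
        return None
    if username.startswith("1") and len(username) > 1:
        return username[1:]
    return username


def challenges_for(db, identity, minimum=MIN_TRIPLETS):
    """(imsi looked up, triplets found, enough?) for an identity as sent by the peer."""
    imsi = imsi_from_identity(identity)
    found = len(db.get(imsi, [])) if imsi else 0
    return imsi, found, found >= minimum


if __name__ == "__main__":
    triplets = parse_triplets(SAMPLE_TRIPLETS)
    for ident in ("1354162120787078@wlan.mnc001.mcc525.3gppnetwork.org",
                  "deadbeef01234567@wlan.mnc001.mcc525.3gppnetwork.org"):
        print(ident, "->", challenges_for(triplets, ident))
```

Two things fall out of running it against the posted file: every line passes the format check, and the file holds six triplets for a single IMSI, so the "0" in the log is a key mismatch, not a shortage. A hex identity like the one in the log maps to nothing by the RFC 4186 rule; a permanent identity of the form 1<IMSI>@realm does, which is the case the `sed 's/^/1/'` experiment above was reaching for from the wrong side (it changes the file's keys rather than the identity being looked up).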

Re: rlm_perl and Threaded Perl??

2012-02-13 Thread Fajar A. Nugraha
On Tue, Feb 14, 2012 at 6:32 AM, Simon Earthrowl searthr...@eseye.com wrote:
 FR 2.1.12-1 and 2.1.12-7, but also looked at 3.0.0.
 I manage to get 2048 perl threads (assumed from netstat -ap - as I'm
 interfacing into Apache's ActiveMQ), then when I hit 2049 threads FR
 crashes.

Why would you want that many threads?

Can your activemq backend REALLY process  2048 concurrent active
connections without slowing down? It might be simply that nobody has
tested that many perl threads in FR, so if a lower number works then I
suggest you stick with that for now.

From my experience with sql, the optimum number of radius threads is
equal to the number of backend connections (in my case, sql). And the
optimum number of sql connections depends on several things, including
processing delay (e.g. network roundtrip between nodes) and available
cpu cores. But even then my optimum number is around 200. If a radius
request arrives when all 200 threads are busy, it will simply be
queued for later processing.

-- 
Fajar


Re: EAP-SIM on freeradius-server-2.1.12

2012-02-13 Thread GNUbie
    ...
    ...
    ...
  }

 [ /usr/local/etc/raddb/sites-enabled/default ]

 authorize {
  ...
  ...
  ...
  sim_files
  eap {
    ok = return
  }
  ...
  ...
  ...
 }

 The contents of the /usr/local/etc/raddb/simtriplets.dat file has the
 format of IMSI,RAND,SRES,KC without the quotes:

 354162120787078,C97024E532E340a1A1C4DE24DA001CA6,CBe30a81,988c8753D4197800
 354162120787078,38E1F9E16B6E4ee6A785072241E8FF43,9Bcd3f54,F56fb487C1359c00
 354162120787078,8254442AD6CB47a29ABC530391DDE402,7054a123,806894125A715800
 354162120787078,7CA9CE3C148D43e09EBCC40D0AF8048B,A290d514,A2983885440dc400
 354162120787078,391DDF50B644482fAE46F091B1D6AA1C,7968b608,875d2af9E883d800
 354162120787078,E244EC5344CF4df1A83E54AB7E399670,F9122829,FB2763c02Cbfac00

 I also tried in my testing to add 1 on every IMSI but with no luck.

 # sed -i 's/^/1/g' /usr/local/etc/raddb/simtriplets.dat

 And lastly, the rlm_eap_sim and rlm_sim_files modules are in place.

 # ls -l /usr/local/lib/*sim*
 lrwxrwxrwx 1 root root    14 Feb 13 21:19 /usr/local/lib/rlm_eap_sim-2.1.12.la -> rlm_eap_sim.la
 -rwxr-xr-x 1 root root 35972 Feb 13 21:19 /usr/local/lib/rlm_eap_sim-2.1.12.so
 -rw-r--r-- 1 root root 48340 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.a
 -rwxr-xr-x 1 root root   932 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.la
 lrwxrwxrwx 1 root root    21 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.so -> rlm_eap_sim-2.1.12.so
 lrwxrwxrwx 1 root root    16 Feb 13 21:19 /usr/local/lib/rlm_sim_files-2.1.12.la -> rlm_sim_files.la
 -rwxr-xr-x 1 root root 35331 Feb 13 21:19 /usr/local/lib/rlm_sim_files-2.1.12.so
 -rw-r--r-- 1 root root 46534 Feb 13 21:19 /usr/local/lib/rlm_sim_files.a
 -rwxr-xr-x 1 root root   910 Feb 13 21:19 /usr/local/lib/rlm_sim_files.la
 lrwxrwxrwx 1 root root    23 Feb 13 21:19 /usr/local/lib/rlm_sim_files.so -> rlm_sim_files-2.1.12.so

 Can anyone from this community help me how to solve my problem?

 Thank you in advance.

 Regards,

 GNUbie


 On Tue, Feb 14, 2012 at 12:26 AM, GNUbie gnu...@gmail.com wrote:
 Hello all,

 I configured manually ($ ./configure --with-modules=rlm_sim
 --with-modules=rlm_sim_files && make) and installed (# make install)
 the freeradius-server-2.1.12 from the upstream on the CentOS 5.7
 x86_64 machine. Then I configured the following configuration files:

 - /usr/local/etc/raddb/radiusd.conf
 - /usr/local/etc/raddb/clients.conf
 - /usr/local/etc/raddb/eap.conf
 - /usr/local/etc/raddb/sites-enabled/default

 And lastly, I created the /usr/local/etc/raddb/simtriplets.dat with
 six (6) triplets (just to make sure though AFAIK 3 is enough) for a
 single IMSI.

 Then, I executed the command # /usr/local/sbin/radiusd -X -d
 /usr/local/etc/raddb and tried testing directly from my iPhone4, I
 got the below snippet of the stdout logs:

 - - -  s n i p  - - -
 rad_recv: Access-Request packet from host 172.17.1.110 port 2048,
 id=120, length=249
        User-Name = 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
        NAS-IP-Address = 172.17.1.110
        NAS-Port = 0
        Called-Station-Id = 0E-19-BE-80-71-00:eap-sim
        Calling-Station-Id = 5C-59-48-67-C7-A5
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message =
 0x023901336265383535616537613836303763376640776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267
        Message-Authenticator = 0xdef1645477a2ba0f9a9371f0a9eea8b7
 # Executing section authorize from file
 /usr/local/etc/raddb/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [auth_log]      expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
 [auth_log]      expand: %t -> Mon Feb 13 23:48:18 2012
 ++[auth_log] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 ++[digest] returns noop
 [suffix] Looking up realm wlan.mnc001.mcc525.3gppnetwork.org for
 User-Name = 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
 [suffix] No such realm wlan.mnc001.mcc525.3gppnetwork.org
 ++[suffix] returns noop
 rlm_sim_files: insufficient number of challenges for imsi
 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org: 0
 ++[sim_files] returns notfound
 [eap] EAP packet type response id 0 length 57
 [eap] No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 Found Auth-Type = EAP
 # Executing group from file /usr/local/etc/raddb/sites-enabled/default
 +- entering group authenticate {...}
 [eap] EAP Identity
 [eap] processing type sim
   can not initiate sim, no RAND1 attribute
 [eap] Default EAP
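A checker for the IMSI,RAND,SRES,KC file layout and for the identity form seen in the log above, as an added example (not FreeRADIUS code and not from this thread). It assumes only the RFC 4186 username prefixes ("1" permanent identity, "3" pseudonym, "5" fast re-authentication) and uses constructed key material; how rlm_sim_files itself keys its lookup is not established here, the log merely shows it searching with the full User-Name.

```python
"""Checks for a simtriplets.dat-style file (IMSI,RAND,SRES,KC) and for the
identity form an EAP-SIM peer presents.  Added example, not FreeRADIUS code."""
import re
from collections import defaultdict

# IMSI up to 15 digits, RAND 128 bits, SRES 32 bits, Kc 64 bits, all hex.
_TRIPLET = re.compile(r"^(\d{6,15}),([0-9A-Fa-f]{32}),([0-9A-Fa-f]{8}),([0-9A-Fa-f]{16})$")
_NAI = re.compile(r"^([0-9])([^@]+)@(.+)$")

# Constructed sample: the IMSI is the one from the thread, the key material is made up.
SAMPLE_TRIPLETS = """\
# IMSI,RAND,SRES,KC
354162120787078,00112233445566778899AABBCCDDEEFF,01234567,0011223344556677
354162120787078,FFEEDDCCBBAA99887766554433221100,89ABCDEF,8899AABBCCDDEEFF
354162120787078,0F1E2D3C4B5A69788796A5B4C3D2E1F0,DEADBEEF,F0E1D2C3B4A59687
"""

def parse_triplets(text):
    """Return {imsi: [(rand, sres, kc), ...]}, rejecting malformed lines loudly
    instead of leaving the server to report zero usable challenges at runtime."""
    out = defaultdict(list)
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _TRIPLET.match(line)
        if not m:
            raise ValueError(f"line {n}: not IMSI,RAND,SRES,KC: {line!r}")
        imsi, rand, sres, kc = m.groups()
        out[imsi].append((rand.lower(), sres.lower(), kc.lower()))
    return dict(out)

def classify_identity(user_name):
    """Map an EAP-SIM NAI to (kind, username_without_prefix, realm) per RFC 4186."""
    m = _NAI.match(user_name)
    if not m:
        return ("unknown", user_name, "")
    prefix, body, realm = m.groups()
    kinds = {"1": "permanent", "3": "pseudonym", "5": "fast-reauth"}
    return (kinds.get(prefix, "unknown"), body, realm)

def challenges_for(triplets, user_name):
    """Return (imsi_or_None, triplets on file) for a request identity.  Only a
    permanent identity carries the IMSI; a pseudonym or fast re-auth name cannot
    be resolved against a static file without a separate mapping."""
    kind, body, _realm = classify_identity(user_name)
    if kind != "permanent":
        return (None, 0)
    return (body, len(triplets.get(body, [])))
```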

Re: rlm_perl and Threaded Perl??

2012-02-13 Thread Alan DeKok
Simon Earthrowl wrote:
 
 Hello,
 I've been looking at the free radius wiki
 http://wiki.freeradius.org/Rlm_perl, and read all about interpreter
 pools. The prerequisites are that perl is compiled with USE_ITHREADS and,
 a bit lower, also with MULTIPLICITY. I have both. What I can't seem to
 get working is the thread management as:

  That hasn't worked for MANY years.  I've deleted that nonsense from
the Wiki.

  Alan DeKok.


rad client

2012-02-13 Thread Miha Zoubek

Hi,

I need some information about radius behaviour regarding voip cdr (AAA).

I know I get two stop packets and two start packets for every call that
is made.
For one softswitch I get the same session ID for all packets (stop/start for
the a leg, and stop/start for the b leg); on the other softswitch I get one session
ID for one stop/start packet and another ID for the second stop/start packet.
So, for one softswitch, as there is only one ID, I get one entry in the sql table;
for the other softswitch I get two entries in my sql table as I get two
session IDs.

Which behaviour is right?

Thanks!

Miha

--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.



Re: rad client

2012-02-13 Thread Fajar A. Nugraha
On Tue, Feb 14, 2012 at 2:34 PM, Miha Zoubek m...@softnet.si wrote:
 Hi,

 I need some information about radius behaviour regarding voip cdr (AAA).

 I know I get two stop packets and two start packets for every call that
 is made.
 For one softswitch I get the same session ID for all packets (stop/start for
 the a leg, and stop/start for the b leg); on the other softswitch I get one session
 ID for one stop/start packet and another ID for the second stop/start packet.
 So, for one softswitch, as there is only one ID, I get one entry in the sql table;
 for the other softswitch I get two entries in my sql table as I get two
 session IDs.

 Which behaviour is right?

I can't comment about softswitch, but a NAS in general should send
only one acct start & stop for each session it handles. Unless they're
re-sent due to transmission problems, in which case the session ID
will be the same.

I suggest you ask your softswitch vendor about that. If you know the
difference between those two different packets from the same session
(e.g. perhaps there's an attribute that's only present in one of them),
then you should be able to filter it out so you can record only one
entry per session in your acct table.

-- 
Fajar


Re: rad client

2012-02-13 Thread Miha Zoubek

@Fajar,

thanks for your quick reply. I will ask the vendor about it.

BR,
Miha

On 2/14/2012 8:46 AM, Fajar A. Nugraha wrote:

On Tue, Feb 14, 2012 at 2:34 PM, Miha Zoubek m...@softnet.si wrote:

Hi,

I need some information about radius behaviour regarding voip cdr (AAA).

I know I get two stop packets and two start packets for every call that
is made.
For one softswitch I get the same session ID for all packets (stop/start for
the a leg, and stop/start for the b leg); on the other softswitch I get one session
ID for one stop/start packet and another ID for the second stop/start packet.
So, for one softswitch, as there is only one ID, I get one entry in the sql table;
for the other softswitch I get two entries in my sql table as I get two
session IDs.

Which behaviour is right?

I can't comment about softswitch, but a NAS in general should send
only one acct start & stop for each session it handles. Unless they're
re-sent due to transmission problems, in which case the session ID
will be the same.

I suggest you ask your softswitch vendor about that. If you know the
difference between those two different packets from the same session
(e.g. perhaps there's an attribute that's only present in one of them),
then you should be able to filter it out so you can record only one
entry per session in your acct table.




--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.
