Re: Using freeRadius with OTP and gateway
> You don't enable it. The NAS is responsible for sending RADIUS packets, and originating CHAP requests. CHAP doesn't use a RADIUS challenge-response, despite its name.

Oh ok, so I think I haven't understood CHAP well, my bad, sorry.

> CHAP doesn't work that way. The NAS sends a challenge to the client, and receives a response. It then sends challenge and response to the RADIUS server. If you want challenge-response controlled by the RADIUS server, use EAP-MD5.

And you think with EAP-MD5, I can prompt a challenge or number to the client and I can calculate the response, and then I can send another RADIUS request to the server for the final authentication?

Thanks for your answer Alan.

Best regards
--
Mercier Valentin

On Wednesday, 14 March 2012 at 20:46, Alan DeKok wrote:

> Mercier Valentin wrote:
> > But with some research we made, we have another question. We want to enable on free radius the Access Request -- Access Challenge -- Access Request -- Access Accept / Reject, with CHAP, but we don't know how to do this, and if you can help us it would be great.
>
> You don't enable it. The NAS is responsible for sending RADIUS packets, and originating CHAP requests. CHAP doesn't use a RADIUS challenge-response, despite its name.
>
> > Because I read that usually with this kind of implementation the Access Challenge contains a message with which the client needs to calculate the response. And for now that is enough for us.
>
> CHAP doesn't work that way. The NAS sends a challenge to the client, and receives a response. It then sends challenge and response to the RADIUS server. If you want challenge-response controlled by the RADIUS server, use EAP-MD5.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
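The CHAP flow Alan describes, as an added, constructed example (not FreeRADIUS or any NAS vendor's code): the NAS challenges the client itself, and only the finished challenge/response pair reaches the RADIUS server, which recomputes the MD5 from the cleartext password on file (RFC 1994 section 4.1, RFC 2865 section 5.3). Function names, the credentials and the fixed challenge are assumptions made for the example.

```python
"""Constructed CHAP walk-through: NAS, client and RADIUS server roles are
simulated in one process so that it is visible who challenges whom.  The
server never sends a challenge of its own; it only verifies."""
import hashlib
import hmac
import os
from typing import Optional


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: Response = MD5(Ident || secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_challenge_client(client_password: bytes,
                         ident: Optional[int] = None,
                         challenge: Optional[bytes] = None) -> dict:
    """NAS side.  The NAS, not the RADIUS server, originates the challenge.
    The client's answer is packed into the CHAP-Password attribute value:
    1-byte Ident followed by the 16-byte MD5 response.  The simulated
    client (and its password) lives in this function only so the example
    is self-contained."""
    challenge = challenge if challenge is not None else os.urandom(16)
    ident = ident if ident is not None else os.urandom(1)[0]
    response = chap_response(ident, client_password, challenge)
    return {
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([ident]) + response,
    }


def radius_verify(attrs: dict, stored_cleartext: bytes,
                  request_authenticator: Optional[bytes] = None) -> bool:
    """Server side, what rlm_chap does with the forwarded pair: recompute
    the MD5 from the Cleartext-Password on file and compare.  Per RFC 2865,
    when the Access-Request carries no CHAP-Challenge attribute, the
    packet's 16-byte Request Authenticator is used as the challenge."""
    chap_password = attrs.get("CHAP-Password", b"")
    if len(chap_password) != 17:
        return False
    challenge = attrs.get("CHAP-Challenge", request_authenticator)
    if challenge is None:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    # Constant-time compare; a plain == would leak timing on the digest.
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed credentials.  The server needs the cleartext password
    # because the MD5 has to be recomputed; a hashed store cannot do CHAP.
    forwarded = nas_challenge_client(b"s3cret", ident=7)
    print("accept" if radius_verify(forwarded, b"s3cret") else "reject")
    print("accept" if radius_verify(forwarded, b"wrong") else "reject")
```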
Re: Help - ASN-GW throwing error - Validation of attributes failed
There is no WiMAX-MSK attribute in Access-Accept. You need to call the rlm_wimax module from the post-auth section of the default virtual server:

    # raddb/sites-enabled/default
    post-auth {
        ...
        wimax
        ...
    }

This module will add WiMAX-MSK and remove MS-MPPE-Send-Key and MS-MPPE-Recv-Key.

Rathod Subhashchandra wrote:
> Dear All,
>
> I am trying to set up the EAP-TLS authentication mechanism for my WiMAX testing and following are the details.
>
> 1. TATA ELXSI - WIMAX MS
> 2. TATA ELXSI - WIMAX BS
> 3. ARICENT ASN-GW version 4.2
> 4. Free Radius AAA server version 2.1.3
>
> Certificates exchange is through. When AAA server responds with Access-Accept, ASN-GW throws an error saying "Validation of the Attributes in the Received packet failed".
>
> Wireshark logs @ ASN-GW: I could not attach wireshark pcap logs due to size constraint. I have taken a print screen of only the ACCESS-ACCEPT message copied to MS Word.
>
> What are the mandatory fields in Access-Accept and their valid values?
>
> Service-Type attribute value is 2. ASN-GW is adding this attribute. Is this valid for EAP-TLS? I am guessing this should be 8. I don't have control over ASN-GW parameters modification.
>
> Please let me know what fields are invalid in the above ACCESS-ACCEPT.
>
> Thanks !
> Rathod.
Very large environment depending on FreeRadius
Greetings guys,

Need advice before going live: I have deployed a FreeRadius server in an environment with 2,491,000 subscribers.

GGSN: 2,491,000 MSISDN subscribers, 3 APN(s).
1 APN will be authenticated locally: 830,000 subscribers
1 APN will be proxied for: 1,660,000 subscribers
1 APN another will be proxied for: 1,660,000 subscribers.
BRAS for PPPOE is 1000 subscribers.

We tested the configuration and it was working, with attribute filters on proxy etc. for all our requirements. Using MySQL backend and SQL IP Pool to hand out IP addresses for locally authenticated. Also have a secondary standby FreeRadius, with MySQL replication using a bunch of additional scripts I wrote to handle redundancy and consistency checks.

The system is running live for the 1000 subscribers. We are about to swing over the 2,491,000 mobile subscribers...

Can you please advise me on anything I should watch out for or plan for? Should I be worried about tuning the ports? Listening on multiple ports for auth+acct? Anything strange? Any tips??? :-) Go mad, I need to ensure this runs smoothly...

System is running on Ubuntu Linux Server.

--
Christiaan Rademan - JNCIE #661
Mobile: +27 83 419 2078
E-mail: christiaan.rade...@gmail.com
Re[2]: Help - ASN-GW throwing error - Validation of attributes failed
Hi, ask the ASN-GW vendor if it passed IOT with FR.

15 March 2012, 09:58, from Rathod Subhashchandra rat...@tataelxsi.co.in:
> Dear Fajar,
>
> I went through the documentation of ASN-GW. I could not find configuring AAA parameters except AAA IP address. I am not quite clear which attribute is causing the problem. For EAP-TTLS, almost the same ACCESS-ACCEPT attributes are through. But for EAP-TLS I am facing this issue.
>
> I am attaching the AAA wireshark logs. Please let me know your valuable feedback.
>
> Thanks !
> Rathod.
>
> -----Original Message-----
> From: Fajar A. Nugraha [mailto:l...@fajar.net]
> Sent: Thursday, March 15, 2012 11:00 AM
> To: rat...@tataelxsi.co.in; FreeRadius users mailing list
> Subject: Re: Help - ASN-GW throwing error - Validation of attributes failed
>
> On Thu, Mar 15, 2012 at 12:21 PM, Rathod Subhashchandra rat...@tataelxsi.co.in wrote:
> > Wireshark logs @ ASN-GW: I could not attach wireshark pcap logs due to size constraint. I have taken a print screen of only the ACCESS-ACCEPT message copied to MS Word.
>
> While that information might be interesting for an ASN support/list/forum, this list is not it.
>
> > What are the mandatory fields in Access-Accept and their valid values?
> > Service-Type attribute value is 2. ASN-GW is adding this attribute. Is this valid for EAP-TLS? I am guessing this should be 8. I don't have control over ASN-GW parameters modification.
> > Please let me know what fields are invalid in the above ACCESS-ACCEPT.
>
> Did you try asking the NAS vendor?
>
> If you know what attributes are needed, you can configure FR to send them. If you don't know what they are, then you should ask the NAS vendor, or at least read its documentation.
>
> --
> Fajar
RE: Help - ASN-GW throwing error - Validation of attributes failed
Dear Iliya,

Thanks for your valuable suggestion. The rlm_wimax module was not building. I enabled it and now it is building. As per your suggestion, I have added wimax in the file raddb/sites-enabled/default. Still I am not getting WiMAX-MSK in Access-Accept. Could you please help me with this?

Thanks !
Rathod.

-----Original Message-----
From: Iliya Peregoudov [mailto:iperegu...@cboss.ru]
Sent: Thursday, March 15, 2012 11:41 AM
To: rat...@tataelxsi.co.in; FreeRadius users mailing list
Subject: Re: Help - ASN-GW throwing error - Validation of attributes failed

> There is no WiMAX-MSK attribute in Access-Accept. You need to call the rlm_wimax module from the post-auth section of the default virtual server:
>
>     # raddb/sites-enabled/default
>     post-auth {
>         ...
>         wimax
>         ...
>     }
>
> This module will add WiMAX-MSK and remove MS-MPPE-Send-Key and MS-MPPE-Recv-Key.
>
> Rathod Subhashchandra wrote:
> > Dear All,
> >
> > I am trying to set up the EAP-TLS authentication mechanism for my WiMAX testing and following are the details.
> >
> > 1. TATA ELXSI - WIMAX MS
> > 2. TATA ELXSI - WIMAX BS
> > 3. ARICENT ASN-GW version 4.2
> > 4. Free Radius AAA server version 2.1.3
> >
> > Certificates exchange is through. When AAA server responds with Access-Accept, ASN-GW throws an error saying "Validation of the Attributes in the Received packet failed".
> >
> > Wireshark logs @ ASN-GW: I could not attach wireshark pcap logs due to size constraint. I have taken a print screen of only the ACCESS-ACCEPT message copied to MS Word.
> >
> > What are the mandatory fields in Access-Accept and their valid values?
> >
> > Service-Type attribute value is 2. ASN-GW is adding this attribute. Is this valid for EAP-TLS? I am guessing this should be 8. I don't have control over ASN-GW parameters modification.
> >
> > Please let me know what fields are invalid in the above ACCESS-ACCEPT.
> >
> > Thanks !
> > Rathod.
Re: Very large environment depending on FreeRadius
On 03/15/2012 07:38 AM, Christiaan Rademan wrote:
> Can you please advise me on anything I should watch out for or plan for?

I'm sure others will chip in, but basically: don't worry about FreeRADIUS, worry about your SQL database.

FreeRADIUS itself can handle a truly enormous rate of authentication and accounting packets. The problem people seem to run into at scale is that the SQL database they're using for authentication (i.e. to read the password) or accounting (i.e. to write accounting records) is too slow, which means FreeRADIUS becomes slow. Then people get in a muddle and think adding hundreds of threads to the thread pool will help ("My database is slow... I know, I'll add MORE concurrent queries, that'll speed it up").

It's a particular problem if, after a couple of weeks, they've got 100 million rows in their accounting table and accounting takes seconds to complete, so ensure you're archiving regularly.

Assuming you're not doing any SQL activity for proxied packets, I don't think you need to worry too much about them, but DO ENSURE you are running 2.1.12, and not some earlier version.

With regards to the local auth, you say you're using MySQL and sqlippool; you might want to check the list archives for this, there has been some discussion in the past. I don't use MySQL, but my understanding was that the required locking (to avoid handing the same IP out twice) was problematic in some fashion in MySQL.

Basically: run some test auths through the server and dump the SQL queries it generates. Then think about how those SQL queries will perform in a month, when your SQL DB is full of accounting records, or when 100 queries/sec come in.
Re: Help - ASN-GW throwing error - Validation of attributes failed
Run freeradius in debug mode (-X). Look for eap module debug messages. Look for wimax module debug messages. Try to understand.

Rathod Subhashchandra wrote:
> Dear Iliya,
>
> Thanks for your valuable suggestion. The rlm_wimax module was not building. I enabled it and now it is building. As per your suggestion, I have added wimax in the file raddb/sites-enabled/default. Still I am not getting WiMAX-MSK in Access-Accept. Could you please help me with this?
>
> Thanks !
> Rathod.
>
> -----Original Message-----
> From: Iliya Peregoudov [mailto:iperegu...@cboss.ru]
> Sent: Thursday, March 15, 2012 11:41 AM
> To: rat...@tataelxsi.co.in; FreeRadius users mailing list
> Subject: Re: Help - ASN-GW throwing error - Validation of attributes failed
>
> > There is no WiMAX-MSK attribute in Access-Accept. You need to call the rlm_wimax module from the post-auth section of the default virtual server:
> >
> >     # raddb/sites-enabled/default
> >     post-auth {
> >         ...
> >         wimax
> >         ...
> >     }
> >
> > This module will add WiMAX-MSK and remove MS-MPPE-Send-Key and MS-MPPE-Recv-Key.
> >
> > Rathod Subhashchandra wrote:
> > > Dear All,
> > >
> > > I am trying to set up the EAP-TLS authentication mechanism for my WiMAX testing and following are the details.
> > >
> > > 1. TATA ELXSI - WIMAX MS
> > > 2. TATA ELXSI - WIMAX BS
> > > 3. ARICENT ASN-GW version 4.2
> > > 4. Free Radius AAA server version 2.1.3
> > >
> > > Certificates exchange is through. When AAA server responds with Access-Accept, ASN-GW throws an error saying "Validation of the Attributes in the Received packet failed".
> > >
> > > Wireshark logs @ ASN-GW: I could not attach wireshark pcap logs due to size constraint. I have taken a print screen of only the ACCESS-ACCEPT message copied to MS Word.
> > >
> > > What are the mandatory fields in Access-Accept and their valid values?
> > >
> > > Service-Type attribute value is 2. ASN-GW is adding this attribute. Is this valid for EAP-TLS? I am guessing this should be 8. I don't have control over ASN-GW parameters modification.
> > >
> > > Please let me know what fields are invalid in the above ACCESS-ACCEPT.
> > >
> > > Thanks !
> > > Rathod.
Re: Wimax Account
Hi there,

Anyone worked with WASN9770? How did you set up the wimax account? I want to set up an account with such a profile, say:

username  password   512K bandwidth bi-direction   Always on
username2 password   512Kbps bandwidth bi-direction   Only connects at night

How would I achieve this?
Re: Wimax Account
Mulindwa wrote:
> Anyone worked with WASN9770? How did you set up the wimax account?

Ask the vendor how their product works. This isn't a FreeRADIUS question.

Alan DeKok.
Cannot authenticate TinyRadius with freeRadius
Hi All,

I am using the TinyRadius client to authenticate with a freeRadius server. But the freeRadius server (version 2.1.10) cannot read the password. I am getting the following message from the freeRadius server. The user name is testing. Password is password. Secret is testing123. I have tested the username and password with radtest that comes with freeRadius and it works. The entry in the users file is the following:

    testing Cleartext-Password == password

I will be very grateful to you if anyone can tell me how to fix it.

Thanks
Raihan

Msg from FreeRadius Server:

    rad_recv: Access-Request packet from host 127.0.0.1 port 49851, id=1, length=59
        User-Name = testing
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 123
        User-Password = \317\356`\275\277\377d%q\321\341o2خ\303
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = testing, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry testing at line 49
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password ��`���d%q��o2خ�
    [pap] Using clear text password password
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} - testing
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 5 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 5
    Sending Access-Reject of id 1 to 127.0.0.1 port 49851
    Waking up in 4.9 seconds.
    Cleaning up request 5 ID 1 with timestamp +364

JAVA source code (string quotes restored where the archive had stripped them):

    import java.io.IOException;
    import org.tinyradius.packet.AccessRequest;
    import org.tinyradius.packet.RadiusPacket;
    import org.tinyradius.util.RadiusClient;
    import org.tinyradius.util.RadiusException;

    public class JavaRadiusClient {

        public static void main(String[] args) {
            //JavaRadiusClient jrc = new JavaRadiusClient();
            //jrc.secndAuthentication();
            // The shared secret must match the clients.conf entry for 127.0.0.1.
            RadiusClient rc = new RadiusClient("localhost", "testing123");
            try {
                if (rc.authenticate("testing", "password")) {
                    System.out.println("Authenticated");
                } else {
                    System.out.println("Not Authenticated");
                }
            } catch (IOException e) {
                e.printStackTrace();
            } catch (RadiusException e) {
                e.printStackTrace();
            }
        }

        public void secndAuthentication() {
            RadiusClient rc = new RadiusClient("localhost", "testing123");
            AccessRequest ar = new AccessRequest("testing", "password");
            //ar.setAuthProtocol(AccessRequest.AUTH_CHAP);
            ar.setAuthProtocol(AccessRequest.AUTH_PAP); // or AUTH_CHAP
            ar.addAttribute("NAS-IP-Address", "127.0.0.1");
            ar.addAttribute("NAS-Port", "123");
            RadiusPacket response;
            try {
                response = rc.authenticate(ar);
                if (response.getPacketType() == RadiusPacket.ACCESS_ACCEPT) {
                    System.out.println("Authenticated");
                }
            } catch (IOException e) {
                e.printStackTrace();
            } catch (RadiusException e) {
                e.printStackTrace();
            }
        }
    }

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Cannot-authenticate-TinyRadius-with-freeRadius-tp5567736p5567736.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
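Why a shared-secret mismatch shows up as the "Unprintable characters in the password" warning in the debug output above, as an added, constructed example (not TinyRadius or FreeRADIUS code): PAP hides User-Password with the RFC 2865 section 5.2 MD5/XOR chain keyed by the shared secret and the Request Authenticator, so a server using a different secret recovers pseudo-random bytes instead of the password. The function names and the fixed Request Authenticator are assumptions made for the example.

```python
"""Constructed RFC 2865 section 5.2 User-Password hiding, with both the
client (hide) and server/rlm_pap (reveal) sides, plus the printability
sanity check that triggers the FreeRADIUS warning seen in the log."""
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client/NAS side.  Pad with NULs to a multiple of 16, then chain
    c_i = p_i XOR MD5(secret || c_{i-1}) with c_0 = Request Authenticator.
    An 8-byte password therefore becomes one 16-byte block, which is why
    the log shows length=59: 20 header + 9 User-Name + 6 NAS-IP-Address
    + 6 NAS-Port + 18 User-Password."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP passwords are 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side (what rlm_pap does).  Reverses the chain and strips the
    NUL padding; PAP passwords may not contain NUL, so this is lossless."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def is_printable(data: bytes) -> bool:
    """The sanity check behind the warning: a correctly recovered PAP
    password is ordinarily printable ASCII, garbage almost never is."""
    return all(0x20 <= b < 0x7f for b in data)


if __name__ == "__main__":
    # Constructed Request Authenticator; a real NAS sends 16 random bytes.
    authenticator = bytes(range(16))
    wire = hide_password(b"password", b"testing123", authenticator)
    for server_secret in (b"testing123", b"wrong-secret"):
        got = reveal_password(wire, server_secret, authenticator)
        verdict = "ok" if is_printable(got) else "unprintable -> check shared secret"
        print(server_secret.decode(), got, verdict)
```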
Re: Help - ASN-GW throwing error - Validation of attributes failed
Rathod Subhashchandra wrote:
> The rlm_wimax module was not building. I enabled it and now it is building. As per your suggestion, I have added wimax in the file raddb/sites-enabled/default. Still I am not getting WiMAX-MSK in Access-Accept. Could you please help me with this?

Read the debug output to see why.

And ask your NAS vendor why their equipment is broken. They need to supply a *useful* error message.

Alan DeKok.
Re: Wimax Account
Was wondering if there is anyone on this forum who is using WASN9770 and is using Freeradius; I am sure they would be more than happy to point me in the right direction. But if there are none, I am sure I will have no response. Otherwise thanks Alan.

Eric M

From: Alan DeKok al...@deployingradius.com
To: Mulindwa meri...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, March 15, 2012 2:44 PM
Subject: Re: Wimax Account

> Mulindwa wrote:
> > Anyone worked with WASN9770? How did you set up the wimax account?
>
> Ask the vendor how their product works. This isn't a FreeRADIUS question.
>
> Alan DeKok.
Re: Cannot authenticate TinyRadius with freeRadius
ulislam.raihan wrote:
> The entry in the users file is the following:
>
>     testing Cleartext-Password == password

That's wrong. See the FAQ. Use :=, not ==.

>     rad_recv: Access-Request packet from host 127.0.0.1 port 49851, id=1, length=59
>         User-Name = testing
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 123
>         User-Password = \317\356`\275\277\377d%q\321\341o2خ\303

The shared secret is wrong. Or, the client doesn't implement RADIUS properly. There are no other choices.

> JAVA source code

Which isn't appropriate for this list. Ask the tinyradius people how to debug their software. FreeRADIUS works.

Alan DeKok.
Re: Very large environment depending on FreeRadius
Thank you so much for the tips Phil Mayers. I have optimised everything, except archiving of the accounting messages. That would be a good idea...

On 15/03/2012 10:58, Phil Mayers wrote:
> On 03/15/2012 07:38 AM, Christiaan Rademan wrote:
> > Can you please advise me on anything I should watch out for or plan for?
>
> I'm sure others will chip in, but basically: don't worry about FreeRADIUS, worry about your SQL database.
>
> FreeRADIUS itself can handle a truly enormous rate of authentication and accounting packets. The problem people seem to run into at scale is that the SQL database they're using for authentication (i.e. to read the password) or accounting (i.e. to write accounting records) is too slow, which means FreeRADIUS becomes slow. Then people get in a muddle and think adding hundreds of threads to the thread pool will help ("My database is slow... I know, I'll add MORE concurrent queries, that'll speed it up").
>
> It's a particular problem if, after a couple of weeks, they've got 100 million rows in their accounting table and accounting takes seconds to complete, so ensure you're archiving regularly.
>
> Assuming you're not doing any SQL activity for proxied packets, I don't think you need to worry too much about them, but DO ENSURE you are running 2.1.12, and not some earlier version.
>
> With regards to the local auth, you say you're using MySQL and sqlippool; you might want to check the list archives for this, there has been some discussion in the past. I don't use MySQL, but my understanding was that the required locking (to avoid handing the same IP out twice) was problematic in some fashion in MySQL.
>
> Basically: run some test auths through the server and dump the SQL queries it generates. Then think about how those SQL queries will perform in a month, when your SQL DB is full of accounting records, or when 100 queries/sec come in.

--
Christiaan Rademan - JNCIE #661
Mobile: +27 83 419 2078
E-mail: christiaan.rade...@gmail.com
RE: Help - ASN-GW throwing error - Validation of attributes failed
Quite often you need to change whether or not the response goes via the inner-tunnel. Work with your EAP settings to see if that will change the behavior.

David

-----Original Message-----
From: freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Thursday, March 15, 2012 7:49 AM
To: rat...@tataelxsi.co.in; FreeRadius users mailing list
Subject: Re: Help - ASN-GW throwing error - Validation of attributes failed

> Rathod Subhashchandra wrote:
> > The rlm_wimax module was not building. I enabled it and now it is building. As per your suggestion, I have added wimax in the file raddb/sites-enabled/default. Still I am not getting WiMAX-MSK in Access-Accept. Could you please help me with this?
>
> Read the debug output to see why.
>
> And ask your NAS vendor why their equipment is broken. They need to supply a *useful* error message.
>
> Alan DeKok.
FreeRadius 2.1.12, why is EAP AKA support in eap2 module
Hi,

We are using FreeRadius ver 2.1.12. I had a query regarding EAP-AKA support in the eap2 module: it is mentioned on the FreeRadius website that "This module is experimental, and may not be ready for use in a production environment". Is it still in an experimental state? Can't it be used like EAP-SIM? Is performance tested for EAP-AKA? I am waiting for a response so that we can support EAP-AKA in our product using FreeRadius. Any specific reason for keeping it in the eap2 module rather than the mainline eap module?

Waiting for a positive and quick response. Thanks in advance.

Thanks
Altaf
Re: FreeRadius 2.1.12, why is EAP AKA support in eap2 module
Altaf Husain wrote:
> We are using FreeRadius ver 2.1.12. I had a query regarding EAP-AKA support in the eap2 module: it is mentioned on the FreeRadius website that "This module is experimental, and may not be ready for use in a production environment". Is it still in an experimental state? Can't it be used like EAP-SIM? Is performance tested for EAP-AKA? I am waiting for a response so that we can support EAP-AKA in our product using FreeRadius. Any specific reason for keeping it in the eap2 module rather than the mainline eap module?

Because the native code hasn't been written. Feel free to (a) submit code, or (b) pay someone to write it.

> Waiting for a positive and quick response. Thanks in advance.

This isn't a paid support list. There are no guarantees on quick responses, and there is no reason to ask for a quick response.

Alan DeKok.
Re: Very large environment depending on FreeRadius
Christiaan Rademan wrote:
> I have deployed a FreeRadius server in an environment with 2,491,000 subscribers.

That's a fairly high number.

> We tested the configuration and it was working, with attribute filters on proxy etc. for all our requirements. Using MySQL backend and SQL IP Pool to hand out IP addresses for locally authenticated.

Have you done performance tests? If not, who knows what will happen.

> Can you please advise me on anything I should watch out for or plan for?

Test it before switching over 3M users.

Alan DeKok.
Windows 7 clients
Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?

FR v2.1.10

    [peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
    TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
    rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    SSL: SSL_read failed inside of TLS (-1), TLS session fails.
    TLS receive handshake failed during operation
    [peap] eaptls_process returned 4
    [peap] EAPTLS_OTHERS
    [eap] Handler failed in EAP/peap
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
Re: Windows 7 clients
Is this the INTERMEDIATE CA that GeoTrust sent along with the server cert?

On 3/15/12 8:25 AM, Scott McLane Gardner sgar...@uark.edu wrote:
> Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
>
> FR v2.1.10
>
>     [peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
>     TLS Alert read:fatal:unknown CA
>     TLS_accept: failed in SSLv3 read client certificate A
>     rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>     SSL: SSL_read failed inside of TLS (-1), TLS session fails.
>     TLS receive handshake failed during operation
>     [peap] eaptls_process returned 4
>     [peap] EAPTLS_OTHERS
>     [eap] Handler failed in EAP/peap
>     [eap] Failed in EAP select
>     ++[eap] returns invalid
>     Failed to authenticate the user.
Re: Windows 7 clients
Scott McLane Gardner wrote:
> Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?

You need to put the root CA into the certs directory, so that FreeRADIUS knows it's allowed to issue client certs.

Alan DeKok.
Re: Windows 7 clients
Okay, it is the INTERMEDIATE CA. Sorry for the noise.

On 3/15/12 8:26 AM, Scott McLane Gardner sgar...@uark.edu wrote:
> Is this the INTERMEDIATE CA that GeoTrust sent along with the server cert?
>
> On 3/15/12 8:25 AM, Scott McLane Gardner sgar...@uark.edu wrote:
> > Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
> >
> > FR v2.1.10
> >
> >     [peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
> >     TLS Alert read:fatal:unknown CA
> >     TLS_accept: failed in SSLv3 read client certificate A
> >     rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> >     SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> >     TLS receive handshake failed during operation
> >     [peap] eaptls_process returned 4
> >     [peap] EAPTLS_OTHERS
> >     [eap] Handler failed in EAP/peap
> >     [eap] Failed in EAP select
> >     ++[eap] returns invalid
> >     Failed to authenticate the user.
Re: Windows 7 clients
Hi,

> Is this the INTERMEDIATE CA that GeoTrust sent along with the server cert?

The server needs to be configured so that the certificate file entry points to a file that contains your server cert, any intermediaries and the root, all in one file, in the right order, concatenated after each other. The client is then fed that cert chain... if it has the root CA installed it should be happy - though some clients still complain.

alan
RE: Help - ASN-GW throwing error - Validation of attributes failed
Dear Iliya,

Do I need to modify the code to call rlm_wimax functions for generating the keys? By default, it is invoking eaptls_gen_mppe_keys functions. This function is generating MS-MPPE-Recv-Keys. From your first mail, I understood that only modifying raddb/sites-enabled/default will take care of everything.

Thanks !
Rathod.

-----Original Message-----
From: freeradius-users-bounces+rathod=tataelxsi.co...@lists.freeradius.org [mailto:freeradius-users-bounces+rathod=tataelxsi.co...@lists.freeradius.org] On Behalf Of Iliya Peregoudov
Sent: Thursday, March 15, 2012 2:51 PM
To: 'FreeRadius users mailing list'
Subject: Re: Help - ASN-GW throwing error - Validation of attributes failed

> Run freeradius in debug mode (-X). Look for eap module debug messages. Look for wimax module debug messages. Try to understand.
>
> Rathod Subhashchandra wrote:
>> Dear Iliya,
>>
>> Thanks for your valuable suggestion. Rlm_wimax module was not building. I enabled it and now it is building. As per your suggestion, I have added wimax in file raddb/sites-enabled/default. Still I am not getting WiMAX-MSK in Access-Accept. Could you please help me with this?
>>
>> Thanks !
>> Rathod.
>>
>> -----Original Message-----
>> From: Iliya Peregoudov [mailto:iperegu...@cboss.ru]
>> Sent: Thursday, March 15, 2012 11:41 AM
>> To: rat...@tataelxsi.co.in; FreeRadius users mailing list
>> Subject: Re: Help - ASN-GW throwing error - Validation of attributes failed
>>
>>> There is no WiMAX-MSK attribute in Access-Accept. You need to call rlm_wimax module from post-auth section of default virtual server:
>>>
>>> # raddb/sites-enabled/default
>>> post-auth {
>>>     ...
>>>     wimax
>>>     ...
>>> }
>>>
>>> This module will add WiMAX-MSK and remove MS-MPPE-Send-Key and MS-MPPE-Recv-Key.
>>>
>>> Rathod Subhashchandra wrote:
>>>> Dear All,
>>>>
>>>> I am trying to set up EAP-TLS authentication mechanism for my WiMAX testing and following are the details.
>>>>
>>>> 1. TATA ELXSI - WIMAX MS
>>>> 2. TATA ELXSI - WIMAX BS
>>>> 3. ARICENT ASN-GW version 4.2
>>>> 4. Free Radius AAA server version 2.1.3
>>>>
>>>> Certificates exchange is through. When AAA server responds with Access-Accept, ASN-GW throws error saying Validation of the Attributes in the Received packet failed
>>>>
>>>> Wireshark logs @ ASN-GW
>>>>
>>>> I could not attach wireshark pcap logs due to size constraint. I have taken a print screen of only the ACCESS-ACCEPT message, copied to MS Word.
>>>>
>>>> What are the mandatory fields in Access-Accept and their valid values? Service-Type attribute value is 2. ASN-GW is adding this attribute. Is this valid for EAP-TLS? I am guessing this should be 8. I don't have control over ASN-GW parameters modification.
>>>>
>>>> Please let me know what fields are invalid in above ACCESS-ACCEPT.
>>>>
>>>> Thanks !
>>>> Rathod.
freeRadius Server with Dynamic IP address.
Hello Everybody:

I just figured out how to solve the problem of a NAS that has a dynamic IP address (single client entry 0.0.0.0). But what about when the radius Server is also behind a NAT which will get a Dynamic IP address? (Server and NAS communicate with each other through the Internet!) How could I set the NAS's radius server IP address option? The NAS I use is Compex WP543 and Netgear WG103; I don't think I could use a hostname or domain name instead of the IP address. Please advise me, thank you very much.

Joey
Re: Windows 7 clients
On Thu, Mar 15, 2012 at 01:51:19PM +, Alan Buxey wrote:
>> Is this the INTERMEDIATE CA that GeoTrust sent along with the server cert?
>
> is then fed that cert chain... if it has the root CA installed it should be happy - though some clients still complain.

When I (briefly) tested Windows 7 the other week, it needed the root and intermediate certificates installed. Windows didn't seem to want to accept the intermediate that was sent from the server, no matter what order the certs were. After installing the intermediate on the client, all was well.

However, it was only a quick test, and I was actually doing something else, so it might not be correct. It just niggled me enough at the time to dig a bit deeper, and I put it down to the standard case of Windows being stupid, and moved on. I'd like to be proven incorrect.

Thanks,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: FreeRADIUS 1.1.2 - 2.1.12 migration steps
I don't see any differences... Just save your config files and replace them later when rpm goes live.

If anyone's interested, 2.1.12 builds fine with the specfile included in the source release. I had to rebuild the certificate patch file and include a few extra man files in the manifest. Simple build.

Norman
Re: freeRadius Server with Dynamic IP address.
ZhenJoey wrote:
> But what about when the radius Server is also behind a NAT which will get a Dynamic IP address? (Server and NAS communicate with each other through the Internet!)

That is a horrible way to run a RADIUS server.

> How could I set the NAS's radius server IP address option?

You don't. It's a bad idea.

> The NAS I use is Compex WP543 and Netgear WG103; I don't think I could use a hostname or domain name instead of the IP address. Please advise me, thank you very much.

The only possible advice is don't do it.

Alan DeKok.
RE: proxy server goes deaf after Client has closed connection (RadSec to home server)
Alan DeKok [al...@deployingradius.com] wrote: Sent: Friday, March 09, 2012 3:25 AM Brian Julin wrote: This keeps the server listening, but there are some lingering issues: Well, fixes are welcome. I don't have time to look into this for a few weeks at least. request_proxy_anew was assuming its argument would be installed in the proxy_list, which wasn't the case, so it was removing it twice causing .num_outgoing counters to roll over. Then, request_proxy was not expecting the case where the argument was already in the proxy_list (put there by request_proxy_anew) and was failing when attempting to add it a second time. The latter makes me wonder why or if request_proxy_anew works at all. The attached patch seems to do the trick. Some caveats: This bypasses (for certain situations) the attempts to make sure that a duplicate packet does not reuse the proxy_list ID of its predecessor. Not knowing the reasoning behind that, I don't know if that's important or not. request_proxy has a retransmit flag as a parameter, which might be the better test to avoid inserting the entry twice, or might not be. Off topic, JOOC, while reading through the source I was left wondering what prevents proxy_wait_for_reply from entering master-only functions from a non-master thread when it falls through the DUP case into the TIMER case. diff --git a/src/main/process.c b/src/main/process.c index 4b5f084..f3b0c3f 100644 --- a/src/main/process.c +++ b/src/main/process.c @@ -1596,7 +1596,7 @@ static void remove_from_proxy_hash_nl(REQUEST *request) request-proxy_listener = NULL; /* - * Got from YES in hash, to NO, not in hash while we hold + * Go from YES in hash, to NO, not in hash while we hold * the mutex. This guarantees that when another thread * grabs the mutex, the not in hash flag is correct. */ 
@@ -2264,7 +2264,7 @@ static int request_proxy(REQUEST *request, int retransmit) /* * We're actually sending a proxied packet. Do that now. */ - if (!insert_into_proxy_hash(request)) { + if (!request-in_proxy_hash !insert_into_proxy_hash(request)) { radlog_request(L_PROXY, 0, request, Failed to insert initial packet into the proxy list.); return -1; } @@ -2298,9 +2298,13 @@ static int request_proxy_anew(REQUEST *request) /* * Keep a copy of the old Id so that the * re-transmitted request doesn't re-use the old - * Id. + * Id. Note that in certain cases (socket crash) + * there is no Id as they have been purged from + * proxy_list, but there should still be a leftover + * packet hung off this request. */ RADIUS_PACKET old = *request-proxy; + int old_hash = request-in_proxy_hash; home_server *home; home_server *old_home = request-home_server; #ifdef WITH_TCP @@ -2327,7 +2331,7 @@ static int request_proxy_anew(REQUEST *request) } /* - * Don't free the old Id on error. + * Don't free the old Id (if any) on error. */ if (!insert_into_proxy_hash(request)) { radlog_request(L_PROXY, 0, request, Failed to insert retransmission into the proxy list.); @@ -2335,16 +2339,18 @@ static int request_proxy_anew(REQUEST *request) } /* - * Now that we have a new Id, free the old one + * Now that we have a new Id, free the old one (if any) * and update the various statistics. */ PTHREAD_MUTEX_LOCK(proxy_mutex); - fr_packet_list_yank(proxy_list, old); - fr_packet_list_id_free(proxy_list, old); - old_home-currently_outstanding--; + if (old_hash) { + fr_packet_list_yank(proxy_list, old); + fr_packet_list_id_free(proxy_list, old); + old_home-currently_outstanding--; #ifdef WITH_TCP - if (listener) listener-count--; + if (listener) listener-count--; #endif + } PTHREAD_MUTEX_UNLOCK(proxy_mutex); /* - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
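Review bot: the new guard in request_proxy (`if (!request-in_proxy_hash !insert_into_proxy_hash(request))`, as the hunk reads here) skips the insert whenever the request is already in the proxy hash, regardless of the `retransmit` parameter the function already takes, and, as the cover note admits, that bypasses the check that a duplicate does not reuse its predecessor's Id. Consider testing the explicit `retransmit` flag (or whatever distinguishes the request_proxy_anew caller) rather than the hash flag alone, and emitting a radlog_request line when the insert is skipped so the two paths into request_proxy can be told apart in -X output.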
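Review bot: `int old_hash = request-in_proxy_hash;` in request_proxy_anew snapshots the flag without holding proxy_mutex, while the comment being corrected in remove_from_proxy_hash_nl (first hunk) says the "not in hash" flag is only guaranteed correct while the mutex is held. If another thread can remove this request from the hash between that read and the PTHREAD_MUTEX_LOCK(proxy_mutex) later in the function, old_hash is stale and the yank/free runs on an entry that is no longer there. Either read the flag under the mutex, or add a comment stating why request_proxy_anew is only reached when no other thread can touch the request.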
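Review bot: in the last hunk, when old_hash is zero the whole block is skipped, including `old_home-currently_outstanding--` and the TCP `listener-count--`. That is only correct if the path that purged the entry from proxy_list (the socket-crash case the new comment describes) also adjusted those two counters; the hunk does not show that path, so please confirm it, otherwise the counters drift in the opposite direction from the roll-over the cover note reports. A short comment pointing at the purge code would help the next reader.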
Re: SQL_LOG Interim Update missing partial config error? huh?
Any possible updates on this? It seems at some point the man pages changed from using INSERTs and UPDATEs to only using INSERTs.

On 14/03/2012, at 3:52 PM, Aidan Rowe wrote:
> Hi Christiaan,
>
> It's because there is no SQL statement configured for Interim-Update by default; you need to create a query to be associated with it in modules/sql_log. A poor example:
>
> Interim-Update = "UPDATE ${acct_table} \
>     SET FramedIPAddress = '%{Framed-IP-Address}', \
>     AcctSessionTime = '%{Acct-Session-Time}', \
>     AcctInputOctets = '%{Acct-Input-Octets}', \
>     AcctOutputOctets = '%{Acct-Output-Octets}' \
>     WHERE AcctSessionId = '%{Acct-Session-Id}' \
>     AND UserName = '%{User-Name}';"
>
> While you've got this question posted, does anyone mind sharing their sql_log config? The default only talks about inserting a new row for start, stop and alive and nothing about doing updates on stop and interim-update. Is it still acceptable to use updates on stop/interim-update?
>
> On 14/03/2012, at 4:34 AM, Christiaan Rademan wrote:
>> Greetings Everyone,
>>
>> I am using FreeRadius + mySQL + SQLIPPOOL. FreeRADIUS Version 2.1.11.
>>
>> The start and stop accounting records work fine. My issue is I keep getting the following in the logs:
>>
>> Tue Mar 13 22:18:33 2012 : Info: [sql_log] Couldn't find an entry Interim-Update in the config section.
>>
>> Any idea why the interim-updates are not working? I have looked through the configuration; I can't find what config section it refers to. I mean the stuff should all be configured as per default for interim update; the sql query etc. is still in raddb/sql/mysql/dialup.conf. What special configuration do I have to do? Or where can I go read about it?
>>
>> Please advise!
>>
>> Many thanks!
>>
>> --
>> Christiaan Rademan - JNCIE #661
>> Mobile: +27 83 419 2078
>> E-mail: christiaan.rade...@gmail.com
Re: SQL_LOG Interim Update missing partial config error? huh?
On 03/15/2012 09:11 PM, Aidan Rowe wrote:
> Any possible updates on this? It seems at some point the man pages changed from using INSERTs and UPDATEs to only using INSERTs.

I'm guessing here, but I suspect the problem with doing UPDATEs is that they noop if the row isn't present. This can happen if an Accounting-Start packet gets dropped and fails its retransmit, for example. This is not a problem if you just do INSERTs.

The sql module (driven either synchronously, or asynchronously via buffered detail files / SQL) handles this differently for this exact reason - it does an UPDATE and if no rows are changed, does an INSERT instead.

FWIW we use sql_log and just INSERT to a log table, and a trigger on the table then does the UPDATE or INSERT magic. We never moved to using buffered SQL because we need to stream the auth logs as well as the accounting logs (long story) and I couldn't see a way to do that.
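The UPDATE-then-INSERT behaviour described in the reply above, as an added example that is not code from the thread or from FreeRADIUS's rlm_sql: four constructed accounting packets are replayed into an in-memory SQLite table, once with a plain UPDATE for Interim-Update and Stop (the style of the hand-written sql_log query earlier in the thread) and once with an INSERT fallback whenever the UPDATE matches no row. Session s2's Start packet is deliberately absent to reproduce the dropped-Start case. The schema, column names, session ids and counters are all constructed for the example.

```python
import sqlite3

# Constructed schema: the handful of radacct columns the sample queries touch.
SCHEMA = """
CREATE TABLE radacct (
    AcctSessionId    TEXT NOT NULL,
    UserName         TEXT NOT NULL,
    FramedIPAddress  TEXT,
    AcctSessionTime  INTEGER,
    AcctInputOctets  INTEGER,
    AcctOutputOctets INTEGER,
    PRIMARY KEY (AcctSessionId, UserName)
)"""

UPDATE_SQL = """UPDATE radacct
                SET FramedIPAddress = ?, AcctSessionTime = ?,
                    AcctInputOctets = ?, AcctOutputOctets = ?
                WHERE AcctSessionId = ? AND UserName = ?"""
INSERT_SQL = """INSERT INTO radacct (AcctSessionId, UserName, FramedIPAddress,
                                     AcctSessionTime, AcctInputOctets, AcctOutputOctets)
                VALUES (?, ?, ?, ?, ?, ?)"""


def _pkt(status, session, secs, in_octets, out_octets):
    """Constructed accounting packet, as the attribute/value pairs a module would see."""
    return {"Acct-Status-Type": status, "Acct-Session-Id": session, "User-Name": "alice",
            "Framed-IP-Address": "10.0.0.5", "Acct-Session-Time": secs,
            "Acct-Input-Octets": in_octets, "Acct-Output-Octets": out_octets}


PACKETS = [
    _pkt("Start", "s1", 0, 0, 0),
    _pkt("Interim-Update", "s1", 300, 1000, 2000),
    # session s2: the Start was lost on the wire; only later packets arrive
    _pkt("Interim-Update", "s2", 600, 3000, 4000),
    _pkt("Stop", "s2", 900, 5000, 6000),
]


def account(conn, pkt, fallback_insert):
    """Apply one accounting packet.

    Start always INSERTs. Interim-Update and Stop UPDATE the existing row; with
    fallback_insert set they INSERT instead when the UPDATE matched no row,
    which is the rlm_sql behaviour the reply describes. Without it, the packet's
    counters are silently lost, exactly the failure mode of a plain UPDATE query.
    """
    vals = (pkt["Framed-IP-Address"], pkt["Acct-Session-Time"],
            pkt["Acct-Input-Octets"], pkt["Acct-Output-Octets"])
    key = (pkt["Acct-Session-Id"], pkt["User-Name"])
    if pkt["Acct-Status-Type"] == "Start":
        conn.execute(INSERT_SQL, key + vals)
        return "inserted"
    cur = conn.execute(UPDATE_SQL, vals + key)
    if cur.rowcount == 1:
        return "updated"
    if fallback_insert:
        conn.execute(INSERT_SQL, key + vals)
        return "inserted"
    return "lost"  # UPDATE matched nothing and nothing else recorded the packet


def replay(packets, fallback_insert):
    """Replay packets into a fresh in-memory table; return per-packet outcomes and final rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    outcomes = [account(conn, p, fallback_insert) for p in packets]
    rows = conn.execute(
        "SELECT AcctSessionId, AcctSessionTime FROM radacct ORDER BY AcctSessionId").fetchall()
    conn.close()
    return outcomes, rows


if __name__ == "__main__":
    print("plain UPDATE:      ", replay(PACKETS, fallback_insert=False))
    print("UPDATE-then-INSERT:", replay(PACKETS, fallback_insert=True))
```

With the plain UPDATE, session s2 never appears in the table and both of its packets report "lost"; with the fallback, the first packet seen for s2 creates the row and the Stop then updates it, so the session is accounted for even though its Start never arrived.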
Re: Windows 7 clients
Hi,

> GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
>
> FR v2.1.10
>
> [peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A

This error is usually when the client is misconfigured in their trust settings. Why wouldn't your ca.pem file be trusted? Does it not contain the whole cert chain (in the right order)?

alan
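Both of Alan Buxey's replies in this thread turn on the same check: does the bundle the server hands out hold the server cert, then the intermediates, then the root, each one issued by the next? The checker below is an added example, not code from the thread or from FreeRADIUS. It splits a concatenated PEM file, pulls the issuer and subject Name out of each certificate with a small DER walker (standard library only, no `cryptography` dependency), and reports every place where one certificate's issuer does not match the next certificate's subject byte for byte, plus whether the last certificate is self-signed. The `toy_cert_pem` builder and the "Example ..." names are constructed sample data with just enough DER structure for the parser; they are not real certificates, and the parser assumes well-formed DER as real certificates provide.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(text):
    """Split a concatenated PEM bundle into DER blobs, in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der):
    """Return the raw DER issuer Name and subject Name of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = _tlv(tbs, pos)
    if tag == 0xA0:                        # optional EXPLICIT [0] version
        pos = nxt
    _, _, pos = _tlv(tbs, pos)             # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)        # issuer Name
    _, _, pos = _tlv(tbs, pos)             # validity
    _, subject, _ = _tlv(tbs, pos)         # subject Name
    return issuer, subject


def common_name(name_der):
    """Best-effort CN (OID 2.5.4.3) from a DER Name, for messages only."""
    i = name_der.find(b"\x06\x03\x55\x04\x03")
    if i < 0:
        return "<no CN>"
    _, value, _ = _tlv(name_der, i + 5)
    return value.decode("utf-8", "replace")


def check_chain_order(pem_text):
    """Return a list of problems; an empty list means leaf -> intermediates -> root,
    with every issuer equal (byte for byte) to the subject of the next certificate."""
    names = [issuer_and_subject(d) for d in pem_to_ders(pem_text)]
    if not names:
        return ["no certificates found"]
    problems = []
    for i in range(len(names) - 1):
        issuer, _ = names[i]
        _, next_subject = names[i + 1]
        if issuer != next_subject:
            problems.append(f"cert {i} is issued by '{common_name(issuer)}' but cert {i + 1} "
                            f"is '{common_name(next_subject)}': wrong order or missing link")
    last_issuer, last_subject = names[-1]
    if last_issuer != last_subject:
        problems.append(f"last cert '{common_name(last_subject)}' is not self-signed: root is missing")
    return problems


# ---- constructed sample data: DER skeletons, not real certificates ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _name(cn):
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue


def toy_cert_pem(subject_cn, issuer_cn):
    """Minimal DER with only the fields the parser reads: no key, no valid signature."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))  # version v3
           + _der(0x02, b"\x01")            # serialNumber
           + _der(0x30, b"")                # signature AlgorithmIdentifier (placeholder)
           + _name(issuer_cn)
           + _der(0x30, b"")                # validity (placeholder)
           + _name(subject_cn))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


LEAF = toy_cert_pem("radius.example.edu", "Example Intermediate CA")
INTERMEDIATE = toy_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = toy_cert_pem("Example Root CA", "Example Root CA")
GOOD_BUNDLE = LEAF + INTERMEDIATE + ROOT       # the order the server should send
SWAPPED_BUNDLE = LEAF + ROOT + INTERMEDIATE    # root and intermediate out of order
NO_ROOT_BUNDLE = LEAF + INTERMEDIATE           # root omitted

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("swapped", SWAPPED_BUNDLE), ("no root", NO_ROOT_BUNDLE)):
        print(label, check_chain_order(bundle) or "OK")
```

Point it at a real bundle with `check_chain_order(open("server.pem").read())`. Byte-equality of the DER Names is the strict form of the RFC 5280 name-chaining rule; a real chain produced by the same CA software will satisfy it, and a mismatch is almost always the ordering or missing-intermediate problem the thread is about.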
RE: freeRadius Server with Dynamic IP address.
Hello Alan:

I don't understand. So the radius server could only work in a LAN, except using proxy radius?

Joey

> Date: Thu, 15 Mar 2012 15:53:00 -0400
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: freeRadius Server with Dynamic IP address.
>
> ZhenJoey wrote:
>> But what about when the radius Server is also behind a NAT which will get a Dynamic IP address? (Server and NAS communicate with each other through the Internet!)
>
> That is a horrible way to run a RADIUS server.
>
>> How could I set the NAS's radius server IP address option?
>
> You don't. It's a bad idea.
>
>> The NAS I use is Compex WP543 and Netgear WG103; I don't think I could use a hostname or domain name instead of the IP address. Please advise me, thank you very much.
>
> The only possible advice is don't do it.
>
> Alan DeKok.
Re: Cannot authenticate TinyRadius with freeRadius
Hi,

Thanks for your suggestion. Actually the mistake was in the secret. It was wrongly written.

Thanks
Raihan
Re: freeRadius Server with Dynamic IP address.
2012/3/16 ZhenJoey snan4l...@hotmail.com:
> Hello Alan:
> I don't understand. So the radius server could only work in a LAN, except using proxy radius?

No. On most setups, a radius server needs a static IP address, accessible by the client (NAS). There are ways around that (e.g. using VPN), but the short answer to your original question is no, what you want to do is a bad idea.

--
Fajar