Re: rlm_python configTuple question

2012-05-30 Thread Phil Mayers

On 05/30/2012 06:43 AM, PENZ Robert wrote:

replyTuple are the attributes which are sent to the requesting NAS,
but I couldn't find out what configTuple is exactly. I currently only
pass an () and it works. Is it the same as "update control" and
setting variables in the normal config files?


Yes
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
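As an added illustration (not code from the original post or from FreeRADIUS itself): a minimal FreeRADIUS 2.x rlm_python module showing what goes in replyTuple versus configTuple. The user table, the VLAN values and the stand-in `radiusd` constants used when the module is loaded outside the server are assumptions for the demo.

```python
"""Added example, not from the list post or from FreeRADIUS: a minimal rlm_python
module for FreeRADIUS 2.x showing the three-element return value
(return_code, replyTuple, configTuple).

  replyTuple  -> attributes sent back to the NAS in the reply packet
  configTuple -> attributes written to the request's control list, the same list
                 an unlang "update control { ... }" block writes to, so this is
                 where Cleartext-Password (or NT-Password) goes for rlm_pap or
                 rlm_mschap to pick up.

The user table is constructed for the demo; a real module would query LDAP or SQL.
"""

try:
    import radiusd  # only importable inside the running server
except ImportError:
    class radiusd(object):
        """Stand-in constants so the module can be unit-tested outside radiusd
        (values match FreeRADIUS 2.x rlm_python)."""
        RLM_MODULE_REJECT = 0
        RLM_MODULE_OK = 2
        RLM_MODULE_NOTFOUND = 6
        RLM_MODULE_NOOP = 7
        RLM_MODULE_UPDATED = 8
        L_AUTH = 2

        @staticmethod
        def radlog(level, msg):
            print(msg)

# Constructed sample data: username -> (cleartext password, VLAN to assign)
_USERS = {
    "alice": ("correct horse", "10"),
    "bob": ("battery staple", "20"),
}


def _unquote(value):
    """FreeRADIUS 2.x passes string attribute values in their printed form, i.e.
    wrapped in double quotes; 3.x passes them bare. Accept both."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def _attr(pairs, name):
    """First value of attribute `name` in the (name, value) tuple the server passes in."""
    for attr, value in pairs:
        if attr == name:
            return _unquote(value)
    return None


def authorize(pairs):
    """Look the user up and hand the known-good password to the control list.

    Nothing is compared here on purpose: putting Cleartext-Password in configTuple
    lets rlm_pap (TTLS/PAP) or rlm_mschap (PEAP/MSCHAPv2) do the comparison with
    whatever the client actually sent, instead of this module only working for PAP.
    """
    user = _attr(pairs, "User-Name")
    if user not in _USERS:
        radiusd.radlog(radiusd.L_AUTH, "python: unknown user %r" % (user,))
        return radiusd.RLM_MODULE_NOTFOUND

    password, vlan = _USERS[user]
    reply_tuple = (
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", vlan),
    )
    config_tuple = (
        ("Cleartext-Password", password),
    )
    return (radiusd.RLM_MODULE_UPDATED, reply_tuple, config_tuple)


def post_auth(pairs):
    """Nothing to add after authentication; a bare int is also a valid return."""
    return radiusd.RLM_MODULE_NOOP
```

Note the `_unquote` helper: on 2.x the values arrive as `'"alice"'` rather than `'alice'`, which is the single most common reason a lookup in a fresh rlm_python module "never matches".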


Re: more EAP/TTLS trouble

2012-05-30 Thread Phil Mayers

On 05/29/2012 10:28 PM, Steve Hopps wrote:


So I'm confused, what's the right way to handle this situation?


What situation?

What are you trying to do?

Alan has already hinted at the issue, but basically see here:

http://deployingradius.com/documents/protocols/oracles.html

...and here:

http://deployingradius.com/documents/protocols/compatibility.html

Whatever protocol you are running within TTLS, it's not PAP therefore 
not compatible with PAM-as-an-oracle.


rlm_pam: Attribute "User-Password" is required for authentication.
++[pam] returns invalid

PAM is being forced (I think) here:

[files] users: Matched entry DEFAULT at line 222

...fix that line. Don't force PAM if you don't want or need it, and if 
you want/need it, pick compatible authentication.


The Proxy-To-Realm comments in the default config files might be out of 
date; in general, obey what the debug says over ANY other advice, 
because it's coming from the actual code.



RE: FreeRadius autoreply the access challenge

2012-05-30 Thread Tamás Becz
Hi,

> Subject: Re: FreeRadius autoreply the access challenge
> 
> sam wrote:
> > I setup the pam_radius_auth.so in pam.d/sshd to verify the 
> user using 
> > the remote Radius server
> > I think the message flow is right, but at the point-2 and 
> point-4, the 
> > prompt should be popped and ask us to input the passwd. 
> However, our 
> > freeradius sends the access-Request automatically.
> 
>   It's not FreeRADIUS.  It's the pam_radius_auth module.
> 
>   The application needs to support showing the challenges.  
> In this case, it's sshd.  If sshd doesn't support challenges, 
> then it won't work.
> 

Probably need to set 'ChallengeResponseAuthentication yes' in sshd config 
otherwise it just says 'Password:'.

tamas


Re: more EAP/TTLS trouble

2012-05-30 Thread Alan DeKok
Steve Hopps wrote:
> But according to the configuration file:
...
> update control {
>Proxy-To-Realm := LOCAL
> }
> 
> So I'm confused, what's the right way to handle this situation?

  Don't edit proxy.conf to delete the LOCAL realm?

  Alan DeKok.


Reading winbind reply failed! (0xc0000001)

2012-05-30 Thread Peter Kaagman
Hi there list,

Am in the process of using FreeRadius for 802.1x authentication and ran
into some problems with peap and mschap2.

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24
2011 at 07:53:12

Ubuntu 64bit 12.04 (wheezy/sid)

winbindd version 3.6.3

Ntlm_auth seems to work just fine:

pkn@radtest:~$ ntlm_auth --request-nt-key --domain=ATLAS --username=osgtest
password: 
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

Which is just fine... that user indeed does not exist.

pkn@radtest:~$ ntlm_auth --request-nt-key --domain=ATLAS --username=stafosg
password: 
NT_STATUS_OK: Success (0x0)

Good user and pass... no problem...

pkn@radtest:~$ ntlm_auth --request-nt-key --domain=ATLAS --username=stafosg
password: 
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Good user wrong pass... again no problem there

But radtest gives the following:

pkn@radtest:~$ radtest -t mschap stafosg ** localhost 0 testing123
Sending Access-Request of id 183 to 127.0.0.1 port 1812
User-Name = "stafosg"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
MS-CHAP-Challenge = 0x7f1105068ad7bc78
MS-CHAP-Response =
0x00010f03251526c7384a3b
76762e76c823a1ca6bd195649817d4
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=183,
length=20


And the following freeradius -X trace:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24
2011 at 07:53:12
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the GNU
General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius

Re: Reading winbind reply failed! (0xc0000001)

2012-05-30 Thread Phil Mayers

On 30/05/12 10:43, Peter Kaagman wrote:


Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)


Check permissions on the winbind socket in /var/cache/ and 
SELinux context/labels as well, if you're using it.


Odds are, FreeRADIUS is running as a user who can't talk to winbind for 
one of these reasons.



RE: Reading winbind reply failed! (0xc0000001)

2012-05-30 Thread Peter Kaagman


-Original message-
On 30/05/12 10:43, Peter Kaagman wrote:

>> Exec-Program output: Reading winbind reply failed! (0xc0000001)
>> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
>
> Check permissions on the winbind socket in /var/cache/ and
> SELinux context/labels as well, if you're using it.
>
> Odds are, FreeRADIUS is running as a user who can't talk to winbind for
> one of these reasons.

You were absolutely right.
For future reference:

Ubuntu (12.04) places the socket in /var/run/samba/winbindd_privileged
The socket itself is owned root:root, permissions s777
The directory is owned root:winbindd_privileged, permissions 750
Adding the user freerad to the group winbindd_privileged did the trick.

Thanks Peter
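An added example (not from the thread) of the permission check Phil suggests, done the way the kernel decides it: owner bits if the process owns the directory, otherwise group bits if one of the process's groups matches, otherwise other bits. Exactly one class applies, which is why a 750 directory owned by root:winbindd_privileged is unreachable for a non-member. The Ubuntu path and the `freerad` account come from Peter's post; treating them as defaults is an assumption.

```python
"""Added example, not from the thread: check whether the account the RADIUS
server runs as can reach winbindd's privileged socket directory, and say what
to change if it cannot. The path and account name in __main__ are assumptions
taken from the Ubuntu 12.04 layout described in the post.
"""

import grp
import os
import pwd
import stat


def access_decision(mode, st_uid, st_gid, uid, gids):
    """Mimic the kernel's owner/group/other selection for the execute (traverse) bit.

    Only one class is consulted: owning the directory means the group bits are
    never looked at, even if they would have allowed access.
    Returns (allowed, which_class_applied).
    """
    if uid == 0:
        return True, "root"
    if st_uid == uid:
        return bool(mode & stat.S_IXUSR), "owner"
    if st_gid in gids:
        return bool(mode & stat.S_IXGRP), "group"
    return bool(mode & stat.S_IXOTH), "other"


def user_gids(user):
    """Primary plus supplementary group ids, as the daemon gets them when it starts."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def check_winbind_dir(path, user):
    """Return a dict saying whether `user` can traverse `path`, and the fix if not."""
    if not os.path.isdir(path):
        return {"ok": False, "reason": "%s does not exist (is winbindd running?)" % path}
    st = os.stat(path)
    uid, gids = user_gids(user)
    mode = stat.S_IMODE(st.st_mode)
    ok, why = access_decision(mode, st.st_uid, st.st_gid, uid, gids)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    result = {"ok": ok, "reason": "decided by %s bits of %s (mode %o)" % (why, path, mode)}
    if not ok:
        # Supplementary groups are read at process start, so a restart is part of the fix.
        result["fix"] = "usermod -a -G %s %s, then restart the RADIUS server" % (group, user)
    return result


if __name__ == "__main__":
    import json
    # Assumed defaults from the post (Ubuntu 12.04 / Samba 3.6)
    print(json.dumps(check_winbind_dir("/var/run/samba/winbindd_privileged", "freerad"), indent=2))
```

The `fix` line deliberately says restart rather than reload: adding the user to the group does nothing for an already-running daemon, which is the usual reason "I added the group and it still fails".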


Re: Reading winbind reply failed! (0xc0000001)

2012-05-30 Thread alan buxey
Hi,

> You were absolutely right.

hmmm, usually if there is group issues for that socket then you get some
winbind_privileged error with the word 'crap' in it (literally!) - maybe
3.6.x has changed that behaviour/message?  I'd have to look at the sourcecode
of SAMBA...

alan


Re: more EAP/TTLS trouble

2012-05-30 Thread Steve Hopps
We're trying to use an access point configured for wpa2 using freeradius to
authenticate with openldap. For Android and Linux it works out of the box
with eap/ttls and pap. So we used Pam cause it already works with ldap. I
didn't know other encryption types wouldn't work with Pam.

IPhones work with a custom config profile that's easily installed. However,
our most significant hurdle is windows machines. Who would have guessed???
For some stupid reason Microsoft doesn't care about supporting all modern
encryption standards. Making our staff pay for SecureW2 isn't an option and
XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying
to get mschapv2 working with peap. This seems impossible.

Re: more EAP/TTLS trouble

2012-05-30 Thread Alan DeKok
Steve Hopps wrote:
> We're trying to use an access point configured for wpa2 using freeradius
> to authenticate with openldap. For Android and Linux it works out of the
> box with eap/ttls and pap. So we used Pam cause it already works with
> ldap. I didn't know other encryption types wouldn't work with Pam.

  This confuses me.  Why use PAM when FreeRADIUS can use LDAP directly?

> IPhones work with a custom config profile that's easily installed.
> However, our most significant hurdle is windows machines. Who would have
> guessed??? For some stupid reason Microsoft doesn't care about
> supporting all modern encryption standards. Making our staff pay for
> SecureW2 isn't an option and XSupplicant doesn't work reliably yet in
> 64bit Win7. So I'm back to trying to get mschapv2 working with peap.
> This seems impossible.

  It's possible.  It's easy.

  (a) configure FreeRADIUS to query LDAP directly

  (b) ensure that the passwords in LDAP are stored in a format
compatible with MS-CHAP.

  If you can do both, then getting PEAP to work should be trivial.

  In 2.1.2, you can use "radclient" to send MS-CHAP requests to the
server.  Don't even THINK of trying to get PEAP to work until you have
plain old MS-CHAP working.

  Alan DeKok.


Re: more EAP/TTLS trouble

2012-05-30 Thread alan buxey
Hi,

>an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm
>back to trying to get mschapv2 working with peap. This seems impossible.

its 100% possible natively if you expose either the plain text password, or NT-hashed
password to the server - eg with LDAP module.

alan


Re: more EAP/TTLS trouble

2012-05-30 Thread Phil Mayers

On 30/05/12 13:44, Steve Hopps wrote:


IPhones work with a custom config profile that's easily installed.
However, our most significant hurdle is windows machines. Who would have
guessed??? For some stupid reason Microsoft doesn't care about
supporting all modern encryption standards. Making our staff pay for
SecureW2 isn't an option and XSupplicant doesn't work reliably yet in
64bit Win7. So I'm back to trying to get mschapv2 working with peap.
This seems impossible.


It's certainly a shame that Windows 7 doesn't support TTLS/PAP.

PEAP/MSCHAP requires you have the plaintext password or NT hash, or 
access to an mschap "oracle" like ntlm_auth running on Samba as a member 
of the domain.


If you don't have those, you can't do PEAP/MSCHAP, and your options are 
very limited.


EAP-TLS, perhaps?


RE: more EAP/TTLS trouble

2012-05-30 Thread Aman Arneja
Hi Steve
Microsoft supports EAP-TTLS in our upcoming release of Windows 8. That
said, PEAP-MSCHAPv2 is as modern as EAP-TTLS and is a very widely and
simply deployed method. I have personally used the freeradius PEAP-MSCHAPv2
pretty much out of the box. As for the certificate error you saw earlier,
that was due to the nature of the design of a modern secure authentication
method, which has security features like Server Certificate
Validation enabled by default. If you just go through the net you will find
tonnes of working PEAP-MSCHAPv2 eap.conf's, and I suggest you compare yours
to the ones available for the authentication to work. Also, if you are
looking for TTLS only, you can test with the beta of Windows 8 and become
one of our early adopters when it releases.

Thanx and Regards

Aman Arneja

Sent from my Windows Phone

Re: more EAP/TTLS trouble

2012-05-30 Thread Steve Hopps
The reasons you stated are why I think this is near impossible. Our
passwords are stored with md5... I'm not fond of the idea that in
order to get this to work, we have to compromise our security policy.

As for the Windows salesman, leaving out features from one OS to sell
a newer OS is one of the reasons I cannot stand your company. That
said, Windows 7 is great in my opinion, like Windows XP. If you really
care, put pressure on your higher ups to extend the functionality to
support things like EAP/TTLS and PAP. I'm sure there's other
deficiencies.. How is it right to sell "ultimate" versions of an OS
for $150-200 when they dont even support as many features as a free,
open source system?

I just got into work, so I'll be looking over the suggestions and
making more attempts at this. Thanks again for all the help!




Re: more EAP/TTLS trouble

2012-05-30 Thread Stefan Winter
Hi,

> The reasons you stated are why I think this is near impossible. Our
> passwords are stored with md5... I'm not fond of the idea that in
> order to get this to work, we have to compromise our security policy.
> 
> As for the Windows salesman, leaving out features from one OS to sell
> a newer OS is one of the reasons I cannot stand your company. That
> said, Windows 7 is great in my opinion, like Windows XP. If you really
> care, put pressure on your higher ups to extend the functionality to
> support things like EAP/TTLS and PAP. I'm sure there's other
> deficiencies.. How is it right to sell "ultimate" versions of an OS
> for $150-200 when they dont even support as many features as a free,
> open source system?
> 
> I just got into work, so I'll be looking over the suggestions and
> making more attempts at this. Thanks again for all the help!

Here's one more: many folks in eduroam have gone through the exact same
considerations, and some indeed need TTLS-PAP. If it is unavoidable,
there is a GPLed version of SecureW2 which can deliver TTLS-PAP to older
versions of Windows. I'm sure you can find it on the internet somewhere.

Stefan



-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: more EAP/TTLS trouble

2012-05-30 Thread Alan DeKok
Steve Hopps wrote:
> The reasons you stated are why I think this is near impossible. Our
> passwords are stored with md5... I'm not fond of the idea that in
> order to get this to work, we have to compromise our security policy.

  Life is a series of compromises.  Deal with it.

> As for the Windows salesman, leaving out features from one OS to sell
> a newer OS is one of the reasons I cannot stand your company.

  I'll take that as "adding more features in newer releases".

  Windows 8 is the first version which supports TTLS.  While this should
arguably have been done years ago, it's nice to have it now.

  And if you're arguing against upgrades, you can do the same for
FreeRADIUS.  Version 3.0 will support RadSec (RADIUS over SSL).  Version
2.x will not.  Ever.

> That
> said, Windows 7 is great in my opinion, like Windows XP. If you really
> care, put pressure on your higher ups to extend the functionality to
> support things like EAP/TTLS and PAP. I'm sure there's other
> deficiencies.. How is it right to sell "ultimate" versions of an OS
> for $150-200 when they dont even support as many features as a free,
> open source system?

  They have different priorities.

  FreeRADIUS is about making software that works.

  Microsoft is about money.

  Guess which one works well, and which one has more money?

  Alan DeKok.


Re: more EAP/TTLS trouble

2012-05-30 Thread Steve Hopps
It's a frustrating situation because if Windows were to support all of
the encryption features that their competition does, indeed, that my
_phone_ supports, I would not need to compromise. I personally believe
a company can deliver a top product without sacrificing their profit
margin. Microsoft falls short of this, and here we have a perfect
example of precisely how. I also think their tiered version method
they introduced with Vista is dishonest, as a result of this. But
we're getting off track.

It's too bad the XSupplicant project is not yet to the point of
stability with Windows 7 64-Bit. I haven't had an opportunity to test
it with 32-Bit yet, I imagine it works okay with Windows XP, but many
of our employees are using Windows 7 on newer laptops. If that app
worked, this wouldn't be a problem. If you ask me, that is the nature
of the beast when it comes to computers. It'll work in a month, or a
year, or several years, but for now we just beat our heads against the
wall.

In quick response to Stefan, I'm not associated with eduroam, however,
I have found the eduroam instructions to be very helpful in getting
this working as far as I have. In particular, the iphone support. So
thanks for that. :)



Re: more EAP/TTLS trouble

2012-05-30 Thread alan buxey
Hi,

> It's a frustrating situation because if Windows were to support all of
> the encryption features that their competition does, indeed, that my
> _phone_ supports, I would not need to compromise. I personally believe
> a company can deliver a top product without sacrificing their profit
> margin. Microsoft falls short of this, and here we have a perfect
> example of precisely how. I also think their tiered version method
> they introduced with Vista is dishonest, as a result of this. But
> we're getting off track.

...but whilst you worry about the server (which you can secure) you are happy
with EAP-TTLS/PAP - which, whilst it lets you do your secure server stuff, means
that you can have users with badly configured clients which don't do the
required CA checking or RADIUS CN checking - who will then quite happily send
me, running a nasty MiTM attack RADIUS server, their username+password.

your worries seem to be at the wrong end of the security mix. where YOU control
the security ecosystem you can do other things...after all, your RADIUS server
can quite happily log in clear text your secure things..

alan
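An added example (not from alan buxey's post) of the client-side checks he refers to, written as a lint over wpa_supplicant `network={}` blocks: a TTLS or PEAP client without a pinned CA and an expected server name will complete the TLS tunnel with any rogue access point's RADIUS server and hand over the inner credential. The two configurations are constructed; the CA path and server name are assumptions.

```python
"""Added example, not from the thread: lint wpa_supplicant network blocks for the
settings that stop a rogue RADIUS server from harvesting TTLS/PEAP credentials.
Sample configurations are constructed for the demo.
"""

import re

# Constructed: the weak block is what many "just make it connect" guides produce.
WEAK_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="correct horse"
    phase2="auth=PAP"
}
"""

# Constructed: same network with the server pinned (CA path and name are assumptions).
HARDENED_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    anonymous_identity="anonymous@example.org"
    password="correct horse"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
_KV = re.compile(r"^\s*([A-Za-z0-9_]+)=(.*?)\s*$")
_TUNNELLED = {"TTLS", "PEAP", "FAST"}  # methods whose inner credential is a password


def parse_networks(text):
    """One dict per network={...} block, with surrounding quotes stripped from values."""
    nets = []
    for body in _BLOCK.findall(text):
        kv = {}
        for line in body.splitlines():
            m = _KV.match(line)
            if m:
                kv[m.group(1)] = m.group(2).strip('"')
        nets.append(kv)
    return nets


def audit_network(net):
    """Problems that weaken this block against a rogue RADIUS server (empty list = fine)."""
    problems = []
    if net.get("eap", "") not in _TUNNELLED:
        return problems  # EAP-TLS etc.: no password inside the tunnel to steal
    if not net.get("ca_cert"):
        problems.append("no ca_cert: any certificate chain is accepted")
    if not (net.get("domain_suffix_match") or net.get("subject_match") or net.get("altsubject_match")):
        problems.append("no server name check: any certificate from the CA is accepted")
    if not net.get("anonymous_identity"):
        problems.append("outer identity reveals the real username to every AP (informational)")
    return problems


def audit(text):
    """Map ssid -> list of problems for every block in a wpa_supplicant.conf."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(text)}
```

Only the first two findings are credential-theft issues; the outer identity one is listed because eduroam-style deployments treat it as part of the same client profile.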


how to set h323-credit-amount

2012-05-30 Thread Varun Agrawal
hi All,

I am using FreeRADIUS Version 2.1.12  .

how can i set h323-credit-amount,h323-credit-time for a access reply

regards,
Varun Agrawal

VARUN AGRAWAL | SOFTWARE ENGINEER
GlobalLogic Inc. | Innovation by Design
ARGENTINA | CHILE | CHINA | INDIA | ISRAEL | UKRAINE | UK | USA
Office: +911204342000 x 4213 | Mobile: +91.99.111.72990
www.globallogic.com

http://www.globallogic.com/email_disclaimer.txt

accounting in syslog

2012-05-30 Thread Luo, Frank Y.F. Mr.
Is there a way to send accounting log to syslog instead of detail file in 
radacct?

Also, instead of sending it to the SQL DB, I tried to use sql-file, but it results in
a lot of SQL commands (we really don't want to run the SQL commands later).

INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause)
 VALUES ('4fc645a8/00:25:00:3e:e6:c2/188601', 'luoy', '172.18.47.242', '172.25.128.186', '2012-05-30 12:07:04', '0', '0', '');
INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause)
 VALUES ('4fc645d8/10:40:f3:1c:a3:b4/188604', '1040f31ca3b4', '172.18.47.242', '172.24.146.51', '2012-05-30 12:07:52', '0', '0', '');


Also noticing the UserName part, a lot of times that a binary username is 
logged, like here "1040f31ca3b4", instead of the real name. How to fix this?

THanks for the help

Frank



Re: accounting in syslog

2012-05-30 Thread Phil Mayers

On 30/05/12 18:00, Luo, Frank Y.F. Mr. wrote:

Is there a way to send accounting log to syslog instead of detail
file in radacct?


See "linelog"



Also instead of sending it to sql db, i tried to use sql-file but it
results in a lot of sql command (we really don't want to run the sql
command later).


I don't know what this means, I'm afraid.



Also noticing the UserName part, a lot of times that a binary
username is logged, like here "1040f31ca3b4", instead of the real
name. How to fix this?


That's not a "binary username". It's the MAC address, without any colons.
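An added example, not Phil's or FreeRADIUS's code: rlm_linelog is the in-server way to get one-line accounting into syslog, but the same transformation done stand-alone over existing detail files is useful for back-filling, and it also shows how to recognise the MAC-as-username records Phil describes. The two detail records below are constructed from the values in Frank's SQL output.

```python
"""Added example, not from the thread: convert FreeRADIUS "detail" accounting
records to one-line key=value messages for syslog, flagging MAC-address
usernames. Sample records are constructed from the values in the post.
"""

import re

SAMPLE_DETAIL = """\
Wed May 30 12:07:04 2012
\tAcct-Session-Id = "4fc645a8/00:25:00:3e:e6:c2/188601"
\tAcct-Status-Type = Start
\tUser-Name = "luoy"
\tNAS-IP-Address = 172.18.47.242
\tFramed-IP-Address = 172.25.128.186
\tTimestamp = 1338372424

Wed May 30 12:07:52 2012
\tAcct-Session-Id = "4fc645d8/10:40:f3:1c:a3:b4/188604"
\tAcct-Status-Type = Start
\tUser-Name = "1040f31ca3b4"
\tNAS-IP-Address = 172.18.47.242
\tFramed-IP-Address = 172.24.146.51
\tTimestamp = 1338372472

"""

_ATTR = re.compile(r"^\s+([A-Za-z0-9\-]+)\s*=\s*(.*)$")
_MAC = re.compile(r"^[0-9a-fA-F]{12}$")


def parse_detail(text):
    """Yield one dict per record: records are blank-line separated, the first
    line is the server's own timestamp, then one indented 'Attr = value' per line."""
    record = None
    for line in text.splitlines():
        if not line.strip():
            if record is not None:
                yield record
                record = None
            continue
        if record is None:
            record = {"_date": line.strip()}
            continue
        m = _ATTR.match(line)
        if m:
            record[m.group(1)] = m.group(2).strip().strip('"')
    if record is not None:
        yield record


def normalize_username(name):
    """MAC-authenticated devices appear with the MAC, minus separators, as User-Name.
    Returns (username, is_mac), with the MAC in colon form so it joins with the
    session id / Calling-Station-Id."""
    if _MAC.match(name):
        mac = name.lower()
        return ":".join(mac[i:i + 2] for i in range(0, 12, 2)), True
    return name, False


def to_syslog_line(rec):
    """One key="value" line per record; fields chosen to match the SQL columns in the post."""
    user, is_mac = normalize_username(rec.get("User-Name", ""))
    fields = [
        ("type", rec.get("Acct-Status-Type", "?")),
        ("user", user),
        ("mac_auth", "yes" if is_mac else "no"),
        ("session", rec.get("Acct-Session-Id", "")),
        ("nas", rec.get("NAS-IP-Address", "")),
        ("ip", rec.get("Framed-IP-Address", "")),
        ("ts", rec.get("Timestamp", "")),
    ]
    return " ".join('%s="%s"' % (k, v) for k, v in fields)


def convert(text):
    return [to_syslog_line(r) for r in parse_detail(text)]


def send_to_syslog(lines, ident="radacct"):
    """Ship the lines to the local syslog daemon as daemon.info."""
    import syslog  # Unix only
    syslog.openlog(ident, 0, syslog.LOG_DAEMON)
    for line in lines:
        syslog.syslog(syslog.LOG_INFO, line)
    syslog.closelog()


if __name__ == "__main__":
    for line in convert(SAMPLE_DETAIL):
        print(line)
```

The `mac_auth` field is the cheap way to keep device records from being mistaken for people when the lines are later searched by username.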


Radius Server stuck and stop responding.

2012-05-30 Thread Awais
We are using radius server for IPTV services.
It was running fine but two days ago it got stuck and stopped responding. But
after a restart it is working fine now. I want to know what may be the problem
because of which it got stuck and stopped responding. It is on trial so they want
to know the reason. It will also help me in future to remove that bug.




Re: Radius Server stuck and stop responding.

2012-05-30 Thread Fajar A. Nugraha
On Thu, May 31, 2012 at 11:56 AM, Awais  wrote:
> We are using radius server for IPTV services.
> It was running fine but 2 days before it stuck and stop responding. But
> after restart it is working fine now, i want to know what may be the problem
> because of which it stuck and stop responding. It is on trail so they want
> to know the reason. It will also help me in future to remove that bug.

Start with saying what version you use, and how you install it on what
OS. Some combinations have known bugs.

Also, check what radius log says (usually in /var/log/radius or
/var/log/freeradius). It has very useful message in some cases (e.g.
when the backend db doesn't respond fast enough).

-- 
Fajar


Re: Radius Server stuck and stop responding.

2012-05-30 Thread Awais
Red Hat Enterprise Linux Server release 5.5

Installed by using the tar.gz file: first untar it and then make, make install etc.

Database is on other server.

And please also tell me how I can know how many requests were being processed
at that time?

Part of log file is below:


Query to execute ::
  CALL
Proc_Ngi_IPTV_Authentication('00606E71E0D6','E8D9BE8F','0','E8D9BE8F',@ret);
select @ret 

 --Result--- 
 Value of Return Code :: 0

 Request Start time =  67058605  
 User-Name = 00606E71E0D6 
 User-Password =  E8D9BE8F 
 Authorize-type = 0 
 Caller id is  = E8D9BE8F 
 CALL
Proc_Ngi_IPTV_Authentication('00606E71E0D6','E8D9BE8F','0','E8D9BE8F',@ret);
select @ret 
 Return-code  =  0 
 USERNAME & PASSWORD HAVE JUST MATCHED 
 REQUEST END TIME = 67058764 
 Process time =  159
  modcall[authorize]: module "sql" returns ok for request 41885
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 41885
modcall: leaving group authorize (returns ok) for request 41885
  rad_check_password:  Found Auth-Type PAP
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [00606E71E0D6/E8D9BE8F] (from client localhost port 0 cli
E8D9BE8F)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 41885
radius_xlat: 
'/usr/local/var/log/radius/radacct/10.2.4.17/auth-detail-20120516:18'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d:%H
expands to
/usr/local/var/log/radius/radacct/10.2.4.17/auth-detail-20120516:18
  modcall[post-auth]: module "reply_log" returns ok for request 41885
modcall: leaving group post-auth (returns ok) for request 41885
Sending Access-Accept of id 222 to 111.12.432.17 port 33
ReturnCode = 0
Finished request 41885
Going to the next request
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 10.2.4.17:33033, id=222, length=92
Sending duplicate reply to client localhost:33033 - ID: 222
Re-sending Access-Accept of id 222 to 111.12.432.17 port 33
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 41856 ID 178 with timestamp 4fb4565e
Cleaning up request 41857 ID 179 with timestamp 4fb4565e
Cleaning up request 41858 ID 180 with timestamp 4fb4565e
Cleaning up request 41859 ID 181 with timestamp 4fb4565e
Cleaning up request 41860 ID 182 with timestamp 4fb4565e
Cleaning up request 41861 ID 183 with timestamp 4fb4565e
Cleaning up request 41862 ID 184 with timestamp 4fb4565e
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 41863 ID 185 with timestamp 4fb4565f
Cleaning up request 41864 ID 187 with timestamp 4fb4565f
Cleaning up request 41865 ID 193 with timestamp 4fb4565f
Cleaning up request 41866 ID 195 with timestamp 4fb4565f
Cleaning up request 41867 ID 196 with timestamp 4fb4565f
Cleaning up request 41868 ID 197 with timestamp 4fb4565f
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 41869 ID 198 with timestamp 4fb45660
Cleaning up request 41870 ID 199 with timestamp 4fb45660
Cleaning up request 41871 ID 200 with timestamp 4fb45660
Cleaning up request 41872 ID 202 with timestamp 4fb45660
Cleaning up request 41873 ID 203 with timestamp 4fb45660
Cleaning up request 41874 ID 204 with timestamp 4fb45660
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 41875 ID 206 with timestamp 4fb45661
Cleaning up request 41876 ID 207 with timestamp 4fb45661
Cleaning up request 41877 ID 212 with timestamp 4fb45661
Cleaning up request 41878 ID 214 with timestamp 4fb45661
Cleaning up request 41879 ID 215 with timestamp 4fb45661
Cleaning up request 41880 ID 216 with timestamp 4fb45661
Cleaning up request 41881 ID 218 with timestamp 4fb45661
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 41882 ID 219 with timestamp 4fb45662
Cleaning up request 41883 ID 220 with timestamp 4fb45662
Cleaning up request 41884 ID 221 with timestamp 4fb45662
Cleaning up request 41885 ID 222 with timestamp 4fb45662
Nothing to do.  Sleeping until we see a request.
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
Exiting...
rlm_sql (sql): Closing sqlsocket 14
rlm_sql (sql): Closing sqlsocket 13
rlm_sql (sql): Closing sqlsocket 12
rlm_sql (sql): Closing sqlsocket 11
rlm_sql (sql): Closing sqlsocket 10
rlm_sql (sql): Closing sqlsocket 9
rlm_sql (sql): Closing sqlsocket 8
rlm_sql (sql): Closing sqlsocket 7
rlm_sql (sql): Closing sqlsocket 6
rlm_sql (sql): Closing sqlsocket 5
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
[  OK  ]


Re: Radius Server stuck and stop responding.

2012-05-30 Thread Alan Buxey
I see a duplicate reply. That suggests that your SQL is being too slow. Look at
optimising it, e.g. indexes on the tables you query, or migrate to a better DB.

If MySQL, then look at reducing the number of connections to 10.

alan
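As an added example (not code from this thread or from FreeRADIUS), the check Fajar and Alan describe can be automated over the debug log: pull the per-request "Process time" values printed by the site's stored procedure and count "Sending duplicate reply" lines, so slow backend queries can be correlated with the NAS retransmissions they cause. The sample log is constructed from the lines quoted above; the slowness threshold and the assumption that "Process time" is in milliseconds are mine.

```python
import re
from collections import Counter

# Constructed sample modelled on the FreeRADIUS debug output quoted in the thread.
SAMPLE_LOG = """\
 Request Start time =  67058605
 User-Name = 00606E71E0D6
 REQUEST END TIME = 67058764
 Process time =  159
Sending Access-Accept of id 222 to 10.2.4.17 port 33033
rad_recv: Access-Request packet from host 10.2.4.17:33033, id=222, length=92
Sending duplicate reply to client localhost:33033 - ID: 222
Re-sending Access-Accept of id 222 to 10.2.4.17 port 33033
 Request Start time =  67059000
 User-Name = 00606E71E0D7
 REQUEST END TIME = 67059020
 Process time =  20
Sending Access-Accept of id 223 to 10.2.4.17 port 33033
"""

USER_RE = re.compile(r"User-Name\s*=\s*(\S+)")
PROC_TIME_RE = re.compile(r"Process time\s*=\s*(\d+)")
DUP_RE = re.compile(r"Sending duplicate reply to client (\S+) - ID: (\d+)")


def analyse(log_text, slow_threshold=100):
    """Return (slow_requests, duplicate_counts).

    slow_requests: list of (User-Name, process_time) whose backend call took
    at least slow_threshold units (assumed milliseconds; an assumption, the
    log does not state the unit).
    duplicate_counts: {(client, packet_id): count} of retransmitted requests,
    i.e. the NAS gave up waiting for a reply and sent the request again.
    """
    slow = []
    dups = Counter()
    current_user = None
    for line in log_text.splitlines():
        if m := USER_RE.search(line):
            current_user = m.group(1)      # remember who the next timing belongs to
        elif m := PROC_TIME_RE.search(line):
            elapsed = int(m.group(1))
            if elapsed >= slow_threshold:
                slow.append((current_user, elapsed))
        elif m := DUP_RE.search(line):
            dups[(m.group(1), int(m.group(2)))] += 1
    return slow, dict(dups)


if __name__ == "__main__":
    slow, dups = analyse(SAMPLE_LOG)
    print("slow backend calls:", slow)
    print("duplicate replies:", dups)
```

A rising duplicate count alongside long process times points at the backend, not the RADIUS daemon, as the thing to tune.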
