date:20120808

Hello!

we are using freeradius2 version 2.1.10 on a centos/rhel 5 Server. We
authenticate several ubnt clients on ubnt AP's via EAP-PEAP/MSCHAPV2.
This works very well, but sometimes the clients got an Access-Reject and i
don't know why ;(

I set the radius Server to debug mode and get those output:

Waking up in 0.7 seconds.
Waking up in 2.2 seconds.
Waking up in 1.9 seconds.
WARNING:
!!
WARNING: !! EAP session for state 0x69522edb6a233743 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!
Waking up in 0.3 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file
/etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file
/etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file
/etc/raddb/sites-enabled/default
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 3.9 seconds.
Waking up in 1.9 seconds.
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file
/etc/raddb/sites-enabled/default
# Executing group from file /etc/raddb/sites-enabled/default
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Login incorrect: [m1588a00@EAP/via Auth-Type = EAP] (from client
10.55.0.0/16 port 0 cli 00-27-22-D2-CD-83)
# Executing group from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Waking up in 0.9 seconds.

The wiki talks about windows clients and decreasing the tunnel MTU. I'm not
sure what they mean.
How can i get a more detailed debug msg on what is actually wrong.

thx for your help

Stefan
__
www.epb.at
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time

On Wed, Aug 8, 2012 at 2:44 PM, stefan novak lms.bruba...@gmail.com wrote:
 Hello!

 we are using freeradius2 version 2.1.10 on a centos/rhel 5 Server. We
 authenticate several ubnt clients on ubnt AP's via EAP-PEAP/MSCHAPV2.
 This works very well, but sometimes the clients got an Access-Reject and i
 don't know why ;(

If it's sometimes, then it would be wise to compare the debug log of
when the client succeeds and when it does not. Also, IIRC RHEL5 has
2.1.12 already, so you should upgrade just in case this is a fixed
bug.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius Timeout instead of Access-Reject

Hi,

there's reject_delay in radiusd.conf

It is typcially set to one second to prevent some attacks. You could set
it to zero and then the reject may come through faster.

Still, 300 ms is *really* low even for that - depending on the time your
auth backend needs to even determine whether it was success or failure
may take longer than that.

Stefan

On 07.08.2012 20:55, Antonio Modesto wrote:
 You're right, it worked. The default mikrotik timeout is 300ms, I've set
 it to 5000 ms and I've got the right answer. One more question, Though
 I'll reconfigure all the timeout's on my nas'es, why doesn't this
 problem happen with freeradius 1.X? Is that normal? Or is it something
 that's causing my freeradius 2.x to take longer to reply the requests
 
 2012/8/7 Alan DeKok al...@deployingradius.com
 mailto:al...@deployingradius.com
 
 Antonio Modesto wrote:
  Hi,
 
  I work at an ISP in Brazil, our main radius server is running
 freeradius
  1.X. I'm configuring a new server with freeradius 2.X and doing some
  tests to see if I find any problem before putting it on production. So
  far I've found a little problem that doesn't disable me to put it in
  production, but can confuse in case of a radius failure. When an
  authentication failure happens, on the nas it appears that the radius
  server is not responding, it shows a Radius timeout message, here is
  the output of the radius debug:
 
   The timeouts on the NAS are set WAY too low.
 
  Delaying reject of request 4 for 1 seconds
  Going to the next request
  Waking up in 0.9 seconds.
  rad_recv: Access-Request packet from host 192.168.2.100 port 35710,
  id=86, length=145
  Waiting to send Access-Reject to client teste port 35710 - ID: 86
 
   i.e. the NAS didn't see a reply, and retransmitted.
 
  Waking up in 0.6 seconds.
  rad_recv: Access-Request packet from host 192.168.2.100 port 35710,
  id=86, length=145
  Waiting to send Access-Reject to client teste port 35710 - ID: 86
 
   And retransmitted again 0.3 seconds later.
 
  Waking up in 0.3 seconds.
  Sending delayed reject for request 4
  Sending Access-Reject of id 86 to 192.168.2.100 port 35710
 
   And then the server responded 0.3 seconds later.
 
   Fix the NAS so it doesn't have *ridiculous* timeouts.  RADIUS timeouts
 are normally in the multi-second range.  Having the NAS retransmit
 multiple times a second is stupid, wrong, and will create problems.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 
 
 
 -- 
 Atenciosamente,
 *
 Antônio Modesto
 
 Gerente de TI*
 
 
 
 
 
 Praça Getúlio Vargas, 77 – Sala 308 – Centro
 
 Santo Antônio do Monte – MG – CEP: 35560-000
 Tel:(37) 3281-2800
 
 Contato: isimp...@isimples.com.br mailto:isimp...@isimples.com.br
 http://www.isimples.com.br
 
 
 Aviso:Esta mensagem e quaisquer arquivos em anexo podem conter
 informações confidenciais e/ou
 
 privilegiadas. Se você não for o destinatário ou a pessoa autorizada a
 receber esta mensagem, por favor, não
 
 leia, copie, repasse, imprima, guarde, nem tome qualquer ação baseada
 nessas informações. Notifique o
 
 remetente imediatamente por e-mail e apague a mensagem permanentemente.
 Atenção: embora a Isimples
 
 Telecom, tome seus cuidados para garantir a ausência de vírus neste
 e-mail, a empresa não se responsabiliza
 
 por quaisquer perdas ou danos decorrentes do uso da mensagem e seus
 anexos. A segurança e ausência de
 
 erros na transmissão do e-mail não podem ser garantidas, já que as
 informações podem ser interceptadas,
 
 corrompidas, perdidas, destruídas, atrasadas, chegarem incompletas, ou,
 ainda, conter vírus. Recomendamos
 
 checar se o e-mail e seus anexos contém vírus, uma vez que nem a
 Isimples Telecom ou o remetente se
 
 responsabilizam pela transmissão destes.
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



signature.asc
Description: OpenPGP digital signature
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Radius copy accounting

2012-08-08 Thread BELLIERE Eric

Thanks but with sql I can send the attribute to Oracle DB without any
problem? So can you please help me with this unlang command to add? And
where?

In preacct section of my virtual sites?

Eric B.


-Original Message-
From:
freeradius-users-bounces+eric.belliere=mail.mobistar.be@lists.freeradius
.org
[mailto:freeradius-users-bounces+eric.belliere=mail.mobistar...@lists.fr
eeradius.org] On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: Monday 6 August 2012 15:34
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 88, Issue 24

Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-requ...@lists.freeradius.org

You can reach the person managing the list at
freeradius-users-ow...@lists.freeradius.org

When replying, please edit your Subject line so it is more specific than
Re: Contents of Freeradius-Users digest...


Today's Topics:

   1. Re: Radius copy accounting (Matthew Newton)
   2. Re: Radius copy accounting (alan buxey)
   3. Re: RES: FR 3 Event-Timestamp wrong format and Mysql
  FROM_UNIXTIME error (Alan DeKok)
   4. Duplicate Radius Accounting (Christopher Manigan)
   5. Re: Duplicate Radius Accounting (Alan DeKok)
   6. Freeradius Accounting (Robert Souter)


--

Message: 1
Date: Mon, 6 Aug 2012 13:39:06 +0100
From: Matthew Newton m...@leicester.ac.uk
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Subject: Re: Radius copy accounting
Message-ID: 20120806123906.gb15...@rootmail.cc.le.ac.uk
Content-Type: text/plain; charset=us-ascii

On Mon, Aug 06, 2012 at 02:30:14PM +0200, BELLIERE Eric wrote:
 As you can see this schema is working well except that the attribute
REALM is not include in the packet?
 
 We can see it in the detail file but when FR proxy the packet this
attribute is missing?

Realm is an internal attribute (see dictionary.freeradius.internal) and
as such doesn't appear in any packets in transit.

Matthew


--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


--

Message: 2
Date: Mon, 6 Aug 2012 13:49:08 +0100
From: alan buxey a.l.m.bu...@lboro.ac.uk
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Subject: Re: Radius copy accounting
Message-ID: 20120806124908.ga15...@lboro.ac.uk
Content-Type: text/plain; charset=us-ascii

Hi,

As you can see this schema is working well except that the
attribute REALM
is not include in the packet?

as already said this is an internal engine attribute. if you want this
to be exposed in other systems, you will need to use eg 'unlang' to
populate a suitable attribute with this value

alan


--

Message: 3
Date: Mon, 06 Aug 2012 14:59:34 +0200
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Subject: Re: RES: FR 3 Event-Timestamp wrong format and Mysql
FROM_UNIXTIME   error
Message-ID: 501fbfb6.7080...@deployingradius.com
Content-Type: text/plain; charset=ISO-8859-1

lscrlstld wrote:
 '%{NAS-Port-Type}',  FROM_UNIXTIME(%{Event-Timestamp}),

  Well, that's wrong.  That was fixed ~2 weeks ago.  I also said it
should be %{integer:Event-Timestamp}

  Please grab an updated copy of the dialup.conf file.

  Alan DeKok.


--

Message: 4
Date: Mon, 6 Aug 2012 13:13:44 +
From: Christopher Manigan cmani...@towerstream.com
To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
Subject: Duplicate Radius Accounting
Message-ID:

72d41b40ee32e749ae3ae3b7190aa7ce1e142...@mail01.corp.towerstream.com
Content-Type: text/plain; charset=us-ascii

In my logs I see many entries like the following:

Info: WARNING: Child is hung for request 51651 in component core
module queue.3
Error: Dropping request (2049 is too many): from client myhost.mysite
port 32869 - ID: 239

In the last ~10 hours, the status server reports the following for
accounting:

Responses0
Duplicate954442
Malformed115045
Invalid  564029
Dropped  0
Unknown  0

Radius will hang and start to time out and eventually die.  It looks
like the duplicate count gets extremely high very quickly.  Could it be
the NAS that are pointing to it?  Or could it be my radius configs
somehow causing this?  I am not really sure how to prove it out or
troubleshoot.  I can increase the max requests but I don't think that is
the right solution.

Chris

Re: Radius copy accounting

Please do NOT send, forward, or reply an entire digest mail. It's
rude, useless, and will only make others unwilling to help you.

On Wed, Aug 8, 2012 at 3:19 PM, BELLIERE Eric
eric.belli...@mail.mobistar.be wrote:
 Thanks but with sql I can send the attribute to Oracle DB without any
 problem?

If you included excerpts of messages from the ORIGINAL thread (instead
of the digest), it would help others understand what you're talking
about.

Anyway, you should spend some time to understand how radius works.

In short, do you have the list of attributes in the original
accounting request? I'm not talking about the detail file, but rather
the accounting packet that FR receives. If you PROXY that packet to
another radius, then by default you'd get (roughly) what's in the
original packet. Which doesn't include REALM attribute.

You COULD add an attribute (e.g. using unlang, see
http://freeradius.org/radiusd/man/unlang.html), probably in pre-proxy
section. However if you want to do that, you need to use another
attribute (i.e. NOT realm, since it's FR's internal attribute), and
the destination radius server also needs to understand that attribute.
It's easy enough if the destination server is also FR (in which case
you can just create a custom attribute in both servers, or hijack one
of the ununsed vendor-spesific attributes), but it might not be so
easy with other radius servers.

Logging to an oracle db does not involve proxying the accounting
packet, so you can pretty much use whatever attributes or variables
that FR recognizes, including internal attributes.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time


 If it's sometimes, then it would be wise to compare the debug log of
 when the client succeeds and when it does not. Also, IIRC RHEL5 has
 2.1.12 already, so you should upgrade just in case this is a fixed
 bug.


just updated my testserver to 2.1.12.
I test now with rad_eap_test utility to eliminate a client failure. the
behaviour gets more stranger. the test utility also fails sometimes, but
the radius server seams to be ok now?


[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 1
[root@wlan-radius rad_eap_test-0.23]#

} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = nagios
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = nagios
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 9 to 172.21.15.1 port 59848
EAP-Message =
0x010a003b19001703010030a46c09beb178741efc835036735026e09d8b1b1b44a88b55fce72fc28133dbf7e6edca8c0a65a6a2a85fd98f2f6e
Message-Authenticator = 0x
State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
Finished request 779.
Going to the next request
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=10,
length=226
User-Name = nagios
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 70-6F-6C-69-73-68
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = rad_eap_test + eapol_test
EAP-Message =
0x020a006019001703010020fcc074273699ca1e907af0200b96b3eaa01064887cff1a26b692f38602c3a48817030100309381801c8d424b14a2d053af534f137d1f632c69aa0572f0720bec578a1d6a61df79dc279e86b9f81d68dc6c81191e8f
State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
Message-Authenticator = 0xb3249ed0ca17319a8d00741f734c974b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = nagios, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 10 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [nagios/via Auth-Type = EAP] (from client 172.21.15.1 port 0
cli 70-6F-6C-69-73-68)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql]   expand: %{User-Name} - nagios
[sql] sql_set_user escaped user -- 'nagios'
[sql]   expand: %{User-Password} -
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} -
[sql]   expand: INSERT INTO radpostauth
(username, pass, reply, authdate)   VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') - INSERT INTO radpostauth
(username, pass, reply, authdate)   VALUES
(   'nagios',   '',
  'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth

Re: Problem with EAP Authentication working not every time

Hi,

just updated my testserver to 2.1.12.

I test now with rad_eap_test utility to eliminate a client failure. the
behaviour gets more stranger. the test utility also fails sometimes, but
the radius server seams to be ok now?
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P
1812 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P
1812 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P
1812 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P
1812 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P
1812 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 1


where the fail? all those are access-accept. 


byt he way rad_eap_test isnt the best tool to use - use 'eapol_test' instead - 
comes
as part of 'WPA_Supplicant' toolsetand FreeRADIUS has scripts ready to use 
with it
(eg freeradius-server-2.1.12/src/tests from source)


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time

2012-08-08 Thread Alan DeKok

stefan novak wrote:
 just updated my testserver to 2.1.12.
 I test now with rad_eap_test utility to eliminate a client failure. the
 behaviour gets more stranger. the test utility also fails sometimes, but
 the radius server seams to be ok now?

  Your method is wrong.

  You ran the client 5 times.  Yet you only looked at the debug output
for one authentication.

  Look at BOTH ends of the RADIUS conversation.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time

On Wed, Aug 8, 2012 at 3:43 PM, stefan novak lms.bruba...@gmail.com wrote:
 If it's sometimes, then it would be wise to compare the debug log of
 when the client succeeds and when it does not. Also, IIRC RHEL5 has
 2.1.12 already, so you should upgrade just in case this is a fixed
 bug.


 just updated my testserver to 2.1.12.
 I test now with rad_eap_test utility to eliminate a client failure. the
 behaviour gets more stranger. the test utility also fails sometimes,

How did you determine that it fails?


 [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
 access-accept; 0
 [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
 access-accept; 0
 [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
 access-accept; 0
 [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
 access-accept; 0
 [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
 -S testtest -u nagios -p  -m WPA-EAP -e PEAP -2 MSCHAPV2
 access-accept; 1

Those are all access-accept, aren't they? The second number (reading
from http://wiki.eduroam.cz/rad_eap_test/README)  should be latency,
not an indication that something failed. CMIIW.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time

On Wed, Aug 8, 2012 at 3:49 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:
 byt he way rad_eap_test isnt the best tool to use - use 'eapol_test' instead

http://wiki.freeradius.org/EAP-Clients#rad_eap_test says rad_eap_test
also uses eapol_test from wpa_supplicant. Shouldn't it produce the
same behavior?

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time


 http://wiki.freeradius.org/EAP-Clients#rad_eap_test says rad_eap_test
 also uses eapol_test from wpa_supplicant. Shouldn't it produce the
 same behavior?

 rad_eap_test is only a wrapper script around eapol_test because it
produces much output.

 Those are all access-accept, aren't they? The second number (reading
 from http://wiki.eduroam.cz/rad_eap_test/README)  should be latency,
 not an indication that something failed. CMIIW.


yes, sorry. understand that false

ok, then it seams that radius server is ok, but the clients are generating
false eap packets.
i will post debug from those later, but debugging there is limited ;(

-- 
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Radius copy accounting

2012-08-08 Thread BELLIERE Eric

Yes Thanks But I tried to force in preacct with update reply { Realm +=
%{Realm} } but still no attribute realm in the packet proxied to other
radius?

Eric B.

Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-requ...@lists.freeradius.org

You can reach the person managing the list at
freeradius-users-ow...@lists.freeradius.org

When replying, please edit your Subject line so it is more specific than
Re: Contents of Freeradius-Users digest...


Today's Topics:

   1. RE: Radius copy accounting  (BELLIERE Eric)
   2. Re: Radius copy accounting (Fajar A. Nugraha)
   3. Re: Problem with EAP Authentication working not every time
  (stefan novak)


--

*DISCLAIMER*

This electronic transmission (and any attached document) is intended 
exclusively for the person or entity to whom it is addressed and may 
contain confidential and/or privileged material. 
Any disclosure, copying, distribution or other action  based upon 
the information by persons or entities other than the intended recipient
is prohibited. If you receive this message in error, please contact the 
sender and delete the material from any and all computers. 
Mobistar does not warrant a proper and complete transmission of this
information, nor does it accept liability for any delays.

*END OF DISCLAIMER*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time

Hi,

rad_eap_test is only a wrapper script around eapol_test because it
produces much output. 

yes..and i believe it has a bug or 2

yes, sorry. understand that false
ok, then it seams that radius server is ok, but the clients are generating
false eap packets.
i will post debug from those later, but debugging there is limited ;( 

when you say clients, you just mean these rad_eap_test requests?  I assume you 
are using
NAGIOS...and that occasionally you are getting a WARNING for the RADIUS server? 
 yes?
its a bug in rap_eap_test as far as I can see - I moved to a native eapol_test 
with my NAGIOS
because of this bug. rad_eap_test is not maintained as far as i can see.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius copy accounting

Hi,
 Yes Thanks But I tried to force in preacct with update reply { Realm +=
 %{Realm} } but still no attribute realm in the packet proxied to other
 radius?

..and you were already told that 'Realm' is an internal attribute - you need to 
define
your own attribute...or borrow another that isnt of concern - and then assign 
that eg

http://www.lmgtfy.com/?q=FreeRadius+radrelay+proxying+the+Realm+attribute+to+the+home_serverl=1


please ask your site admins to stop blocking access to Google.   


see the first answer to this very same question - given by Matthew


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius copy accounting

2012-08-08 Thread Matthew Newton

On Wed, Aug 08, 2012 at 11:35:36AM +0200, BELLIERE Eric wrote:
 Yes Thanks But I tried to force in preacct with update reply { Realm +=
 %{Realm} }

This is pointless.

 but still no attribute realm in the packet proxied to other
 radius?

Please re-read what I wrote:

On Mon, Aug 06, 2012 at 01:39:06PM +0100, Matthew Newton wrote:
 Realm is an internal attribute (see dictionary.freeradius.internal)
 and as such doesn't appear in any packets in transit.

So read dictionary.freeradius.internal: These attributes CANNOT
go in the reply item list. Range:  1000+ Realm is 1045...

It's an internal attribute ONLY. You can NOT get it to appear in a
packet. To do so you need to copy to a different attribute that
can go in the packet.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time


 when you say clients, you just mean these rad_eap_test requests?  I assume
 you are using
 NAGIOS...and that occasionally you are getting a WARNING for the RADIUS
 server?  yes?
 its a bug in rap_eap_test as far as I can see - I moved to a native
 eapol_test with my NAGIOS
 because of this bug. rad_eap_test is not maintained as far as i can see.


no the real clients are Ubiquiti (www.ubnt.com) Nanostation M5 on Ubiquiti
Rocket M5 AccessPoints.
we encountered the problem that sometimes the rekey'ing from eap not works
and disconnects the client.
the radius logs then an access-reject

now i am sure that the ubnt clients maybe the problem. now i am thinking of
the next debug steps

-- 
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time

Output from the ubnt client:

Aug  7 07:15:18 wpa-supplicant: CTRL-EVENT-EAP-STARTED EAP authentication
started
Aug  7 07:15:21 wpa-supplicant: CTRL-EVENT-EAP-METHOD EAP vendor 0 method
25 (PEAP) selected
Aug  7 07:15:57 pppd[1714]: No response to 5 echo-requests
Aug  7 07:15:57 pppd[1714]: Serial link appears to be disconnected.
Aug  7 07:15:57 pppd[1714]: Connect time 719.4 minutes.
Aug  7 07:15:57 pppd[1714]: Sent 144586850 bytes, received 1342640159 bytes.
Aug  7 07:16:06 pppd[1714]: Connection terminated.
Aug  7 07:16:06 pppd[1714]: Modem hangup
Aug  7 07:16:22 pppd[1714]: Timeout waiting for PADO packets
Aug  7 07:16:22 pppd[1714]: Unable to complete PPPoE Discovery
Aug  7 07:16:30 dnsmasq[1716]: no servers found in /etc/resolv.conf, will
retry
Aug  7 07:16:31 wpa-supplicant: CTRL-EVENT-EAP-FAILURE EAP authentication
failed
Aug  7 07:16:33 wpa-supplicant: Authentication with 00:27:22:4c:9c:1a timed
out.
Aug  7 07:16:33 wireless: ath0 Sending disassoc to 00:27:22:4c:9c:1a.
Reason: Station has left the basic service area and is disassociated (8).
Aug  7 07:16:33 wireless: ath0 New Access Point/Cell
address:Not-Associated
Aug  7 07:16:33 wpa-supplicant: CTRL-EVENT-DISCONNECTED - Disconnect event
- remove keys

-- 
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP Authentication working not every time

2012-08-08 Thread Marinko Tarlać

I'm not 100% sure but as I know the UBNT equipment has introduced RADIUS 
client support in firmw. 5.x which is still active and under development...


RADIUS MAC authentication was introduced in latest firmware (5.5) so I 
believe that some things are still not as they should.


On 8.8.2012 11:59, stefan novak wrote:


when you say clients, you just mean these rad_eap_test requests?
 I assume you are using
NAGIOS...and that occasionally you are getting a WARNING for the
RADIUS server?  yes?
its a bug in rap_eap_test as far as I can see - I moved to a
native eapol_test with my NAGIOS
because of this bug. rad_eap_test is not maintained as far as i
can see.


no the real clients are Ubiquiti (www.ubnt.com http://www.ubnt.com) 
Nanostation M5 on Ubiquiti Rocket M5 AccessPoints.
we encountered the problem that sometimes the rekey'ing from eap not 
works and disconnects the client.

the radius logs then an access-reject

now i am sure that the ubnt clients maybe the problem. now i am 
thinking of the next debug steps


--
kind regards,
Stefan
___
www.epb.at http://www.epb.at - Your IT Partner in East Austria



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Set expiry timeout after first login

2012-08-08 Thread Andrei Petru Mura

I have a user that has Session-Timeout set to 2 hours (7200sec). I want
that user to have time for using its connection one day after first login.
So, if after one day after he logged in first time, he didn't use his full
amount of time, his account will be expired. Is there an attribute that can
set expiry timeout after first login?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius copy accounting

2012-08-08 Thread BELLIERE Eric

Many thanks

I have then create a new dictionary with IANA number of my entreprise
and add a new attribute
Now I can see it in the proxyed packet.


 Yes Thanks But I tried to force in preacct with update reply { Realm 
 += %{Realm} } but still no attribute realm in the packet proxied to 
 other radius?

..and you were already told that 'Realm' is an internal attribute - you
need to define your own attribute...or borrow another that isnt of
concern - and then assign that eg

All info here :-) 

http://www.lmgtfy.com/?q=FreeRadius+radrelay+proxying+the+Realm+attribut
e+to+the+home_serverl=1

Eric B.
***

*DISCLAIMER*

This electronic transmission (and any attached document) is intended 
exclusively for the person or entity to whom it is addressed and may 
contain confidential and/or privileged material. 
Any disclosure, copying, distribution or other action  based upon 
the information by persons or entities other than the intended recipient
is prohibited. If you receive this message in error, please contact the 
sender and delete the material from any and all computers. 
Mobistar does not warrant a proper and complete transmission of this
information, nor does it accept liability for any delays.

*END OF DISCLAIMER*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: sql returns fail for some stop requests

2012-08-08 Thread Amir Tal

After moving MYSQL to a clustered environment, and moving all backup and not 
related tasks to slave hosts,
It seems the issue is resolved, radius has been running for several days 
without any errors and/or sessions not being stopped.

Thanks for all your help and suggestions,

Amir.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[OFF] InnoDB x MyISAM

2012-08-08 Thread Antonio Modesto

Hi,

I'm thinking about changing the engine of the radacct and radippool tables
from MyISAM to  InnoDB, as these tables suffers with a lot of updates and,
in my head, row locking in this case could be better than table locking. Is
that right?


Thanks in advance.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius copy accounting

2012-08-08 Thread Alan Buxey

Cool.

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [OFF] InnoDB x MyISAM

2012-08-08 Thread Alan Buxey

Yes. That's the engine you should be using. I believe the current release has 
that by default. It really improves performancethen just tweak some innodb 
settings as per online performance guides for mysql.then after some more 
months of pain, migrate to postgresql.  ;)

alan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [OFF] InnoDB x MyISAM

On Wed, Aug 8, 2012 at 7:38 PM, Antonio Modesto mode...@isimples.com.br wrote:
 Hi,

 I'm thinking about changing the engine of the radacct and radippool tables
 from MyISAM to  InnoDB, as these tables suffers with a lot of updates and,
 in my head, row locking in this case could be better than table locking. Is
 that right?

Correct.

And it's already the default on dev version
(https://github.com/alandekok/freeradius-server/commit/a5a633563085db8618c990c078ec6bbf80f5ec22).

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Testing pre-2.2.0

Hi,

   We're (again) close to releasing 2.2.0.  This time for real.
 
   In order to make the server more future-proof, I've made some changes
 to the TTLS parser.  This will solve issues in the long term.  But it
 needs more testing now.
 
   Please try the git v2.1.x branch with various supplicants, and TTLS.
  Please post here if it works / fails.

I've just installed it on one of our servers (today's GIT).

Compiles and starts just fine; I've directed all our eduroam traffic at
it (mix of PEAP and TTLS) and see lots of Access-Accepts.

It's running only since a few minutes, so hard to make a long-term
prediction, but at least there's no immediate problem in sight.

Greetings,

Stefan Winter


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



signature.asc
Description: OpenPGP digital signature
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Question about SQLcounter and reject sessions

2012-08-08 Thread Andres Gomez Ruiz

Hi everybody!!


I have been using Freeradius as AAA of some wireless hotspots and it works
great!!


After reading the Rlm_sqlcounter wiki page I started to use it, and it also
works great. This is the code of my sqlcounters:



sqlcounter dailycounter {

counter-name = Daily-Session-Time

check-name = Max-Daily-Session

reply-name = Session-Timeout

sqlmod-inst = sql

key = User-Name

reset = daily
query = SELECT SUM(acctsessiontime) FROM radacct  WHERE \
username='%{%k}' AND acctstarttime  FROM_UNIXTIME('%b')
}

sqlcounter noresetcounter {
counter-name = Max-All-Session-Time
check-name = Max-All-Session
sqlmod-inst = sql
key = User-Name
reset = never
   query = SELECT (UNIX_TIMESTAMP( NOW() ) -
IFNULL(UNIX_TIMESTAMP(acctst$

}

Everything works fine, but now I have a question about the dailycounter:
I have some users that I need to reject their sessions at midnight, because
of that Im using the dailycounter... but I need that user can't login again
(the user is valid only 1 day).
In this moment the user can login again the next day. How can I do to
invalid the user after midnight?

An example of an user:

radcheck table
username: user1
User-Password :=

radusergroup table
username: user1
groupname: 1day

radusergroup table
groupname: 1day
Max-Daily-Session := 12000

Thanks a lot!!

*
**Andres Gomez*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Testing pre-2.2.0

Hi,

 It's running only since a few minutes, so hard to make a long-term
 prediction, but at least there's no immediate problem in sight.

Well... EAP-TLS seems not to work for me. My iPhone gets Rejects now.

primary server (2.1.12):

Wed Aug  8 12:57:46 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from 
client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:27:45 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from 
client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:30:18 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from 
client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:31:04 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from 
client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:42:39 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from 
client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 13:42:43 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from 
client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 14:43:41 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from 
client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug  8 14:43:45 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from 
client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)

backup server (2.2.0-pre):

Wed Aug  8 15:35:44 2012 : Auth: Login incorrect: 
[certuser-2010-...@restena.lu/via Auth-Type = eap-staff] (from client 
radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)

I have neither touched the iPhone nor the server; primary and backup run the 
same configuration - synced via SVN.

I can revert back to 2.1.12 on the backup to verify that that fixes it to be 
sure...

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



signature.asc
Description: OpenPGP digital signature
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [OFF] InnoDB x MyISAM

2012-08-08 Thread Antonio Modesto

Good, thanks guys!

2012/8/8 Fajar A. Nugraha l...@fajar.net

On Wed, Aug 8, 2012 at 7:38 PM, Antonio Modesto mode...@isimples.com.br
wrote:
Hi,

I'm thinking about changing the engine of the radacct and radippool
tables
from MyISAM to InnoDB, as these tables suffers with a lot of updates
and,
in my head, row locking in this case could be better than table locking.
Is
that right?

Correct.

And it's already the default on dev version
(
https://github.com/alandekok/freeradius-server/commit/a5a633563085db8618c990c078ec6bbf80f5ec22
).

--
Fajar
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
Atenciosamente,
*
Antônio Modesto

Gerente de TI*

Praça Getúlio Vargas, 77 – Sala 308 – Centro

Santo Antônio do Monte – MG – CEP: 35560-000
Tel:(37) 3281-2800

Contato: isimp...@isimples.com.br
http://www.isimples.com.br

Aviso:Esta mensagem e quaisquer arquivos em anexo podem conter informações
confidenciais e/ou

privilegiadas. Se você não for o destinatário ou a pessoa autorizada a
receber esta mensagem, por favor, não

leia, copie, repasse, imprima, guarde, nem tome qualquer ação baseada
nessas informações. Notifique o

remetente imediatamente por e-mail e apague a mensagem permanentemente.
Atenção: embora a Isimples

Telecom, tome seus cuidados para garantir a ausência de vírus neste e-mail,
a empresa não se responsabiliza

por quaisquer perdas ou danos decorrentes do uso da mensagem e seus anexos.
A segurança e ausência de

erros na transmissão do e-mail não podem ser garantidas, já que as
informações podem ser interceptadas,

corrompidas, perdidas, destruídas, atrasadas, chegarem incompletas, ou,
ainda, conter vírus. Recomendamos

checar se o e-mail e seus anexos contém vírus, uma vez que nem a Isimples
Telecom ou o remetente se

responsabilizam pela transmissão destes.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Testing pre-2.2.0

Hi,

 I have neither touched the iPhone nor the server; primary and backup run the 
 same configuration - synced via SVN.
 
 I can revert back to 2.1.12 on the backup to verify that that fixes it to be 
 sure...

Never mind; a file in sites-enabled was out of sync with the primary,
and did something that never worked, also not with 2.1.12.

Now working fine with 2.2.0-pre.

Stefan


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



signature.asc
Description: OpenPGP digital signature
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Testing pre-2.2.0

Hi,

 Well... EAP-TLS seems not to work for me. My iPhone gets Rejects now.

radiusd -X  debug output... you know the rules  ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Testing pre-2.2.0

hi,

regarding testingmy 2 test/dev boxes are both now running the 3.x GIT 
release
and so the configs are very different and wont work on 2.x - I'm not sure about 
whether
I'd ever be running 2.2.x now anyway

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Set expiry timeout after first login

2012-08-08 Thread Carl Peterson

I'm sure there are other ways to do this but I do it with a post auth
query matching a specific max all session value.  If it matches, it
updates the attribute to expiration and sets the value 24hr from now.
When I wrote it, freeradius only supported one post auth query so I
use cases to match an hour, day, week, etc with an else for a
non-match.



On Aug 8, 2012, at 6:50 AM, Andrei Petru Mura mapand...@gmail.com wrote:

 I have a user that has Session-Timeout set to 2 hours (7200sec). I want that 
 user to have time for using its connection one day after first login. So, if 
 after one day after he logged in first time, he didn't use his full amount of 
 time, his account will be expired. Is there an attribute that can set expiry 
 timeout after first login?
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Testing pre-2.2.0

2012-08-08 Thread Alan DeKok

Stefan Winter wrote:
 It's running only since a few minutes, so hard to make a long-term
 prediction, but at least there's no immediate problem in sight.

  Thanks.  I'll try to get the release out this week. (finally)

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Question about SQLcounter and reject sessions