Problem with EAP Authentication working not every time
Hello! We are using freeradius2 version 2.1.10 on a CentOS/RHEL 5 server. We authenticate several ubnt clients on ubnt APs via EAP-PEAP/MSCHAPv2. This works very well, but sometimes the clients get an Access-Reject and I don't know why ;( I set the radius server to debug mode and got this output:

Waking up in 0.7 seconds.
Waking up in 2.2 seconds.
Waking up in 1.9 seconds.
WARNING: !!
WARNING: !! EAP session for state 0x69522edb6a233743 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
Waking up in 0.3 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
# Executing group from file /etc/raddb/sites-enabled/default
Waking up in 3.9 seconds.
Waking up in 1.9 seconds.
Waking up in 0.9 seconds.
[thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
# Executing group from file /etc/raddb/sites-enabled/default
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Login incorrect: [m1588a00@EAP/via Auth-Type = EAP] (from client 10.55.0.0/16 port 0 cli 00-27-22-D2-CD-83)
# Executing group from file /etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Waking up in 0.9 seconds.

The wiki talks about Windows clients and decreasing the tunnel MTU. I'm not sure what they mean.

How can I get a more detailed debug message on what is actually wrong? Thanks for your help,

Stefan
__
www.epb.at

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with EAP Authentication working not every time
On Wed, Aug 8, 2012 at 2:44 PM, stefan novak lms.bruba...@gmail.com wrote:
> Hello! We are using freeradius2 version 2.1.10 on a CentOS/RHEL 5 server. We authenticate several ubnt clients on ubnt APs via EAP-PEAP/MSCHAPv2. This works very well, but sometimes the clients get an Access-Reject and I don't know why ;(

If it's sometimes, then it would be wise to compare the debug log of when the client succeeds and when it does not.

Also, IIRC RHEL5 has 2.1.12 already, so you should upgrade just in case this is a fixed bug.

--
Fajar
Re: Radius Timeout instead of Access-Reject
Hi,

there's reject_delay in radiusd.conf. It is typically set to one second to prevent some attacks. You could set it to zero and then the reject may come through faster. Still, 300 ms is *really* low even for that - depending on the time your auth backend needs to even determine whether it was success or failure, it may take longer than that.

Stefan

On 07.08.2012 20:55, Antonio Modesto wrote:
> You're right, it worked. The default mikrotik timeout is 300ms, I've set it to 5000 ms and I've got the right answer. One more question, though I'll reconfigure all the timeouts on my NASes: why doesn't this problem happen with freeradius 1.X? Is that normal? Or is it something that's causing my freeradius 2.x to take longer to reply to the requests?
>
> 2012/8/7 Alan DeKok al...@deployingradius.com
>> Antonio Modesto wrote:
>>> Hi, I work at an ISP in Brazil, our main radius server is running freeradius 1.X. I'm configuring a new server with freeradius 2.X and doing some tests to see if I find any problem before putting it into production. So far I've found a little problem that doesn't prevent me from putting it into production, but can confuse in case of a radius failure. When an authentication failure happens, on the NAS it appears that the radius server is not responding, it shows a Radius timeout message. Here is the output of the radius debug:
>>
>> The timeouts on the NAS are set WAY too low.
>>
>>> Delaying reject of request 4 for 1 seconds
>>> Going to the next request
>>> Waking up in 0.9 seconds.
>>> rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
>>> Waiting to send Access-Reject to client teste port 35710 - ID: 86
>>
>> i.e. the NAS didn't see a reply, and retransmitted.
>>
>>> Waking up in 0.6 seconds.
>>> rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
>>> Waiting to send Access-Reject to client teste port 35710 - ID: 86
>>
>> And retransmitted again 0.3 seconds later.
>>
>>> Waking up in 0.3 seconds.
>>> Sending delayed reject for request 4
>>> Sending Access-Reject of id 86 to 192.168.2.100 port 35710
>>
>> And then the server responded 0.3 seconds later.
>>
>> Fix the NAS so it doesn't have *ridiculous* timeouts. RADIUS timeouts are normally in the multi-second range. Having the NAS retransmit multiple times a second is stupid, wrong, and will create problems.
>>
>> Alan DeKok.
>
> Regards,
> Antônio Modesto
> IT Manager

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
RE: Radius copy accounting
Thanks, but with SQL I can send the attribute to the Oracle DB without any problem? So can you please help me with this unlang command to add? And where? In the preacct section of my virtual sites?

Eric B.

-----Original Message-----
From: freeradius-users-requ...@lists.freeradius.org
Sent: Monday 6 August 2012 15:34
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 88, Issue 24

Today's Topics:
1. Re: Radius copy accounting (Matthew Newton)
2. Re: Radius copy accounting (alan buxey)
3. Re: RES: FR 3 Event-Timestamp wrong format and Mysql FROM_UNIXTIME error (Alan DeKok)
4. Duplicate Radius Accounting (Christopher Manigan)
5. Re: Duplicate Radius Accounting (Alan DeKok)
6. Freeradius Accounting (Robert Souter)

Message: 1
Date: Mon, 6 Aug 2012 13:39:06 +0100
From: Matthew Newton m...@leicester.ac.uk
Subject: Re: Radius copy accounting

On Mon, Aug 06, 2012 at 02:30:14PM +0200, BELLIERE Eric wrote:
> As you can see this schema is working well except that the attribute REALM is not included in the packet? We can see it in the detail file but when FR proxies the packet this attribute is missing?

Realm is an internal attribute (see dictionary.freeradius.internal) and as such doesn't appear in any packets in transit.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

Message: 2
Date: Mon, 6 Aug 2012 13:49:08 +0100
From: alan buxey a.l.m.bu...@lboro.ac.uk
Subject: Re: Radius copy accounting

Hi,

> As you can see this schema is working well except that the attribute REALM is not included in the packet?

as already said this is an internal engine attribute. if you want this to be exposed in other systems, you will need to use eg 'unlang' to populate a suitable attribute with this value

alan

Message: 3
Date: Mon, 06 Aug 2012 14:59:34 +0200
From: Alan DeKok al...@deployingradius.com
Subject: Re: RES: FR 3 Event-Timestamp wrong format and Mysql FROM_UNIXTIME error

lscrlstld wrote:
> '%{NAS-Port-Type}', FROM_UNIXTIME(%{Event-Timestamp}),

Well, that's wrong. That was fixed ~2 weeks ago. I also said it should be %{integer:Event-Timestamp}

Please grab an updated copy of the dialup.conf file.

Alan DeKok.

Message: 4
Date: Mon, 6 Aug 2012 13:13:44 +0000
From: Christopher Manigan cmani...@towerstream.com
Subject: Duplicate Radius Accounting

In my logs I see many entries like the following:

Info: WARNING: Child is hung for request 51651 in component core module queue.3
Error: Dropping request (2049 is too many): from client myhost.mysite port 32869 - ID: 239

In the last ~10 hours, the status server reports the following for accounting:

Responses 0
Duplicate 954442
Malformed 115045
Invalid 564029
Dropped 0
Unknown 0

Radius will hang and start to time out and eventually die. It looks like the duplicate count gets extremely high very quickly. Could it be the NASes that are pointing to it? Or could it be my radius configs somehow causing this? I am not really sure how to prove it out or troubleshoot. I can increase the max requests but I don't think that is the right solution.

Chris
Re: Radius copy accounting
Please do NOT send, forward, or reply to an entire digest mail. It's rude, useless, and will only make others unwilling to help you.

On Wed, Aug 8, 2012 at 3:19 PM, BELLIERE Eric eric.belli...@mail.mobistar.be wrote:
> Thanks but with sql I can send the attribute to Oracle DB without any problem?

If you included excerpts of messages from the ORIGINAL thread (instead of the digest), it would help others understand what you're talking about.

Anyway, you should spend some time to understand how radius works. In short, do you have the list of attributes in the original accounting request? I'm not talking about the detail file, but rather the accounting packet that FR receives. If you PROXY that packet to another radius, then by default you'd get (roughly) what's in the original packet. Which doesn't include the REALM attribute.

You COULD add an attribute (e.g. using unlang, see http://freeradius.org/radiusd/man/unlang.html), probably in the pre-proxy section. However, if you want to do that, you need to use another attribute (i.e. NOT realm, since it's FR's internal attribute), and the destination radius server also needs to understand that attribute. It's easy enough if the destination server is also FR (in which case you can just create a custom attribute in both servers, or hijack one of the unused vendor-specific attributes), but it might not be so easy with other radius servers.

Logging to an oracle db does not involve proxying the accounting packet, so you can pretty much use whatever attributes or variables FR recognizes, including internal attributes.

--
Fajar
Re: Problem with EAP Authentication working not every time
> If it's sometimes, then it would be wise to compare the debug log of when the client succeeds and when it does not.
>
> Also, IIRC RHEL5 has 2.1.12 already, so you should upgrade just in case this is a fixed bug.

Just updated my test server to 2.1.12. I am now testing with the rad_eap_test utility to eliminate a client failure. The behaviour gets stranger: the test utility also fails sometimes, but the radius server seems to be ok now?

[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 1
[root@wlan-radius rad_eap_test-0.23]#

} # server inner-tunnel
[peap] Got tunneled reply code 2
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
        MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
        MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = nagios
[peap] Got tunneled reply RADIUS code 2
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
        MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
        MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = nagios
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 9 to 172.21.15.1 port 59848
        EAP-Message = 0x010a003b19001703010030a46c09beb178741efc835036735026e09d8b1b1b44a88b55fce72fc28133dbf7e6edca8c0a65a6a2a85fd98f2f6e
        Message-Authenticator = 0x
        State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
Finished request 779.
Going to the next request
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=10, length=226
        User-Name = nagios
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = 70-6F-6C-69-73-68
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = rad_eap_test + eapol_test
        EAP-Message = 0x020a006019001703010020fcc074273699ca1e907af0200b96b3eaa01064887cff1a26b692f38602c3a48817030100309381801c8d424b14a2d053af534f137d1f632c69aa0572f0720bec578a1d6a61df79dc279e86b9f81d68dc6c81191e8f
        State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
        Message-Authenticator = 0xb3249ed0ca17319a8d00741f734c974b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = nagios, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 10 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [nagios/via Auth-Type = EAP] (from client 172.21.15.1 port 0 cli 70-6F-6C-69-73-68)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> nagios
[sql] sql_set_user escaped user --> 'nagios'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'nagios', '', 'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
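Fajar's advice at the top of the thread was to compare the debug output of a round that succeeds with one that ends in "No EAP session matching the State variable", and Alan's was to look at both ends of the conversation. Doing that by eye over a long radiusd -X capture is painful. The script below is an added example written for this thread, not code from FreeRADIUS or from anyone on the list: it cuts debug output into one record per received packet (starting at each rad_recv: header), keeps the request attributes that were dumped under it, notes the reply the server sent and whether rlm_eap failed to match the State, and then tallies those per Calling-Station-Id so a client that keeps losing its EAP session stands out. The parser names, the constructed sample log (which reuses the nagios test user and the 00-27-22-D2-CD-83 client from the thread; the 10.55.1.2 NAS address is a made-up placeholder) and the regular expressions are all assumptions about the 2.x debug format.

```python
"""Per-request summary of FreeRADIUS 2.x debug output (radiusd -X).

Added example for this thread, not FreeRADIUS code. The sample below is
constructed; it reuses values seen in the thread but the second NAS
address (10.55.1.2) is a placeholder.
"""
import re
from collections import defaultdict

# One block of debug output per received packet starts with this header.
RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
# Attribute dump lines are indented, e.g. '\tCalling-Station-Id = "70-6F-..."'.
ATTR = re.compile(r"^\s+([\w-]+) = (.+)$")
SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+)")
LOGIN = re.compile(r"^Login (OK|incorrect): \[[^\]]*\] \(from client \S+ port \d+ cli (\S+)\)")
STALE_STATE = "No EAP session matching the State variable"


def parse_debug(text):
    """Split debug output into one record per received packet.

    Each record carries the request attributes (only those dumped directly
    under the rad_recv header, not the reply's), the reply code the server
    sent, the Login OK/incorrect result, and whether rlm_eap could not find
    an EAP session for the presented State attribute."""
    requests = []
    cur = None
    in_attrs = False
    for line in text.splitlines():
        m = RAD_RECV.match(line)
        if m:
            cur = {"type": m.group(1), "host": m.group(2), "id": int(m.group(4)),
                   "attrs": {}, "reply": None, "login": None, "cli": None,
                   "stale_state": False}
            requests.append(cur)
            in_attrs = True
            continue
        if cur is None:
            continue  # noise before the first packet ("Waking up in ...")
        if in_attrs:
            m = ATTR.match(line)
            if m:
                cur["attrs"].setdefault(m.group(1), m.group(2).strip('"'))
                continue
            in_attrs = False  # first non-attribute line ends the request dump
        if STALE_STATE in line:
            cur["stale_state"] = True
        m = SENDING.match(line)
        if m:
            cur["reply"] = m.group(1)
        m = LOGIN.match(line)
        if m:
            cur["login"], cur["cli"] = m.group(1), m.group(2)
    return requests


def summarise(requests):
    """Count replies and stale-State hits per client MAC (Calling-Station-Id)."""
    counts = defaultdict(lambda: {"Access-Accept": 0, "Access-Challenge": 0,
                                  "Access-Reject": 0, "stale_state": 0})
    for r in requests:
        mac = r["attrs"].get("Calling-Station-Id") or r["cli"] or "unknown"
        if r["reply"] in counts[mac]:
            counts[mac][r["reply"]] += 1
        if r["stale_state"]:
            counts[mac]["stale_state"] += 1
    return dict(counts)


def report(text):
    """One summary line per client; returned as a list so callers can check it."""
    lines = []
    for mac, c in sorted(summarise(parse_debug(text)).items()):
        lines.append(f"{mac}: accept={c['Access-Accept']} challenge={c['Access-Challenge']} "
                     f"reject={c['Access-Reject']} stale_state={c['stale_state']}")
    return lines


# Constructed sample: one healthy PEAP round and one stale-State reject.
SAMPLE_DEBUG = """\
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=10, length=226
\tUser-Name = "nagios"
\tCalling-Station-Id = "70-6F-6C-69-73-68"
\tFramed-MTU = 1400
\tState = 0xc9f5fd31c0ffe486f9e2896c0b298eff
# Executing section authorize from file /etc/raddb/sites-enabled/default
[eap] Request found, released from the list
[peap] Tunneled authentication was successful.
Login OK: [nagios/via Auth-Type = EAP] (from client 172.21.15.1 port 0 cli 70-6F-6C-69-73-68)
Sending Access-Accept of id 10 to 172.21.15.1 port 59848
\tMS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
Finished request 779.
rad_recv: Access-Request packet from host 10.55.1.2 port 2048, id=86, length=145
\tUser-Name = "m1588a00"
\tCalling-Station-Id = "00-27-22-D2-CD-83"
\tState = 0x69522edb6a233743
# Executing section authorize from file /etc/raddb/sites-enabled/default
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Login incorrect: [m1588a00@EAP/via Auth-Type = EAP] (from client 10.55.0.0/16 port 0 cli 00-27-22-D2-CD-83)
Delaying reject of request 4 for 1 seconds
Sending Access-Reject of id 86 to 10.55.1.2 port 2048
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBUG
    print("\n".join(report(text)))
```

Run it against a saved radiusd -X capture (`python3 eapstate.py debug.log`) taken while the Ubiquiti clients were connected; a client whose stale_state count climbs while other clients on the same AP stay at zero points at that supplicant rather than the server, which is the distinction the thread is trying to make.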
Re: Problem with EAP Authentication working not every time
Hi,

> just updated my testserver to 2.1.12. I test now with rad_eap_test utility to eliminate a client failure. the behaviour gets stranger. the test utility also fails sometimes, but the radius server seems to be ok now?
>
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 1

where's the fail? all those are access-accept.

by the way, rad_eap_test isn't the best tool to use - use 'eapol_test' instead - it comes as part of the 'WPA_Supplicant' toolset and FreeRADIUS has scripts ready to use with it (eg freeradius-server-2.1.12/src/tests from source)

alan
Re: Problem with EAP Authentication working not every time
stefan novak wrote:
> just updated my testserver to 2.1.12. I test now with rad_eap_test utility to eliminate a client failure. the behaviour gets stranger. the test utility also fails sometimes, but the radius server seems to be ok now?

Your method is wrong. You ran the client 5 times. Yet you only looked at the debug output for one authentication.

Look at BOTH ends of the RADIUS conversation.

Alan DeKok.
Re: Problem with EAP Authentication working not every time
On Wed, Aug 8, 2012 at 3:43 PM, stefan novak lms.bruba...@gmail.com wrote:
>> If it's sometimes, then it would be wise to compare the debug log of when the client succeeds and when it does not.
>>
>> Also, IIRC RHEL5 has 2.1.12 already, so you should upgrade just in case this is a fixed bug.
>
> just updated my testserver to 2.1.12. I test now with rad_eap_test utility to eliminate a client failure. the behaviour gets stranger. the test utility also fails sometimes,

How did you determine that it fails?

> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 0
> [root@wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812 -S testtest -u nagios -p -m WPA-EAP -e PEAP -2 MSCHAPV2
> access-accept; 1

Those are all access-accept, aren't they? The second number (reading from http://wiki.eduroam.cz/rad_eap_test/README) should be latency, not an indication that something failed. CMIIW.

--
Fajar
Re: Problem with EAP Authentication working not every time
On Wed, Aug 8, 2012 at 3:49 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:
> by the way, rad_eap_test isn't the best tool to use - use 'eapol_test' instead

http://wiki.freeradius.org/EAP-Clients#rad_eap_test says rad_eap_test also uses eapol_test from wpa_supplicant. Shouldn't it produce the same behavior?

--
Fajar
Re: Problem with EAP Authentication working not every time
> http://wiki.freeradius.org/EAP-Clients#rad_eap_test says rad_eap_test also uses eapol_test from wpa_supplicant. Shouldn't it produce the same behavior?

rad_eap_test is only a wrapper script around eapol_test, because eapol_test produces a lot of output.

> Those are all access-accept, aren't they? The second number (reading from http://wiki.eduroam.cz/rad_eap_test/README) should be latency, not an indication that something failed. CMIIW.

yes, sorry. I had understood that wrongly. ok, then it seems that the radius server is ok, but the clients are generating false EAP packets. I will post debug output from those later, but debugging there is limited ;(

--
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria
RE: Radius copy accounting
Yes, thanks. But I tried to force it in preacct with

update reply {
        Realm += %{Realm}
}

but still no attribute realm in the packet proxied to the other radius?

Eric B.
Re: Problem with EAP Authentication working not every time
Hi,

> rad_eap_test is only a wrapper script around eapol_test, because eapol_test produces a lot of output.

yes..and i believe it has a bug or 2

> yes, sorry. I had understood that wrongly. ok, then it seems that the radius server is ok, but the clients are generating false EAP packets. I will post debug output from those later, but debugging there is limited ;(

when you say clients, you just mean these rad_eap_test requests? I assume you are using NAGIOS...and that occasionally you are getting a WARNING for the RADIUS server? yes? it's a bug in rad_eap_test as far as I can see - I moved to a native eapol_test with my NAGIOS because of this bug. rad_eap_test is not maintained as far as i can see.

alan
Re: Radius copy accounting
Hi,

> Yes, thanks. But I tried to force it in preacct with
>
> update reply {
>         Realm += %{Realm}
> }
>
> but still no attribute realm in the packet proxied to the other radius?

..and you were already told that 'Realm' is an internal attribute - you need to define your own attribute...or borrow another that isn't of concern - and then assign that eg

http://www.lmgtfy.com/?q=FreeRadius+radrelay+proxying+the+Realm+attribute+to+the+home_serverl=1

please ask your site admins to stop blocking access to Google. see the first answer to this very same question - given by Matthew

alan
Re: Radius copy accounting
On Wed, Aug 08, 2012 at 11:35:36AM +0200, BELLIERE Eric wrote:
> Yes, thanks. But I tried to force it in preacct with
>
> update reply {
>         Realm += %{Realm}
> }

This is pointless.

> but still no attribute realm in the packet proxied to the other radius?

Please re-read what I wrote:

On Mon, Aug 06, 2012 at 01:39:06PM +0100, Matthew Newton wrote:
> Realm is an internal attribute (see dictionary.freeradius.internal) and as such doesn't appear in any packets in transit.

So read dictionary.freeradius.internal:

  These attributes CANNOT go in the reply item list.
  Range: 1000+

Realm is 1045...

It's an internal attribute ONLY. You can NOT get it to appear in a packet. To do so you need to copy it to a different attribute that can go in the packet.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
Re: Problem with EAP Authentication working not every time
> when you say clients, you just mean these rad_eap_test requests? I assume you are using NAGIOS...and that occasionally you are getting a WARNING for the RADIUS server? yes? it's a bug in rad_eap_test as far as I can see - I moved to a native eapol_test with my NAGIOS because of this bug. rad_eap_test is not maintained as far as i can see.

no, the real clients are Ubiquiti (www.ubnt.com) Nanostation M5 on Ubiquiti Rocket M5 access points. We encountered the problem that sometimes the EAP rekeying does not work and disconnects the client; the radius then logs an access-reject. Now I am sure that the ubnt clients may be the problem. Now I am thinking about the next debug steps.

--
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria
Re: Problem with EAP Authentication working not every time
Output from the ubnt client:

Aug 7 07:15:18 wpa-supplicant: CTRL-EVENT-EAP-STARTED EAP authentication started
Aug 7 07:15:21 wpa-supplicant: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Aug 7 07:15:57 pppd[1714]: No response to 5 echo-requests
Aug 7 07:15:57 pppd[1714]: Serial link appears to be disconnected.
Aug 7 07:15:57 pppd[1714]: Connect time 719.4 minutes.
Aug 7 07:15:57 pppd[1714]: Sent 144586850 bytes, received 1342640159 bytes.
Aug 7 07:16:06 pppd[1714]: Connection terminated.
Aug 7 07:16:06 pppd[1714]: Modem hangup
Aug 7 07:16:22 pppd[1714]: Timeout waiting for PADO packets
Aug 7 07:16:22 pppd[1714]: Unable to complete PPPoE Discovery
Aug 7 07:16:30 dnsmasq[1716]: no servers found in /etc/resolv.conf, will retry
Aug 7 07:16:31 wpa-supplicant: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Aug 7 07:16:33 wpa-supplicant: Authentication with 00:27:22:4c:9c:1a timed out.
Aug 7 07:16:33 wireless: ath0 Sending disassoc to 00:27:22:4c:9c:1a. Reason: Station has left the basic service area and is disassociated (8).
Aug 7 07:16:33 wireless: ath0 New Access Point/Cell address:Not-Associated
Aug 7 07:16:33 wpa-supplicant: CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

--
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria
Re: Problem with EAP Authentication working not every time
I'm not 100% sure, but as far as I know the UBNT equipment introduced RADIUS client support in firmware 5.x, which is still active and under development... RADIUS MAC authentication was introduced in the latest firmware (5.5), so I believe that some things are still not as they should be.

On 8.8.2012 11:59, stefan novak wrote:
> no, the real clients are Ubiquiti (www.ubnt.com) Nanostation M5 on Ubiquiti Rocket M5 access points. We encountered the problem that sometimes the EAP rekeying does not work and disconnects the client; the radius then logs an access-reject. Now I am sure that the ubnt clients may be the problem. Now I am thinking about the next debug steps.
Set expiry timeout after first login
I have a user that has Session-Timeout set to 2 hours (7200 sec). I want that user to be able to use their connection for one day after the first login. So if, one day after they logged in for the first time, they haven't used up their full amount of time, their account will be expired. Is there an attribute that can set an expiry timeout after the first login?
Re: Radius copy accounting
Many thanks. I have now created a new dictionary with the IANA number of my enterprise and added a new attribute. Now I can see it in the proxied packet.

>> Yes, thanks. But I tried to force it in preacct with
>>
>> update reply {
>>         Realm += %{Realm}
>> }
>>
>> but still no attribute realm in the packet proxied to the other radius?
>
> ..and you were already told that 'Realm' is an internal attribute - you need to define your own attribute...or borrow another that isn't of concern - and then assign that eg

All info here :-)

http://www.lmgtfy.com/?q=FreeRadius+radrelay+proxying+the+Realm+attribute+to+the+home_serverl=1

Eric B.
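The approach Matthew and Alan describe, and that Eric ended up with (Realm is internal and never leaves the server, so define a vendor-specific attribute in your own dictionary and copy the value into it before the packet is proxied), written out as an added example. This is not Eric's configuration and not a file shipped with FreeRADIUS; the vendor name Example-Corp, the PEN 99999 and the attribute name Example-Proxied-Realm are placeholders, and Fajar's suggestion of the pre-proxy section is where the copy is placed. It assumes FreeRADIUS 2.x unlang syntax.

```text
# /etc/raddb/dictionary  (local additions)
# 99999 is a PLACEHOLDER; use your own IANA Private Enterprise Number.
VENDOR          Example-Corp            99999
BEGIN-VENDOR    Example-Corp
ATTRIBUTE       Example-Proxied-Realm   1       string
END-VENDOR      Example-Corp

# /etc/raddb/sites-enabled/default  (same idea for the accounting site)
#
# The suffix module sets the internal Realm attribute in the request list
# while the packet is being processed.  pre-proxy runs just before the
# packet is forwarded to the home server, so copying the value into a
# real attribute here is what puts it on the wire.  The home server must
# carry the same dictionary entry (same PEN, number and type) to decode
# it; a non-FreeRADIUS home server may need a different attribute.
pre-proxy {
        if (Realm) {
                update proxy-request {
                        Example-Proxied-Realm := "%{Realm}"
                }
        }
}
```

Restart radiusd with -X after the change and check the "Sending Accounting-Request" dump for the proxied packet: Example-Proxied-Realm should appear there, while Realm itself still does not, which is the behaviour Matthew describes for attributes in the 1000+ internal range.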
Re: sql returns fail for some stop requests
After moving MySQL to a clustered environment, and moving all backup and unrelated tasks to slave hosts, the issue seems to be resolved: radius has been running for several days without any errors and/or sessions not being stopped. Thanks for all your help and suggestions, Amir.
[OFF] InnoDB x MyISAM
Hi, I'm thinking about changing the engine of the radacct and radippool tables from MyISAM to InnoDB, as these tables suffer a lot of updates and, in my head, row locking in this case could be better than table locking. Is that right? Thanks in advance.
Re: Radius copy accounting
Cool. alan
Re: [OFF] InnoDB x MyISAM
Yes. That's the engine you should be using. I believe the current release has that by default. It really improves performance; then just tweak some innodb settings as per online performance guides for mysql. Then after some more months of pain, migrate to postgresql. ;) alan
Re: [OFF] InnoDB x MyISAM
On Wed, Aug 8, 2012 at 7:38 PM, Antonio Modesto mode...@isimples.com.br wrote:
Hi, I'm thinking about changing the engine of the radacct and radippool tables from MyISAM to InnoDB, as these tables suffer a lot of updates and, in my head, row locking in this case could be better than table locking. Is that right?

Correct. And it's already the default on dev version (https://github.com/alandekok/freeradius-server/commit/a5a633563085db8618c990c078ec6bbf80f5ec22). -- Fajar
Re: Testing pre-2.2.0
Hi,

We're (again) close to releasing 2.2.0. This time for real. In order to make the server more future-proof, I've made some changes to the TTLS parser. This will solve issues in the long term. But it needs more testing now. Please try the git v2.1.x branch with various supplicants, and TTLS. Please post here if it works / fails.

I've just installed it on one of our servers (today's GIT). Compiles and starts just fine; I've directed all our eduroam traffic at it (mix of PEAP and TTLS) and see lots of Access-Accepts. It's been running only for a few minutes, so it's hard to make a long-term prediction, but at least there's no immediate problem in sight.

Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Question about SQLcounter and reject sessions
Hi everybody!! I have been using FreeRADIUS as AAA for some wireless hotspots and it works great!! After reading the rlm_sqlcounter wiki page I started to use it, and it also works great. This is the code of my sqlcounters:

sqlcounter dailycounter {
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    reply-name = Session-Timeout
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(acctsessiontime) FROM radacct WHERE \
        username='%{%k}' AND acctstarttime > FROM_UNIXTIME('%b')"
}

sqlcounter noresetcounter {
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = SELECT (UNIX_TIMESTAMP( NOW() ) - IFNULL(UNIX_TIMESTAMP(acctst$
}

Everything works fine, but now I have a question about the dailycounter: I have some users whose sessions I need to reject at midnight, and because of that I'm using the dailycounter... but I need that the user can't log in again (the user is valid only 1 day). At the moment the user can log in again the next day. How can I invalidate the user after midnight?

An example of a user:
radcheck table: username: user1, User-Password :=
radusergroup table: username: user1, groupname: 1day
radusergroup table: groupname: 1day, Max-Daily-Session := 12000

Thanks a lot!! Andres Gomez
Re: Testing pre-2.2.0
Hi,

It's been running only for a few minutes, so it's hard to make a long-term prediction, but at least there's no immediate problem in sight.

Well... EAP-TLS seems not to work for me. My iPhone gets Rejects now.

primary server (2.1.12):
Wed Aug 8 12:57:46 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:27:45 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:30:18 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:31:04 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:42:39 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 13:42:43 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 14:43:41 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)
Wed Aug 8 14:43:45 2012 : Auth: Login OK: [certuser-2010-...@restena.lu] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)

backup server (2.2.0-pre):
Wed Aug 8 15:35:44 2012 : Auth: Login incorrect: [certuser-2010-...@restena.lu/via Auth-Type = eap-staff] (from client radius-1-v4 port 2 cli 3C-D0-F8-AC-C0-41)

I have neither touched the iPhone nor the server; primary and backup run the same configuration - synced via SVN. I can revert back to 2.1.12 on the backup to verify that that fixes it, to be sure...

Stefan
Re: [OFF] InnoDB x MyISAM
Good, thanks guys!

2012/8/8 Fajar A. Nugraha l...@fajar.net wrote:
Correct. And it's already the default on dev version (https://github.com/alandekok/freeradius-server/commit/a5a633563085db8618c990c078ec6bbf80f5ec22). -- Fajar

-- Regards, Antônio Modesto, IT Manager, Isimples Telecom, http://www.isimples.com.br
Re: Testing pre-2.2.0
Hi,

I have neither touched the iPhone nor the server; primary and backup run the same configuration - synced via SVN. I can revert back to 2.1.12 on the backup to verify that that fixes it, to be sure...

Never mind; a file in sites-enabled was out of sync with the primary, and did something that never worked, also not with 2.1.12. Now working fine with 2.2.0-pre.

Stefan
Re: Testing pre-2.2.0
Hi,

Well... EAP-TLS seems not to work for me. My iPhone gets Rejects now.

radiusd -X debug output... you know the rules ;-) alan
Re: Testing pre-2.2.0
hi, regarding testing: my 2 test/dev boxes are both now running the 3.x GIT release and so the configs are very different and won't work on 2.x - I'm not sure whether I'd ever be running 2.2.x now anyway. alan
Re: Set expiry timeout after first login
I'm sure there are other ways to do this, but I do it with a post-auth query matching a specific Max-All-Session value. If it matches, it updates the attribute to Expiration and sets the value 24 hours from now. When I wrote it, FreeRADIUS only supported one post-auth query, so I use CASEs to match an hour, day, week, etc. with an ELSE for a non-match.

On Aug 8, 2012, at 6:50 AM, Andrei Petru Mura mapand...@gmail.com wrote:
I have a user that has Session-Timeout set to 2 hours (7200 sec). I want that user to be able to use the connection for one day after the first login. So, if one day after he logged in for the first time he hasn't used his full amount of time, his account will expire. Is there an attribute that can set an expiry timeout after the first login?
Re: Testing pre-2.2.0
Stefan Winter wrote: It's been running only for a few minutes, so it's hard to make a long-term prediction, but at least there's no immediate problem in sight.

Thanks. I'll try to get the release out this week. (finally) Alan DeKok.
Re: Question about SQLcounter and reject sessions
On Wed, Aug 8, 2012 at 8:34 PM, Andres Gomez Ruiz andres.go...@urbalink.co wrote:
I have some users whose sessions I need to reject at midnight, and because of that I'm using the dailycounter...

IIRC that's not what dailycounter is for.

but I need that the user can't log in again (the user is valid only 1 day). At the moment the user can log in again the next day. How can I invalidate the user after midnight?

One way to do that was mentioned in the past. Try reading the archives: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-td5708187.html . In particular, look at Phil's post. -- Fajar
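Both the "Set expiry timeout after first login" thread above (expire 24 hours after the first login, keyed on a Max-All-Session value) and this one (a user valid only for the day of the first login) come down to the same mechanism: write an Expiration check item for the user the first time an Access-Accept is issued, and let rlm_expiration reject every later request. The statement below is an added example, not the code of any poster here and not FreeRADIUS's stock sql configuration. It assumes the standard FreeRADIUS MySQL schema (radcheck with username, attribute, op, value), that the per-user Max-All-Session value lives in radcheck, that the default site runs expiration after sql in authorize, and that `%{User-Name}` is filled in by the server's expansion when the statement is used as the rlm_sql postauth_query.

```sql
-- Added example for the rlm_sql postauth_query; not stock FreeRADIUS config.
-- Assumed schema: radcheck(username, attribute, op, value).
-- Runs only on Access-Accept when 'sql' is listed in post-auth but not in
-- Post-Auth-Type REJECT. '%{User-Name}' is the FreeRADIUS expansion.
-- Caveat: inside sql.conf every '%' of the DATE_FORMAT pattern must be
-- written '%%' (e.g. '%%b %%e %%Y %%H:%%i:%%S') or the server's own
-- xlat eats it (%S and %H are xlat codes) before MySQL sees the query.
INSERT INTO radcheck (username, attribute, op, value)
SELECT rc.username,
       'Expiration',
       ':=',
       CASE rc.value
         -- Max-All-Session of one hour / day / week: expire that long
         -- after the first successful login. rlm_expiration parses
         -- "Mon D YYYY HH:MM:SS"; DATE_FORMAT's %b gives the English
         -- month abbreviation only with lc_time_names = en_US (default).
         WHEN '3600'   THEN DATE_FORMAT(NOW() + INTERVAL 1 HOUR, '%b %e %Y %H:%i:%S')
         WHEN '86400'  THEN DATE_FORMAT(NOW() + INTERVAL 1 DAY,  '%b %e %Y %H:%i:%S')
         WHEN '604800' THEN DATE_FORMAT(NOW() + INTERVAL 1 WEEK, '%b %e %Y %H:%i:%S')
         -- For "valid only on the day of the first login" (reject after
         -- midnight, the sqlcounter thread's case) use instead:
         --   DATE_FORMAT(CURDATE() + INTERVAL 1 DAY, '%b %e %Y 00:00:00')
       END
FROM radcheck AS rc
WHERE rc.username  = '%{User-Name}'
  AND rc.attribute = 'Max-All-Session'
  AND rc.value IN ('3600', '86400', '604800')
  -- Insert exactly once: a second login must not push the expiry forward,
  -- otherwise a "one day" account is renewable forever by re-authenticating.
  AND NOT EXISTS (SELECT 1
                  FROM radcheck AS e
                  WHERE e.username  = rc.username
                    AND e.attribute = 'Expiration');
```

Once the row exists, sql in authorize loads Expiration as a check item, rlm_expiration compares it with the request time and returns a reject after the deadline, and before the deadline it caps Session-Timeout to the remaining seconds, so a session that is already up is also cut at the boundary. Check the result with `radiusd -X` on a second login: the debug output should show the Expiration check item being evaluated and the radcheck row count unchanged.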
Online Users
Hi, On the online users gui page of dialup admin, there are several columns; one of the columns states name, which is after the caller ID column. I would like to know where this comes from. I have set the name on the user info page, but it doesn't seem like that works. Thanks.