Re: Failed login lockout protection in FreeRADIUS

2012-09-17 Thread mr. s
For edification, for what it's worth: here's the question asked by the author of
the article I was referring to, and the answer from Alan D.

Here’s my question and response from Alan T DeKok al...@freeradius.org about
this. You can check with him on more details if needed or send to the
mailing list.


>> Does FR support an account lockout feature to block users after so many
failed password attempts?

  Yes.  It's not enabled in the default configuration, but you can make
*any* policy decision based on *any* data source, including logs.

Cheers -

On Fri, Sep 14, 2012 at 10:25 AM, Marinko Tarlać  wrote:

> Nice option but please keep in mind that suspended routers can behave like
> a brute force attacker and you'll lock them too.
>
>
> On 14.9.2012 15:36, Phil Mayers wrote:
>
>> On 14/09/12 13:57, mr. s wrote:
>>
>>> Hello,
>>>
>>> I was reading an article in computer world comparing a few RADIUS
>>> servers.
>>>
>>> It said that FreeRADIUS had "failed login lockout protection", however I
>>> can't find that particular verbiage in the FreeRADIUS documentation, FAQ
>>> or HowTos.
>>>
>>
>> What are you asking here? How to lock out a user after X failed logins?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
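Alan's point above, that lockout is a policy you build from a data source such as the server's own log, can be prototyped outside the server before anyone touches the configuration. The following is an added example written for this page, not code from the thread or from the FreeRADIUS project: it reads constructed log lines in the style of FreeRADIUS 2.x "Auth:" logging, counts failures per user inside a sliding window, and, to address Marinko's caveat about misbehaving routers, treats a client that fails for many distinct users as a faulty NAS to investigate rather than as grounds for locking those users. The log format, the thresholds and the noisy-client heuristic are assumptions of this example, not anything the thread specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of FreeRADIUS 2.x "Auth:" logging
# (hypothetical users and clients; not taken from the thread).
SAMPLE_LOG = """\
Mon Sep 17 10:00:01 2012 : Auth: Login incorrect: [alice] (from client office-ap port 0 cli 00-11-22-33-44-55)
Mon Sep 17 10:00:05 2012 : Auth: Login incorrect: [alice] (from client office-ap port 0 cli 00-11-22-33-44-55)
Mon Sep 17 10:00:09 2012 : Auth: Login incorrect: [alice/wrongpw] (from client office-ap port 0 cli 00-11-22-33-44-55)
Mon Sep 17 10:00:12 2012 : Auth: Login OK: [bob] (from client office-ap port 0 cli 00-11-22-33-44-66)
Mon Sep 17 10:00:15 2012 : Auth: Login incorrect: [alice] (from client office-ap port 0 cli 00-11-22-33-44-55)
Mon Sep 17 10:00:20 2012 : Auth: Login incorrect: [alice] (from client office-ap port 0 cli 00-11-22-33-44-55)
Mon Sep 17 10:00:30 2012 : Auth: Login incorrect: [carol] (from client branch-router port 1)
Mon Sep 17 10:00:31 2012 : Auth: Login incorrect: [dave] (from client branch-router port 2)
Mon Sep 17 10:00:32 2012 : Auth: Login incorrect: [erin] (from client branch-router port 3)
Mon Sep 17 10:00:33 2012 : Auth: Login incorrect: [frank] (from client branch-router port 4)
Mon Sep 17 10:20:00 2012 : Auth: Login incorrect: [bob] (from client office-ap port 0 cli 00-11-22-33-44-66)
"""

# "[user]" or "[user/badpassword]" (the latter appears when auth_badpass logging is on).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]/]+)[^\]]*\] "
    r"\(from client (?P<client>\S+) "
)


def parse_auth_lines(lines):
    """Yield (timestamp, result, user, client) for each line the regex recognises."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["result"], m["user"], m["client"]


def evaluate(log_text, threshold=5, window=timedelta(minutes=10), noisy_client_users=3):
    """Sliding-window failure counter.

    Returns (locks, noisy_clients). locks maps user -> (time, client) for users
    whose failures reached `threshold` inside `window`. noisy_clients is the set
    of clients that produced failures for at least `noisy_client_users` distinct
    users: a heuristic (an assumption of this example, not a FreeRADIUS feature)
    for a NAS that is retrying stale credentials on its own. Locks attributed to
    such a client are dropped so a broken router does not lock out its users.
    """
    recent = defaultdict(deque)       # user -> failure timestamps inside the window
    failing_users = defaultdict(set)  # client -> distinct users that failed from it
    locks = {}
    for ts, result, user, client in parse_auth_lines(log_text.splitlines()):
        if result != "incorrect":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        failing_users[client].add(user)
        if len(q) >= threshold and user not in locks:
            locks[user] = (ts, client)
    noisy = {c for c, users in failing_users.items() if len(users) >= noisy_client_users}
    locks = {u: v for u, v in locks.items() if v[1] not in noisy}
    return locks, noisy


if __name__ == "__main__":
    locks, noisy = evaluate(SAMPLE_LOG)
    for user, (when, client) in locks.items():
        print(f"lock {user}: {len(locks)} threshold reached at {when} via {client}")
    for client in sorted(noisy):
        print(f"investigate client {client}: failures for many distinct users")
```

Run over the sample, only alice is locked (five failures in twenty seconds from one access point), while branch-router, which fails once each for four different users, is reported for investigation rather than causing four lockouts.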

Re: Customization of RADIUS reply

2012-09-17 Thread Alan DeKok
Václav Pernica wrote:
> I’m configuring the FreeRADIUS together with the Oracle DB. I need to
> get the user authenticated and in the reply provide the parameter
> "mailbox_fullname" from the DB.

  Does the RADIUS client understand that attribute?

> The Oracle DB has for my purpose only one view which contains the
> following columns.
> 
> mailbox_id,mailbox_email,mailbox_fullname,mailbox_password
> 
> I created new attribute in dictionary:
> 
> ATTRIBUTE   Full-Mailbox-Name   3000    string

  You need to read the comments in raddb/dictionary.  It explains how to
send new attributes in a RADIUS packet.

  Hint: you're doing it wrong.

  This is documented.

> The user authentication works, however I need to have in the reply the
> value of “mailbox_fullname” from DB query. Instead of it, there is
> nothing.  Could you please advise how to get in the reply
> “mailbox_fullname” for the corresponding mailbox_email?

  Read the file you edited:  raddb/dictionary

  Alan DeKok.

Customization of RADIUS reply

2012-09-17 Thread Václav Pernica

Hello

I'm configuring FreeRADIUS together with an Oracle DB. I need to get the user 
authenticated and provide the parameter "mailbox_fullname" from the DB in 
the reply.
The Oracle DB has, for my purpose, only one view, which contains the following 
columns.

mailbox_id,mailbox_email,mailbox_fullname,mailbox_password

I created a new attribute in the dictionary:

ATTRIBUTE   Full-Mailbox-Name   3000    string

And customized the SQL queries as follows (dialup.conf):

   authorize_check_query = "SELECT mailbox_id,mailbox_email,'Cleartext-Password',mailbox_password,':=' FROM ${authcheck_table} WHERE mailbox_email = '%{SQL-User-Name}' ORDER BY mailbox_id"
   authorize_reply_query = "SELECT mailbox_id,mailbox_email,'Full-Mailbox-Name',mailbox_fullname,':=' FROM ${authreply_table} WHERE mailbox_email = '%{SQL-User-Name}' ORDER BY mailbox_id"

The user authentication works; however, I need to have the value of 
"mailbox_fullname" from the DB query in the reply. Instead, there is nothing.  Could you 
please advise how to get "mailbox_fullname" for the corresponding 
mailbox_email in the reply?

Here is the sample radtest output; the full output from debug mode is attached.

radtest -x a0012 password localhost 0 testing123

Sending Access-Request of id 26 to 127.0.0.1 port 1812
   User-Name = "a0012"
   User-Password = "password"
   NAS-IP-Address = 10.7.96.25
   NAS-Port = 0
   Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=26, length=20

Thanks a lot!
Vaclav

# radiusd -X
FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Sep 13 
2012 at 13:34:43
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/s
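What Alan's hint about raddb/dictionary comes down to is the on-wire format: a standard RADIUS attribute carries its number in a single octet (RFC 2865 section 5), so a dictionary number such as 3000 can only ever name a server-internal attribute and is never encoded into an Access-Accept. A site-specific attribute that must reach the client has to travel inside a Vendor-Specific attribute (type 26), which is what a VENDOR block in the dictionary describes. The following is an added example written for this page, not code from the thread or from FreeRADIUS: it packs and unpacks both forms and rejects the number 3000 at encode time. The vendor id 99999 and the vendor attribute number 1 are placeholders, not values from the thread.

```python
import struct

VENDOR_ID = 99999         # placeholder private enterprise number (assumption)
VENDOR_ATTR_FULLNAME = 1  # placeholder vendor attribute number (assumption)
REPLY_MESSAGE = 18        # standard attribute number, RFC 2865
VENDOR_SPECIFIC = 26      # standard attribute number, RFC 2865


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Pack one standard attribute: Type (1 octet), Length (1 octet), Value."""
    if not 0 <= attr_type <= 255:
        raise ValueError(f"attribute number {attr_type} does not fit the one-octet Type field")
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Pack a Vendor-Specific attribute: Vendor-Id (4 octets) followed by one
    Vendor-Type / Vendor-Length / Value triple, as in RFC 2865 section 5.26."""
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor attribute number must fit one octet")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def decode_attrs(data: bytes):
    """Walk a packed attribute list. Returns (type, vendor_id, vendor_type, value)
    tuples; the vendor fields are None for standard attributes."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length runs outside the packet")
        value = data[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id and sub-attribute header")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vt, vl = value[4], value[5]
            if vl < 2 or 4 + vl != len(value):
                raise ValueError("vendor length does not match attribute length")
            out.append((t, vendor_id, vt, value[6:4 + vl]))
        else:
            out.append((t, None, None, value))
        i += length
    return out


def build_reply_attrs(fullname: str) -> bytes:
    """Reply attribute list carrying the full name as a VSA plus a Reply-Message."""
    return (encode_vsa(VENDOR_ID, VENDOR_ATTR_FULLNAME, fullname.encode())
            + encode_attr(REPLY_MESSAGE, b"Welcome"))


if __name__ == "__main__":
    try:
        encode_attr(3000, b"x")
    except ValueError as err:
        print("3000 rejected:", err)
    for attr in decode_attrs(build_reply_attrs("Jane Doe")):
        print(attr)
```

The same one-octet limit applies inside the VSA: the vendor attribute number must also be 255 or less, which is why dictionary VENDOR blocks number their attributes from 1 rather than reusing internal numbers like 3000.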

Re: generating ssl certs in debian squeeze

2012-09-17 Thread austin wonderly
Did the trick, thanks :D (had been making a silly mistake with one of the
cert files).

On Sat, Sep 15, 2012 at 3:05 AM, Alan DeKok wrote:

> austin wonderly wrote:
> > hello, thanks for the tip, although unfortunately I'm still getting
> > problems
>
>   Google "EAP-TLS freeradius" gets you this link:
>
> http://freeradius.org/doc/EAPTLS.pdf
>
>   Follow it, and it WILL WORK.
>
>   The Wiki also contains documentation, and points to my web site:
>
> http://deployingradius.com/documents/configuration/eap.html
>
>   Follow the instructions, and it will work.
>
>   You've missed a step somewhere.  eapol_test is providing a client
> cert, signed by a CA unknown to FreeRADIUS.
>
>   Alan DeKok.

max_queue_size > 65536

2012-09-17 Thread Arran Cudbard-Bell
A friendly heads up.

The bug fixes item "Use max_queue_size in threading code" refers to an issue in 
the threading code where the value used to initialise the request queue was 
different from the value used to check whether the maximum number of entries had 
been added to the queue. Thus, if you'd set the config item max_queue_size to 
something larger than 65536 and actually used more than that number of queue 
slots, the server would crash.

This config item was previously undocumented so hopefully few people have 
altered it.

If you have, and you're using a version < 2.2.0, please remove the config item 
to set it back to the default, or set it to a value less than 65536.

-Arran


Re: Proxy and requests queue

2012-09-17 Thread AemNet

On 17/09/2012 10:44, Alan DeKok wrote:

>   Upgrade.

I'll do it asap.

>   Each request is handled separately from each other request, no matter
> where it came from, and no matter where it was proxied to.  Each home
> server is handled separately from each other home server.

Ok, that's what I want to read.

>   The short answer is that the server works, and doesn't do anything stupid.

Sure! FreeRADIUS is excellent software! Thank you very much for your 
answer.



Re: users file case sensitive

2012-09-17 Thread Phil Mayers

On 09/17/2012 11:00 AM, Gregg Douglas wrote:

> Hi,
>
> Background:
>
> FreeRadius Version: 2.1.1-7.10.1
> Users are stored in LDAP, I am using the users file to assign static
> IP Addresses to certain users.
>
> It seems that the users file is case sensitive. I found a few articles
> on the net regarding this, but none really supplied a definitive answer.
>
> Is there a way to prevent the users file from being case sensitive? If
> not, what is the recommended method to elegantly avoid this problem?

files myfiles {
  key = "%{lower:%{User-Name}}"
  ...
}

...or something similar.


Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Arran Cudbard-Bell

On 17 Sep 2012, at 10:34, Stefan Winter  wrote:

> Hi,
> 
>>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
> 
>>>  Are you sure?  The "openssl SEGV" problem is almost always because you
>>> have two versions of OpenSSL installed.
>>> 
>>>  What is likely happening is that the compile stage is picking up the
>>> system-supplied OpenSSL include files.  The way to test this is to
>>> rename / move them, do the build, and then the install.
>>> 
>>>  If it now works, it was picking up OpenSSL X, and linking against
>>> OpenSSL Y.
>> 
>> Hm, okay... will do.
> 
> That was it indeed. Had to change the include path above to
> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include
> 
> because configure adds the openssl/ sub-path on its own. Now it works
> like a charm (as usual :-) ).
> 
> Thanks!

Also, you have a typo in your config: it should be "earli", assuming the 
Reply-Message is meant to be read with a piratey accent.

-Arran


users file case sensitive

2012-09-17 Thread Gregg Douglas
Hi,

Background:

FreeRadius Version: 2.1.1-7.10.1
Users are stored in LDAP, I am using the users file to assign static IP
Addresses to certain users.


It seems that the users file is case sensitive. I found a few articles on
the net regarding this, but none really supplied a definitive answer.

Is there a way to prevent the users file from being case sensitive? If
not, what is the recommended method to elegantly avoid this problem?

Regards
Gregg

Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Stefan Winter
Hi,

>>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl

>>   Are you sure?  The "openssl SEGV" problem is almost always because you
>> have two versions of OpenSSL installed.
>>
>>   What is likely happening is that the compile stage is picking up the
>> system-supplied OpenSSL include files.  The way to test this is to
>> rename / move them, do the build, and then the install.
>>
>>   If it now works, it was picking up OpenSSL X, and linking against
>> OpenSSL Y.
> 
> Hm, okay... will do.

That was it indeed. Had to change the include path above to
--with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include

because configure adds the openssl/ sub-path on its own. Now it works
like a charm (as usual :-) ).

Thanks!

Stefan



-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re:

2012-09-17 Thread Fajar A. Nugraha
On Mon, Sep 17, 2012 at 4:05 PM, QASIM RAO  wrote:
> hi,
>
> I want to test the performance of my RADIUS server. Can anybody give me a
> suggestion how I can perform a performance test of my RADIUS server? I have
> checked some performance testing tools (radlogin, radtest, Evolynx RADIUS
> Load Test tool) but they are not working according to my requirements; I want
> to send a bulk number of requests including additional attributes I have
> included in my server.

There's radclient, included in the server. Handy when you want highly
customized attributes for each request.

There's also radperf: http://networkradius.com/radperf.html

-- 
Fajar
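Fajar's suggestion of radclient fits the question because radclient reads its requests from a plain text file: one "Attribute = value" line per attribute, requests separated by a blank line, loaded with -f. Producing that file with per-request and site-specific attributes is the part the tools Qasim tried did not cover, so here is an added example, written for this page and not part of radclient or of the thread, that writes a bulk request file and parses it back to confirm what will be sent. The attribute names under EXTRA_ATTRS, the user naming scheme and the 192.0.2.10 NAS address are constructed placeholders to be replaced with your own dictionary's attributes.

```python
import re

# Attributes added to every request (constructed placeholders; replace them with
# the attributes defined in your own dictionary).
EXTRA_ATTRS = {
    "NAS-Identifier": '"loadtest-nas"',
    "Called-Station-Id": '"00-00-5E-00-53-01:corp"',
}

# radclient's file format uses "Attr = value"; ":=" and "+=" are accepted too.
ATTR_LINE = re.compile(r"^\s*(?P<name>[A-Za-z0-9-]+)\s*(?P<op>:=|\+=|=)\s*(?P<value>.+?)\s*$")


def quote(s: str) -> str:
    """Quote a string value, escaping backslashes and embedded double quotes."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_request(index: int, password: str, nas_ip: str, extra: dict) -> str:
    """One Access-Request block: per-user attributes first, then the fixed extras."""
    attrs = {
        "User-Name": quote(f"user{index:04d}"),
        "User-Password": quote(password),
        "NAS-IP-Address": nas_ip,
        "NAS-Port": str(index),
    }
    attrs.update(extra)
    return "\n".join(f"{name} = {value}" for name, value in attrs.items())


def generate_requests(count: int, password="loadtest-password",
                      nas_ip="192.0.2.10", extra=EXTRA_ATTRS) -> str:
    """Return the text of a radclient input file holding `count` requests."""
    return "\n\n".join(build_request(i, password, nas_ip, extra)
                       for i in range(1, count + 1)) + "\n"


def parse_requests(text: str):
    """Parse a radclient input file back into a list of {attribute: value} dicts,
    so the generated file can be checked before it is fired at a server."""
    requests, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current request
            if current:
                requests.append(current)
                current = {}
            continue
        if line.lstrip().startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        current[m["name"]] = m["value"]
    if current:
        requests.append(current)
    return requests


if __name__ == "__main__":
    text = generate_requests(1000)
    with open("requests.txt", "w") as fh:
        fh.write(text)
    print(len(parse_requests(text)), "requests written to requests.txt")
```

The file is then sent with something like `radclient -f requests.txt -x localhost auth testing123` against a test server; radclient(1) documents the options for sending requests in parallel and repeating each packet, which is where the load comes from.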


Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Stefan Winter
Hi,

>> Today, I compiled with
>>
>> --with-openssl
>> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
>>
>> --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
>>
>> the path is in ld.so.conf, and ldd shows that linking against this new
>> version works.
> 
>   Are you sure?  The "openssl SEGV" problem is almost always because you
> have two versions of OpenSSL installed.
> 
>   What is likely happening is that the compile stage is picking up the
> system-supplied OpenSSL include files.  The way to test this is to
> rename / move them, do the build, and then the install.
> 
>   If it now works, it was picking up OpenSSL X, and linking against
> OpenSSL Y.

Hm, okay... will do.

Stefan




[no subject]

2012-09-17 Thread QASIM RAO

hi,
I want to test the performance of my RADIUS server. Can anybody give me a suggestion 
how I can perform a performance test of my RADIUS server? I have checked some 
performance testing tools (radlogin, radtest, Evolynx RADIUS Load Test tool) 
but they are not working according to my requirements; I want to send a bulk number 
of requests including additional attributes I have included in my server. 

regards,
Qasim Rao

Re: Proxy and requests queue

2012-09-17 Thread Alan DeKok
AemNet wrote:
>  I've a question about the management of the queue in freeradius 2.1.12.

  Upgrade.

> Let's assume my server is used for local authentication for the realm
> mydomanin.org and proxies the requests for the realm remote.org (a pool
> with a single home server). Let's assume also that max_servers and
> max_spare_server are set correctly.

  Those thread settings have NOTHING to do with proxying.  You can proxy
requests even in single-threaded mode.

> What happens if the home server for the proxy takes too long to respond?

  The server handles it gracefully.

> Are the requests for the local side ignored, or do they have their own queue?

  The inputs && outputs are completely decoupled.  It would be a bad
design to tightly couple them.

> And
> if my proxy is used for different realms (remote1.org, remote2.org
> etc...), all with their own single home_server, what happens if a remote
> home server takes too long to respond?

  The server handles it gracefully.

  Each request is handled separately from each other request, no matter
where it came from, and no matter where it was proxied to.  Each home
server is handled separately from each other home server.

> To make a long story short: is it possible that a problem on a remote home
> server (that receives a huge number of requests) blocks the requests for
> my local server?

  No.

> I know this can be a stupid question, but I didn't find an answer in the
> wiki or in the docs (probably I've searched in the wrong place or with the
> wrong terms, sorry)

  The short answer is that the server works, and doesn't do anything stupid.

  Alan DeKok.


Proxy and requests queue

2012-09-17 Thread AemNet

Hi everybody,
 I've a question about the management of the queue in freeradius 2.1.12.
Let's assume my server is used for local authentication for the realm 
mydomanin.org and proxies the requests for the realm remote.org (a pool 
with a single home server). Let's assume also that max_servers and 
max_spare_server are set correctly.
What happens if the home server for the proxy takes too long to respond? 
Are the requests for the local side ignored, or do they have their own queue? And 
if my proxy is used for different realms (remote1.org, remote2.org 
etc...), all with their own single home_server, what happens if a remote 
home server takes too long to respond?
To make a long story short: is it possible that a problem on a remote home 
server (that receives a huge number of requests) blocks the requests for 
my local server?


Thanks

I know this can be a stupid question, but I didn't find an answer in the 
wiki or in the docs (probably I've searched in the wrong place or with the 
wrong terms, sorry)


PS: sorry for my English


Re: Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Alan DeKok
Stefan Winter wrote:
> until today, I have been running FreeRADIUS 2.2.0 successfully with a
> system-supplied openSSL.
> 
> Today, I compiled with
> 
> --with-openssl
> --with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl
> 
> --with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib
> 
> the path is in ld.so.conf, and ldd shows that linking against this new
> version works.

  Are you sure?  The "openssl SEGV" problem is almost always because you
have two versions of OpenSSL installed.

  What is likely happening is that the compile stage is picking up the
system-supplied OpenSSL include files.  The way to test this is to
rename / move them, do the build, and then the install.

  If it now works, it was picking up OpenSSL X, and linking against
OpenSSL Y.

  Alan DeKok.
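Alan's diagnosis (headers from one OpenSSL, library from another) and Stefan's fix further up the thread (drop the trailing openssl/ from --with-openssl-includes, because configure appends that component itself) can both be checked mechanically before the binary is ever run against PEAP. The following is an added example written for this page, not a script from the thread or from FreeRADIUS: it inspects the configure flags for the trailing openssl/ path component and compares the libssl/libcrypto paths in ldd output against the configured library directory. The flag values are the ones quoted in the thread; the ldd listing is constructed to show the mixed case.

```python
import os

# Configure flags as quoted in the thread: the failing form and the corrected form.
BAD_FLAGS = [
    "--with-openssl",
    "--with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl",
    "--with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib",
]
GOOD_FLAGS = [
    "--with-openssl",
    "--with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include",
    "--with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib",
]

# Constructed `ldd radiusd` output (not from the thread) in which libssl comes from
# the system while libcrypto comes from the private build.
MIXED_LDD = """\
\tlinux-vdso.so.1 =>  (0x00007fff5b5ff000)
\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1c2a000000)
\tlibcrypto.so.1.0.0 => /usr/local/freeradius/openssl-1.0.1c/lib/libcrypto.so.1.0.0 (0x00007f1c29c00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29800000)
"""
CLEAN_LDD = MIXED_LDD.replace("/usr/lib/x86_64-linux-gnu/libssl",
                              "/usr/local/freeradius/openssl-1.0.1c/lib/libssl")


def parse_flags(flags):
    """Extract the OpenSSL include and library directories from configure flags."""
    inc = lib = None
    for flag in flags:
        key, _, value = flag.partition("=")
        if key == "--with-openssl-includes":
            inc = value
        elif key == "--with-openssl-libraries":
            lib = value
    return inc, lib


def parse_ldd(text):
    """Map each shared object name in ldd output to the path the loader resolved."""
    resolved = {}
    for line in text.splitlines():
        name, sep, rest = line.strip().partition("=>")
        if not sep:
            continue
        path = rest.strip().split(" ", 1)[0]
        if path.startswith("/"):          # skips the vdso entry, which has no path
            resolved[name.strip()] = path
    return resolved


def check_openssl_build(flags, ldd_text):
    """Return a list of findings; an empty list means headers and libraries agree."""
    findings = []
    inc, lib = parse_flags(flags)
    if inc and os.path.basename(inc.rstrip("/")) == "openssl":
        findings.append(
            f"include path {inc} ends in openssl/; configure appends that component "
            "itself, so the compile will not find these headers and falls back to "
            "whatever OpenSSL headers the system provides")
    if lib:
        lib_prefix = lib.rstrip("/") + "/"
        for name, path in parse_ldd(ldd_text).items():
            if name.startswith(("libssl", "libcrypto")) and not path.startswith(lib_prefix):
                findings.append(f"{name} resolves to {path}, outside {lib}")
    return findings


if __name__ == "__main__":
    for flags, ldd in ((BAD_FLAGS, MIXED_LDD), (GOOD_FLAGS, CLEAN_LDD)):
        print(check_openssl_build(flags, ldd) or ["consistent"])
```

In real use the ldd text would come from `ldd` run on the installed radiusd and on the rlm_eap modules, since a module can pull in a different libssl than the main binary; the path comparison is the same.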


Segmentation fault when linking 2.2.0 against openSSL 1.0.1c

2012-09-17 Thread Stefan Winter
Hi,

until today, I have been running FreeRADIUS 2.2.0 successfully with a
system-supplied openSSL.

Today, I compiled with

--with-openssl
--with-openssl-includes=/usr/local/freeradius/openssl-1.0.1c/include/openssl

--with-openssl-libraries=/usr/local/freeradius/openssl-1.0.1c/lib

the path is in ld.so.conf, and ldd shows that linking against this new
version works.

However, when running PEAP on this version, I get a segmentation fault now:

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "test.edur...@education.lu"
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Reply-Message = "What shall we do with the drunken sailor? What
shall we do with the drunken sailor? What shall we do with the drunken
sailor - early in the morning? Give him eduroam."
Segmentation fault

The repetition of that attribute is NOT an error; it's there to inflate
the packet beyond 1500 bytes to trigger UDP fragmentation (this is our
Nagios testing).

In 2.2.0 against the old openSSL version, everything works fine -
Access-Accept. Any hints?

Greetings,

Stefan winter
