Re: getting rejected, please give me some light.

2012-10-04 Thread Eliezer Croitoru

On 10/5/2012 12:07 AM, Matthew Newton wrote:

You added 'bob' at the bottom of the 'users' file. Move it to the
top. (And add pap back in).

Matthew

Now it works... as I said before,
the only problem was that I added the user name at the end of the file.

Indeed I am trying to read, but since there is so much of it, it's kind of
hard to get in a second where to look.


Instead of the principle, people write a bunch of instructions on how to
do specific things...


The GOOD thing is the man pages, which do what they need to.

Thanks,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: bugs.freeradius.org unavailable?

2012-10-04 Thread endo mitsuharu

Hello,

I understand.
Thank you so much for all your help.

Thanks,
Endo


Re: Identifying Virtual-Server from Inner-Tunnel

2012-10-04 Thread Matthew Newton
On Thu, Oct 04, 2012 at 01:07:57PM -0600, Jordan Dohms wrote:
> - Depending on the virtual server the request was received through,
> call a different mschap module from the inner-tunnel or reject the
> request. (not working)

You've gone to the hassle of duplicating RADIUS server configs in
your clients and sending requests to different ports, so you could
do your check based on Packet-Dst-Port.

> If there's a better/cleaner/simpler way to do this, I'm all ears.

If there is something in the packet that can indicate which
network is being connected to, you likely don't need to use two
ports as you can just do it all in one server (testing based on
that attribute). For example, with wireless networks, you can
usually get the SSID in the request somehow.

> virtual-server?  Should I need to set a separate variable in the
> outer-server and read it below?

I guess that's another way of doing it. Personally unless
functionality was a lot different (which it doesn't sound like it
is), I'd probably do it all in one outer server and test based on
request attribute or Packet-Dst-Port, but if it works then it's
OK.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: getting rejected, please give me some light.

2012-10-04 Thread Matthew Newton
On Thu, Oct 04, 2012 at 07:59:09PM +0200, Eliezer Croitoru wrote:
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "bob", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry bob at line 204
> ++[files] returns ok
> WARNING: Please update your configuration, and remove 'Auth-Type =
> Local' ### what does that mean? what does it refer to? I
> don't have the word 'Local' at all in my files other than the defaults
> WARNING: Use the PAP or CHAP modules instead.
> User-Password in the request is correct.

This error is slightly misleading. If you remove the pap module in
2.x, the server will internally authenticate in a similar way by
setting Auth-Type to 'Local', iff it is not already set.

It's an indication that you removed pap, as it will only occur if
no Auth-Type has been set, and there is a User-Password in the
request.

This will break in 3.0. You need to add pap back in again and not
rely on Local auth.


> [files] users: Matched entry DEFAULT at line 172
> ++[files] returns ok
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user # it's the same basics as before, so why is the software
> saying that? What is the difference between the logins (a lot) that
> makes it not work with the users file?

You added 'bob' at the bottom of the 'users' file. Move it to the
top. (And add pap back in).

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
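An added example, written for this page rather than taken from the thread or from the FreeRADIUS distribution, that puts Matthew's two points into files. The rejected request in the debug output carries Framed-Protocol = PPP and matched "DEFAULT at line 172"; the stock 2.x users file's active DEFAULT entry for that case is `DEFAULT Framed-Protocol == PPP`, which has no Fall-Through, so processing stops there and bob's entry at line 204 is never read: no Cleartext-Password, hence no Auth-Type, hence the reject. The radtest packet has no Framed-Protocol, skips that DEFAULT and reaches bob, which is why the local test passed. The second file is the stock shape of sites-enabled/default with pap left in both sections; the poster's trace shows no ++[pap] line in authorize at all, and pap in authorize is what turns a known Cleartext-Password into Auth-Type = PAP. The `sql` line reflects the poster's setup, "Hello" comes from the debug output, everything else is the stock configuration.

```unlang
# raddb/users -- the file is first match, top to bottom. As posted, bob sat
# BELOW the stock DEFAULT entries, so a PPP request never got to it:
#
#   DEFAULT	Framed-Protocol == PPP
#   	Framed-Protocol = PPP,
#   	Framed-Compression = Van-Jacobson-TCP-IP   <- matches, no Fall-Through
#   ...
#   bob	Cleartext-Password := "Hello"             <- never reached
#
# Fixed: named users first. Fall-Through = Yes lets the matching DEFAULT
# below still add its reply items (PPP, VJ compression) for the LNS.
bob	Cleartext-Password := "Hello"
	Fall-Through = Yes

DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

# (alternative, if a DEFAULT must stay on top: give IT Fall-Through = Yes
#  as its last reply item, so processing continues down to the user entry)


# raddb/sites-enabled/default -- keep pap in BOTH sections. In authorize,
# pap sees the Cleartext-Password that 'files' (or sql) supplied and sets
# Auth-Type = PAP. Without it, 2.x falls back to the deprecated
# 'Auth-Type = Local' path, which is the WARNING in the thread and which
# 3.0 no longer has.
authorize {
	preprocess
	chap
	mschap
	digest
	suffix
	eap {
		ok = return
	}
	files
	sql
	expiration
	logintime
	# last, after every module that can supply a password
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

With these two files in place, re-sending the LNS request under `radiusd -X` should show `[files] users: Matched entry bob` followed by `++[pap] returns updated` in authorize, then `Auth-Type PAP` in authenticate, and the 'Auth-Type = Local' warning goes away.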


Re: Indeterministic EAP error

2012-10-04 Thread Matthew Newton
On Thu, Oct 04, 2012 at 05:45:30PM +0200, Matthias Nagel wrote:
> WARNING: !! EAP session for state 0xABCDEFGHIJKLMNOP did not finish!
...
> Has anybody an idea what the reason might be?

We see it a lot less since we tweaked the EAP timers on our Cisco
Wireless Controller. You don't say what APs or system you're
using, but for example if it's the Cisco WLCs see
https://supportforums.cisco.com/docs/DOC-12110

The issue would go /something/ like (I forget the precise details):

  User clicks connect

  (*) Types in username and password slowly

  EAP Identity Request would time out (20s or so)

  EAP session would get closed - client & controller would give up -
  error above

  User clicks login

  EAP session starts again

  either a) EAP completes and client connects

  or b) client realises that their EAP session got broken, and
  prompts the user for their password again - go back to '*'.

Then... after a couple of times, the controller might figure
that the client has done some bad authentications, and ban them
for a minute or so.

We tweaked the timers to make the Identity Request time + max
retries longer, and disabled the automatic banning of clients from
invalid authentications. Generally now the only time we see that
error is if we restart FreeRADIUS (in which case, EAP sessions in
transit get broken, so it's the sort of thing I expect).

You still sometimes see it if a client is on the edge of a radio
cell, and moves out of range whilst connecting, for example, but
it's nothing like as often as it used to be.

In short, it's a client/NAS issue, as already stated.

Hope that helps,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: Indeterministic EAP error

2012-10-04 Thread alan buxey
Hi,

> I found the entry
> #  fragment_size = 1024
> to be commented out. Does anybody have experience with HP E-MSM 430 APs? 
> Probably this is a silly question: I always believed that the smallest MTU 
> that must be supported by an ethernet device is 1500. Are there really APs 
> that support less? I did not find anything on that in the specifications of 
> my AP. And second question: Does a wrong value for fragment_size always fail? 
> Or to state it conversely: If a default fragment size of 1024 works most of 
> the time (as it does with me), can this still be a reason for the failure, if 
> it is too high?

actually, wifi has bigger MTUs than that - around 2304 for payload - the
problem is ethernet... which is USUALLY 1500.

if you DON'T set this, then the RADIUS server will cram as much as possible
into each packet... and thus your certificate, its intermediates and CA root
are all shoved through some rather large packets... if you set this value -
eg to 1024 - then those packets are nice and tight.


alan


Re: Indeterministic EAP error

2012-10-04 Thread alan buxey
Hi,

> >I cannot find any pattern, so I do not believe it to be a client side
> >issue.

> One thing: that logging only happens in "debug" mode. Most people
> don't run in debug mode all the time, so as far as I know, it could
> be normal - maybe everyone sees failure rates of that order?

as Phil says, that message only appears in debug mode... and debug mode runs
in a single thread and slows the whole process down. if you have multiple
clients trying to connect when in this state, and your server cannot deal
with the client fast enough, then you run into timing issues... et voila,
plenty of errors and "did not finish" errors etc.

ensure your main EAP method is first in the list. use the caching feature so
the clients don't have to go through the whole 12 trips etc.

.. and, as Phil says, with wireless you are dealing with the whole PHY issue -
packets sent may have got scrambled, needed resending... if the air is 'busy'
with duty cycles the client may not be able to transmit in a timely fashion -
got 802.11b clients around?

alan


Re: getting rejected, please give me some light.

2012-10-04 Thread John Dennis

On 10/04/2012 03:10 PM, Eliezer Croitoru wrote:

On 10/4/2012 8:18 PM, John Dennis wrote:

All the information you need is in the debug output you posted. Did you
read it?

I have tried but I am unable to understand what is wrong since it's a
new language for me.



Hint, you need the pap module for plaintext auth, it's enabled by
default. Why did you disable it? The debug output even calls attention
to this omission.

I didn't disable anything... it's the bulk FreeRADIUS settings, with the only
things changed being for sql and ok = return in the pap auth case to prevent
trying sql (like in the eap settings).


You say you didn't disable anything and in the next sentence you say you 
inserted "ok = return" in pap. Your log shows pap is broken, gee I 
wonder why? Do not change anything you don't understand.




I have tried to write the username and password in the users file, which works for
wifi EAP but not for NAS\LNS.




You've set the Auth-Type, probably in the users file. Do not do that,
the server will figure it out.

In what section I possibly did that?

There are no instructions from the
FreeRADIUS doc which instructs you to do this. Why did you set it?

I am looking for instructions but it seems like I missed something in
understanding?

What I have added is:
bob Cleartext-Password := "Hello"

and the client config to communicate the server

I don't have any rules that I have added to the original ones.

I recompiled it from source and reinstalled it.

pap is on etc..

Found out my problem...

now I understood that it's like ACLs "first hit" in the users file.


try reading doc/processing_users_file.rst



there is no reject or whatever but it does have other "DEFAULT" things
and since they exist they come first, before the username I inserted.
at least that is what I understood after trying, and it's working fine now.

the next step SQL.


Nope, the next step is to go back to square one and reinstall the 
default provided configuration. DO NOT edit anything unless you actually 
understand what you're doing.


Follow the instructions on Alan's website in the howto section:

http://deployingradius.com/

Also, the config files under raddb have a lot of documentation, spend 
some time reading it as well as the information under doc. Poke around 
Alan's website (above) as well as the FreeRADIUS Wiki.


Do not follow any suggestions found on random websites, usually they're 
wrong. Only follow instructions found in the tarball, the freeradius.org 
website, or deployingradius.com.


Do not change anything you do not understand.


Thanks,
Elizer




--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: rebuilding a FR server

2012-10-04 Thread John Dennis

On 10/04/2012 02:46 PM, Andrew Precht wrote:

Hi users,
I'm attempting to setup a new virtual FR server on centos6, to replace
an aging FR 1.13-1.6.el5 server. I have got the new server setup per
the docs at freeradius.org.
I've run the simple test using radtest locally and I get an
Access-Accept. Also, using NTradPing remotely I get an Access-Accept.
So, I think I've got the basic freeradius and firewall setup
correctly.
Now the hard part... I have no documentation or knowledge base for the
old FR setup. It is used to authenticate WiFi users against a
proprietary system using a Sybase DB. From what I can tell, it's using
a perl script to talk to the db.
I say this because of two lines in the radiusd.conf. One is:
Auth-Type Perl { perl }  and the other is: perl { module =
/etc/raddb/sjsu.pl }

My question is: Is it as easy as adding the same two lines to my new
FR 2.1.12  radiusd.conf and copying over the sjsu.pl to get it to use
the perl script?


Sorry, no it's not that easy :-(

FreeRADIUS 1.x and 2.x are *not* configuration compatible. Your best bet 
is to start with the default out of the box 2.x config and make only 
incremental changes based on a thorough understanding of how the server 
works and what your requirements are. It's best to keep your config 
files under source code control. If something breaks you can go back to 
a working configuration, review history, etc.


Once that's working, do everyone a favor, unlike your predecessor, and 
document what you did and how it works (at the moment it sounds like 
you're going to have to unravel what your predecessor did; only then can 
you move forward).



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: getting rejected, please give me some light.

2012-10-04 Thread Eliezer Croitoru

On 10/4/2012 8:18 PM, John Dennis wrote:

All the information you need is in the debug output you posted. Did you
read it?
I have tried but I am unable to understand what is wrong since it's a 
new language for me.




Hint, you need the pap module for plaintext auth, it's enabled by
default. Why did you disable it? The debug output even calls attention
to this omission.
I didn't disable anything... it's the bulk FreeRADIUS settings, with the only 
things changed being for sql and ok = return in the pap auth case to prevent 
trying sql (like in the eap settings).


I have tried to write the username and password in the users file, which works for 
wifi EAP but not for NAS\LNS.





You've set the Auth-Type, probably in the users file. Do not do that,
the server will figure it out.

In what section I possibly did that?

There are no instructions from the
FreeRADIUS doc which instructs you to do this. Why did you set it?
I am looking for instructions but it seems like I missed something in 
understanding?


What I have added is:
bob Cleartext-Password := "Hello"

and the client config to communicate the server

I don't have any rules that I have added to the original ones.

I recompiled it from source and reinstalled it.

pap is on etc..

Found out my problem...

now I understood that it's like ACLs "first hit" in the users file.

there is no reject or whatever but it does have other "DEFAULT" things 
and since they exist they come first, before the username I inserted.

at least that is what I understood after trying, and it's working fine now.

the next step SQL.

Thanks,
Elizer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


Identifying Virtual-Server from Inner-Tunnel

2012-10-04 Thread Jordan Dohms
I’m still fairly new at FreeRADIUS.  Running 2.1.10 (we are planning
our upgrade shortly).

Kind of a two pronged question here...I'm encountering a particular
issue, but also would like to hear if my broad approach is suitable.

I am attempting to do the following:
- Use one FreeRADIUS server to authenticate for two different 802.1X
networks (EAP-PEAP / MSCHAP).
- Both will use the mschap module to interface with Microsoft Active Directory.
- The first 802.1X network will authenticate against DOMAIN1, the
second against both DOMAIN1 and DOMAIN2.  The first network should
reject authentication attempts from DOMAIN2.
- All usernames are specified with a full realm / fqdn.
- The RADIUS clients (wireless access points) will all be the same for
the two networks.

What (I think) is the solution:
- In order for FreeRADIUS to distinguish what set of users (DOMAIN1 or
DOMAIN1/2) to authenticate against, I have setup two virtual servers
listening on different ports and (obviously) different names.
(working)
- The clients connect to FreeRADIUS over a different port depending on
the network they're attempting to connect to. (working)
- Setup realms for both DOMAIN1 and DOMAIN2 to have them both
authenticate locally. (working)
- Setup two mschap modules to call ntlm_auth command with the proper
DOMAIN string. (working)
- Depending on the realm provided, call a different mschap module from
the inner-tunnel. (working)
- Depending on the virtual server the request was received through,
call a different mschap module from the inner-tunnel or reject the
request. (not working)

If there's a better/cleaner/simpler way to do this, I'm all ears.

My issue:
Since its EAP-PEAP, the request passes through the outer and
inner-tunnel virtual servers.  In my inner-tunnel, I'm doing an IF on
the Realm.  That seems to be evaluating properly if I look at the
debug logs.  If I do an IF on Virtual-Server it comes back with
'inner-tunnel'.  If I do outer.request:Virtual-Server it oddly also
comes back with 'inner-tunnel'.  How do I see the actual
virtual-server?  Should I need to set a separate variable in the
outer-server and read it below?

Here is my attempted code in "server inner-tunnel"

authenticate {
	Auth-Type MS-CHAP {
		if ("%{outer.request:Virtual-Server}" == "secure") {
			mschap_domain1
		}
		else {
			if ("%{Realm}" == "domain1.fqdn.org") {
				mschap_domain1
			}
			elsif ("%{Realm}" == "domain2.fqdn.org") {
				mschap_domain2
			}
		}
	}
	eap
}

In my debug logs:

Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +- entering group MS-CHAP {...}
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ++? if ("%{outer.request:Virtual-Server}" == "secure")
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] expand: %{outer.request:Virtual-Server} -> inner-tunnel
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{outer.request:Virtual-Server}" == "secure") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ++? if ("%{outer.request:Virtual-Server}" == "secure") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ++- entering else else {...}
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? if ("%{Realm}" == "domain1.fqdn.org")
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] expand: %{Realm} -> domain2.fqdn.org
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{Realm}" == "domain1.fqdn.org") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? if ("%{Realm}" == "domain1.fqdn.org") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? elsif ("%{Realm}" == "domain2.fqdn.org")
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] expand: %{Realm} -> domain2.fqdn.org
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{Realm}" == "domain2.fqdn.org") -> TRUE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? elsif ("%{Realm}" == "domain2.fqdn.org") -> TRUE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++- entering elsif ("%{Realm}" == "domain2.fqdn.org") {...}

Any suggestions for what I'm doing wrong or maybe a better way to tackle it?

Thanks,
Jordan Dohms
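An added example (my configuration, not the poster's and not anything shipped with FreeRADIUS) for the approach Matthew suggests in his reply: instead of asking the inner-tunnel which virtual server received the packet (which the debug output above shows expands to "inner-tunnel"), test an attribute of the outer Access-Request that names the network, which is what `%{outer.request:...}` exists for; once the network is identified that way, a single listener is enough and the two ports can go. Assumptions: the access points send Called-Station-Id in the common "<AP-MAC>:<SSID>" form and the restricted network's SSID is literally "secure"; the realm names are the poster's; DOMAIN1, DOMAIN2, the ntlm_auth path and the instance names are placeholders. Packet-Dst-Port, which Matthew also mentions, is a virtual attribute rather than one carried in the packet's attribute list, so this example sticks to a real attribute; verify any variant under `radiusd -X` exactly as Jordan did.

```unlang
# modules/mschap -- one instance per domain. The ntlm_auth line is the stock
# 2.x one with --domain added. rlm_mschap registers its xlat under the
# instance name, so each instance refers to its own Challenge/NT-Response.
mschap mschap_domain1 {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN1 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_domain1:Challenge}:-00} --nt-response=%{%{mschap_domain1:NT-Response}:-00}"
}

mschap mschap_domain2 {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_domain2:Challenge}:-00} --nt-response=%{%{mschap_domain2:NT-Response}:-00}"
}

# proxy.conf -- both realms are local (no authhost / auth_pool), so 'suffix'
# only splits user@realm into Stripped-User-Name and Realm.
realm domain1.fqdn.org {
}
realm domain2.fqdn.org {
}

# sites-enabled/inner-tunnel -- the PEAP inner request. Only the parts that
# change are shown; everything else stays as in the stock inner-tunnel.
server inner-tunnel {
	authorize {
		suffix
		# Policy gate: the "secure" SSID admits DOMAIN1 accounts only.
		# Called-Station-Id is in the OUTER request, hence outer.request.
		# Rejecting here means ntlm_auth is never called for these users.
		if ("%{outer.request:Called-Station-Id}" =~ /:secure$/) {
			if ("%{Realm}" != "domain1.fqdn.org") {
				reject
			}
		}
		# In authorize the mschap instance only sets Auth-Type = MS-CHAP
		# when MS-CHAP attributes are present; either instance will do.
		mschap_domain1
		# ... files, pap, etc. as stock
	}

	authenticate {
		Auth-Type MS-CHAP {
			if ("%{Realm}" == "domain1.fqdn.org") {
				mschap_domain1
			}
			elsif ("%{Realm}" == "domain2.fqdn.org") {
				mschap_domain2
			}
			else {
				# unknown realm: say so, rather than leaving the
				# Auth-Type block with no module having run
				reject
			}
		}
		eap
	}
}
```

The realm-based dispatch in authenticate is the part Jordan already had working; what changes is that the network check moves off Virtual-Server onto an attribute the AP actually sends, runs before authentication, and has an explicit reject for every case the policy does not name.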


rebuilding a FR server

2012-10-04 Thread Andrew Precht
Hi users,
I'm attempting to setup a new virtual FR server on centos6, to replace
an aging FR 1.13-1.6.el5 server. I have got the new server setup per
the docs at freeradius.org.
I've run the simple test using radtest locally and I get an
Access-Accept. Also, using NTradPing remotely I get an Access-Accept.
So, I think I've got the basic freeradius and firewall setup
correctly.
Now the hard part... I have no documentation or knowledge base for the
old FR setup. It is used to authenticate WiFi users against a
proprietary system using a Sybase DB. From what I can tell, it's using
a perl script to talk to the db.
I say this because of two lines in the radiusd.conf. One is:
Auth-Type Perl { perl }  and the other is: perl { module =
/etc/raddb/sjsu.pl }

My question is: Is it as easy as adding the same two lines to my new
FR 2.1.12  radiusd.conf and copying over the sjsu.pl to get it to use
the perl script?

Please advise, thanks for any help...


Re: getting rejected, please give me some light.

2012-10-04 Thread John Dennis

On 10/04/2012 01:59 PM, Eliezer Croitoru wrote:

I am new to FreeRADIUS and I probably haven't understood something yet
about how to configure everything:
I can authenticate using the command line and on RADIUS wifi, but not on
the NAS\LNS, where I'm getting rejected.
the logs with couple comments on it:


All the information you need is in the debug output you posted. Did you 
read it?


Hint, you need the pap module for plaintext auth, it's enabled by 
default. Why did you disable it? The debug output even calls attention 
to this omission.


You've set the Auth-Type, probably in the users file. Do not do that, 
the server will figure it out. There are no instructions from the 
FreeRADIUS doc which instructs you to do this. Why did you set it?





--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


getting rejected, please give me some light.

2012-10-04 Thread Eliezer Croitoru
I am new to FreeRADIUS and I probably haven't understood something yet 
about how to configure everything:
I can authenticate using the command line and on RADIUS wifi, but not on 
the NAS\LNS, where I'm getting rejected.

the logs with couple comments on it:

rad_recv: Access-Request packet from host 192.168.10.159 port 54933, id=211, length=43

User-Name = "bob"
User-Password = "Hello"
# Executing section authorize from file /opt/fradius-2.2.0/etc/raddb/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry bob at line 204
++[files] returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = 
Local' ### what does that mean? what does it refer to? I don't 
have the word 'Local' at all in my files other than the defaults

WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
# Executing section post-auth from file /opt/fradius-2.2.0/etc/raddb/sites-enabled/default

+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 211 to 192.168.10.159 port 54933
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 211 with timestamp +2391

##this is the rejected request
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.131 port 19606, id=134, length=152

NAS-Identifier = "NAS"
NAS-IP-Address = 192.168.10.131
Acct-Session-Id = "9358763-re0-3"
NAS-Port = 3
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "00270e08e1c0"
NAS-Port-Id = "re0"
Vendor-12341-Attr-12 = 0x7265302d33
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Client-Endpoint:0 = "00:27:0e:08:e1:c0"
User-Name = "bob"
User-Password = "Hello"
# Executing section authorize from file /opt/fradius-2.2.0/etc/raddb/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: 
Rejecting the user # it's the same basics as before, so why is the software 
saying that? What is the difference between the logins (a lot) that makes 
it not work with the users file?

Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /opt/fradius-2.2.0/etc/raddb/sites-enabled/default

+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bob
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request


Thanks,
Eliezer


Re: Indeterministic EAP error

2012-10-04 Thread Phil Mayers

On 04/10/12 18:10, Matthias Nagel wrote:


That would be nice, indeed. But if the reason is signal strengh of a
WiFi, then the numbers heavily depend on your WiFi coverage. So it is
difficult to compare.


Sure.

As Alan says, it's the client that's going away.

Maybe search the logs of your wireless kit for radio-layer events.

To be honest, the rest of my suggestions are unlikely to help - it's 
probably just wifi packet loss. We see this a lot. EAP seems to be 
particularly susceptible to being interrupted, because it runs in 
lockstep and upper-layer retransmits are simpler than something like TCP.




I did not find "max_sessions" anywhere in the config files. Where is


https://github.com/FreeRADIUS/freeradius-server/blob/v2.1.x/raddb/eap.conf#L61


of my AP. And second question: Does a wrong value for fragment_size
always fail? Or to state it conversely: If a default fragment size of
1024 works most of the time (as it does with me), can this still be a
reason for the failure, if it is too high?



I doubt it. I think it's set to 1024 "to be safe" and handle things like 
weird IPSec tunnel MTUs, etc.



At the moment I do the following: I pick the hex number from the
error message and look for an access challenge, that has the same
number in its "State" AVP. If this is the wrong way to do, then all I
said before is non-sense.


That's right. The hex number in the message is the State value.


Re: Indeterministic EAP error

2012-10-04 Thread Matthias Nagel
Hello,

Am Donnerstag 04 Oktober 2012, 17:09:35 schrieb Phil Mayers:
> On 04/10/12 16:45, Matthias Nagel wrote:
> >
> > I cannot find any pattern, so I do not believe it to be a client side
> > issue.
> >
> > Has anybody an idea what the reason might be? If anybody wants to see
> > a full debug output or a tcpdump, I can provide you with plenty of
> > that. But I could not find anything.
> 
> One thing: that logging only happens in "debug" mode. Most people don't 
> run in debug mode all the time, so as far as I know, it could be normal 
> - maybe everyone sees failure rates of that order?

That would be nice, indeed. But if the reason is signal strength of a WiFi, then 
the numbers heavily depend on your WiFi coverage. So it is difficult to compare.

> Anyway, first things - check your "eap {}" module config, specifically 
> ensure that max_sessions is high enough to support your load, that 
> timer_expire isn't too low, and if applicable, that your TLS session 
> caching is ok (size, particularly).

I did not find "max_sessions" anywhere in the config files. Where is it 
supposed to be set and what is the default if not set?  "timer_expire" is 60 
seconds. The cache size for session resumption is set to 0. I read that this 
means "infinite" somewhere. I see a lot of session resumptions that work.

I found the entry
#  fragment_size = 1024
to be commented out. Does anybody have experience with HP E-MSM 430 APs? 
Probably this is a silly question: I always believed that the smallest MTU 
that must be supported by an ethernet device is 1500. Are there really APs 
that support less? I did not find anything on that in the specifications of my 
AP. And second question: Does a wrong value for fragment_size always fail? Or 
to state it conversely: If a default fragment size of 1024 works most of the 
time (as it does with me), can this still be a reason for the failure, if it is 
too high?


> Otherwise - I assume you are authenticating wireless clients?

Half-half. It is a HP 5412 chassis solution with an integrated MSM 765zl WiFi 
controller. Most clients are wired (desktop pcs) and some clients (Smartphones, 
Tablets, Laptops) are wireless. But yes, if I (hopefully correctly) link the 
error message to the corresponding access challenge, most errors are from 
wireless sessions.

> Are you able to determine where the EAP sessions have got to before they 
> hang up? Are they still in TLS setup, or inner-tunnel? Does it hang up 
> after e.g. the EAP-MSCHAP challenge?

I am not sure, if I do the linking between error message and access challenge 
correctly. But if I do so, there is no particular point. 

> Regrettably the "session did not finish" logging isn't great, so 
> determining this is hard - I keep meaning to see if it can be improved 
> e.g. log some attributes from the original packet, log the state of the 
> EAP session, etc.

At the moment I do the following: I pick the hex number from the error message 
and look for an access challenge, that has the same number in its "State" AVP. 
If this is the wrong way to do, then all I said before is non-sense.

Matthias

--
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84



Re: Multi-valued attributes

2012-10-04 Thread Alan DeKok
Lorenzo Milesi wrote:
> Is it possible to use Multi-valued attributes?
> I have 
> group1 NAS-Identifier =~ nas01|nas02
> group2 NAS-Identifier =~ nas03|nas04
> 
> I'd like some users which are in group1 to access ALSO group2 nases.
> Is it possible to do that, without creating a dedicated group?

  You'd have to do the group checks individually.

  Alan DeKok.


Multi-valued attributes

2012-10-04 Thread Lorenzo Milesi
Hi.

Is it possible to use Multi-valued attributes?
I have 
group1 NAS-Identifier =~ nas01|nas02
group2 NAS-Identifier =~ nas03|nas04

I'd like some users which are in group1 to ALSO access group2 NASes.
Is it possible to do that, without creating a dedicated group?


thanks
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it

GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it




Re: Indeterministic EAP error

2012-10-04 Thread Alan DeKok
Matthias Nagel wrote:
> I cannot find any pattern, so I do not believe it to be a client side issue.

  It's always an issue with the client, WiFi, or AP.  It's not an issue
with FreeRADIUS.

  Why?  All of the EAP is driven by the client.

> Of course, one can argue to ignore the warning as it works most of the time, 
> but I do not like indeterministically behaving IT systems, hence it preys on 
> my mind.
> 
> Has anybody an idea what the reason might be? If anybody wants to see a full 
> debug output or a tcpdump, I can provide you with plenty of that. But I could 
> not find anything.

  You won't see it in a tcpdump.  The *non* continuance of the EAP
session is what FreeRADIUS is complaining about.  tcpdump won't show you
any more.

  Look on the client and/or the AP for the problem.

  Alan DeKok.


Re: Indeterministic EAP error

2012-10-04 Thread Phil Mayers

On 04/10/12 16:45, Matthias Nagel wrote:
> I cannot find any pattern, so I do not believe it to be a client side
> issue.
>
> Of course, one can argue to ignore the warning as it works most of
> the time, but I do not like indeterministically behaving IT systems,
> hence it preys on my mind.
>
> Has anybody an idea what the reason might be? If anybody wants to see
> a full debug output or a tcpdump, I can provide you with plenty of
> that. But I could not find anything.

One thing: that logging only happens in "debug" mode. Most people don't 
run in debug mode all the time, so as far as I know, it could be normal 
- maybe everyone sees failure rates of that order?

Anyway, first things - check your "eap {}" module config, specifically 
ensure that max_sessions is high enough to support your load, that 
timer_expire isn't too low, and if applicable, that your TLS session 
caching is ok (size, particularly).


Otherwise - I assume you are authenticating wireless clients?

Unfortunately, wireless is funky. Clients can stop doing the EAP 
exchange for all sorts of reasons - interference / packet loss, signal 
strength issues (they moved to a different AP), prompting the user for 
password / cert issuance, etc.


Are you able to determine where the EAP sessions have got to before they 
hang up? Are they still in TLS setup, or inner-tunnel? Does it hang up 
after e.g. the EAP-MSCHAP challenge?


Regrettably the "session did not finish" logging isn't great, so 
determining this is hard - I keep meaning to see if it can be improved 
e.g. log some attributes from the original packet, log the state of the 
EAP session, etc.

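One way to act on the suggestion above about working out where the sessions got to: map each "did not finish" warning back to the AP and client that started the session. This is an added example, not code from the thread or from FreeRADIUS; the debug lines are constructed in the style of radiusd -X output, and it assumes that output is sequential and that the state named in the warning is the one the server issued in its last Access-Challenge.

```python
import re
from collections import Counter

# Constructed lines in the style of "radiusd -X" output (not a real capture):
# two sessions start, and only the first one's challenge is never answered.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1812, id=5, length=180
\tCalling-Station-Id = "00-11-22-33-44-55"
\tNAS-Identifier = "ap-library"
Sending Access-Challenge of id 5 to 192.0.2.10 port 1812
\tState = 0x1a2b3c4d1a2b3c4d
rad_recv: Access-Request packet from host 192.0.2.11 port 1812, id=9, length=180
\tCalling-Station-Id = "66-77-88-99-aa-bb"
\tNAS-Identifier = "ap-lab"
Sending Access-Challenge of id 9 to 192.0.2.11 port 1812
\tState = 0x5e6f70815e6f7081
WARNING: !! EAP session for state 0x1a2b3c4d1a2b3c4d did not finish!
"""

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+)")
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?$')
WARN_RE = re.compile(r"EAP session for state (0x[0-9a-fA-F]+) did not finish")

def unfinished_by_origin(log_text):
    """Attribute each 'did not finish' warning to the NAS and client whose
    session it was, by remembering which State value went out in each
    Access-Challenge. Assumes the sequential output of radiusd -X."""
    context = {}      # attributes of the request currently being processed
    state_owner = {}  # State sent in a challenge -> context of that request
    by_nas, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        recv = RECV_RE.match(line)
        if recv:
            context = {"nas_ip": recv.group(1)}
            continue
        attr = ATTR_RE.match(line)
        if attr:
            name, value = attr.groups()
            if name == "State":  # challenge went out; remember who it was for
                state_owner[value.lower()] = dict(context)
            else:
                context[name] = value
            continue
        warn = WARN_RE.search(line)
        if warn:
            owner = state_owner.get(warn.group(1).lower(), {})
            by_nas[owner.get("NAS-Identifier", owner.get("nas_ip", "?"))] += 1
            by_client[owner.get("Calling-Station-Id", "?")] += 1
    return by_nas, by_client
```

Run over a real radiusd -X capture, the two counters show whether the unfinished sessions cluster on one AP or a handful of clients, which is the client/AP-side pattern the replies above point at.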


Indeterministic EAP error

2012-10-04 Thread Matthias Nagel
Hello,

sometimes I get the error

WARNING: !! EAP session for state 0xABCDEFGHIJKLMNOP did not finish!

in my log files / debug output. Before anybody says have a look at

http://deployingradius.com/documents/configuration/eap-problems.html

that will help, please read on, because I already have done that and I believe 
the problem is a little bit more tricky.

I support PEAP+MsCHAPv2 only and 90% of time it just works. I am pretty sure 
that the certificate is all right. If anybody wants to check it, one can find 
it here

https://freeradius:eaper...@www.stud.uni-karlsruhe.de/~uzbii/hekauth-certs.pem

The certificate file includes all intermediate issuers and the trusted CA. The 
CA is Germany's biggest telco, so most OSes ship with that by default. The 
certificate also includes the X509v3 Extended Key Usage TLS Web Client and 
Authentication and TLS Web Server Authentication in order to satisfy Windows 
clients.

My radius config looks like that:

certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_file = ${certdir}/hekauth-key.pem
certificate_file = ${certdir}/hekauth-certs.pem
# CA_file = 
CA_path = ${certdir}/empty-by-purpose/


If a new client connects for the very first time, most OSes automatically 
detect the correct authentication scheme, ask for username and password, 
present the certificate for confirmation and it works out of the box. (No 
errors on either the client or the server side.)

Randomly, I get this error message although the respective client normally 
works. In that case the client just restarts the authentication and then 
succeeds on the second trial. Hence the only difference the user might notice 
is an authentication that might take some milliseconds longer.

During the last four days there have been 1278 such errors, 2519 sessions, 9651 
successful authentication attempts, i.e. each session triggered approximately 
3.8 re-authentications, 93 different clients and at least 6 different OSes.

I cannot find any pattern, so I do not believe it to be a client side issue.

Of course, one can argue to ignore the warning as it works most of the time, 
but I do not like indeterministically behaving IT systems, hence it preys on my 
mind.

Has anybody an idea what the reason might be? If anybody wants to see a full 
debug output or a tcpdump, I can provide you with plenty of that. But I could 
not find anything.

Yours, Matthias

--
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Phone: +49-721-8695-1506
Mobile: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84



Re: Dialup Admin and PPPoE

2012-10-04 Thread Peter W
On 04.10.2012 04:09, Serge Paquin wrote:
> The NAS I have is a Cisco 7204VXR with an NPE-G2 so I assume (hope) it 
> supports Accounting Interim-Update.

Cisco 7204VXR definitely supports interim accounting (period >= 5min).
Look for:

aaa accounting ...
aaa accounting update newinfo periodic 5

Regards,
Peter.