Re: Encode multiple sub-attributes in single vsa?
On Tue, Oct 9, 2012 at 6:36 PM, Alan DeKok al...@deployingradius.com wrote:
> Build it from source, with ./configure --enable-developer

It worked, thanks!

F.R
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Expired Active Directory Passwords Wireless Authentication
No. You cannot do a successful auth against an incorrect password, as you haven't got agreement from both ends and therefore no keying material required for WPA-RADIUS... therefore no key for the wireless association. Password change can only be performed INSIDE the PEAP negotiation. As has already been said, the latest version already supports this... some clients do too.

alan
--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: your mail
Return rlm_module_updated

alan
Re: Auth All and Logging
Possible, but unlikely to get what you want if you are using EAP methods and wireless.

alan
Re: store encypted passwords
You should use the crypt function in MySQL when updating the crypt-password value, i.e.:

update radcheck set value=crypt('password') where ATTRIBUTE='crypt-password' and USERNAME='foo';

Or maybe you mean it stays plaintext in the debug output of running freeradius? It should be like that because of pap auth; to make sure auth is using the crypted password, just remove the cleartext-password record for the appropriate user. I have used crypt password with ubuntu freeradius and it is working well.

Cmiiw and sorry for my bad english

Regards
Bandel

On Oct 9, 2012 9:10 PM, jon jon free9...@gmail.com wrote:
> I was mixed up on what table I am talking about; it's the radcheck table. I was using navicat to set the attribute to Crypt-Password and refreshing the database. The password stayed in plain text.
>
> On Mon, Oct 8, 2012 at 4:29 PM, Matthias Nagel matthias.h.na...@gmail.com wrote:
>> Hello,
>>
>> first, please use the correct way of quoting for the mailing list. This is to say, write your comments below the original text that they refer to. That way readers who pick up a thread later can follow more easily. But now back to the topic.
>>
>> On Monday 08 October 2012, 16:17:52, jon jon wrote:
>>> On Mon, Oct 8, 2012 at 4:02 PM, Matthias Nagel matthias.h.na...@gmail.com wrote:
>>>>> Hello, I have set up FreeRADIUS Version 2.1.10 on an Ubuntu server 12.04, Mysql Server version: 5.5.24. Everything is up and running but the users' passwords are stored in plain text in raddacct. I tried changing the attribute to Crypt-Password but it doesn't change anything.
>>>>
>>>> What do you mean by "doesn't change anything"? If you have changed the attribute name to Crypt-Password and you also modified the attribute's value accordingly, what do you expect? If it still works, then be happy.
>>>
>>> doesn't change anything = password is still showing as plain text. What do you mean by "modified the attribute's value accordingly"?
>>
>> You wrote that you changed clear text passwords to crypt-passwords. This means to me you updated your database, hence your database does not show clear text passwords anymore. What exactly did you do when you changed from clear text to crypt-passwords? I assumed you did something like this:
>>
>> UPDATE radcheck set attribute = 'Crypt-Password', value = SOME_FANCY_CONVERT_FUNCTION( value ) WHERE some_senseful_condition_here;
>>
>> Anyway, I now notice that you were speaking of radacct. This table is not to show any password at all.
>>
>>> Do I need to make a change to a config file also? Not sure what type of encryption would be best, one that works, MD5?
>>
>> For the compatibility of password encryption schemes and protocols, see here:
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>> Thanks, Matthias
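An added example, not from this thread and not FreeRADIUS's own code: what the "fancy convert function" has to do, and what rlm_pap then does with the result. It uses SSHA-Password (base64 of SHA1(password || salt) || salt, the OpenLDAP {SSHA} layout that FreeRADIUS accepts) instead of Crypt-Password, because Python's crypt module is removed in 3.13; the in-memory radcheck table and the user 'foo' are constructed. The compatibility point behind Matthias's link is also visible here: a hashed radcheck entry can only be checked by PAP (or PAP inside a TTLS tunnel), because the server must be able to recompute the hash from what the client sent; CHAP and MS-CHAP need a Cleartext-Password or NT-Password entry.

```python
# Added example (not from the thread): build a hashed radcheck entry and
# verify it the way rlm_pap does. Sample table and user are constructed.
import base64
import hashlib
import hmac
import os
import sqlite3
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """SSHA-Password value: base64( sha1(password || salt) || salt )."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def pap_check(stored_ssha: str, candidate: str) -> bool:
    """What rlm_pap does with SSHA-Password: split digest/salt, rehash, compare."""
    raw = base64.b64decode(stored_ssha)
    digest, salt = raw[:20], raw[20:]          # SHA1 digest is 20 bytes, rest is salt
    recomputed = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def radcheck_db() -> sqlite3.Connection:
    """Constructed in-memory radcheck with one cleartext user (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
        "attribute TEXT, op TEXT, value TEXT)"
    )
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "VALUES ('foo', 'Cleartext-Password', ':=', 'Sup3rSecret')"
    )
    conn.commit()
    return conn


def convert_to_ssha(conn: sqlite3.Connection) -> int:
    """The UPDATE the thread is looking for: rename the attribute AND rewrite
    the value. Renaming alone leaves the plaintext in the value column, which
    is exactly what the original poster observed. Returns rows converted."""
    rows = conn.execute(
        "SELECT id, value FROM radcheck WHERE attribute = 'Cleartext-Password'"
    ).fetchall()
    for row_id, cleartext in rows:
        conn.execute(
            "UPDATE radcheck SET attribute = 'SSHA-Password', value = ? WHERE id = ?",
            (make_ssha(cleartext), row_id),
        )
    conn.commit()
    return len(rows)


def lookup(conn: sqlite3.Connection, username: str) -> list:
    """Rows rlm_sql would load for a user: (attribute, value) pairs."""
    return conn.execute(
        "SELECT attribute, value FROM radcheck WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = radcheck_db()
    print("before:", lookup(db, "foo"))
    convert_to_ssha(db)
    stored = lookup(db, "foo")[0][1]
    print("after: ", stored, "| PAP check:", pap_check(stored, "Sup3rSecret"))
```

The salt is the only thing that stops two users with the same password from producing the same stored value; keep it per row, and keep the Cleartext-Password row out of the table once the hashed one is in, since rlm_pap prefers a cleartext entry when both exist.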
Re: Expired Active Directory Passwords Wireless Authentication
On 10/10/2012 12:31 AM, Jason Agress wrote:
> Hi all,
>
> We're currently using Microsoft IAS for RADIUS on our Cisco managed wireless network. We do wireless logon on our clients, which requires the user to first authenticate to RADIUS to initiate the wireless connection, then authenticate against Active Directory to complete the login process. The problem we run into is when a user's password expires and RADIUS authentication is unsuccessful; since the wireless connection cannot be made, AD cannot be contacted to authenticate the user and, ideally, prompt to change the password.
>
> I've read lots about this problem with FreeRADIUS and have seen some implied solutions, but nothing concrete. So here's my question: With FreeRADIUS, is there a way to allow successful RADIUS authentication with an expired password?

You can't do that, no. Successful auth against AD requires AD to cooperate, and it won't do that if the password has expired - but see right at the very end.

As Alan says, you can instead do MSCHAP password changes with the master branch of FreeRADIUS and a client that supports it.

But TBH I'm surprised this isn't working with IAS. What software are you running on the clients? Any non-standard supplicants?
Re: Expired Active Directory Passwords Wireless Authentication
On 10/10/2012 03:21 AM, Jason Agress wrote:
> Will that allow successful RADIUS authentication - and, therefore wireless access - before the password change is initiated? Because our clients are Macs that won't prompt for password change until after they are connected to the wireless and authenticating against AD.

Ah. Then no, mschap password changes won't help. FreeRADIUS just calls out to AD to auth users. If AD refuses to auth because the password is expired, the only thing you can do is a password change, which requires client support.

Since you're using Macs, you do have one option - change your EAP method to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth types you can force an accept on. Other auth types use challenge/response methods that require both sides to prove to each other that they know the credentials.

To implement this, you'd:

1. Install FreeRADIUS
2. Get EAP working with a local user
3. Get EAP working with AD users via Samba

Everything up to this point is documented - see the wiki or deployingradius.com. Once you've got that far, you need to set up two things:

* TTLS
* A script to auth PAP against AD, wrapping ntlm_auth

The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails, check for expired and force a success.

Anyway - if you're willing to move from PEAP to TTLS, get the basics working, then if you need advice, ask here again - people will be glad to help. It's relatively straightforward, but all the pieces might not be documented in obvious places.
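An added example of the wrapper script Phil describes; it is not from the thread and not FreeRADIUS's or Samba's code. It is written for rlm_exec in the inner-tunnel virtual server: an `exec` instance with `wait = yes`, `input_pairs = request`, `shell_escape = yes` and `output_pairs = reply`, selected with `Auth-Type := <instance>` in the inner-tunnel authorize section. With those settings rlm_exec passes the inner request's attributes to the program as environment variables (USER_NAME, USER_PASSWORD) and treats exit status 0 as accept and anything else as reject. Assumptions, marked in the code: the ntlm_auth path and the `--domain` value, and that ntlm_auth reports a correct-but-expired password as NT_STATUS_PASSWORD_EXPIRED or NT_STATUS_PASSWORD_MUST_CHANGE on its output while a wrong password comes back as NT_STATUS_WRONG_PASSWORD. That distinction is the security-relevant part: the DC only reports "expired" after the password itself matched, so the script promotes exactly that status and nothing else.

```python
#!/usr/bin/env python3
# Added example (not from the thread): rlm_exec wrapper around ntlm_auth for
# EAP-TTLS/PAP that lets a user with a correct but expired AD password through.
import os
import subprocess
import sys
from typing import Tuple

NTLM_AUTH = "/usr/bin/ntlm_auth"   # assumption: adjust to your distro's path
DOMAIN = "EXAMPLE"                 # assumption: your NetBIOS domain name
# assumption: status strings ntlm_auth prints for "password right, but expired"
EXPIRED_MARKERS = ("NT_STATUS_PASSWORD_EXPIRED", "NT_STATUS_PASSWORD_MUST_CHANGE")


def decide(returncode: int, output: str) -> Tuple[int, str]:
    """Map an ntlm_auth result to (rlm_exec exit status, reason).

    0 -> Access-Accept, 1 -> Access-Reject. Only the *expired* status is
    promoted to accept; NT_STATUS_WRONG_PASSWORD, NO_SUCH_USER, ACCOUNT_LOCKED_OUT
    and everything else stay rejects."""
    if returncode == 0:
        return 0, "ok"
    if any(marker in output for marker in EXPIRED_MARKERS):
        return 0, "expired"
    return 1, "reject"


def run_ntlm_auth(username: str, password: str, run=subprocess.run) -> Tuple[int, str]:
    """Invoke ntlm_auth. `run` is injectable so the decision logic is testable offline."""
    proc = run(
        [NTLM_AUTH, "--request-nt-key", f"--domain={DOMAIN}",
         f"--username={username}", f"--password={password}"],
        capture_output=True, text=True,
    )
    return decide(proc.returncode, (proc.stdout or "") + (proc.stderr or ""))


def main() -> int:
    username = os.environ.get("USER_NAME")
    password = os.environ.get("USER_PASSWORD")
    if not username or password is None:
        return 1                       # no PAP credentials in the inner request: reject
    status, reason = run_ntlm_auth(username, password)
    if reason == "expired":
        # With output_pairs = reply, lines on stdout become reply attributes.
        print('Reply-Message := "Password expired; change it once connected"')
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats for a real deployment: `--password=` on the command line is visible in `ps` on the RADIUS host for the lifetime of the ntlm_auth process, so keep the box tightly controlled or move to ntlm_auth's helper protocol; and an accept issued this way is only as strong as the expired-status check, so log `reason` and make the Reply-Message, not silence, the user's cue to change the password.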
Re: Encode multiple sub-attributes in single vsa?
On 10/10/2012 04:56 AM, Fajar A. Nugraha wrote:
> Interestingly enough, debian packages enable that option while redhat doesn't. What are the performance implications of enabling it? Is it something huge, or only several-percent-penalty and careful-you-can-shoot-yourself-in-the-foot kind of thing?

I'm not sure there are any performance implications per se. If I read the ./configure script correctly, what it primarily does is enable debugging symbols (-g) and a whole bunch of C warnings. However, debugging symbols are conditionally enabled if the compiler supports them further up anyway, so really it's just the warnings AFAICT.
Re: Re-transmits arriving via a different proxy / EAP duplicate detection
On 09/10/12 19:17, alan buxey wrote:
> Hi,
>
>> As I iterate through our logging config, I'm gaining increasing visibility of all kinds of peculiar stuff. This one I spotted today - we are seeing remote RADIUS servers (eduroam visited sites) sending retransmits via different intermediate proxies.
>
> I've seen this a couple of times in the past - and recently too. The recent one was fixed by ensuring that the RADIUS server was listening only

The pattern we see is quite odd. I suspect the core issue is being exacerbated by misbehaving clients or visited-site radius servers.

The reason I suspect this is that, if it were genuine packet loss, you'd expect to see retransmits at all stages of the EAP session. But we almost exclusively see retransmits in response to a reject (very common) or an accept (rarely).

In particular, there seem to be some sites where retransmits come in if we send a reject. I don't know if this is a particular supplicant or a particular radius server.

Or maybe I'm mis-reading the evidence. But it does seem odd... I'm wondering whether to open a JRS support ticket or not (any suggestions ;o)
Re: Re-transmits arriving via a different proxy / EAP duplicate detection
Phil Mayers wrote:
> First, the FreeRADIUS duplicate detect / retransmit logic doesn't apply because the source IP, shared secret, Proxy-State and Message-Authenticator are all different, even though all other attributes are identical. This is correct behaviour AFAICT from the RFCs.
>
> Second, because the retransmits aren't eaten by the duplicate detection, they arrive as real packets in the server core, but are rejected because the State attribute is no longer valid - this is because FR mutates State on every round-trip, mixing in the EAP type/id/exchange number.

There is a solution. But it involves new code.

> Does anyone have any thoughts on the matter? Absent RADIUS-over-TCP, this seems like a really tricky one...

Nah. Create a new state tracking module.

a) runs before sending reply, and caches State - request/reply
b) runs on receiving packet, and looks for duplicate state if found, and request looks similar, send duplicate reply

That would bypass all of the EAP code, and add another layer of duplicate detection after the packets are duplicate code.

There should really also be a state tracking API in the server core. Certain modules (i.e. securid) roll their own, and it's not overly efficient.

Alan DeKok.
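An added example, not from the thread and not FreeRADIUS code, of the shape of the state-tracking module Alan sketches. Requests are plain dicts of RADIUS attributes, constructed below. A retransmit that arrives via a different proxy has a new source address, Proxy-State and Message-Authenticator (Phil's first point), so the match key deliberately ignores those and fingerprints the EAP round by State + User-Name + EAP-Message. Step (a) caches the reply under the State the request carried; step (b) returns that reply when a later request carries the same State and the same fingerprint within a TTL, before the EAP code ever sees it. The TTL and the injectable clock are assumptions for the example.

```python
# Added example (not from the thread): duplicate detection keyed on State,
# independent of which proxy the retransmit came through.
import time

PER_HOP = ("Proxy-State", "Message-Authenticator", "src_ip")   # differ on every proxy path


def request_key(req: dict) -> tuple:
    """Fingerprint of one EAP round-trip, ignoring per-hop attributes."""
    return (req.get("State"), req.get("User-Name"), req.get("EAP-Message"))


class StateCache:
    """(a) remember State -> (fingerprint, reply) before a reply is sent;
    (b) on a new packet, hand back the cached reply if State and fingerprint match."""

    def __init__(self, ttl: float = 30.0, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._entries = {}          # State -> (fingerprint, reply, stored_at)

    def remember(self, req: dict, reply: dict) -> None:
        state = req.get("State")
        if state is None:           # first packet of a session has no State: nothing to key on
            return
        self._entries[state] = (request_key(req), reply, self.clock())

    def lookup(self, req: dict):
        """Return the cached reply for a retransmit, else None."""
        state = req.get("State")
        entry = self._entries.get(state)
        if entry is None:
            return None
        key, reply, stored_at = entry
        if self.clock() - stored_at > self.ttl:
            del self._entries[state]     # too old: treat as a fresh packet (it will fail State)
            return None
        return reply if key == request_key(req) else None

    def forget(self, state) -> None:
        self._entries.pop(state, None)


def is_retransmit(cache: StateCache, req: dict) -> bool:
    return cache.lookup(req) is not None


if __name__ == "__main__":
    cache = StateCache()
    first = {"State": "0x01ab", "User-Name": "u@visited.example", "EAP-Message": "0x02...",
             "Proxy-State": "p1", "Message-Authenticator": "m1", "src_ip": "192.0.2.1"}
    cache.remember(first, {"code": "Access-Reject"})
    via_other_proxy = dict(first, **{"Proxy-State": "p2", "Message-Authenticator": "m2",
                                     "src_ip": "192.0.2.2"})
    print("retransmit via other proxy:", is_retransmit(cache, via_other_proxy))
```

The cache must hold the reply's attributes, not the bytes that went on the wire: the replayed reply has to be re-authenticated with the new source's shared secret and Request Authenticator, and any MS-MPPE key attributes in an Access-Accept re-encrypted for it, or the second proxy gets a packet it cannot verify.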
rlm_exec
Could you implement

(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
Enter username: directory\Administrator
Enter password:
server response type = Access-Challenge (11)
Enter otp: 97350
server response type = Access-Accept (2)

this sort of thing with rlm_exec?

Best regards

Thomas Raabo
Senior Network Engineer CCIE #33466
t...@zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
Re: Expired Active Directory Passwords Wireless Authentication
Thanks, that makes sense. Just out of curiosity, which types of clients typically support the MSCHAP password change? Does Windows?
Re: Expired Active Directory Passwords Wireless Authentication
This is very promising! Thank you! Is there any significant downside to using EAP-TTLS/PAP over PEAP?
Re: Expired Active Directory Passwords Wireless Authentication
Hi,

> Thanks, that makes sense. Just out of curiosity, which types of clients typically support the MSCHAP password change? Does Windows?

Windows does - I've used it, for 'incorrect, try again' and for 'change password'.

alan
Re: Expired Active Directory Passwords Wireless Authentication
Hi,

> Is there any significant downside to using EAP-TTLS/PAP over PEAP?

A few things. One is that you really need to trust the CA/RADIUS server - as your credentials are all passed in the clear inside the TLS tunnel - so if you are talking to a dodgy server you then send them everything. Secondly... many clients don't support it natively, so you need to install an extra supplicant to do it. Not an issue if you are only trying to ensure that Mac users can change password when things are wonky and Windows users use PEAP (which has the 'change/incorrect' support) - but how do you stop Mac users using PEAP and still getting themselves stuck?

alan
Re: .rpmnew files during RPM upgrade
On 10/09/2012 08:57 PM, Fajar A. Nugraha wrote:
> On Wed, Oct 10, 2012 at 5:39 AM, John Dennis jden...@redhat.com wrote:
>> On 09/11/2012 07:42 AM, Alan DeKok wrote:
>>> Jonathan Gazeley wrote:
>>>> It seems to me that the broken behaviour is not with RPM but with FreeRADIUS. Can the regular expression that includes config files and modules be tweaked to exclude *.rpmnew files?
>>>
>>> As always, patches are welcome.
>>
>> O.K. I did just that. The freeradius-2.2.0 RPMs I've been pushing now include a patch to ignore config filenames that should be excluded from being loaded. I'll send the patch to the developers list via a github pull request. The list is hardcoded; at the moment it excludes:
>>
>> Any basename beginning with a dot (.)
>> Any basename beginning with a hash (i.e. pound sign, octothorp) (#)
>> Any basename ending with a tilde (~)
>> Any basename ending with the substring .rpmsave
>> Any basename ending with the substring .rpmnew
>> Any basename ending with the substring .bak
>
> Can you please add .dpkg-new, .dpkg-dist, and .dpkg-old as well?

Sure, no problem, done.

--
John Dennis jden...@redhat.com
RE: Query help
I have been looking at this further and I am having trouble finding the answer. Is anyone able to point me in the right direction.

-----Original Message-----
From: Jonathan Bastin [mailto:jonathan.bas...@peerpointinternet.co.uk]
Sent: 09 October 2012 14:56
To: 'FreeRadius users mailing list'
Subject: RE: Query help

This is the full dump I get

rad_recv: Access-Request packet from host 193.000.221.00 port 1645, id=213, length=141
        Framed-Protocol = PPP
        User-Name = 02085000...@peerpointinternet.co.uk
        CHAP-Password = 0x045f3e13da52acf8b9e784c0c125ed102f
        Connect-Info = 11066368/1094656
        NAS-Port-Type = Virtual
        NAS-Port = 832
        NAS-Port-Id = Uniq-Sess-ID832
        Service-Type = Framed-User
        NAS-IP-Address = 193.000.221.00
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} - 02085000...@peerpointinternet.co.uk
[sql] sql_set_user escaped user -- '02085000...@peerpointinternet.co.uk'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = '02085000...@peerpointinternet.co.uk' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = '02085000...@peerpointinternet.co.uk' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = '02085000...@peerpointinternet.co.uk' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Serg_100GB' ORDER BY id
[sql] User found in group Serg_100GB
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Serg_100GB' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++? if (%{sql: SELECT radgroupcheck.value FROM radusergroup Inner Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE radusergroup.username = '%{User-Name}' AND radgroupcheck.attribute = 'CS-Total-Octets-Monthly';}= %{sql: SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime (DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY));})
sql_xlat expand: %{User-Name} - 02085000...@peerpointinternet.co.uk
sql_set_user escaped user -- '02085000...@peerpointinternet.co.uk'
expand: SELECT radgroupcheck.value FROM radusergroup Inner Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE radusergroup.username = '%{User-Name}' AND radgroupcheck.attribute = 'CS-Total-Octets-Monthly'; - SELECT radgroupcheck.value FROM radusergroup Inner Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE radusergroup.username = '02085000...@peerpointinternet.co.uk' AND radgroupcheck.attribute = 'CS-Total-Octets-Monthly';
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql: SELECT radgroupcheck.value FROM radusergroup Inner Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE radusergroup.username = '%{User-Name}' AND radgroupcheck.attribute = 'CS-Total-Octets-Monthly';} - 10737500
sql_xlat expand: %{User-Name} - 02085000...@peerpointinternet.co.uk
sql_set_user escaped user -- '02085000...@peerpointinternet.co.uk'
expand: SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime (DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY)); - SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct WHERE UserName='02085000...@peerpointinternet.co.uk' AND AcctStartTime (DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY));
rlm_sql (sql): Reserving sql socket id: 2
sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
expand:
Re: Query help
On 10/10/12 14:23, Jonathan Bastin wrote:
> I have been looking at this further and I am having trouble finding the answer. Is anyone able to point me in the right direction.

You might find it a bit easier to debug if you perform the two SQL queries (for the quota, and the current limit) separately, then compare the values. For example:

update control {
    Tmp-Integer-0 := %{sql:select quota_limit ...}
    Tmp-Integer-1 := %{sql:select sum(...) from radacct where ...}
}
if (control:Tmp-Integer-0 %{control:Tmp-Integer-1}) {
    reject
}

This will at least make it more obvious what is going on. To be frank, I can't really understand what's going on in that debug.
No Realm in table radacct
Hello together,

I have set up a radius system like eduroam with 3 servers. I use daloradius for user and accounting management. Authentication and accounting work with realm, but the field realm is empty in table radacct.

Furthermore, I want to know how I use / configure Hot Spots in daloradius. I can't find any description about that. It's really hard to learn freeradius without a good wiki or something else.

There are two locations, A @sb-dfki.de and B @kl-dfki.de, with their radius servers, and a global server only for Radius proxy forwarding. I've got my client and an access point 172.16.18.82 on location A. I think my configuration is ok. If not, please tell me.

You can see my debug logs with a login by mar...@kl-dfki.de
Location A http://pastebin.com/A1HNtSeu
Location B http://pastebin.com/Q2DWbTes

Thank you!
Xylakant
RE: Query help
Thank you so much for the pointer. I am with you, I couldn't understand the last debug. Here is the new one.

rad_recv: Access-Request packet from host 193.000.221.000 port 1645, id=19, length=141
        Framed-Protocol = PPP
        User-Name = 0208...@peerpointinternet.co.uk
        CHAP-Password = 0x048bf9799185d69af262db5d5c0e4c9ba2
        Connect-Info = 11066368/1094656
        NAS-Port-Type = Virtual
        NAS-Port = 903
        NAS-Port-Id = Uniq-Sess-ID903
        Service-Type = Framed-User
        NAS-IP-Address = 193.000.221.000
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} - 0208...@peerpointinternet.co.uk
[sql] sql_set_user escaped user -- '0208...@peerpointinternet.co.uk'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = '0208...@peerpointinternet.co.uk' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = '0208...@peerpointinternet.co.uk' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = '0208...@peerpointinternet.co.uk' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Serg_100GB' ORDER BY id
[sql] User found in group Serg_100GB
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Serg_100GB' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
sql_xlat expand: %{User-Name} - 0208...@peerpointinternet.co.uk
sql_set_user escaped user -- '0208...@peerpointinternet.co.uk'
expand: SELECT radgroupcheck.value FROM radusergroup Inner Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE radusergroup.username = '%{User-Name}' AND radgroupcheck.attribute = 'CS-Total-Octets-Monthly'; - SELECT radgroupcheck.value FROM radusergroup Inner Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE radusergroup.username = '0208...@peerpointinternet.co.uk' AND radgroupcheck.attribute = 'CS-Total-Octets-Monthly';
rlm_sql (sql): Reserving sql socket id: 1
sql_xlat finished
rlm_sql (sql): Released sql socket id: 1
expand: %{sql: SELECT radgroupcheck.value FROM radusergroup Inner Join radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname WHERE radusergroup.username = '%{User-Name}' AND radgroupcheck.attribute = 'CS-Total-Octets-Monthly';} - 10737500
sql_xlat expand: %{User-Name} - 0208...@peerpointinternet.co.uk
sql_set_user escaped user -- '0208...@peerpointinternet.co.uk'
expand: SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime (DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY)); - SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct WHERE UserName='0208...@peerpointinternet.co.uk' AND AcctStartTime (DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY));
rlm_sql (sql): Reserving sql socket id: 0
sql_xlat finished
rlm_sql (sql): Released sql socket id: 0
expand: %{sql:SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime (DATE_SUB(CURDATE(),INTERVAL DAYOFMONTH(CURDATE())DAY));} - 64695817844
++[control] returns ok
++? if (control:Tmp-Integer-0 %{control:Tmp-Integer-1})
expand: %{control:Tmp-Integer-1} - 271308404
? Evaluating (control:Tmp-Integer-0 %{control:Tmp-Integer-1}) - TRUE
++? if (control:Tmp-Integer-0 %{control:Tmp-Integer-1}) - TRUE
++- entering if (control:Tmp-Integer-0 %{control:Tmp-Integer-1}) {...}
+++[reject] returns reject
++- if (control:Tmp-Integer-0 %{control:Tmp-Integer-1}) returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[sql] expand: %{User-Name} -
Re: No Realm in table radacct
xylak...@vorsicht-bissig.de wrote:
> Authentication and accounting works with realm, but the field realm is empty in table radacct.

Does the accounting packet have a username with a realm? The debug log says no.

Please *read* the debug log. It has a lot of information and can be hard to understand. But it shouldn't be hard to look for an accounting packet, and then look for realm. If there are no references to realm... that explains why the realm isn't in the radacct table.

> You can see my Debuglogs with a Login by mar...@kl-dfki.de

No. Read the debug log.

Alan DeKok.
Re: Query help
Jonathan Bastin wrote:
> To me it looks like the value is wrapping. Is this due to that even the interpreter in the site config file is 32-bit only.

Yes. All numbers in RADIUS are 32-bit. I think v3 will extend the internal code in the server to use 64-bit numbers.

Alan DeKok.
RE: Query help
Damn. Is anyone able to assist me to convert to perl, as I am only a novice programmer at best? I am willing to make a donation to whoever helps, or a different location on confirmation of code working.
Re: No Realm in table radacct
Yes, I know. I always read the debug. But I don't know how to change it!

My biggest problem is that I can't find any good descriptions of the freeradius config. Everything I learn by reading other stuff from forums and blogs. The wiki of freeradius is bad. I've got an old book "RADIUS" from O'Reilly, but this is about freeradius v1.

So could you help me?

Thank you
Re: Query help
On 10/10/12 15:25, Jonathan Bastin wrote:
> To me it looks like the value is wrapping. Is this due to that even the interpreter in the site config file is 32-bit only. If this is the case I presume my only resort is perl. If this is the case could someone help me convert this?

You could divide by some large factor inside the SQL database, which is likely using 64-bit or arbitrary precision internally. e.g.

select sum() / 100
select quota / 100

...to convert to megabytes, and then compare like that.
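An added example, not from the thread: it reproduces the wrap Jonathan is seeing and checks Phil's divide-in-SQL fix, using sqlite3 in place of MySQL (the point carries over: the database sums in 64 bits, and the truncation only happens when the result is copied into a 32-bit RADIUS integer attribute). The radacct rows are constructed so that they sum to 64695817844, the figure from the debug output; the modulo-2^32 truncation model and the 100 GiB quota standing in for Serg_100GB are assumptions. The quota choice also shows that the naive check does not merely reject a little early: 107374182400 is exactly 25 × 2^32, so the truncated quota is 0 and every user with any traffic looks over quota.

```python
# Added example (not from the thread): 32-bit wrap in the unlang quota check,
# and the divide-inside-SQL fix. Tables and rows are constructed.
import sqlite3

UINT32 = 1 << 32
MIB = 1024 * 1024

# Same join as the poster's quota lookup, parameterised.
QUOTA_SQL = (
    "SELECT CAST(radgroupcheck.value AS INTEGER) / ? FROM radusergroup "
    "JOIN radgroupcheck ON radusergroup.groupname = radgroupcheck.groupname "
    "WHERE radusergroup.username = ? AND radgroupcheck.attribute = 'CS-Total-Octets-Monthly'"
)
USAGE_SQL = "SELECT SUM(acctinputoctets + acctoutputoctets) / ? FROM radacct WHERE username = ?"


def to_uint32(n: int) -> int:
    """Assumption: what a 32-bit RADIUS integer attribute keeps of a larger value."""
    return n % UINT32


def acct_db() -> sqlite3.Connection:
    """Constructed data: a 100 GiB group quota and sessions totalling 64695817844 octets."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radacct (username TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER);
        CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        INSERT INTO radusergroup VALUES ('0208@example', 'Serg_100GB', 1);
        INSERT INTO radgroupcheck VALUES ('Serg_100GB', 'CS-Total-Octets-Monthly', ':=', '107374182400');
        INSERT INTO radacct VALUES ('0208@example', 20000000000, 10000000000);
        INSERT INTO radacct VALUES ('0208@example', 20000000000, 10000000000);
        INSERT INTO radacct VALUES ('0208@example', 2695817844, 2000000000);
    """)
    return conn


def scaled_values(conn, user: str, unit: int = 1):
    """(quota, used) after dividing by `unit` inside the database (64-bit there)."""
    quota = conn.execute(QUOTA_SQL, (unit, user)).fetchone()[0]
    used = conn.execute(USAGE_SQL, (unit, user)).fetchone()[0]
    return int(quota), int(used)


def over_quota_32bit(conn, user: str) -> bool:
    """The failing check: raw octet counts pass through 32-bit attributes, then compare."""
    quota, used = scaled_values(conn, user, unit=1)
    return to_uint32(quota) < to_uint32(used)


def over_quota_scaled(conn, user: str, unit: int = MIB) -> bool:
    """Phil's fix: scale in SQL first; both numbers then fit in 32 bits unchanged."""
    quota, used = scaled_values(conn, user, unit)
    return to_uint32(quota) < to_uint32(used)


if __name__ == "__main__":
    db = acct_db()
    print("raw octets    :", scaled_values(db, "0208@example"))
    print("seen in 32-bit:", tuple(to_uint32(v) for v in scaled_values(db, "0208@example")))
    print("over quota? naive =", over_quota_32bit(db, "0208@example"),
          "| scaled =", over_quota_scaled(db, "0208@example"))
```

With a MiB unit the 32-bit ceiling moves from 4 GiB to 4 PiB, which is enough for any monthly quota; apply the same unit to both queries, and pick a quota that divides cleanly or accept the rounding in the last unit.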
Re: your mail
I am too much of a newbie to understand what you are suggesting. Should I replace:

return RLM_MODULE_OK

with:

return RLM_MODULE_UPDATED

in the perl script?

On Tue, Oct 9, 2012 at 11:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Return rlm_module_updated
Re: No Realm in table radacct
xylak...@vorsicht-bissig.de wrote:
> Yes, I know. I always read the debug. But I don't know how to change it!

The User-Name comes from the user. Log in using a realm, and FreeRADIUS will use it.

> My biggest problem is that I can't find any good descriptions of the freeradius config.

I guess the thousands of lines of documentation in the config files don't help.

> Everything I learn by reading other stuff from forums and blogs. The wiki of freeradius is bad.

It is written by volunteers.

> I've got an old book "RADIUS" from O'Reilly, but this is about freeradius v1.

And its content is largely copied from the FreeRADIUS documentation.

> So could you help me?

With *what*? Ask good questions. What do you want to do? Magically invent a realm where none exists?

Alan DeKok.
Re: No Realm in table radacct
The user mar...@kl-dfki.de is saved in the MySQL database as user markus on Server B. So I activate module suffix to check for the realm, and then it checks this user in the database. This works, but the server answers only that it knows markus, not mar...@kl-dfki.de. What should I do to configure my radius server to receive the realm of markus?

THX
Re: your mail
On 09/10/12 23:32, Andrew Precht wrote:
> to:
>
>   module = /etc/raddb/sjpl.pl
>
> Also, in the perl file I have uncommented the line:
>
>   func_authenticate = authenticate
>
> Next, in /etc/raddb/sites-enabled/default I added perl to the authenticate {} section.

Your problem is that the script is just wrong. You're running in the authorize section:

  Access-Request packet from host 192.168.251.93 port 50827, id=0, length=54
          User-Name = 21197904090320
          User-Password = 1533
  # Executing section authorize from file /etc/raddb/sites-enabled/default
  +- entering group authorize {...}
  rlm_perl: Added pair User-Name = 21197904090320
  rlm_perl: Added pair User-Password = 1533
  ++[perl] returns ok

...but you're not arranging for yourself to be run in the authenticate section:

  ++[preprocess] returns ok
  ++[chap] returns noop
  ++[mschap] returns noop
  ++[digest] returns noop
  [suffix] No '@' in User-Name = 21197904090320, looking up realm NULL
  [suffix] No such realm NULL
  ++[suffix] returns noop
  [eap] No EAP-Message, not doing EAP
  ++[eap] returns noop
  ++[files] returns noop
  ++[expiration] returns noop
  ++[logintime] returns noop
  [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
  ++[pap] returns noop
  ERROR: No authenticate method (Auth-Type) found for the request:

...i.e. Auth-Type is unset, so authenticate never runs.

There are many ways to solve this. Here's one:

  authorize {
    ...
    perl
    if (ok) {
      update control {
        Auth-Type = perl
      }
    }
    ...
  }

  authenticate {
    ...
    Auth-Type perl {
      perl
    }
    ...
  }

Alternatively you could make your perl script set the Auth-Type item in the control list. And so on. The point is you need to set an Auth-Type, and make your perl script handle it.
Re: No Realm in table radacct
A quick guess: your mysql user-name is set to be stripped-user-name? Check sql.conf and dialup.conf

alan
--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: your mail
On 10/10/12 18:30, Andrew Precht wrote:
> Found Auth-Type = perl
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group perl {...}
> rlm_perl: perl_embed:: module = /etc/raddb/sjpl.pl , func = authenticate exit status= Undefined subroutine main::get called at /etc/raddb/sjpl.pl line 92.

Pretty clear - you've got a bug in the perl script. Fix it.

You need a func_authenticate in your perl script, and it needs to *work*. Fix the code on line 92 of the script.
Re: MAC authorization with rlm_sql not working
Stefano Zanmarchi wrote:
> Hi, our Freeradius is working fine with PEAP (NT hash passwords stored in Openldap). We'd like to add MAC authorization using Mysql: only people with MAC contained in radcheck should have access (provided they also type in the right password!).

So you need to check passwords, and allow only known MACs.

> Radcheck has only one entry:
>
>   +----+----------------------------+--------------------+----+-------------------+
>   | id | username                   | attribute          | op | value             |
>   +----+----------------------------+--------------------+----+-------------------+
>   |  1 | uto.u...@studenti.unipd.it | Calling-Station-Id | == | 98-4B-4A-F5-BF-40 |
>   +----+----------------------------+--------------------+----+-------------------+

See the rlm_sql documentation. This entry says: for user uto.u...@studenti.unipd.it, check that Calling-Station-Id is 98-4B-4A-F5-BF-40. It doesn't *do* anything with that information.

> The problem is that uto.u...@studenti.unipd.it gets an AccessAccept packet, regardless of his Calling-Station-Id.

Yes. Because you're probably also checking passwords, and allowing good passwords with bad MACs.

> Don't know if it's related but strangely (to me) when uto.u...@studenti.unipd.it has Calling-Station-Id 98-4B-4A-F5-BF-40 (the one in radcheck) radiusd performs this sql query:
>
>   SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'uto.u...@studenti.unipd.it' ORDER BY id
>
> and the radiusd -X output shows
>
>   [sql] User found in radcheck table
>
> Same user, different Calling-Station-Id (73-1C-5C-B4-E0-55, not the one in radcheck), shows
>
>   [sql] User uto.u...@studenti.unipd.it not found.

Exactly. The user and MAC entry is found when it matches. It's not found when it doesn't match.

> I enclose these files:

Please don't.

You can fix the issue by doing:

  authorize {
    ...
    sql
    if (notfound) {
      reject
    }
    ...
  }

Alan DeKok.
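As an added example that is not part of either thread (it is neither the sjpl.pl script from the "Re: your mail" thread nor rlm_perl's stock example.pl), the FreeRADIUS 2.x rlm_perl module below does in Perl what the two replies ask for: the perl thread needs an authorize() that sets Auth-Type in the control list and an authenticate() that actually works, and this MAC thread needs a registered-MAC check whose mismatch becomes an explicit reject instead of a row that merely fails to match. The %RAD_REQUEST, %RAD_CHECK and %RAD_REPLY hashes and the RLM_MODULE_* numeric codes are the rlm_perl interface as documented in example.pl; the %ACCOUNT table, the canon_mac and secure_equal helpers and the sample MAC are constructed for this example (the first account reuses the User-Name and User-Password shown in the debug output of the perl thread).

```perl
# Added example (not the sjpl.pl script from the thread, not rlm_perl's
# example.pl): a minimal rlm_perl module for FreeRADIUS 2.x.
#   authorize()    - rejects a known user coming from an unregistered MAC,
#                    otherwise hands the request to "Auth-Type perl"
#   authenticate() - checks the PAP password under "Auth-Type perl { perl }"
# %RAD_REQUEST, %RAD_CHECK, %RAD_REPLY and the RLM_MODULE_* codes are the
# rlm_perl interface; %ACCOUNT and the helpers are constructed for this example.
use strict;
use warnings;

# Return codes, numbered as in rlm_perl's example.pl
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;

# Filled in by rlm_perl before each call; changes to %RAD_CHECK (the control
# list) and %RAD_REPLY are copied back into the request afterwards.
our (%RAD_REQUEST, %RAD_CHECK, %RAD_REPLY);

# Constructed sample accounts: password plus, optionally, the single MAC the
# account may connect from. The first account reuses the User-Name and
# User-Password from the debug output in the perl thread; the MAC is made up.
my %ACCOUNT = (
    '21197904090320' => { password => '1533', mac => '00-11-22-33-44-55' },
    'guest'          => { password => 'guest' },   # no MAC restriction
);

# NASes send Calling-Station-Id as aa:bb:cc:dd:ee:ff, AABB.CCDD.EEFF, AA-BB-...
# and so on; normalise to upper-case hex pairs joined by '-', the form used in
# the radcheck row above. Anything that is not 12 hex digits becomes ''.
sub canon_mac {
    my ($mac) = @_;
    my $hex = uc($mac // '');
    $hex =~ s/[^0-9A-F]//g;
    return '' unless length($hex) == 12;
    return join '-', $hex =~ /(..)/g;
}

# Constant-time comparison so the response time does not reveal how many
# leading characters of the password were correct.
sub secure_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Runs from the authorize section.
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'} // '';
    my $acct = $ACCOUNT{$user};
    return RLM_MODULE_NOTFOUND unless $acct;   # not ours; let the site config decide

    # MAC binding. Knowing the registered MAC proves nothing by itself: a
    # mismatch (or a missing Calling-Station-Id) must become an explicit reject.
    if (defined $acct->{mac}) {
        my $seen = canon_mac($RAD_REQUEST{'Calling-Station-Id'});
        if ($seen eq '' || $seen ne canon_mac($acct->{mac})) {
            $RAD_REPLY{'Reply-Message'} = 'Unregistered device';
            return RLM_MODULE_REJECT;
        }
    }

    # Claim the request for "Auth-Type perl { perl }" in the authenticate
    # section; the value must match that subsection's name. UPDATED tells the
    # server a list was changed.
    $RAD_CHECK{'Auth-Type'} = 'perl';
    return RLM_MODULE_UPDATED;
}

# Runs from "Auth-Type perl { perl }" in the authenticate section. Only PAP
# delivers User-Password in the clear; CHAP/MS-CHAP need their own modules.
sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'}     // '';
    my $pass = $RAD_REQUEST{'User-Password'} // '';
    my $acct = $ACCOUNT{$user};
    return RLM_MODULE_REJECT unless $acct && secure_equal($pass, $acct->{password});
    return RLM_MODULE_OK;
}
```

To wire it in, the perl module config names the file and the two functions (module = /etc/raddb/sjpl.pl, func_authorize = authorize, func_authenticate = authenticate), perl is listed in the authorize section, and the authenticate section contains Auth-Type perl { perl }, the layout given in the "Re: your mail" reply. Because authorize() returns NOTFOUND for users it does not know, the same if (notfound) { reject } shown in the reply above can follow it. With PEAP as in this thread the inner password check stays with mschap, so only the MAC-binding part of authorize() applies there.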
freeradius force authentication reject for some users?
Hi List,

I am using radius based OTP Yubikey authentication like this: http://www.linuxforu.com/2011/08/setip-two-factor-authentication-using-openotp/

Is there a nice way to reject some users? I just want to reject radius authentication for user foo. This user has an account on otp, but I want to reject all authentication attempts on radius. Is there an option to force-reject-authentication for users foo2, foo3 on freeradius?

thanks,
-- Eero
Re: your mail
OK. I think I've got the script fixed. But, I'm now getting:

  Denied access by RADIUS

Here is my debug:

Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
    user = radiusd
    group = radiusd
    allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
    name = radiusd
    prefix = /usr
    localstatedir = /var
    sbindir = /usr/sbin
    logdir = /var/log/radius
    run_dir = /var/run/radiusd
    libdir = /usr/lib64/freeradius
    radacctdir = /var/log/radius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = /var/run/radiusd/radiusd.pid
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
  log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
  }
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
  }
}
radiusd: Loading Realms and Home Servers
  proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
  }
  home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = auth
    secret = testing123
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = status-server
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    coa {
      irt = 2
      mrt = 16
Re: your mail
Andrew,

It appears that the problem is in your perl script:

  ++[perl] returns reject
  Failed to authenticate the user.
  Using Post-Auth-Type Reject

You need to fix your script. You can run it by hand with perl -d to see how it behaves, or insert print statements in it, etc., until it works the way it should.

Jeff