Multithreaded krb5
A while back there was some discussion about the current krb5 module in FreeRADIUS being single threaded, and that it may no longer be necessary for it to be single threaded.

It transpires that both MIT and Heimdal libraries are now thread safe, MIT since either 1.4.x or 1.4.4 (unsure) and Heimdal since around 0.7 (documentation is fuzzy).

I can't test beyond compiling the code against the kerberos library, and maybe setting up a test KDC/TGS. But for this to be put into the stable branch it really needs to be tested under load, against a range of kerberos implementations. We're looking for volunteers, preferably a mix of deployments using either MIT or Heimdal.

The new module should just drop in for any v2.1.x deployment once compiled, as it doesn't use any new core API functions.

Change list:

* Both - Check that krb5 library was compiled with threading support on startup.
* Both - Clone context on each request to ensure thread safety.
* Both - Move service principal parsing so it's done at initialisation only (instead of on every request).
* Both - Improved return codes, will now reflect revoked access/password expiry (USERLOCK), Unknown client principal (NOTFOUND), as well as bad password (REJECT), and other errors (FAIL). Before the module returned REJECT for almost everything.
* Both - Mark module as thread safe, config check safe (will be validated on -C), and hup safe (config will be reloaded on SIGHUP).
* Both - Switch more messages to use RDEBUG so they'll be printed in conditional debug (useful for production servers with radmin enabled).
* MIT - Move service principal string to service principal conversion so that it's done at initialisation only (instead of on every request).
* MIT - Move options configuration so they're done at initialisation only (instead of on every request).
* MIT - Switch to using krb5_get_init_creds_password and krb5_verify_init_creds to validate TGT instead of old twisty logic.
* MIT - Cache option removed as krb5_verify_init_creds disables the replay cache on its own.

For those wanting to test:

    git clone g...@github.com:arr2036/freeradius-server.git
    cd freeradius-server
    git checkout threaded_krb5

Report issues on: http://bugs.freeradius.org, and send feedback to either the list or me directly.

-Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Compiling error
Can't compile for CYGWIN version 2.2.1 2.2.0(stable)

    gcc -I/cygdrive/d/fr/freeradius-server-2.2.1 -I/cygdrive/d/fr/freeradius-server-2.2.1/src -g -O2 -Wall -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNDEBUG -I/cygdrive/d/fr/freeradius-server-2.2.1/libltdl -I/cygdrive/d/fr/freeradius-server-2.2.1/src -I/cygdrive/d/fr/freeradius-server-2.2.1/libltdl radeapclient.c -o radeapclient
    radeapclient.c:40:23: фатальная ошибка: eap_types.h: No such file or directory
    Компиляция прервана.
    builtin: recipe for target `radeapclient' failed
    make[6]: *** [radeapclient] Error 1

File eap_types.h is situated in src/modules/rlm_eap/lib_eap dir. If I launch gcc -I lib_eap, I get:

    ...
    /tmp/ccD7XqGk.o: In function `debug_packet':
    /cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:182: undefined reference to `_fr_packet_codes'
    /cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:195: undefined reference to `_vp_prints'
    /tmp/ccD7XqGk.o: In function `send_packet':
    /cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:212: undefined reference to `_rad_send'
    /cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:268: undefined reference to `_rad_verify'
    /tmp/ccD7XqGk.o: In function `process_eap_challenge':
    /cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:502: undefined reference to `_pairfind'
    /cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:503: undefined reference to `_pairfind'
    /cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:521: undefined reference to `_pairfind'
    /cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:522: undefined reference to `_pairfind'
    ...

As I found, _pairfind is defined in xlat.c. How can I compile it?
Trying other authentication methods when the first is invalid
Sorry for the wall of text, I'd rather give too much info than not enough.

Our FreeRADIUS server (version 2.1.8 running on Ubuntu 10.04 LTS x64, installed from packages) currently does mac-based authentication of hosts onto edge switches using perl scripts (rlm_perl) talking to the API for our network access control system. I would like to extend this to also be able to support 802.1x based authentication, but only for certain specific networks (ones with access to more important servers or similar. For example the finance network should need 802.1x to auth, but our student residence network shouldn't as then no games consoles and the like would work).

The initial method I had set up was to look for the presence of an EAP-Message in the request in the authorize section, and call the eap module if EAP-Message was present to set Auth-Type to EAP and then do authentication using eap (tls or peap) (and then expect to hand off to perl in post_auth just for the VLAN assignment) or to call the perl module to set Auth-Type as Perl if there was no EAP-Message, and handle it in authenticate as a simple MAC auth using perl. (The reason for not just calling eap then perl all the time is that the rlm_perl module, despite my authorize subroutine containing simply $RAD_CHECK{'Auth-Type'} = 'Perl'; return RLM_MODULE_OK;, seems to alter the value of User-Name such that calling eap in authenticate *always* fails with the error "Identity does not match User-Name, setting from EAP Identity." and rejects the user if perl has been called in authorize, even if it is called after eap and the eap stanza reads eap { ok = return }). This worked fine on our HP Procurve switches.

Anyway, we have got some Juniper EX2200 switches. The problem with these is that they do mac-auth as a 'fake' 802.1x auth. The request has the User-Name attribute set to the MAC address correctly, but also has an EAP-Message present, it just doesn't contain anything we want to have to care about (It actually contains, once the eap header has been decoded, the md5 of the mac-address). This causes the eap module, if called in authorize, to think the request should be handled by itself and set Auth-Type to EAP and expect to do eap-md5 (even if the default-auth-type in eap.conf is set to something else, like peap). However, as we do not actually want to do an eap-md5 auth we have no Cleartext-Password anywhere for the tens of thousands of MAC addresses (with new ones every day, which we auth onto a special 'unregistered' network with limited access instead of rejecting) on our network.

The eap module in this case returns 'invalid' in authentication, rather than 'reject'. I was hoping I could detect this and tell it to move on to perl if this happened. I can't seem to make that work. As soon as eap returns invalid, all further processing is halted for that request and FreeRADIUS jumps straight to the Post-Auth REJECT section.

Can anyone suggest a way around this? I was originally thinking that I could use the perl module after eap in authorize to check if the decoded eap data was simply an md5 hash of the MAC, and set Auth-Type to Perl even though there was an EAP-Message in that case, but of course if I ever then do that check on a valid 802.1x auth EAP breaks (as I mentioned above).

Thanks for any help anyone can offer

--
Dan Meyers
Lancaster University
Re: Trying other authentication methods when the first is invalid
On 11/01/13 13:23, Meyers, Dan wrote:
> Anyway, we have got some Juniper EX2200 switches. The problem with these is that they do mac-auth as a 'fake' 802.1x auth. The request has the User-Name attribute set to the MAC address correctly, but also has an EAP-Message present, it just doesn't contain anything we want to have to care about (It actually contains, once the eap header has been decoded, the md5 of the mac-address). This causes the eap

Wait, what? Seriously? Can you show a debug of one of these requests?

> module, if called in authorize, to think the request should be handled by itself and set Auth-Type to EAP and expect to do eap-md5 (even if the default-auth-type in eap.conf is set to something else, like peap). However, as we do not actually want to do an eap-md5 auth we have no Cleartext-Password anywhere for the tens of thousands of MAC addresses (with new ones every day, which we auth onto a special 'unregistered' network with limited access instead of rejecting) on our network.

Hang on; is it EAP-MD5, or some fake EAP? If it's EAP-MD5, what is the switch using as the password? A fixed value, or the MAC address?

You might find it's as simple as doing:

    authorize {
        ...
        if (EAP-Message) {
            # 12 hex digits, i.e. a bare MAC address in User-Name
            if (User-Name =~ /^[0-9a-f]{12}$/) {
                # mac-based auth as EAP-MD5
                update control {
                    Cleartext-Password := "%{User-Name}"
                }
            }
            eap
        }
        else {
            my_perl
        }
        ...
    }

> The eap module in this case returns 'invalid' in authentication, rather than 'reject'. I was hoping I could detect this and tell it to move on to perl if this happened. I can't seem to make that work. As soon as eap returns invalid, all further processing is halted for that request and FreeRADIUS jumps straight to the Post-Auth REJECT section.
>
> Can anyone suggest a way around this?

Maybe. I'd need to see a debug of one of these horribly broken-sounding EAP requests. If it's actually broken, you're hosed. If it's just doing EAP-MD5 for mac-auth with some fixed or well-known password, you just need to set that password.
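As an added illustration of the approach Phil sketches above (not code from this thread or from FreeRADIUS itself): a Python model of EAP-MD5-Challenge in which the switch uses the bare MAC carried in User-Name as the password, and the server supplies that password only when User-Name looks like a MAC, leaving real 802.1X requests to the normal EAP path. The 12-hex-digit User-Name format, the challenge bytes and the MAC are constructed assumptions; the hash is the standard CHAP-style MD5(Identifier || password || challenge).

```python
import hashlib
import hmac
import re
import struct

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4
# Assumed format: a bare 12-hex-digit MAC, as a switch doing MAC-based
# "fake" 802.1X puts it in User-Name. Check your own switch's debug output.
MAC_RE = re.compile(r"^[0-9a-f]{12}$", re.IGNORECASE)


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style hash used by EAP-MD5-Challenge: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """Encode an EAP MD5-Challenge packet: Code|Id|Length|Type|Value-Size|Value|Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet: bytes):
    """Decode an EAP MD5-Challenge packet; returns (code, identifier, value, name)."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length does not match packet size")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size overruns packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:]


def switch_side_response(identifier: int, challenge: bytes, mac: str) -> bytes:
    """What the switch sends back when it uses the MAC string as the EAP-MD5 password
    (constructed model of the behaviour described in the thread)."""
    value = md5_challenge_value(identifier, mac.encode(), challenge)
    return build_eap_md5(EAP_CODE_RESPONSE, identifier, value, mac.encode())


def verify_mac_auth(user_name: str, challenge: bytes, response_packet: bytes) -> str:
    """Server side, mirroring the suggested unlang: only when User-Name looks like a MAC
    is the MAC itself used as Cleartext-Password to check the MD5-Challenge response.
    Returns 'accept', 'reject', or 'not-mac' (no password set; regular EAP handles it)."""
    if not MAC_RE.match(user_name):
        return "not-mac"
    try:
        code, identifier, value, _name = parse_eap_md5(response_packet)
    except ValueError:
        return "reject"
    if code != EAP_CODE_RESPONSE:
        return "reject"
    expected = md5_challenge_value(identifier, user_name.encode(), challenge)
    # Constant-time comparison so a wrong hash fails the same way regardless of prefix.
    return "accept" if hmac.compare_digest(value, expected) else "reject"


if __name__ == "__main__":
    chal = bytes(range(16))  # constructed challenge; real ones are random
    pkt = switch_side_response(0x2A, chal, "0123456789ab")
    print(verify_mac_auth("0123456789ab", chal, pkt))  # accept
    print(verify_mac_auth("alice", chal, pkt))         # not-mac
```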
Re: Trying other authentication methods when the first is invalid
Meyers, Dan wrote:
> Anyway, we have got some Juniper EX2200 switches. The problem with these is that they do mac-auth as a 'fake' 802.1x auth. The request has the User-Name attribute set to the MAC address correctly, but also has an EAP-Message present, it just doesn't contain anything we want to have to care about (It actually contains, once the eap header has been decoded, the md5 of the mac-address).

That phrase is a trigger for me. "contains the MD5 hash of the password" is a horribly vague description. Where is this hash contained? Why is it contained, and not part of a well-defined EAP type?

> This causes the eap module, if called in authorize, to think the request should be handled by itself and set Auth-Type to EAP and expect to do eap-md5 (even if the default-auth-type in eap.conf is set to something else, like peap). However, as we do not actually want to do an eap-md5 auth we have no Cleartext-Password anywhere

OK... so it's EAP-MD5. *PLEASE* just say this. "The switch does EAP-MD5 with the MAC address as the password." That's *much* easier than reading a wall of text.

> ... As soon as eap returns invalid, all further processing is halted for that request and FreeRADIUS jumps straight to the Post-Auth REJECT section.

That's how user rejection works. If you reject the user, you don't keep looking for more things to do.

> Can anyone suggest a way around this? I was originally thinking that I could use the perl module after eap in authorize to check if the decoded eap data was simply an md5 hash of the MAC,

Huh? You *are* aware that the server comes with an EAP-MD5 module, right? Why not just use that?

The wall of text indicates to me that you're lost in the weeds looking for a solution. The more you get lost, the bigger the description becomes, and the more complicated the solution.

Once you (a) know it's EAP-MD5, and (b) know that the password is the MAC, and (c) know that the MAC is in the User-Name, the solution becomes rather obvious.

Do what Phil says. It should work.

Alan DeKok.
LDAP Reply Attributes
I'm sure this is an easy issue to solve, but my simple brain can't seem to put the pieces together. Any help would be greatly appreciated.

I'm trying to authorize a login into a Cisco switch with admin privileges.

Users:

    DEFAULT LDAP-Group == "Radius-Users"
            Reply-Message = "Welcome Message Test",
            Cisco-AVPair = "shell:priv-lvl=15"

Note: I've tried many different combinations of attributes with no luck. (Service-Type = Administrative-User, Service-Type = NAS-Prompt-User)

Output:

    Sending Access-Accept of id 61 to 172.28.64.3 port 1645
        Reply-Message = "Welcome Message Test"
        Cisco-AVPair = "shell:priv-lvl=15"

The switch login successfully shows "Welcome Message Test", but still kicks into user exec mode without applying the Cisco-AVPair = "shell:priv-lvl=15".

I noticed that there is a mapping for the Reply-Message found in ldap.attrmap, but none for Cisco-AVPair. Is this why it's not working? If so, I have not been able to find the correct syntax for adding it to ldap.attrmap.

Thanks in advance,
T. Brady
Re: LDAP Reply Attributes
Switch config issue? Ensure your switch is configured to authorize over RADIUS as well as to authenticate over RADIUS. (sounds like it's doing the latter but not the former)

alan
Different IP addresses from home radius server
We are using FreeRadius 2.1.12 as a proxy to a remote radius server. The remote server (not under our direct control) receives RADIUS request messages on one IP address, but sends the response out a different interface (and thus has a different IP). FreeRadius is rejecting the response since the IP does not match that of the request. Is there a way to configure FreeRadius to allow this?

Greg
RE: LDAP Reply Attributes
> Switch config issue? Ensure your switch is configured to authorize over RADIUS as well as to authenticate over RADIUS. (sounds like it's doing the latter but not the former)

You were absolutely correct. I'm dumb and forgot that I removed the authorization statement from my switch a while back.

T. Brady
rlm_perl changing User-Name and proxy requests
I have an issue with rlm_perl changing the request User-Name attribute but the proxy request not honoring it. First I'll describe what I'm trying to accomplish and why and then what I'm doing.

I'm running a branch of 2.2.1 that has some krb5 realm fixes in it. I have multiple realms that users can authenticate against: our division has replayable passwords (handled by kerberos) and one time passwords (handled by both YubiKeys and Crypto Card), our lab has replayable passwords (handled by AD) and a separate one time password system (handled by Crypto Card). For services that we want to allow replayable passwords (like IMAP access for instance), we want to allow the user to choose which service to use (division or lab). For services requiring OTP we want the user to choose which OTP token they want to use (some people have multiple because of external requirements). We want users to be able to change these auth preferences on their own and not have this require changing the RADIUS configuration (a.k.a., the users file) to do this. Our account information is kept in LDAP. This is all well and good except that usernames between the division and the lab aren't guaranteed to match - User A might have lastname as their division name, but lastnamefirst as their lab username. For the kerberos and AD request the RADIUS server can handle the request directly using rlm_krb5, but for all the OTP requests the server must proxy to the correct OTP server to handle the request.

Here's my plan for accomplishing this. During authorization, rlm_ldap is used to make sure the user is in LDAP. If not the request is rejected outright (this should help with brute force attempts bogging down all the servers for bogus attempts). Next an rlm_perl module is called to get the user's preferred realm and what username to use in that realm from LDAP. An example would be leggett@yubi.division.example.com (signifying that I want to use YubiKey from my division). The rlm_perl module updates the request User-Name to be this preference and Auth-Type to be System (see http://pastie.org/5670077). Lastly rlm_realm checks the request to determine if it should be proxied or not.

The problem is this: Everything works if the username doesn't change. For instance, if I'm legg...@yubi.division.example.com and legg...@crypto.example.com, things work. The User-Name change being done by rlm_perl is being recognized by rlm_realm and rlm_realm is routing to the proper realm; however, rlm_realm seems to want to clobber User-Name in its own way, so that by the time proxying happens User-Name is set to whatever the initial username was - if I started the process as leggett and wanted my username to eventually be ti.legg...@crypto.example.com, by the time it reaches the proxy phase my User-Name attribute has been reset back to leggett even if I rerun the rlm_perl module after rlm_realm (see http://pastie.org/5670076).

I notice that rlm_suffix doesn't overwrite the Stripped-User-Name rlm_perl adds, but appends another entry. This is fine for my purposes since the rlm_perl one is added first, and subsequent calls use that value. I'm afraid the same is happening with User-Name in that rlm_perl is appending another entry instead of overwriting the ones there.

So is there any way around this or am I completely insane with this approach?
Re: rlm_perl changing User-Name and proxy requests
hi, don't play with User-Name, update/modify Stripped-User-Name instead and use that in the authn/authz stages

alan
Re: rlm_perl changing User-Name and proxy requests
On Jan 11, 2013, at 2:32 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

[snip]

> Yeah it'll just bog down your LDAP server instead. You should use rlm_cache to cache the result of the LDAP lookup (once you have all this working)*.
>
> Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.

So that was my first thought too. However, I have limited visibility into the remote lab crypto server and when I sent a request with a realm included, it flat out dropped the request. Didn't reply at all. So I need the realm so the proxy portion can hit the right destination, but I need the User-Name stripped so the remote server can understand it.

> -Arran
>
> PS: You know you want to test the threaded version of the updated rlm_krb5 module :)

I do! Once I get this configuration working I'll be happy to try it. One of my todos for this whole config revamp is to stress test the environment against a brute force attack (we get them frequently). Then I'll have some before numbers to compare with the after.

> * Only use the rlm_cache module from 2.2.1
Re: rlm_perl changing User-Name and proxy requests
On 11 Jan 2013, at 19:58, Ti Leggett legg...@mcs.anl.gov wrote:
> I have an issue with rlm_perl changing the request User-Name attribute but the proxy request not honoring it. First I'll describe what I'm trying to accomplish and why and then what I'm doing.
>
> I'm running a branch of 2.2.1 that has some krb5 realm fixes in it. I have multiple realms that users can authenticate against: our division has replayable passwords (handled by kerberos) and one time passwords (handled by both YubiKeys and Crypto Card), our lab has replayable passwords (handled by AD) and a separate one time password system (handled by Crypto Card). For services that we want to allow replayable passwords (like IMAP access for instance), we want to allow the user to choose which service to use (division or lab). For services requiring OTP we want the user to choose which OTP token they want to use (some people have multiple because of external requirements). We want users to be able to change these auth preferences on their own and not have this require changing the RADIUS configuration (a.k.a., the users file) to do this. Our account information is kept in LDAP. This is all well and good except that usernames between the division and the lab aren't guaranteed to match - User A might have lastname as their division name, but lastnamefirst as their lab username. For the kerberos and AD request the RADIUS server can handle the request directly using rlm_krb5, but for all the OTP requests the server must proxy to the correct OTP server to handle the request.
>
> Here's my plan for accomplishing this. During authorization, rlm_ldap is used to make sure the user is in LDAP. If not the request is rejected outright (this should help with brute force attempts bogging down all the servers for bogus attempts).

Yeah it'll just bog down your LDAP server instead. You should use rlm_cache to cache the result of the LDAP lookup (once you have all this working)*.

Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.

-Arran

PS: You know you want to test the threaded version of the updated rlm_krb5 module :)

* Only use the rlm_cache module from 2.2.1
Re: rlm_perl changing User-Name and proxy requests
On 01/11/2013 08:32 PM, Arran Cudbard-Bell wrote:
> Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.

Isn't the problem the special request->username attribute? AFAICT the pairmove code handles this specially (fixup) but I'm not sure rlm_perl does the same?

If that is the case, OP may find that putting the new username in an interim / temp variable then forcing update via unlang works:

    authorize {
        ...
        myperl
        update request {
            User-Name := "%{The-Var}"
        }
        ...
    }

This is a WAG though...
dhcp sqlippool reauthenticate users every minute
Hi,

I'm trying to set up FreeRADIUS 2.2 to act as an authentication and accounting system as well as a DHCP server. (I'm relaying DHCP requests from a pfSense box). I am trying to use sqlippools on FreeRADIUS, but I have noticed that my ippools are filling up quickly (I am only testing with two devices). I have pfSense configured to reauthenticate users every minute, so I believe that FreeRADIUS is running post-auth dhcp leasing each time the user is reauthenticated. FreeRADIUS is serving the same client a new IP address each minute.

I have adjusted my policy conf to the below. I may be approaching this the wrong way, but this is essentially what I am trying to do:

I want to have multiple pools on different subnets. When a new client connects to the network (they don't yet have a radius account) they are sent to a default (pending) pool. This may be on the 192.168.1/24 subnet. After they have set up their account and have been added to the RADIUS database, they will be given a pool-name, maybe `pool2`. `pool2` will be on a different subnet, for example, 192.168.2/24. The pfsense box knows how to route these subnets, so that is not a problem. I only want clients to receive a different IP address if their pool-name changes for whatever reason; if there are no changes to their account, they shouldn't be leased a new IP every time they reauthenticate (every minute). Eventually I will disable the reauthenticate every minute feature as the production system would not be able to handle this many requests.

Am I approaching this problem correctly? I have written some unlang in the policy.conf file for handling some of this. I am getting hung up on this problem. The pool is getting exhausted in minutes since each client is leased a new ip every minute.

Any help is appreciated!

Thanks,
Ethan

....

    dhcp_sqlippool.post-auth {
        # Do some minor hacks to the request so that it looks
        # like a RADIUS request to the SQL IP Pool module.

        # check whether the requester is a user or not, if they do not
        # have a pool-name, send them to pfpriv by default
        if ("%{sql: SELECT COUNT(*) FROM radcheck WHERE username='%{DHCP-Client-Hardware-Address}' AND attribute='Pool-Name'}" != 0) {
            update control {
                Pool-Name := "%{sql: SELECT `value` FROM radcheck WHERE username = '%{DHCP-Client-Hardware-Address}' AND attribute='Pool-Name'}"
            }
        }
        else {
            update control {
                Pool-Name := pfpriv    # default pool if the user doesn't have an account
            }
        }

        update reply {
            DHCP-Domain-Name-Server = 192.168.1.1    # we will ultimately create a mysql table `radpoolinfo` to store per-pool attributes
            DHCP-Router-Address = 192.168.0.1        # this will also be in `radpoolinfo` eventually
        }

        update request {
            User-Name = "DHCP-%{DHCP-Client-Hardware-Address}"
            Calling-Station-Id = "%{DHCP-Client-Hardware-Address}"
            NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}"
            Acct-Status-Type = Start
        }

        # Call the actual module
        #
        # Uncomment this in order to really call it!
        dhcp_sqlippool
        #fail

        # Convert Framed-IP-Address to DHCP, but only if we
        # actually allocated an address.
        if (ok) {
            update reply {
                DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
            }
        }
    }

...
Re: rlm_perl changing User-Name and proxy requests
On Jan 11, 2013, at 2:35 PM, a.l.m.bu...@lboro.ac.uk wrote:
> hi, don't play with User-Name, update/modify Stripped-User-Name instead and use that in the authn/authz stages

How do I get the remote servers I'm proxying for to understand Stripped-User-Name? As far as I can tell Stripped-User-Name isn't even in the Access-Request to the proxied server.

> alan
Re: rlm_perl changing User-Name and proxy requests
On 11 Jan 2013, at 20:49, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 01/11/2013 08:32 PM, Arran Cudbard-Bell wrote:
>> Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.
>
> Isn't the problem the special request->username attribute?

It is, request->username appears to be pointing to the original User-Name pair instead of the new perl one.

> AFAICT the pairmove code handles this specially (fixup) but I'm not sure rlm_perl does the same?

Yes, unfortunately. That would have been a nice simple fix.

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_perl/rlm_perl.c

@leggett If you don't mind rebuilding the server, could you change:

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/main/modcall.c#L686

And add:

    RDEBUG("Cached username is \"%s\", list username is \"%s\"", request->username->vp_strvalue, pairfind(request->packet->vps, PW_USER_NAME)->vp_strvalue);

Just after modcall_single()

Run it in debug mode and you'll see exactly where the username isn't being updated. List username and cached username should always be in sync up until the call to suffix, at which point the cached username should be stripped of the realm.

> If that is the case, OP may find that putting the new username in an interim / temp variable then forcing update via unlang works:
>
>     authorize {
>         ...
>         myperl
>         update request {
>             User-Name := "%{The-Var}"
>         }
>         ...
>     }

Yeah it should do. That calls radius_pairmove which has the magic update cache logic in it too.

-Arran
Re: rlm_perl changing User-Name and proxy requests
Hi,

> How do I get the remote servers I'm proxying for to understand Stripped-User-Name? As far as I can tell Stripped-User-Name isn't even in the Access-Request to the proxied server.

ah, missed the proxy bit. as Phil says, use a temp value and then set User-Name to that just before the proxying occurs (using unlang) - but beware that particular authentication methods don't like User-Name to have changed (thinking some EAP clients) - so this may cause issues in the future or be the cause of issues you are facing.

alan
Re: dhcp sqlippool reauthenticate users every minute
Ethan Hayon wrote:
> Hi, I'm trying to set up FreeRADIUS 2.2 to act as an authentication and accounting system as well as a DHCP server. (I'm relaying DHCP requests from a pfSense box).

Are you doing DHCP *and* RADIUS?

> I am trying to use sqlippools on FreeRADIUS, but I have noticed that my ippools are filling up quickly (I am only testing with two devices). I have pfSense configured to reauthenticate users every minute, so I believe that FreeRADIUS is running post-auth dhcp leasing each time the user is reauthenticated. FreeRADIUS is serving the same client a new IP address each minute.

There's no need to believe anything. Run the server in debugging mode to see exactly what it's doing.

Any IP allocation MUST be done on a key which is unique to each device. That key should remain the same across multiple re-authentications. So... is it? Please check.

> I want to have multiple pools on different subnets. When a new client connects to the network (they don't yet have a radius account) they are sent to a default (pending) pool. This may be on the 192.168.1/24 subnet. After they have set up their account and have been added to the RADIUS database, they will be given a pool-name, maybe `pool2`. `pool2` will be on a different subnet, for example, 192.168.2/24. The pfsense box knows how to route these subnets, so that is not a problem. I only want clients to receive a different IP address if their pool-name changes for whatever reason; if there are no changes to their account, they shouldn't be leased a new IP every time they reauthenticate (every minute).

This is what databases are for. If you want to map each client to a pool, you'll need a table with a client identifier column, and a pool-name column. Then, assign IPs based on the pool name, as looked up in the table.

> Am I approaching this problem correctly? I have written some unlang in the policy.conf file for handling some of this. I am getting hung up on this problem. The pool is getting exhausted in minutes since each client is leased a new ip every minute.

Solve that problem first. Run the server in debugging mode to see *why* it's assigning a new IP.

Alan DeKok.
Re: Different IP addresses from home radius server
Greg Rutz wrote:
> We are using FreeRadius 2.1.12 as a proxy to a remote radius server. The remote server (not under our direct control) receives RADIUS request messages on one IP address, but sends the response out a different interface (and thus has a different IP). FreeRadius is rejecting the response since the IP does not match that of the request. Is there a way to configure FreeRadius to allow this?

No. Tell the administrator of the remote server to fix his system. RADIUS *requires* replies to come from the same IP. Anything else is broken.

All RADIUS servers since 2000 or so should be able to work correctly when they have multiple IPs. The remote admin has no excuse for running a broken RADIUS server.

Alan DeKok.
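To show why a reply arriving from a different source address cannot be accepted, here is an added Python model of the client/proxy side of RFC 2865 (not FreeRADIUS code and not from this thread): outstanding requests are keyed on the home server's IP, port and packet Identifier, and a reply is only then checked against the Request Authenticator and shared secret. The addresses, secret and the Reply-Message attribute are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, identifier, attrs, request_auth, secret):
    """Encode the reply a home server would send for a given request."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs


class ProxyTable:
    """Outstanding proxied requests, keyed the only way RFC 2865 lets a client
    match replies: (home server IP, UDP port, Identifier)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}

    def send(self, home_ip: str, home_port: int, identifier: int) -> bytes:
        """Record a proxied Access-Request; returns its fresh Request Authenticator."""
        request_auth = os.urandom(16)
        self.pending[(home_ip, home_port, identifier)] = request_auth
        return request_auth

    def receive(self, src_ip: str, src_port: int, packet: bytes) -> str:
        """Classify an incoming UDP datagram: 'ok', 'no-matching-request',
        'bad-authenticator' or 'malformed'. Only 'ok' replies are consumed."""
        if len(packet) < 20:
            return "malformed"
        code, identifier, length = HEADER.unpack(packet[:4])
        if length < 20 or length > len(packet):
            return "malformed"
        request_auth = self.pending.get((src_ip, src_port, identifier))
        if request_auth is None:
            # A reply from an address/port we never sent to has no outstanding
            # request to be matched against, so it is dropped; this is the case
            # of a home server answering from a second interface.
            return "no-matching-request"
        expected = response_authenticator(code, identifier, packet[20:length],
                                          request_auth, self.secret)
        if not hmac.compare_digest(packet[4:20], expected):
            return "bad-authenticator"
        del self.pending[(src_ip, src_port, identifier)]
        return "ok"


if __name__ == "__main__":
    table = ProxyTable(b"testing123")                  # constructed shared secret
    ra = table.send("192.0.2.10", 1812, 7)             # constructed home server
    attrs = bytes([18, 7]) + b"hello"                  # Reply-Message = "hello"
    reply = build_reply(ACCESS_ACCEPT, 7, attrs, ra, b"testing123")
    print(table.receive("192.0.2.11", 1812, reply))    # no-matching-request
    print(table.receive("192.0.2.10", 1812, reply))    # ok
```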
Re: rlm_perl changing User-Name and proxy requests
On Jan 11, 2013, at 3:21 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> @leggett If you don't mind rebuilding the server, could you change:
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/main/modcall.c#L686
>
> And add:
>
>     RDEBUG("Cached username is \"%s\", list username is \"%s\"", request->username->vp_strvalue, pairfind(request->packet->vps, PW_USER_NAME)->vp_strvalue);
>
> Just after modcall_single()
>
> Run it in debug mode and you'll see exactly where the username isn't being updated. List username and cached username should always be in sync up until the call to suffix, at which point the cached username should be stripped of the realm.

Ok. I'm flummoxed:

    +- entering group pre-proxy {...}
    [pre_proxy_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.1/pre-proxy-detail-20130111
    [pre_proxy_log] /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/pre-proxy-detail-20130111
    [pre_proxy_log] expand: %t -> Fri Jan 11 15:38:05 2013
    Cached username is "ti.leggett", list username is "ti.legg...@crypto.example.com"
    ++[pre_proxy_log] returns ok
    Sending Access-Request of id 217 to 192.168.1.2 port 1812
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "host.division.example.com"
        User-Name = "leggett"
        User-Password = "password"
        NAS-Identifier = "sshd"
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 9975
        Proxy-State = 0x3831
Re: rlm_perl changing User-Name and proxy requests
Just after modcall_single()

Or call_modsingle even...

-Arran
Slow Ldap Authorization
Version 2.1.10

Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for freeRADIUS to get through all of the [ldap] fields and send an Access-Accept. Is this a normal amount of time, or is there something in my configuration that is causing this slow down?

LDAP Module:

ldap {
        #
        # Note that this needs to match the name in the LDAP
        # server certificate, if you're using ldaps.
        server = 172.28.64.10
        identity = CN=User Name,OU=Phoenix_Users,DC=company,DC=com
        password = password
        basedn = DC=company,DC=com
        filter = (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))
        groupname_attribute = cn
        groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{contr$
        groupmembership_attribute = memberOf
        # base_filter = (objectclass=radiusprofile)

        # How many connections to keep open to the LDAP server.
        # This saves time over opening a new LDAP socket for
        # every authentication request.
        ldap_connections_number = 5

Debug:

Ready to process requests.
rad_recv: Access-Request packet from host 172.28.64.3 port 1645, id=98, length=85
        User-Name = RadiusUser
        User-Password = password
        NAS-Port = 3
        NAS-Port-Id = tty3
        NAS-Port-Type = Virtual
        Calling-Station-Id = 172.28.64.119
        NAS-IP-Address = 172.28.64.3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = RadiusUser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] Entering ldap_groupcmp()
[files] expand: DC=company,DC=com -> DC=company,DC=com
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files] ... expanding second conditional
[files] expand: %{User-Name} -> RadiusUser
[files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.28.64.10:389, authentication 0
[ldap] bind as CN=User Name,OU=Alaska_Users,DC=company,DC=com/password to 172.28.64.10:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, with filter (objectclass=*)
[ldap] performing search in CN=Radius-Users,OU=Alaska_Users,DC=company,DC=com, with filter (cn=Radius-Users)
rlm_ldap::ldap_groupcmp: User found in group Radius-Users
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
[ldap] performing user authorization for RadiusUser
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> RadiusUser
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
[ldap] expand: DC=company,DC=com -> DC=company,DC=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing
Re: rlm_perl changing User-Name and proxy requests
On 11 Jan 2013, at 20:51, Ti Leggett legg...@mcs.anl.gov wrote:

On Jan 11, 2013, at 2:35 PM, a.l.m.bu...@lboro.ac.uk wrote:

hi, dont play with User-Name, update/modify Stripped-User-Name instead and use that in the authn/authz stages

How do I get the remote servers I'm proxying for to understand Stripped-User-Name. As far as I can tell Stripped-User-Name isn't even in the Access-Request to the proxied server.

It's not, it's an internal attribute which doesn't get copied into the proxy request. In pre-proxy you can add

update proxy-request {
        User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
}

Which will fix the issue.

Where is that User-Name value in the proxy request coming from, is it the one from the original request? Could you include more debug output?

-Arran
Re: Slow Ldap Authorization
On 11 Jan 2013, at 22:15, Tyler Brady tbr...@stc-comm.com wrote:

Version 2.1.10

Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for freeRADIUS to get through all of the [ldap] fields and send an Access-Accept. Is this a normal amount of time, or is there something in my configuration that is causing this slow down?

No that's not normal, it should be under 100ms if not faster.

Uh it's following three referrals having to establish a new connection each time, that may be why it's so slow. You should also check that you have the appropriate indexes configured.

-Arran
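To make Arran's point concrete, here is an added configuration sketch (not from the original post and not the FreeRADIUS project's own shipped config). The three "rebind to URL" lines in Tyler's debug output are the server chasing the continuation references an Active Directory domain controller returns for ForestDnsZones, DomainDnsZones and Configuration whenever a subtree search runs against the domain base on port 389, each one on a fresh connection and bind. Two independent ways of stopping that are shown against the poster's module settings: querying the Global Catalog port instead of 389, and turning referral chasing off. Assumptions: that 3268 is the Global Catalog on this AD server, and the rlm_ldap 2.1.x option names chase_referrals and rebind.

```conf
ldap {
        server = 172.28.64.10

        # Assumed: Global Catalog port.  The GC answers for the whole forest
        # without the ForestDnsZones / DomainDnsZones / Configuration
        # references that a port-389 subtree search of DC=company,DC=com
        # produces.  Only GC-replicated attributes are returned, so any
        # attribute you map beyond sAMAccountName / memberOf must be in the
        # partial attribute set.
        port = 3268

        identity = "CN=User Name,OU=Phoenix_Users,DC=company,DC=com"
        password = "password"
        basedn = "DC=company,DC=com"

        # Same filter as the original, with the current conditional-expansion
        # syntax so the "Deprecated conditional expansion" warning goes away.
        filter = "(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
        groupname_attribute = cn
        groupmembership_attribute = memberOf

        # Assumed option names.  Do not follow referrals at all; with that
        # there is nothing to rebind for.  The user entry itself comes back
        # from the base search, so the lookup loses nothing.
        chase_referrals = no
        rebind = no

        ldap_connections_number = 5
}
```

Either change on its own should remove the three extra connect-and-bind round trips per lookup; if the timing is still in seconds after that, the remaining cost is on the directory side (an unindexed sAMAccountName is unusual on AD, but the group-membership filter over member/uniquemember can be), which is what Arran's index remark covers.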
C External Program
Hi

I wrote the following code to accept any user/pass in a C external program:

#include <stdio.h>

int main(void)
{
        /* rlm_exec reads attribute pairs from stdout, one per line */
        fprintf(stdout, "Auth-Type := Accept\n");
        return 0;
}

It works well with PAP but does not work in CHAP/MSCHAP. I know I should return Cleartext-Password but I want to permit any user/pass to log in. So how can I do that?
Re: Different IP addresses from home radius server
On 1/11/13 2:35 PM, Alan DeKok wrote:

No. Tell the administrator of the remote server to fix his system. RADIUS *requires* replies to come from the same IP. Anything else is broken.

All RADIUS servers since 2000 or so should be able to work correctly when they have multiple IPs. The remote admin has no excuse for running a broken RADIUS server.

Turned out to be a broken load balancer on the remote server's network. Thank you for your quick response.
Re: dhcp sqlippool reauthenticate users every minute
Thanks for the response Alan.

I am using DHCP and RADIUS. I was initially using FreeRADIUS for captive portal user authentication and accounting for a pfsense router (using the DHCP server built into the pfsense box). The DHCP server on pfsense limits us to only serving IPs on a single subnet. We are now trying to use FreeRADIUS as a DHCP server as well by associating user accounts with ippools through Pool-Name.

When I run the server in debug mode the Acct-Unique-Session-ID remains the same across the interim accounting updates. However, re-authentications don't seem to have a unique key associated with them. Each time the user is reauthenticated, dhcp_sqlippool.post-auth is triggered and the script I added is executed.

I plan to create a table radippoolinfo that will store ip pool specific info such as router address, net mask, dns servers, etc… In my post-auth policy, I am updating control with the proper pool-name (with an unlang), changing some other reply attributes, then calling dhcp_sqlippool. What I am doing doesn't feel right. I am very new to this, does this sound like the proper way of handling the serving of IPs on multiple subnets. DHCP-Domain-Name-Server and DHCP-Router-Address will change between pools.

I guess I'm asking if I am approaching this correctly: Using unlang in policy.conf to handle these rules.

Sorry to put such a long debug message in here. I pulled out one authorization request, but they all look the same. It looks like

This is what my authorization looks like: The request comes in with a framed ip of 192.168.0.43, but it tries to serve it 192.168.0.50. It reallocates a new IP for each auth every minute.
rad_recv: Access-Request packet from host 192.168.1.1 port 7053, id=32, length=142
        NAS-IP-Address = [redacted]
        NAS-Identifier = pfsense.localdomain
        User-Name = b8:8d:12:10:8d:f6
        User-Password = [redacted]
        Service-Type = Login-User
        NAS-Port-Type = Ethernet
        NAS-Port = 30
        Framed-IP-Address = 192.168.0.43
        Called-Station-Id = [redacted]
        Calling-Station-Id = b8:8d:12:10:8d:f6
Thu Jan 10 23:53:34 2013 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Thu Jan 10 23:53:34 2013 : Info: +- entering group authorize {...}
Thu Jan 10 23:53:34 2013 : Info: ++[preprocess] returns ok
Thu Jan 10 23:53:34 2013 : Info: ++[chap] returns noop
Thu Jan 10 23:53:34 2013 : Info: ++[mschap] returns noop
Thu Jan 10 23:53:34 2013 : Info: ++[digest] returns noop
Thu Jan 10 23:53:34 2013 : Info: [suffix] No '@' in User-Name = b8:8d:12:10:8d:f6, looking up realm NULL
Thu Jan 10 23:53:34 2013 : Info: [suffix] No such realm NULL
Thu Jan 10 23:53:34 2013 : Info: ++[suffix] returns noop
Thu Jan 10 23:53:34 2013 : Info: [eap] No EAP-Message, not doing EAP
Thu Jan 10 23:53:34 2013 : Info: ++[eap] returns noop
Thu Jan 10 23:53:34 2013 : Info: [files] users: Matched entry DEFAULT at line 93
Thu Jan 10 23:53:34 2013 : Info: ++[files] returns ok
Thu Jan 10 23:53:34 2013 : Info: [sql] expand: %{User-Name} -> b8:8d:12:10:8d:f6
Thu Jan 10 23:53:34 2013 : Info: [sql] sql_set_user escaped user --> 'b8:8d:12:10:8d:f6'
Thu Jan 10 23:53:34 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Thu Jan 10 23:53:34 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'b8:8d:12:10:8d:f6' ORDER BY id
Thu Jan 10 23:53:34 2013 : Info: [sql] User found in radcheck table
Thu Jan 10 23:53:34 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'b8:8d:12:10:8d:f6' ORDER BY id
Thu Jan 10 23:53:34 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'b8:8d:12:10:8d:f6' ORDER BY priority
Thu Jan 10 23:53:34 2013 : Debug: rlm_sql (sql): Released sql socket id: 0
Thu Jan 10 23:53:34 2013 : Info: ++[sql] returns ok
Thu Jan 10 23:53:34 2013 : Info: ++[expiration] returns noop
Thu Jan 10 23:53:34 2013 : Info: ++[logintime] returns noop
Thu Jan 10 23:53:34 2013 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP
Thu Jan 10 23:53:34 2013 : Info: ++[pap] returns noop
Thu Jan 10 23:53:34 2013 : Info: Found Auth-Type = Accept
Thu Jan 10 23:53:34 2013 : Info: Auth-Type = Accept, accepting the user
Thu
Re: dhcp sqlippool reauthenticate users every minute
Ethan Hayon wrote:

When I run the server in debug mode the Acct-Unique-Session-ID remains the same across the interim accounting updates. However, re-authentications don't seem to have a unique key associated with them.

That makes no sense. There is *nothing* unique to each user you can key off of? Name? MAC address?

In my post-auth policy, I am updating control with the proper pool-name (with an unlang), changing some other reply attributes, then calling dhcp_sqlippool. What I am doing doesn't /feel/ right. I am very new to this, does this sound like the proper way of handling the serving of ip's on multiple subnets. DHCP-Domain-Name-Server and DHCP-Router-Address will change between pools.

Get one thing working first. Only then look at the next thing.

I guess I'm asking if I am approaching this correctly: Using unlang in policy.conf to handle these rules.

unlang is for policy rules. Databases are for data. You've got some kind of mixup between the two.

Sorry to put such a long debug message in here. I pulled out one authorization request, but they all look the same. It looks like

They don't all look the same. They contain different information for each user. How else does the server tell users apart?

This is what my authorization looks like: The request comes in with a framed ip of 192.168.0.43, but it tries to serve it 192.168.0.50.

The default queries use Calling-Station-Id to track IP addresses. They *also* assume that the NAS sends accounting packets, so that each user has an accounting entry in SQL.

It reallocates a new IP for each auth every minute.

Probably because the NAS isn't sending accounting data. So the IP is never tracked in SQL.

So... did you look in the SQL database to see what's there? Is it tracking the IP? Does the user have an accounting record?

Alan DeKok.
Re: dhcp sqlippool reauthenticate users every minute
On Jan 11, 2013, at 6:38 PM, Alan DeKok al...@deployingradius.com wrote: Hi Alan, Thanks for the response Ethan Hayon wrote: When I run the server in debug mode the Acct-Unique-Session-ID remains the same across the interim accounting updates. However, re-authentications don't seem to have a unique key associated with them. That makes no sense. There is *nothing* unique to each user you can key off of? Name? MAC address? Yes, MAC address is unique for each user. The MAC should be a unique identifier when assigning IP's. In my post-auth policy, I am updating control with the proper pool-name (with an unlang), changing some other reply attributes, then calling dhcp_sqlippool. What I am doing doesn't /feel/ right. I am very new to this, does this sound like the proper way of handling the serving of ip's on multiple subnets. DHCP-Domain-Name-Server and DHCP-Router-Address will change between pools. Get one thing working first. Only then look at the next thing. Good point I guess I'm asking if I am approaching this correctly: Using unlang in policy.conf to handle these rules. unlang is for policy rules. Databases are for data. You've got some kind of mixup between the two. Sorry for the misunderstanding. I understand this. I'm just making sure it is normal to use unlang in the policy.conf to perform sql queries and use the results to build up a response. Again, I need to get this working before worrying about that. Sorry to put such a long debug message in here. I pulled out one authorization request, but they all look the same. It looks like They don't all look the same. They contain different information for each user. How else does the server tell users apart? I am only using one device right now, so the auth requests look the same, hence why I only included one below. The auth requests will look different if i introduce more devices into the system. 
This is what my authorization looks like: The request comes in with a framed ip of 192.168.0.43, but it tries to serve it 192.168.0.50.

The default queries use Calling-Station-Id to track IP addresses. They *also* assume that the NAS sends accounting packets, so that each user has an accounting entry in SQL.

It reallocates a new IP for each auth every minute.

Probably because the NAS isn't sending accounting data. So the IP is never tracked in SQL.

So... did you look in the SQL database to see what's there? Is it tracking the IP? Does the user have an accounting record?

Yes, the NAS is sending accounting data. This is what radacct looks like (some columns omitted)

+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+
| radacctid | acctsessionid    | acctuniqueid     | username          | nasipaddress  | callingstationid  | calledstationid | framedipaddress |
+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+
|        17 | 9e90e1a3b02da713 | 068649e121f096f2 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.40    |
|        18 | 61ebc2f61333e8d4 | 857f2f856c1ea384 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        19 | a8aed7c0d9ce3bd1 | 541ef5a9672cc6e7 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        20 | 5bd18f3ccb1edf8a | e3c55f048d9a680b | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        21 | 72ad87c6b43a08b4 | e427b47f54737c4f | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        22 | bff889e83c3b469b | 70ec2fe5fa197bcc | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+

So there is an accounting record for each user and each user session. Right now, I'm thinking there is a mismatch either in the nasipaddress or some other attribute. The NAS has a WAN ip of 98.109.201.89 and a LAN IP of 192.168.1.1. The RADIUS server is on LAN at 192.168.1.2.
I have noticed that sometimes the nasipaddress appears as 192.168.1.1 and other times as 98.109.201.89.

I think I am going to start with a fresh install of freeradius. I messed with too many queries (such as adjusting the Pool-Key) and I am worried that I have created a mess.

Ethan Hayon

Alan DeKok.
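To make Alan's description of the default allocation queries concrete, and to show what Ethan's observation about the alternating nasipaddress does to them, here is an added example (not code from the thread and not FreeRADIUS's own rlm_sqlippool). It models the post-auth allocate-clear / allocate-find / allocate-update sequence against an in-memory SQLite copy of the radippool table and replays one client re-authenticating every minute, once with a stable NAS-IP-Address and once with it alternating between the LAN and WAN address. The SQL is a simplified paraphrase of the 2.x sqlippool.conf defaults written for SQLite, the lease length, pool contents and requests are constructed, and the pool key is assumed to be the Calling-Station-Id; it demonstrates the mechanism rather than diagnosing Ethan's installation.

```python
import sqlite3

LEASE_SECONDS = 600  # constructed lease length; the real one is lease-duration in sqlippool.conf


def make_pool(addresses, pool_name="lan"):
    """In-memory radippool table (2.x column names) holding free addresses.
    Constructed data, not a dump of a live pool."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE radippool (
               id INTEGER PRIMARY KEY,
               pool_name TEXT NOT NULL,
               framedipaddress TEXT NOT NULL,
               nasipaddress TEXT NOT NULL DEFAULT '',
               calledstationid TEXT NOT NULL DEFAULT '',
               callingstationid TEXT NOT NULL DEFAULT '',
               expiry_time INTEGER,
               username TEXT NOT NULL DEFAULT '',
               pool_key TEXT NOT NULL DEFAULT '')"""
    )
    db.executemany(
        "INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)",
        [(pool_name, a) for a in addresses],
    )
    return db


def allocate(db, req, now):
    """Simplified allocate-clear / allocate-find / allocate-update sequence.

    req carries the attributes the default queries reference: Pool-Name,
    NAS-IP-Address, Calling-Station-Id, User-Name and the pool_key value
    (assumed here to be the Calling-Station-Id).  Returns the address
    issued, or None when nothing in the pool is free.
    """
    # allocate-clear: release what this NAS previously issued for this key.
    # The nasipaddress match is what a NAS that alternates its source
    # address defeats: the old lease is simply not found.
    db.execute(
        """UPDATE radippool
              SET nasipaddress = '', pool_key = '', callingstationid = '',
                  username = '', expiry_time = NULL
            WHERE nasipaddress = ? AND pool_key = ?""",
        (req["NAS-IP-Address"], req["pool_key"]),
    )
    # allocate-find: a free or expired address, preferring one this user or
    # calling station held before (the Calling-Station-Id tracking).
    row = db.execute(
        """SELECT framedipaddress FROM radippool
            WHERE pool_name = ? AND (expiry_time IS NULL OR expiry_time < ?)
            ORDER BY (username <> ?), (callingstationid <> ?), expiry_time, id
            LIMIT 1""",
        (req["Pool-Name"], now, req["User-Name"], req["Calling-Station-Id"]),
    ).fetchone()
    if row is None:
        return None
    ip = row[0]
    # allocate-update: record the lease against this NAS, key and client.
    db.execute(
        """UPDATE radippool
              SET nasipaddress = ?, pool_key = ?, callingstationid = ?,
                  username = ?, expiry_time = ?
            WHERE pool_name = ? AND framedipaddress = ?""",
        (req["NAS-IP-Address"], req["pool_key"], req["Calling-Station-Id"],
         req["User-Name"], now + LEASE_SECONDS, req["Pool-Name"], ip),
    )
    db.commit()
    return ip


def leases(db):
    """The lease rows, i.e. the view Alan suggests checking in the database."""
    return db.execute(
        "SELECT framedipaddress, nasipaddress, pool_key, expiry_time "
        "FROM radippool ORDER BY id").fetchall()


def reauth_sequence(nas_ips, mac="b8:8d:12:10:8d:f6"):
    """Re-authenticate one client once per entry of nas_ips, 60 s apart and
    well inside one lease, and return the addresses issued in order.  Within
    that window only allocate-clear can free the previous address."""
    db = make_pool(["192.168.0.43", "192.168.0.50"])
    t0 = 1357948414  # constructed epoch timestamp
    issued = []
    for i, nas in enumerate(nas_ips):
        req = {"Pool-Name": "lan", "NAS-IP-Address": nas,
               "Calling-Station-Id": mac, "User-Name": mac, "pool_key": mac}
        issued.append(allocate(db, req, t0 + 60 * i))
    return issued


if __name__ == "__main__":
    print("stable NAS-IP:     ", reauth_sequence(["192.168.1.1", "192.168.1.1"]))
    print("alternating NAS-IP:", reauth_sequence(["192.168.1.1", "98.109.201.89"]))
```

With a stable NAS-IP-Address the second re-auth clears and re-issues the same address; when the NAS-IP-Address changes between re-auths, allocate-clear matches nothing, the earlier lease stays valid until expiry_time, and allocate-find hands out the next free address. A third request from the first address gets the original lease back, and once every address carries an unexpired lease the pool is exhausted. That is the pattern to look for in radippool itself: rows for the same pool_key with different nasipaddress values and future expiry_time.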