Multithreaded krb5

2013-01-11 Thread Arran Cudbard-Bell
A while back there was some discussion about the current krb5 module in 
FreeRADIUS being single threaded, and that it may no longer be necessary for it 
to be single threaded.

It transpires that both MIT and Heimdal libraries are now thread safe, MIT 
since either 1.4.x or 1.4.4 (unsure) and Heimdal since around 0.7 
(documentation is fuzzy).

I can't test beyond compiling the code against the kerberos library, and maybe 
setting up a test KDC/TGS. But for this to be put into the stable branch it 
really needs to be tested under load, against a range of kerberos 
implementations.

We're looking for volunteers, preferably a mix of deployments using either MIT 
or Heimdal. The new module should just drop in for any v2.1.x deployment once 
compiled, as it doesn't use any new core API functions.

Change list:
* Both - Check that the krb5 library was compiled with threading support on startup.
* Both - Clone context on each request to ensure thread safety.
* Both - Move service principal parsing so it's done at initialisation only (instead of on every request).
* Both - Improved return codes, will now reflect revoked access/password expiry (USERLOCK), unknown client principal (NOTFOUND), as well as bad password (REJECT), and other errors (FAIL). Before, the module returned REJECT for almost everything.
* Both - Mark module as thread safe, config check safe (will be validated on -C), and hup safe (config will be reloaded on SIGHUP).
* Both - Switch more messages to use RDEBUG so they'll be printed in conditional debug (useful for production servers with radmin enabled).
* MIT - Move service principal string to service principal conversion so that it's done at initialisation only (instead of on every request).
* MIT - Move options configuration so they're done at initialisation only (instead of on every request).
* MIT - Switch to using krb5_get_init_creds_password and krb5_verify_init_creds to validate TGT instead of old twisty logic.
* MIT - Cache option removed as krb5_verify_init_creds disables the replay cache on its own.

For those wanting to test:
git clone g...@github.com:arr2036/freeradius-server.git
cd freeradius-server
git checkout threaded_krb5

Report issues on: http://bugs.freeradius.org, and send feedback to either the 
list or me directly.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Compiling error

2013-01-11 Thread Черкендов Александр Армаисович
Can't compile for CYGWIN version 2.2.1 and 2.2.0 (stable)
gcc -I/cygdrive/d/fr/freeradius-server-2.2.1 
-I/cygdrive/d/fr/freeradius-server-2.2.1/src -g -O2 -Wall -D_GNU_SOURCE 
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNDEBUG 
-I/cygdrive/d/fr/freeradius-server-2.2.1/libltdl 
-I/cygdrive/d/fr/freeradius-server-2.2.1/src 
-I/cygdrive/d/fr/freeradius-server-2.2.1/libltdl radeapclient.c   -o 
radeapclient
radeapclient.c:40:23: фатальная ошибка: eap_types.h: No such file or directory
Компиляция прервана.
builtin: recipe for target `radeapclient' failed
make[6]: *** [radeapclient] Error 1

File eap_types.h is situated in  src/modules/rlm_eap/lib_eap dir. If I launch 
gcc -I lib_eap, I get:
...
/tmp/ccD7XqGk.o: In function `debug_packet':
/cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:182: 
undefined reference to `_fr_packet_codes'
/cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:195: 
undefined reference to `_vp_prints'
/tmp/ccD7XqGk.o: In function `send_packet':
/cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:212: 
undefined reference to `_rad_send'
/cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:268: 
undefined reference to `_rad_verify'
/tmp/ccD7XqGk.o: In function `process_eap_challenge':
/cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:502: 
undefined reference to `_pairfind'
/cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:503: 
undefined reference to `_pairfind'
/cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:521: 
undefined reference to `_pairfind'
/cygdrive/d/fr/freeradius-server-2.2.1/src/modules/rlm_eap/radeapclient.c:522: 
undefined reference to `_pairfind'
...
As I found, _pairfind is defined in xlat.c.
How can I compile it?

Trying other authentication methods when the first is invalid

2013-01-11 Thread Meyers, Dan
Sorry for the wall of text, I'd rather give too much info than not enough.

Our FreeRADIUS server (version 2.1.8 running on Ubuntu 10.04 LTS x64, installed 
from packages) currently does mac-based authentication of hosts onto edge 
switches using perl scripts (rlm_perl) talking to the API for our network 
access control system. I would like to extend this to also be able to support 
802.1x based authentication, but only for certain specific networks (ones with 
access to more important servers or similar. For example the finance network 
should need 802.1x to auth, but our student residence network shouldn't as then 
no games consoles and the like would work).

The initial method I had set up was to look for the presence of an EAP-Message 
in the request in the authorize section, and call the eap module if EAP-Message 
was present to set Auth-Type to EAP and then do authentication using eap (tls 
or peap) (and then expect to hand off to perl in post_auth just for the VLAN 
assignment) or to call the perl module to set Auth-Type as Perl if there was no 
EAP-Message, and handle it in authenticate as a simple MAC auth using perl. 
(The reason for not just calling eap then perl all the time is that the 
rlm_perl module, despite my authorize subroutine containing simply 
$RAD_CHECK{'Auth-Type'} = 'Perl'; return RLM_MODULE_OK;, seems to alter the 
value of User-Name such that calling eap in authenticate *always* fails with 
the error "Identity does not match User-Name, setting from EAP Identity." and 
rejects the user if perl has been called in authorize, even if it is called 
after eap and the eap stanza reads eap { ok = return }). This worked fine on 
our HP Procurve switches.

Anyway, we have got some Juniper EX2200 switches. The problem with these is 
that they do mac-auth as a 'fake' 802.1x auth. The request has the User-Name 
attribute set to the MAC address correctly, but also has an EAP-Message 
present, it just doesn't contain anything we want to have to care about (It 
actually contains, once the eap header has been decoded, the md5 of the 
mac-address). This causes the eap module, if called in authorize, to think the 
request should be handled by itself and set Auth-Type to EAP and expect to do 
eap-md5 (even if the default-auth-type in eap.conf is set to something else, 
like peap). However, as we do not actually want to do an eap-md5 auth we have 
no Cleartext-Password anywhere for the tens of thousands of MAC addresses (with 
new ones every day, which we auth onto a special 'unregistered' network with 
limited access instead of rejecting) on our network.

The eap module in this case returns 'invalid' in authentication, rather than 
'reject'. I was hoping I could detect this and tell it to move on to perl if 
this happened. I can't seem to make that work. As soon as eap returns invalid, 
all further processing is halted for that request and FreeRADIUS jumps straight 
to the Post-Auth REJECT section. Can anyone suggest a way around this? I was 
originally thinking that I could use the perl module after eap in authorize to 
check if the decoded eap data was simply an md5 hash of the MAC, and set 
Auth-Type to Perl even though there was an EAP-Message in that case, but of 
course if I ever then do that check on a valid 802.1x auth EAP breaks (as I 
mentioned above). 

Thanks for any help anyone can offer

-- 
Dan Meyers
Lancaster University



Re: Trying other authentication methods when the first is invalid

2013-01-11 Thread Phil Mayers

On 11/01/13 13:23, Meyers, Dan wrote:


> Anyway, we have got some Juniper EX2200 switches. The problem with
> these is that they do mac-auth as a 'fake' 802.1x auth. The request
> has the User-Name attribute set to the MAC address correctly, but
> also has an EAP-Message present, it just doesn't contain anything we
> want to have to care about (It actually contains, once the eap header
> has been decoded, the md5 of the mac-address). This causes the eap


Wait, what? Seriously? Can you show a debug of one of these requests?


> module, if called in authorize, to think the request should be
> handled by itself and set Auth-Type to EAP and expect to do eap-md5
> (even if the default-auth-type in eap.conf is set to something else,
> like peap). However, as we do not actually want to do an eap-md5 auth
> we have no Cleartext-Password anywhere for the tens of thousands of
> MAC addresses (with new ones every day, which we auth onto a special
> 'unregistered' network with limited access instead of rejecting) on
> our network.


Hang on; is it EAP-MD5, or some fake EAP?

If it's EAP-MD5, what is the switch using as the password? A fixed 
value, or the MAC address?


You might find it's as simple as doing:

authorize {
  ...
  if (EAP-Message) {
    # a bare MAC address is 12 hex digits; match the whole User-Name
    if (User-Name =~ /^[0-9a-f]{12}$/) {
      # mac-based auth as EAP-MD5: the MAC is both the identity and the password
      update control {
        Cleartext-Password := "%{User-Name}"
      }
    }
    eap
  }
  else {
    my_perl
  }
  ...
}





> The eap module in this case returns 'invalid' in authentication,
> rather than 'reject'. I was hoping I could detect this and tell it to
> move on to perl if this happened. I can't seem to make that work. As
> soon as eap returns invalid, all further processing is halted for
> that request and FreeRADIUS jumps straight to the Post-Auth REJECT
> section. Can anyone suggest a way around this?


Maybe. I'd need to see a debug of one of these horribly broken-sounding 
EAP requests. If it's actually broken, you're hosed. If it's just doing 
EAP-MD5 for mac-auth with some fixed or well-known password, you just 
need to set that password.



Re: Trying other authentication methods when the first is invalid

2013-01-11 Thread Alan DeKok
Meyers, Dan wrote:
> Anyway, we have got some Juniper EX2200 switches. The problem with these is
> that they do mac-auth as a 'fake' 802.1x auth. The request has the User-Name
> attribute set to the MAC address correctly, but also has an EAP-Message
> present, it just doesn't contain anything we want to have to care about (It
> actually contains, once the eap header has been decoded, the md5 of the
> mac-address).

  That phrase is a trigger for me.  "contains the MD5 hash of the
password" is a horribly vague description.  Where is this hash
contained?  Why is it contained, and not part of a well-defined EAP type?

> This causes the eap module, if called in authorize, to think the request
> should be handled by itself and set Auth-Type to EAP and expect to do eap-md5
> (even if the default-auth-type in eap.conf is set to something else, like
> peap). However, as we do not actually want to do an eap-md5 auth we have no
> Cleartext-Password anywhere

  OK... so it's EAP-MD5.  *PLEASE* just say this.

  The switch does EAP-MD5 with the MAC address as the password.

  That's *much* easier than reading a wall of text.

> ... As soon as eap returns invalid, all further processing is halted for that
> request and FreeRADIUS jumps straight to the Post-Auth REJECT section.

  That's how user rejection works.  If you reject the user, you don't
keep looking for more things to do.

> Can anyone suggest a way around this? I was originally thinking that I could
> use the perl module after eap in authorize to check if the decoded eap data
> was simply an md5 hash of the MAC,

  Huh?  You *are* aware that the server comes with an EAP-MD5 module,
right?  Why not just use that?

  The wall of text indicates to me that you're lost in the weeds
looking for a solution.  The more you get lost, the bigger the
description becomes, and the more complicated the solution.

  Once you (a) know it's EAP-MD5, and (b) know that the password is the
MAC, and (c) know that the MAC is in the User-Name, the solution becomes
rather obvious.

  Do what Phil says.  It should work.

  Alan DeKok.
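The mechanism Phil and Alan are pointing at, worked through as an added example (this is not code from the thread, the switch or FreeRADIUS): EAP-MD5 is CHAP carried over EAP, so the Response value is MD5(Identifier || password || challenge), and once Cleartext-Password is set to the User-Name the server can check the switch's answer from the MAC alone. The packet layout follows RFC 3748 section 5.4; the switch behaviour (MAC as the secret) and the 12-lower-case-hex-digit User-Name format are assumptions taken from the thread, and every MAC, name and challenge below is constructed.

```python
import hashlib
import hmac
import re
import struct

# EAP codes and the MD5-Challenge type (RFC 3748 section 5.4)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4


def eap_md5_packet(code, identifier, value, name=b""):
    """Build an EAP packet carrying an MD5-Challenge payload:
    Code | Identifier | Length | Type=4 | Value-Size | Value | Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet):
    """Split an EAP MD5-Challenge packet into (code, identifier, value, name),
    rejecting anything whose length fields disagree with the bytes received."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 6 or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, value, packet[6 + value_size:]


def md5_response(identifier, secret, challenge):
    """CHAP/EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_eap_md5(request, response, cleartext_password):
    """Server-side check: recompute the expected value from the stored password
    and compare it in constant time against the value the peer sent."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    code, resp_id, value, _ = parse_eap_md5(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    expected = md5_response(req_id, cleartext_password, challenge)
    return hmac.compare_digest(expected, value)


def switch_mac_auth_response(mac, request):
    """Model of the switch behaviour described in the thread (an assumption
    about the device): it answers the challenge using its MAC as the secret."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    secret = mac.encode()
    value = md5_response(req_id, secret, challenge)
    return eap_md5_packet(EAP_RESPONSE, req_id, value, secret)


def radius_decision(user_name, request, response, stored_passwords):
    """Phil's authorize policy as a function: a User-Name that looks like a bare
    MAC (12 hex digits, assumed format) gets Cleartext-Password := User-Name;
    anyone else needs a stored password, and without one there is nothing to
    compare against, which is the 'invalid' Dan saw rather than a 'reject'."""
    if re.fullmatch(r"[0-9a-f]{12}", user_name):
        password = user_name.encode()
    else:
        password = stored_passwords.get(user_name)
        if password is None:
            return "invalid"
    return "accept" if verify_eap_md5(request, response, password) else "reject"


def demo():
    """Constructed exchange with a fixed challenge so the result is reproducible."""
    challenge = bytes(range(16))
    request = eap_md5_packet(EAP_REQUEST, 7, challenge)
    mac = "001122aabbcc"
    good = radius_decision(mac, request, switch_mac_auth_response(mac, request), {})
    # same User-Name, but the response was computed with a different secret
    forged = radius_decision(mac, request, switch_mac_auth_response("ffffffffffff", request), {})
    # a non-MAC user with no Cleartext-Password on file cannot be checked at all
    unknown = radius_decision("someuser", request, switch_mac_auth_response("someuser", request), {})
    return good, forged, unknown


if __name__ == "__main__":
    print(demo())   # ('accept', 'reject', 'invalid')
```

The three outcomes are the ones the thread distinguishes: a correct answer for a MAC-shaped User-Name is accepted, a wrong answer is rejected, and a user with no password available yields 'invalid' because the module cannot compute anything to compare, which is why the eap module's return code looked odd to Dan.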


LDAP Reply Attributes

2013-01-11 Thread Tyler Brady
I'm sure this is an easy issue to solve, but my simple brain can't seem to put 
the pieces together. Any help would be greatly appreciated.

I'm trying to authorize a login into a Cisco switch with admin privileges.

Users:

DEFAULT	LDAP-Group == "Radius-Users"
	Reply-Message = "Welcome Message Test",
	Cisco-AVPair = "shell:priv-lvl=15"

Note: I've tried many different combinations of attributes with no luck. 
(Service-Type = Administrative-User,  Service-Type = NAS-Prompt-User)

Output:

Sending Access-Accept of id 61 to 172.28.64.3 port 1645
	Reply-Message = "Welcome Message Test"
	Cisco-AVPair = "shell:priv-lvl=15"


The switch login successfully shows "Welcome Message Test", but still kicks 
into user exec mode without applying Cisco-AVPair = "shell:priv-lvl=15".


I noticed that there is a mapping for the Reply-Message found in ldap.attrmap, 
but none for Cisco-AVPair. Is this why it's not working? If so, I have not been 
able to find the correct syntax for adding it to ldap.attrmap.


Thanks in advance,

T. Brady

Re: LDAP Reply Attributes

2013-01-11 Thread Alan Buxey
Switch config issue? Ensure your switch is configured to authorize over RADIUS 
as well as to authenticate over RADIUS.
(sounds like it's doing the latter but not the former)

alan


Different IP addresses from home radius server

2013-01-11 Thread Greg Rutz
We are using FreeRadius 2.1.12 as a proxy to a remote radius server.  
The remote server (not under our direct control) receives RADIUS request 
messages on one IP address, but sends the response out a different 
interface (and thus has a different IP). FreeRadius is rejecting the 
response since the IP does not match that of the request.  Is there a 
way to configure FreeRadius to allow this?


Greg


RE: LDAP Reply Attributes

2013-01-11 Thread Tyler Brady
> Switch config issue? Ensure your switch is configured to authorize over RADIUS
> as well as to authenticate over RADIUS.
> (sounds like it's doing the latter but not the former)

You were absolutely correct. I’m dumb and forgot that I removed the 
authorization statement from my switch awhile back.

T. Brady





rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Ti Leggett
I have an issue with rlm_perl changing the request User-Name attribute but the 
proxy request not honoring it. First I'll describe what I'm trying to 
accomplish and why and then what I'm doing. I'm running a branch of 2.2.1 that 
has some krb5 realm fixes in it.

I have multiple realms that users can authenticate against: our division has 
replayable password (handled by kerberos) and one time passwords (handled by 
both YubiKeys and Crypto Card), our lab has replayable passwords (handled by 
AD) and a separate one time password system (handled by Crypto Card). For 
services that we want to allow replayable passwords (like IMAP access for 
instance), we want to allow the user to choose which service to use (division 
or lab). For services requiring OTP we want the user to choose which OTP token 
they want to use (some people have multiple because of external requirements). 
We want users to be able to change these auth preferences on their own and not 
have this require changing the RADIUS configuration (a.k.a., the users file) to 
do this. Our account information is kept in LDAP.

This is all well and good except that usernames between the division and the 
lab aren't guaranteed to match - User A might have lastname as their division 
name, but lastnamefirst as their lab username. For the kerberos and AD request 
the RADIUS server can handle the request directly using rlm_krb5, but for all 
the OTP requests the server must proxy to the correct OTP server to handle the 
request.

Here's my plan for accomplishing this.

During authorization, rlm_ldap is used to make sure the user is in LDAP. If 
not the request is rejected outright (this should help with brute force 
attempts bogging down all the servers for bogus attempts). Next an rlm_perl 
module is called to get the user's preferred realm and what username to use in 
that realm from LDAP. An example would be leggett@yubi.division.example.com 
(signifying that I want to use YubiKey from my division). The rlm_perl module 
updates the request User-Name to be this preference and Auth-Type to be System 
(see http://pastie.org/5670077). Lastly rlm_realm checks the request to 
determine if it should be proxied or not. The problem is this: Everything works 
if the username doesn't change. For instance, if I'm 
legg...@yubi.division.example.com and legg...@crypto.example.com, things work. 
The User-Name change being done by rlm_perl is being recognized by rlm_realm 
and rlm_realm is routing to the proper realm; however, rlm_realm seems to want 
to clobber User-Name in its own way, so that by the time proxying happens User-Name is 
set to whatever the initial username was - if I started the process as leggett 
and wanted my username to eventually be ti.legg...@crypto.example.com, by the 
time it reaches the proxy phase my User-Name attribute has been reset back to 
leggett even if I rerun the rlm_perl module after rlm_realm (see 
http://pastie.org/5670076)

I notice that rlm_suffix doesn't overwrite the Stripped-User-Name rlm_perl 
adds, but appends another entry. This is fine for my purposes since the 
rlm_perl one is added first, subsequent calls use that value. I'm afraid the 
same is happening with User-Name in that rlm_perl is appending another entry 
instead of overwriting the ones there.

So is there any way around this or am I completely insane with this approach?


Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread A . L . M . Buxey
hi,

don't play with User-Name; update/modify Stripped-User-Name instead and use that 
in the authn/authz stages

alan


Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Ti Leggett

On Jan 11, 2013, at 2:32 PM, Arran Cudbard-Bell a.cudba...@freeradius.org 
wrote:

> [snip]
>
> Yeah it'll just bog down your LDAP server instead. You should use rlm_cache
> to cache the result of the LDAP lookup (once you have all this working)*.
>
> Have you added nostrip for all the realms? The only way I can see it
> clobbering username is if stripping is enabled.

So that was my first thought too. However, I have limited visibility into the 
remote lab crypto server and when I sent a request to with a realm included, it 
flat out dropped the request. Didn't reply at all. So I need the realm to so 
the proxy portion can hit the right destination, but I need the User-Name 
stripped so the remote server can understand it.

> -Arran
>
> PS: You know you want to test the threaded version of the updated rlm_krb5
> module :)

I do! Once I get this configuration working I'll be happy to try it. One of my 
todos for this whole config revamp is to stress test the environment against a 
brute force attack (we get them frequently). Then I'll have some before numbers 
to compare with the after.

 
> * Only use the rlm_cache module from 2.2.1



Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Arran Cudbard-Bell

On 11 Jan 2013, at 19:58, Ti Leggett legg...@mcs.anl.gov wrote:

> I have an issue with rlm_perl changing the request User-Name attribute but
> the proxy request not honoring it. First I'll describe what I'm trying to
> accomplish and why and then what I'm doing. I'm running a branch of 2.2.1
> that has some krb5 realm fixes in it.
>
> I have multiple realms that users can authenticate against: our division has
> replayable password (handled by kerberos) and one time passwords (handled by
> both YubiKeys and Crypto Card), our lab has replayable passwords (handled by
> AD) and a separate one time password system (handled by Crypto Card). For
> services that we want to allow replayable passwords (like IMAP access for
> instance), we want to allow the user to choose which service to use (division
> or lab). For services requiring OTP we want the user to choose which OTP
> token they want to use (some people have multiple because of external
> requirements). We want users to be able to change these auth preferences on
> their own and not have this require changing the RADIUS configuration
> (a.k.a., the users file) to do this. Our account information is kept in LDAP.
>
> This is all well and good except that usernames between the division and the
> lab aren't guaranteed to match - User A might have lastname as their division
> name, but lastnamefirst as their lab username. For the kerberos and AD
> request the RADIUS server can handle the request directly using rlm_krb5, but
> for all the OTP requests the server must proxy to the correct OTP server to
> handle the request.
>
> Here's my plan for accomplishing this.
>
> During authorization, rlm_ldap is used to make sure if the user is in LDAP.
> If not the request is rejected outright (this should help with brute force
> attempts bogging down all the servers for bogus attempts).

Yeah it'll just bog down your LDAP server instead. You should use rlm_cache to 
cache the result of the LDAP lookup (once you have all this working)*.

Have you added nostrip for all the realms? The only way I can see it clobbering 
username is if stripping is enabled.

-Arran

PS: You know you want to test the threaded version of the updated rlm_krb5 
module :)

* Only use the rlm_cache module from 2.2.1


Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Phil Mayers

On 01/11/2013 08:32 PM, Arran Cudbard-Bell wrote:


> Have you added nostrip for all the realms? The only way I can see it
> clobbering username is if stripping is enabled.


Isn't the problem the special request->username attribute? AFAICT the 
pairmove code handles this specially (fixup) but I'm not sure rlm_perl 
does the same?


If that is the case, OP may find that putting the new username in an 
interim / temp variable then forcing update via unlang works:


authorize {
  ...
  myperl
  update request {
    User-Name := "%{The-Var}"
  }
  ...
}

This is a WAG though...


dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Ethan Hayon
Hi, I'm trying to set up FreeRADIUS 2.2 to act as an authentication and 
accounting system as well as a DHCP server. (I'm relaying DHCP requests from a 
pfSense box).

I am trying to use sqlippools on FreeRADIUS, but I have noticed that my ippools 
are filling up quickly (I am only testing with two devices). I have pfSense 
configured to reauthenticate user every minute, so I believe that FreeRADIUS is 
running post-auth dhcp leasing each time the user is reauthenticated. 
FreeRADIUS is serving the same client a new IP address each minute. 

I have adjusted my policy conf to the below. I may be approaching this the 
wrong way, but this is essentially what I am trying to do:

I want to have multiple pools on different subnets. When a new client connects 
to the network (they don't yet have a radius account) they are sent to a 
default (pending) pool. This may be on the 192.168.1/24 subnet. After they have 
set up their account and have been added to the RADIUS database, they will be 
given a pool-name, maybe `pool2`. `pool2` will be on a different subnet, for 
example, 192.168.2/24. The pfsense box knows how to route these subnets, so that 
is not a problem. I only want clients to receive a different IP address if 
their pool-name changes for whatever reason, if there are no changes to their 
account, they shouldn't be leased a new IP every time they reauthenticate 
(every minute).

Eventually I will disable the reauthenticate every minute feature as the 
production system would not be able to handle this many requests. 

Am I approaching this problem correctly? I have written some unlang in the 
policy.conf file for handling some of this. I am getting hung up on this 
problem. The pool is getting exhausted in minutes since each client is leased a 
new ip every minute.

Any help is appreciated!
Thanks,
Ethan

...
dhcp_sqlippool.post-auth {
	#  Do some minor hacks to the request so that it looks
	#  like a RADIUS request to the SQL IP Pool module.

	#  Check whether the requester is a user or not; if they do not
	#  have a Pool-Name, send them to pfpriv by default.
	if ("%{sql: SELECT COUNT(*) FROM radcheck WHERE username='%{DHCP-Client-Hardware-Address}' AND attribute='Pool-Name'}" != 0) {
		update control {
			Pool-Name := "%{sql: SELECT `value` FROM radcheck WHERE username='%{DHCP-Client-Hardware-Address}' AND attribute='Pool-Name'}"
		}
	}
	else {
		update control {
			#  Default pool if the user doesn't have an account.
			Pool-Name := pfpriv
		}
	}

	update reply {
		#  We will ultimately create a mysql table `radpoolinfo` to store
		#  per-pool attributes; both of these will move there eventually.
		DHCP-Domain-Name-Server = 192.168.1.1
		DHCP-Router-Address = 192.168.0.1
	}
	update request {
		User-Name = "DHCP-%{DHCP-Client-Hardware-Address}"
		Calling-Station-Id = "%{DHCP-Client-Hardware-Address}"
		NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}"
		Acct-Status-Type = Start
	}

	#  Call the actual module
	#
	#  Uncomment this in order to really call it!
	dhcp_sqlippool
	#fail

	#  Convert Framed-IP-Address to DHCP, but only if we
	#  actually allocated an address.
	if (ok) {
		update reply {
			DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
		}
	}
}
...


Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Ti Leggett

On Jan 11, 2013, at 2:35 PM, a.l.m.bu...@lboro.ac.uk wrote:

> hi,
>
> don't play with User-Name, update/modify Stripped-User-Name instead and use
> that in the
> authn/authz stages

How do I get the remote servers I'm proxying for to understand 
Stripped-User-Name? As far as I can tell Stripped-User-Name isn't even in the 
Access-Request to the proxied server.

> alan



Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Arran Cudbard-Bell

On 11 Jan 2013, at 20:49, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 01/11/2013 08:32 PM, Arran Cudbard-Bell wrote:
>
>> Have you added nostrip for all the realms? The only way I can see it
>> clobbering username is if stripping is enabled.
>
> Isn't the problem the special request->username attribute?

It is, request->username appears to be pointing to the original User-Name pair 
instead of the new perl one.

> AFAICT the pairmove code handles this specially (fixup) but I'm not sure
> rlm_perl does the same?

Yes, unfortunately. That would have been a nice simple fix.

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_perl/rlm_perl.c

@leggett

If you don't mind rebuilding the server, could you change:

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/main/modcall.c#L686

And add:

RDEBUG("Cached username is \"%s\", list username is \"%s\"",
       request->username->vp_strvalue,
       pairfind(request->packet->vps, PW_USER_NAME)->vp_strvalue);

Just after modcall_single()

Run it in debug mode and you'll see exactly where the username isn't being 
updated. List username and cached username should always be in sync up until 
the call to suffix, at which point the cached username should be stripped of 
the realm.


 
> If that is the case, OP may find that putting the new username in an interim
> / temp variable then forcing update via unlang works:
>
> authorize {
>   ...
>   myperl
>   update request {
>     User-Name := "%{The-Var}"
>   }
>   ...
> }

Yeah it should do. That calls radius_pairmove which has the magic update cache 
logic in it too.

-Arran
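A small model of the desync Phil and Arran are describing, added here as an example (this is not FreeRADIUS code): a request keeps both an attribute list and a cached reference to its User-Name pair, a module that hands back a rebuilt list leaves the cache pointing at the old pair, and the update path refreshes the cache. The rebuild-the-list behaviour of the module and the cached reference are assumptions drawn only from the thread's description, and the new username is constructed.

```python
from dataclasses import dataclass


@dataclass
class ValuePair:
    attribute: str
    value: str


class Request:
    """Model of a request: an attribute list plus a cached reference to the
    User-Name pair, standing in for what the thread calls request->username.
    This is an assumption about the server's internals, not its real structure."""

    def __init__(self, pairs):
        self.vps = list(pairs)
        self.username = next((vp for vp in self.vps if vp.attribute == "User-Name"), None)

    def module_rebuilds_list(self, new_pairs):
        """What a module that returns a whole new attribute list does (modelled):
        the list is replaced, but the cached reference still points at the old pair."""
        self.vps = list(new_pairs)

    def pairmove_update(self, attribute, value):
        """The 'update request { Attr := value }' path (modelled): change the pair in
        the list and refresh the cached reference whenever User-Name is touched."""
        for vp in self.vps:
            if vp.attribute == attribute:
                vp.value = value
                break
        else:
            self.vps.append(ValuePair(attribute, value))
        if attribute == "User-Name":
            self.username = next(vp for vp in self.vps if vp.attribute == "User-Name")

    def list_username(self):
        """What a module reading the attribute list sees (e.g. rlm_realm)."""
        return next((vp.value for vp in self.vps if vp.attribute == "User-Name"), None)

    def proxied_username(self):
        """What a path that trusts the cached reference sends onwards."""
        return self.username.value if self.username else None

    def in_sync(self):
        return self.list_username() == self.proxied_username()


def demo():
    """Constructed walk-through of the two routes to a new User-Name in the thread."""
    req = Request([ValuePair("User-Name", "leggett"), ValuePair("User-Password", "secret")])
    # Route 1: the module replaces the list. The list has the new name, the cache does not,
    # so whatever proxies on the cached value still carries the original username.
    req.module_rebuilds_list([ValuePair("User-Name", "labname@crypto.example.com"),
                              ValuePair("User-Password", "secret")])
    after_rebuild = (req.list_username(), req.proxied_username(), req.in_sync())
    # Route 2: go through the update path, which also refreshes the cached reference.
    req.pairmove_update("User-Name", "labname@crypto.example.com")
    after_update = (req.list_username(), req.proxied_username(), req.in_sync())
    return after_rebuild, after_update
```

The debug line Arran suggests prints exactly these two values side by side; in this model the first route is the point at which they stop agreeing, and the unlang update Phil proposes is the second route.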


Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread A . L . M . Buxey
Hi,

> How do I get the remote servers I'm proxying for to understand
> Stripped-User-Name. As far as I can tell Stripped-User-Name isn't even in the
> Access-Request to the proxied server.

ah, missed the proxy bit. As Phil says, use a temp value and then set User-Name 
to that just before the proxying occurs (using unlang) - but beware that 
particular authentication methods don't like User-Name to have changed (thinking 
some EAP clients) - so this may cause issues in the future or be the cause of 
issues you are facing.

alan


Re: dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Alan DeKok
Ethan Hayon wrote:
> Hi, I'm trying to set up FreeRADIUS 2.2 to act as an authentication and
> accounting system as well as a DHCP server. (I'm relaying DHCP requests from
> a pfSense box).

  Are you doing DHCP *and* RADIUS?

> I am trying to use sqlippools on FreeRADIUS, but I have noticed that my
> ippools are filling up quickly (I am only testing with two devices). I have
> pfSense configured to reauthenticate user every minute, so I believe that
> FreeRADIUS is running post-auth dhcp leasing each time the user is
> reauthenticated. FreeRADIUS is serving the same client a new IP address each
> minute.

  There's no need to believe anything.  Run the server in debugging
mode to see exactly what it's doing.

  Any IP allocation MUST be done on a key which is unique to each
device.  That key should remain the same across multiple re-authentications.

  So... is it?  Please check.

> I want to have multiple pools on different subnets. When a new client
> connects to the network (they don't yet have a radius account) they are sent
> to a default (pending) pool. This may be on the 192.168.1/24 subnet. After
> they have set up their account and have been added to the RADIUS database,
> they will be given a pool-name, maybe `pool2`. `pool2` will be on a different
> subnet, for example, 192.168.2/24. The pfsense box knows how to route these
> subnets, so that is not a problem. I only want clients to receive a different
> IP address if their pool-name changes for whatever reason, if there are no
> changes to their account, they shouldn't be leased a new IP every time they
> reauthenticate (every minute).

  This is what databases are for.  If you want to map each client to a
pool, you'll need a table with a client identifier column, and a
pool-name column.  Then, assign IPs based on the pool name, as looked
up in the table.

> Am I approaching this problem correctly? I have written some un-lang in the
> policy.conf file for handling some of this. I am getting hung up on this
> problem. The pool is getting exhausted in minutes since each client is leased
> a new ip every minute.

  Solve that problem first.  Run the server in debugging mode to see
*why* it's assigning a new IP.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different IP addresses from home radius server

2013-01-11 Thread Alan DeKok
Greg Rutz wrote:
 We are using FreeRadius 2.1.12 as a proxy to a remote radius server. 
 The remote server (not under our direct control) receives RADIUS request
 messages on one IP address, but sends the response out a different
 interface (and thus has a different IP). FreeRadius is rejecting the
 response since the IP does not match that of the request.  Is there a
 way to configure FreeRadius to allow this?

  No.

  Tell the administrator of the remote server to fix his system.

  RADIUS *requires* replies to come from the same IP.  Anything else is
broken.  All RADIUS servers since 2000 or so should be able to work
correctly when they have multiple IPs.

  The remote admin has no excuse for running a broken RADIUS server.

  Alan DeKok.


Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Ti Leggett

On Jan 11, 2013, at 3:21 PM, Arran Cudbard-Bell a.cudba...@freeradius.org 
wrote:

 @leggett
 
 If you don't mind rebuilding the server, could you change:
 
 https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/main/modcall.c#L686
 
 And add:
 
 RDEBUG("Cached username is \"%s\", list username is \"%s\"", 
 request->username->vp_strvalue, pairfind(request->packet->vps, 
 PW_USER_NAME)->vp_strvalue);
 
 Just after modcall_single()
 
 Run it in debug mode and you'll see exactly where the username isn't being 
 updated. List username and cached username should always be in sync up until 
 the call to suffix, at which point the cached username should be stripped of 
 the realm.

Ok. I'm flummoxed:

+- entering group pre-proxy {...}
[pre_proxy_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.1/pre-proxy-detail-20130111
[pre_proxy_log] /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/pre-proxy-detail-20130111
[pre_proxy_log] expand: %t -> Fri Jan 11 15:38:05 2013
Cached username is "ti.leggett", list username is "ti.legg...@crypto.example.com"
++[pre_proxy_log] returns ok
Sending Access-Request of id 217 to 192.168.1.2 port 1812
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = host.division.example.com
User-Name = leggett
User-Password = password
NAS-Identifier = sshd
NAS-IP-Address = 192.168.1.1
NAS-Port = 9975
Proxy-State = 0x3831



Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Arran Cudbard-Bell
 
 Just after modcall_single()

Or call_modsingle even...

-Arran


Slow Ldap Authorization

2013-01-11 Thread Tyler Brady
Version 2.1.10

Since adding LDAP authorization, my login time has slowed down quite a bit. It 
takes 4 or 5 seconds longer for freeRadius to get through all of the [ldap] 
fields and send an Access-Accept. Is this a normal amount of time, or is there 
something in my configuration that is causing this slow down?

LDAP Module:

ldap {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	server = "172.28.64.10"
	identity = "CN=User Name,OU=Phoenix_Users,DC=company,DC=com"
	password = password
	basedn = "DC=company,DC=com"
	filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
	groupname_attribute = cn
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{contr$
	groupmembership_attribute = memberOf
	# base_filter = "(objectclass=radiusprofile)"

	#  How many connections to keep open to the LDAP server.
	#  This saves time over opening a new LDAP socket for
	#  every authentication request.
	ldap_connections_number = 5


Debug:

Ready to process requests.
rad_recv: Access-Request packet from host 172.28.64.3 port 1645, id=98, 
length=85
User-Name = RadiusUser
User-Password = password
NAS-Port = 3
NAS-Port-Id = tty3
NAS-Port-Type = Virtual
Calling-Station-Id = 172.28.64.119
NAS-IP-Address = 172.28.64.3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = RadiusUser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [ldap] Entering ldap_groupcmp()
[files] expand: DC=company,DC=com -> DC=company,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] ... expanding second conditional
[files] expand: %{User-Name} -> RadiusUser
[files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 172.28.64.10:389, authentication 0
  [ldap] bind as CN=User Name,OU=Alaska_Users,DC=company,DC=com/password to 
172.28.64.10:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
  [ldap] rebind to URL 
ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
  [ldap] rebind to URL 
ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
  [ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom
  [ldap] rebind to URL 
ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
  [ldap] rebind to URL 
ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, 
with filter (objectclass=*)
  [ldap] performing search in 
CN=Radius-Users,OU=Alaska_Users,DC=company,DC=com, with filter (cn=Radius-Users)
rlm_ldap::ldap_groupcmp: User found in group Radius-Users
  [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
[ldap] performing user authorization for RadiusUser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> RadiusUser
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
[ldap] expand: DC=company,DC=com -> DC=company,DC=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing 

Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Arran Cudbard-Bell

On 11 Jan 2013, at 20:51, Ti Leggett legg...@mcs.anl.gov wrote:

 
 On Jan 11, 2013, at 2:35 PM, a.l.m.bu...@lboro.ac.uk wrote:
 
 hi,
 
 dont play with User-Name, update/modify Stripped-User-Name instead and use 
 that in the
 authn/authz stages
 
 How do I get the remote servers I'm proxying for to understand 
 Stripped-User-Name. As far as I can tell Stripped-User-Name isn't even in the 
 Access-Request to the proxied server.

It's not; it's an internal attribute which doesn't get copied into the proxy 
request.

In pre-proxy you can add

update proxy-request {
	User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
}

That will fix the issue. Where is that User-Name value in the proxy request 
coming from? Is it the one from the original request? Could you include more 
debug output?


-Arran


Re: Slow Ldap Authorization

2013-01-11 Thread Arran Cudbard-Bell

On 11 Jan 2013, at 22:15, Tyler Brady tbr...@stc-comm.com wrote:

 Version 2.1.10
  
 Since adding LDAP authorization, my login time has slowed down quite a bit. 
 It takes 4 or 5 seconds longer for freeRadius to get through all of the 
 [ldap] fields and send an Access-Accept. Is this a normal amount of time, or 
 is there something in my configuration that is causing this slow down?

No, that's not normal; it should be under 100ms if not faster.

Uh, it's following three referrals and having to establish a new connection each 
time; that may be why it's so slow. You should also check that you have the 
appropriate indexes configured.

-Arran



C External Program

2013-01-11 Thread Ali Majdzadeh
Hi

I wrote the following code to accept any user/pass in a C external program:

#include <stdio.h>

int main(void)
{
	/* One attribute line on stdout; the exec module parses it into the request. */
	fprintf(stdout, "Auth-Type := Accept\n");
	return 0;
}

It works well with PAP but does not work in CHAP/MSCHAP. I know I should
return Cleartext-Password but I want to permit any user/pass to log in.
So how can I do that?
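Added example, not the poster's program: the post already notes that CHAP and MS-CHAP need Cleartext-Password rather than Auth-Type := Accept, because those modules have to compute the expected challenge response from the cleartext password, whereas Auth-Type := Accept skips verification entirely. This is what an exec-module program that supplies it looks like. It assumes the exec module passes request attributes in the environment with the name upper-cased and '-' replaced by '_' (so User-Name arrives as USER_NAME) and that exit status 1 maps to reject; both are taken from rlm_exec's documentation and should be checked against the exec module config shipped with your server version. The credential table is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Example exec-module program (not FreeRADIUS's own code).  Reads User-Name
 * from the USER_NAME environment variable (assumption: the exec module exports
 * request attributes that way) and prints a Cleartext-Password line for the
 * chap/mschap modules to verify against.
 */

/* Constructed credential table; a real program would query a user store. */
struct cred {
    const char *user;
    const char *password;
};

static const struct cred users[] = {
    { "bob",   "hello"  },
    { "alice", "s3cret" },
};

/* Look up a user's cleartext password; NULL when the user is unknown. */
const char *lookup_password(const char *user)
{
    if (user == NULL) return NULL;
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        if (strcmp(users[i].user, user) == 0) return users[i].password;
    }
    return NULL;
}

/*
 * Build the line the exec module parses from stdout:
 *     Cleartext-Password := "<password>"
 * Returns NULL for an unknown user, or for a password containing '"' or '\'
 * (which would need escaping inside the double quotes; out of scope here).
 */
const char *reply_line(const char *user)
{
    static char line[256];
    const char *pw = lookup_password(user);

    if (pw == NULL || strpbrk(pw, "\"\\") != NULL) return NULL;
    snprintf(line, sizeof line, "Cleartext-Password := \"%s\"", pw);
    return line;
}

int main(void)
{
    const char *line = reply_line(getenv("USER_NAME"));

    if (line == NULL) {
        /* Print nothing and exit 1, which rlm_exec maps to reject. */
        return 1;
    }
    printf("%s\n", line);
    return 0;
}
```

Run it as `USER_NAME=alice ./prog` to see the attribute line the server would read. An unknown user produces no output and a reject exit status, so the request is refused instead of silently accepted.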

Re: Different IP addresses from home radius server

2013-01-11 Thread Greg Rutz

On 1/11/13 2:35 PM, Alan DeKok wrote:

   No.

   Tell the administrator of the remote server to fix his system.

   RADIUS *requires* replies to come from the same IP.  Anything else is
broken.  All RADIUS servers since 2000 or so should be able to work
correctly when they have multiple IPs.

   The remote admin has no excuse for running a broken RADIUS server.

Turned out to be a broken load balancer on the remote server's network.  
Thank you for your quick response.



Re: dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Ethan Hayon
Thanks for the response Alan.

I am using DHCP and RADIUS. I was initially using FreeRADIUS for captive portal 
user authentication and accounting for a pfsense router (using the DHCP server 
built into the pfsense box). The DHCP server on pfsense limits us to only 
serving IPs on a single subnet. 
We are now trying to use FreeRADIUS as a DHCP server as well by associating 
user accounts with ippools through Pool-Name. 

When I run the server in debug mode the Acct-Unique-Session-ID remains the same 
across the interim accounting updates. However, re-authentications don't seem 
to have a unique key associated with them. 
Each time the user is reauthenticated, dhcp_sqlippool.post-auth is triggered 
and the script I added is executed. I plan to create a table radippoolinfo that 
will store ip pool specific info such as router address, net mask, dns servers, 
etc…

In my post-auth policy, I am updating control with the proper pool-name (with 
an unlang), changing some other reply attributes, then calling dhcp_sqlippool. 
What I am doing doesn't feel right. I am very new to this; does this sound like 
the proper way of handling the serving of IPs on multiple subnets? 
DHCP-Domain-Name-Server and DHCP-Router-Address will change between pools. 

I guess I'm asking if I am approaching this correctly: Using unlang in 
policy.conf to handle these rules. 


Sorry to put such a long debug message in here. I pulled out one authorization 
request, but they all look the same. It looks like 

This is what my authorization looks like:

The request comes in with a framed ip of 192.168.0.43, but it tries to serve it 
192.168.0.50. It reallocates a new IP for each auth every minute.

rad_recv: Access-Request packet from host 192.168.1.1 port 7053, id=32, 
length=142
NAS-IP-Address = [redacted]
NAS-Identifier = pfsense.localdomain
User-Name = b8:8d:12:10:8d:f6
User-Password = [redacted]
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 30
Framed-IP-Address = 192.168.0.43
Called-Station-Id = [redacted]
Calling-Station-Id = b8:8d:12:10:8d:f6
Thu Jan 10 23:53:34 2013 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
Thu Jan 10 23:53:34 2013 : Info: +- entering group authorize {...}
Thu Jan 10 23:53:34 2013 : Info: ++[preprocess] returns ok
Thu Jan 10 23:53:34 2013 : Info: ++[chap] returns noop
Thu Jan 10 23:53:34 2013 : Info: ++[mschap] returns noop
Thu Jan 10 23:53:34 2013 : Info: ++[digest] returns noop
Thu Jan 10 23:53:34 2013 : Info: [suffix] No '@' in User-Name = 
b8:8d:12:10:8d:f6, looking up realm NULL
Thu Jan 10 23:53:34 2013 : Info: [suffix] No such realm NULL
Thu Jan 10 23:53:34 2013 : Info: ++[suffix] returns noop
Thu Jan 10 23:53:34 2013 : Info: [eap] No EAP-Message, not doing EAP
Thu Jan 10 23:53:34 2013 : Info: ++[eap] returns noop
Thu Jan 10 23:53:34 2013 : Info: [files] users: Matched entry DEFAULT at line 93
Thu Jan 10 23:53:34 2013 : Info: ++[files] returns ok
Thu Jan 10 23:53:34 2013 : Info: [sql]  expand: %{User-Name} -> b8:8d:12:10:8d:f6
Thu Jan 10 23:53:34 2013 : Info: [sql] sql_set_user escaped user --> 'b8:8d:12:10:8d:f6'
Thu Jan 10 23:53:34 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Thu Jan 10 23:53:34 2013 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'b8:8d:12:10:8d:f6'   ORDER BY id
Thu Jan 10 23:53:34 2013 : Info: [sql] User found in radcheck table
Thu Jan 10 23:53:34 2013 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'b8:8d:12:10:8d:f6'   ORDER BY id
Thu Jan 10 23:53:34 2013 : Info: [sql]  expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'b8:8d:12:10:8d:f6'   ORDER BY priority
Thu Jan 10 23:53:34 2013 : Debug: rlm_sql (sql): Released sql socket id: 0
Thu Jan 10 23:53:34 2013 : Info: ++[sql] returns ok
Thu Jan 10 23:53:34 2013 : Info: ++[expiration] returns noop
Thu Jan 10 23:53:34 2013 : Info: ++[logintime] returns noop
Thu Jan 10 23:53:34 2013 : Info: [pap] WARNING: Auth-Type already set.  Not 
setting to PAP
Thu Jan 10 23:53:34 2013 : Info: ++[pap] returns noop
Thu Jan 10 23:53:34 2013 : Info: Found Auth-Type = Accept
Thu Jan 10 23:53:34 2013 : Info: Auth-Type = Accept, accepting the user
Thu 

Re: dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Alan DeKok
Ethan Hayon wrote:
 When I run the server in debug mode the Acct-Unique-Session-ID remains
 the same across the interim accounting updates. However,
 re-authentications don't seem to have a unique key associated with them. 

  That makes no sense.  There is *nothing* unique to each user you can
key off of?  Name?  MAC address?

 In my post-auth policy, I am updating control with the proper pool-name
 (with an unlang), changing some other reply attributes, then calling
 dhcp_sqlippool. What I am doing doesn't /feel/ right. I am very new to
 this, does this sound like the proper way of handling the serving of
 ip's on multiple subnets. DHCP-Domain-Name-Server and
 DHCP-Router-Address will change between pools. 

  Get one thing working first.  Only then look at the next thing.

 I guess I'm asking if I am approaching this correctly: Using unlang in
 policy.conf to handle these rules. 

  unlang is for policy rules.  Databases are for data.  You've got some
kind of mixup between the two.

 Sorry to put such a long debug message in here. I pulled out one
 authorization request, but they all look the same. It looks like 

  They don't all look the same.  They contain different information for
each user.  How else does the server tell users apart?

 This is what my authorization looks like:
 
 The request comes in with a framed ip of 192.168.0.43, but it tries to
 serve it 192.168.0.50.

  The default queries use Calling-Station-Id to track IP addresses.
They *also* assume that the NAS sends accounting packets, so that each
user has an accounting entry in SQL.

 It reallocates a new IP for each auth every minute.

  Probably because the NAS isn't sending accounting data.  So the IP is
never tracked in SQL.

  So... did you look in the SQL database to see what's there?  Is it
tracking the IP?  Does the user have an accounting record?

  Alan DeKok.
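Alan's two points above, that allocation must be keyed on a value unique and stable per device and that the default sqlippool queries only keep a lease alive while accounting tracks it, modelled as an added example. This is not FreeRADIUS's own sqlippool SQL; it is a small in-memory stand-in for the address table with the same three operations (allocate on Access-Request, reuse the existing lease when the key matches, free on Accounting Stop). Pool size, addresses and the per-request keys are constructed; the MAC is the thread's test device.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a sqlippool-style address table (example code, not
 * FreeRADIUS's own queries).  One row per address; a row is leased while
 * pool_key is non-empty.  The real module does the equivalent with SQL
 * UPDATE/SELECT statements and frees the row on Accounting Stop or expiry.
 */
#define POOL_SIZE 4
#define KEY_LEN 64

struct lease {
    const char *ip;
    char pool_key[KEY_LEN];   /* "" means the address is free */
};

static struct lease pool[POOL_SIZE] = {
    { "192.168.1.10", "" },
    { "192.168.1.11", "" },
    { "192.168.1.12", "" },
    { "192.168.1.13", "" },
};

/* Return every address to the free state. */
void pool_reset(void)
{
    for (int i = 0; i < POOL_SIZE; i++) pool[i].pool_key[0] = '\0';
}

/* Number of addresses currently leased. */
int pool_in_use(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) if (pool[i].pool_key[0]) n++;
    return n;
}

/*
 * Allocation as done on each Access-Request / post-auth:
 *  1. if this pool_key already holds an address, hand the same one back;
 *  2. otherwise take the first free address;
 *  3. NULL when the pool is exhausted.
 * Step 1 is what keeps a re-authenticating client on its existing address,
 * and it only works when pool_key expands to the same value on every request.
 * An empty key is refused: it is not unique to a device.
 */
const char *pool_allocate(const char *pool_key)
{
    if (pool_key == NULL || pool_key[0] == '\0') return NULL;
    for (int i = 0; i < POOL_SIZE; i++)
        if (strcmp(pool[i].pool_key, pool_key) == 0) return pool[i].ip;
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].pool_key[0] == '\0') {
            snprintf(pool[i].pool_key, KEY_LEN, "%s", pool_key);
            return pool[i].ip;
        }
    }
    return NULL;
}

/* Release on Accounting Stop: 1 if an address was freed, 0 otherwise. */
int pool_release(const char *pool_key)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (strcmp(pool[i].pool_key, pool_key) == 0) {
            pool[i].pool_key[0] = '\0';
            return 1;
        }
    }
    return 0;
}

/*
 * Re-authenticate one device `reauths` times without any Accounting Stop.
 * stable == 1: the key is the device MAC (Calling-Station-Id) every time.
 * stable == 0: the key is a per-request value, the failure mode in the thread.
 * Returns how many addresses the pool has handed out.
 */
int simulate_reauths(int reauths, int stable)
{
    const char *mac = "b8:8d:12:10:8d:f6";   /* the thread's test device */
    char key[KEY_LEN];

    pool_reset();
    for (int n = 0; n < reauths; n++) {
        if (stable) snprintf(key, KEY_LEN, "%s", mac);
        else snprintf(key, KEY_LEN, "session-%d", n);   /* constructed, changes every request */
        pool_allocate(key);
    }
    return pool_in_use();
}

int main(void)
{
    printf("stable key, 10 re-auths: %d address(es) used\n", simulate_reauths(10, 1));
    printf("per-request key, 10 re-auths: %d address(es) used of %d\n",
           simulate_reauths(10, 0), POOL_SIZE);
    return 0;
}
```

With a stable key the ten re-authentications cost one address; with a key that changes per request the four-address pool is exhausted after four minutes, which is the symptom Ethan describes. The same exhaustion happens with a stable key if no Accounting Stop ever calls the release path, which is the second thing Alan asks to check.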


Re: dhcp sqlippool reauthenticate users every minute

2013-01-11 Thread Ethan Hayon

On Jan 11, 2013, at 6:38 PM, Alan DeKok al...@deployingradius.com wrote:

Hi Alan, Thanks for the response

 Ethan Hayon wrote:
 When I run the server in debug mode the Acct-Unique-Session-ID remains
 the same across the interim accounting updates. However,
 re-authentications don't seem to have a unique key associated with them. 
 
  That makes no sense.  There is *nothing* unique to each user you can
 key off of?  Name?  MAC address?

Yes, MAC address is unique for each user. The MAC should be a unique identifier 
when assigning IP's.

 
 In my post-auth policy, I am updating control with the proper pool-name
 (with an unlang), changing some other reply attributes, then calling
 dhcp_sqlippool. What I am doing doesn't /feel/ right. I am very new to
 this, does this sound like the proper way of handling the serving of
 ip's on multiple subnets. DHCP-Domain-Name-Server and
 DHCP-Router-Address will change between pools. 
 
  Get one thing working first.  Only then look at the next thing.
Good point

 
 I guess I'm asking if I am approaching this correctly: Using unlang in
 policy.conf to handle these rules. 
 
  unlang is for policy rules.  Databases are for data.  You've got some
 kind of mixup between the two.

Sorry for the misunderstanding. I understand this. I'm just making sure it is 
normal to use unlang in the policy.conf to perform sql queries and use the 
results to build up a response. Again, I need to get this working before 
worrying about that.

 
 Sorry to put such a long debug message in here. I pulled out one
 authorization request, but they all look the same. It looks like 
 
  They don't all look the same.  They contain different information for
 each user.  How else does the server tell users apart?

I am only using one device right now, so the auth requests look the same, hence 
why I only included one below. The auth requests will look different if I 
introduce more devices into the system.

 
 This is what my authorization looks like:
 
 The request comes in with a framed ip of 192.168.0.43, but it tries to
 serve it 192.168.0.50.
 
  The default queries use Calling-Station-Id to track IP addresses.
 They *also* assume that the NAS sends accounting packets, so that each
 user has an accounting entry in SQL.
 
 It reallocates a new IP for each auth every minute.
 
  Probably because the NAS isn't sending accounting data.  So the IP is
 never tracked in SQL.
 
  So... did you look in the SQL database to see what's there?  Is it
 tracking the IP?  Does the user have an accounting record?

Yes, the NAS is sending accounting data. This is what radacct looks like (some 
columns omitted):

+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+
| radacctid | acctsessionid    | acctuniqueid     | username          | nasipaddress  | callingstationid  | calledstationid | framedipaddress |
+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+
|        17 | 9e90e1a3b02da713 | 068649e121f096f2 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.40    |
|        18 | 61ebc2f61333e8d4 | 857f2f856c1ea384 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        19 | a8aed7c0d9ce3bd1 | 541ef5a9672cc6e7 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        20 | 5bd18f3ccb1edf8a | e3c55f048d9a680b | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        21 | 72ad87c6b43a08b4 | e427b47f54737c4f | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        22 | bff889e83c3b469b | 70ec2fe5fa197bcc | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+

So there is an accounting record for each user and each user session.

Right now, I'm thinking there is a mismatch either in the nasipaddress or some 
other attribute. The NAS has a WAN ip of 98.109.201.89 and a LAN IP of 
192.168.1.1. The RADIUS server is on LAN at 192.168.1.2. I have noticed that 
sometimes the nasipaddress appears as 192.168.1.1 and other times as 
98.109.201.89. I think I am going to start with a fresh install of freeradius. 
I messed with too many queries (such as adjusting the Pool-Key) and I am 
worried that I have created a mess. 

Ethan Hayon

 
  Alan DeKok.
