Re: few accounting records with same radacctid
nobody?

On 07/02/2013 13:25, Hocine M wrote:
> hello,
>
> In my accounting table there are many records with the same radacctid for one username. In this case:
>
>   | 23547 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | NULL                | 192.168.58.5 | 00-26-3E-70-99-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
>   | 23554 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | 2013-02-07 12:39:41 | 192.168.58.4 | 00-0B-0E-A9-5B-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
>
> Are these normal records, or is the simultaneous-use not working in my case?
>
> Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: few accounting records with same radacctid
On 02/08/2013 09:04 AM, Hocine M wrote:
> nobody?

The only thing that stands out is the Called-Station-Id is different.

This suggests to me that something about the accounting packets changes as the client moves around (associates to different APs) and that the accounting SQL queries you are using don't handle that.

Which version of the server are you using, which SQL database, are you using the standard SQL query config and schema that comes with the server, and can you show a debug "radiusd -X" of an accounting packet (ideally a duplicate, but anything if not)?
Re: few accounting records with same radacctid
Hi,

> In my accounting table there are many records with the same radacctid for one username.

as Phil says - and can be seen, different called-station-id - and different (NAS id) IP address - what are your accounting statements?

alan
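What the two rows above mean for a Simultaneous-Use check, as an added example that is not part of the thread or of FreeRADIUS: it groups radacct rows by Acct-Session-Id and User-Name, reports which attributes differ between the copies, and flags the still-open row as a roaming leftover. The two rows are transcribed from Hocine's table; the column subset and the "stale" rule are this example's own.

```python
"""Detect radacct rows that share one Acct-Session-Id and flag the stale open
row that a naive Simultaneous-Use count would treat as a live session."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

FMT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class RadAcct:
    radacctid: int
    acctsessionid: str
    username: str
    acctstarttime: str
    acctstoptime: Optional[str]   # None stands for SQL NULL, i.e. still "open"
    nasipaddress: str
    calledstationid: str
    callingstationid: str


# Constructed from the two rows quoted in the thread (unneeded columns dropped).
ROWS = [
    RadAcct(23547, "SESS-50639-54b752-237134-642", "t...@univ-rouen.fr",
            "2013-02-07 12:38:54", None,
            "192.168.58.5", "00-26-3E-70-99-C0:eduroam", "CC-08-E0-BB-05-7E"),
    RadAcct(23554, "SESS-50639-54b752-237134-642", "t...@univ-rouen.fr",
            "2013-02-07 12:38:54", "2013-02-07 12:39:41",
            "192.168.58.4", "00-0B-0E-A9-5B-C0:eduroam", "CC-08-E0-BB-05-7E"),
]

SessionKey = Tuple[str, str]


def group_by_session(rows: List[RadAcct]) -> Dict[SessionKey, List[RadAcct]]:
    """Group rows by (Acct-Session-Id, User-Name), the pair the NAS keeps
    constant for one session even when the client re-associates to another AP."""
    groups: Dict[SessionKey, List[RadAcct]] = defaultdict(list)
    for r in rows:
        groups[(r.acctsessionid, r.username)].append(r)
    return groups


def duplicate_sessions(rows: List[RadAcct]) -> Dict[SessionKey, List[RadAcct]]:
    """Every session that was stored more than once."""
    return {k: v for k, v in group_by_session(rows).items() if len(v) > 1}


def what_changed(a: RadAcct, b: RadAcct) -> List[str]:
    """Attributes that differ between two rows of the same session. Differing
    NAS-IP-Address / Called-Station-Id is the roaming pattern Phil describes:
    the later packet no longer matched the first row, so a new one was inserted."""
    fields = ("nasipaddress", "calledstationid", "callingstationid", "acctstarttime")
    return [f for f in fields if getattr(a, f) != getattr(b, f)]


def simultaneous_use_count(rows: List[RadAcct], username: str) -> int:
    """What a Simultaneous-Use query sees: rows with AcctStopTime IS NULL."""
    return sum(1 for r in rows if r.username == username and r.acctstoptime is None)


def stale_open_rows(rows: List[RadAcct]) -> List[int]:
    """radacctid of open rows whose session has another row that already stopped
    at or after the open row's start: leftovers from a roam, not live sessions."""
    stale = []
    for group in group_by_session(rows).values():
        stops = [datetime.strptime(r.acctstoptime, FMT) for r in group if r.acctstoptime]
        if not stops:
            continue
        last_stop = max(stops)
        for r in group:
            if r.acctstoptime is None and datetime.strptime(r.acctstarttime, FMT) <= last_stop:
                stale.append(r.radacctid)
    return stale


if __name__ == "__main__":
    for (sess, user), group in duplicate_sessions(ROWS).items():
        ids = [r.radacctid for r in group]
        print(f"session {sess} for {user} stored {len(group)}x (radacctid {ids}); "
              f"differs in {what_changed(group[0], group[1])}")
    print("open rows counted by Simultaneous-Use:",
          simultaneous_use_count(ROWS, "t...@univ-rouen.fr"))
    print("stale open rows:", stale_open_rows(ROWS))
```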
MAC-Auth with EAP
I am setting up our Freeradius to do authentication for MAC address for windows PC. This is to enable PCs to connect to the AD to access Domain information just before the Windows User Logon Screen. The PC is already connected to a Cisco switch port which has been configured for 802.1x.

I have stored a list of authorized MAC addresses in a file called authorized_macs in the Freeradius confdir. I have also set up appropriate commands in the Authorize and Authentication sections of the sites-enabled/default file for authorization and authentication.

I can see from the log that the MAC address is checked and OK. But there is an "[eap] returns reject" just after the MAC address was successfully checked. I guess I need a way to get radius to force an EAP accept after successful checking of the MAC addresses.

Below is my Auth-Type statement which gets the system to do MAC address checking for PCs connecting with the hint "thehive". The else statement is to cause all other requests to be processed normally using mschap_ad (which is a function that calls ntlm_auth).

    Auth-Type MS-CHAP {
        if ( Hint == validmac) {
            authorized_macs
            update control {
                Auth-Type := Accept
            }
        }
        else {
            mschap_ad
        }
    }

Below is the extract of the log highlighting successful MAC address checking which still returns "[eap] returns reject":

    # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
    [mschapv2] +- entering group MS-CHAP {...}
    [mschapv2] ++? if (outer.Hint == validmac)
    [mschapv2] ? Evaluating (outer.Hint == validmac) -> TRUE
    [mschapv2] ++? if (outer.Hint == validmac) -> TRUE
    [mschapv2] ++- entering if (outer.Hint == validmac) {...}
    [authorized_macs] expand: %{Calling-Station-ID} -> 00-1a-a0-b8-3b-73
    +++[authorized_macs] returns noop
    ++- if (outer.Hint == thehive) returns noop
    ++ ... skipping else for request 14: Preceding if was taken
    [eap] Freeing handler
    ++[eap] returns reject
    Failed to authenticate the user.
    Login incorrect: [host/hive-rjm2.library.networcs.net] (from client 193.62.48.37 port 50242 cli 00-1a-a0-b8-3b-73 via TLS tunnel)
    } # server inner-tunnel
    [peap] Got tunneled reply code 3
            EAP-Message = 0x04080004
            Message-Authenticator = 0x
    [peap] Got tunneled reply RADIUS code 3
            EAP-Message = 0x04080004
            Message-Authenticator = 0x
    [peap] Tunneled authentication was rejected.

--
'Tunde Ogedengbe
But thanks be to God, who gives me the VICTORY through my Lord Jesus CHRIST - 1 Corinthians 15:57
Re: MAC-Auth with EAP
On 08/02/13 12:52, Tunde Ogedengbe wrote:
> I can see from the log that the MAC address is checked and OK. But there is an "[eap] returns reject" just after the MAC address was successfully checked. I guess I need a way to get radius to force an EAP accept after successful checking of the MAC addresses.

This doesn't work. You can't force accept of an EAP session. The protocol is challenge/response and must complete correctly at both ends.

Your approach won't work. Instead, you must configure pre-login 802.1x authentication correctly on the Windows side, either using machine credentials or user creds.
Session-Timeout anomalies
Hello all,

I'm researching this anomaly myself in all the documentation, but thought it would also be helpful both to me and to others to post the problem here.

SYMPTOM: Some Access-Period accounts (accounts which have X number of seconds to continue logging in and out starting from the very first login) are giving too much time -- that is, at some point they reload the full value of the account type and restart the count down. I discovered it while developing some interface code for our customer service dept.

So far, this DOES NOT seem to be happening to all accounts. Moreover, the database info and radclient results are inconsistent on these accounts that ARE showing the anomaly.

Here is an example of one such account, a development test account which I created for debugging purposes. Its value is 30 days (2592000 seconds).

Radclient result:
===
    # echo User-Name=cgitest,User-Password=cgitest | radclient -c 1 -n 3 -r 3 -t 3 -x 127.0.0.1:1812 auth -S shared
    Sending Access-Request of id 24 to 127.0.0.1 port 1812
            User-Name = cgitest
            User-Password = cgitest
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=24, length=26
            Session-Timeout = 2366393
===

sql query:
    SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) FROM radacct WHERE UserName='cgitest' ORDER BY AcctStartTime LIMIT 1 \g
    +------------------------------------------------------------+
    | IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) |
    +------------------------------------------------------------+
    |                                                    1447012 |
    +------------------------------------------------------------+
===

Ok, the problem here should be obvious but I'll explain these results for those who are impatient. The Session-Timeout number is way too large. As I stated previously, this is a 30 day account. It was counting down with no problems until a few days ago. It then mysteriously began reporting in the popup window which I was working on that it had 29.9 days left on it, after it had already counted down to something like 15 days. It simply seems to have reloaded itself, even though the sql query reports the accurate number of seconds which have actually expired (1447012).

So if we do the math: 2592000-1447012=1144988 (or roughly 13.25 days) should be the remaining time on this account. Not 27.38 days.

Here is the sql counter from sqlcounter.conf:

    sqlcounter accessperiod {
        counter-name = Max-Access-Period-Time
        check-name = Access-Period
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = '%{%k}' ORDER BY AcctStartTime LIMIT 1"
    }

(Before anyone bitches about the sql query being different, save your pixels -- no matter which style of query is used, the account reports that it began at the same time, there is truly no issue here that I can see).

ALSO, BEFORE YOU ASK: There is only 1 radius server and only 1 sql server on the system. Besides, I have tested this exhaustively using different things like the public IP, the fqdn, etc etc. Results are the same - that is to say, wrong. lol

Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left? Where is Session-Timeout getting this information? Why is it only doing it on some accounts and not others?

Any insights would be greatly appreciated. I will post the resolution here (unless one of you smart lads or lasses beats me to it ;) ).
Issues with Freeradius crashing after a sighup
Hi all,

I've inherited a pair of Freeradius servers running Vsn 2.10 and have built a new server around the 2.2 source code. All of these servers exhibit the same problem in that after a SIGHUP to reload their configuration files they sometimes crash.

Firstly the 2.1 servers

We have 2 of them configured to support our wired and wireless auth user base. Each server has a primary auth function (wired or wireless) and acts as a backup for the other server. These are running on an old Debian OS and make use of the Freeradius versions available through the apt-get package manager.

Configuration wise everything uses password files and all logs are written to a local hard disk. We don't use SQL or AD or any other systems in the authentication or accounting process. Password files are updated every 15 mins and are followed by a "service freeradius reload" command to bring them on line. At least once a day the freeradius daemon will crash just after the reload command. The normal logfiles (see below) just show the following with no indication of why the process crashed. Crashes happen randomly on both servers, although the server handling the wireless network crashes more frequently than the one handling the wired network.

    Fri Feb 8 00:05:03 2013 : Info: HUP - loading modules
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module attr_filter.post-proxy
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module attr_filter.pre-proxy
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module attr_filter.access_reject
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module attr_filter.accounting_response
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module pap
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module files
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module accounting_log
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module auth_log
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module reply_log
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module pre_proxy_log
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module post_proxy_log
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module york_passwd
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module landb_device_info
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module switch_vlan_info
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module sql_log
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module suffix
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module mschap
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module mschap_default
    Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module detail
    Fri Feb 8 00:05:03 2013 : Info: Loaded virtual server default
    Fri Feb 8 00:05:03 2013 : Info: Loaded virtual server inner-tunnel
    Fri Feb 8 00:05:03 2013 : Info: Loaded virtual server eduroam

Freeradius version 2.2 - wireless server

The 2.2 server was compiled from source on an Ubuntu 12.04 LTS VMware server and has a slightly different configuration. Configuration files are used for MAC based authentication and for some standard users such as the University of York eduroam health check test account. For 802.1x authentication I use a back end AD system and authenticate all our real users against AD.

Configuration files for MAC based authentication, RADIUS clients and test users are generated once a day and the system is reloaded at midnight every day. The configuration used on this server is based upon the template one provided by UKERNA for their UK eduroam user base. This server can run for a couple of weeks before it crashes.

I know I should run the daemon with the -X option and dump the output to a file, but given the random nature of these crashes, I'm not sure I'll have enough disk space to just run in debug mode and collect all the logs.

Anyone else seen server crashes on a reload?

Rgds
Alex
Re: Issues with Freeradius crashing after a sighup
Alex Sharaz wrote:
> Firstly the 2.1 servers

shrug
Upgrade.

> Password files are updated every 15 mins and are followed by a "service freeradius reload" command to bring them on line.

See the changelog for 2.2.0. The passwd module had issues with older versions of the server.

You can also reload individual modules. That will be less likely to have issues. i.e.

    $ radmin -e hup passwd

> Anyone else seen server crashes on a reload?

Unfortunately I've seen this before. I haven't seen enough information to track it down and fix it, though.

Alan DeKok.
RE: [EAP/TLS] Authentication through a certificate
I began setting up the configuration, but I got two problems: clients with a good certificate can be authenticated even if they're not in the users file. I assume it's due to my code. Here is what is under the authenticate section of default:

    Auth-Type eap {
        eap
        if ( %{TLS-Client-Cert-Subject} =~ /\/\// ) {
            if ( %{TLS-Client-Cert-Subject} =~ /\/xxx\// ) {
                ok
            }
            else {
                fail
            }
        }
    }

It's like when the condition is checked, it bypasses the users file. Maybe I must move these lines under authorize? Anyone to confirm it?

cheers

> Date: Mon, 4 Feb 2013 10:32:22 -0500
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authentication through a certificate
>
> vazoumana fofana wrote:
>> I've got a question about EAP/TLS and authentication for a client through a certificate. I succeeded in setting it up. But I notice that freeradius matches the client login with the certificate CNAME. Is it possible to change it in order to match email instead of CNAME?
>
> Yes. Read the eap.conf file, and the raddb/sites-available/default. This is documented.
>
> Alan DeKok.
Re: Session-Timeout anomalies
>> Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left?
>
> That is *entirely* the wrong question. It's why you haven't solved the problem yet.
>
> Look at the *radius server* debug output. It's the one sending the Session-Timeout. You should be able to figure out where the session-timeout is coming from.
>
>> Where is Session-Timeout getting this information? Why is it only doing it on some accounts and not others?
>
> Look at the debug output. Honestly. We say this DAILY on this list. There is no excuse for refusing to do that.

Alan, take a deep breath. Of course I've looked at the debug output. Note my opening sentence, ol' pardner. ;)
Re: Session-Timeout anomalies
Bill Isaacs wrote:
>> Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left?

From the RADIUS server. This isn't magic. radclient doesn't invent attributes in reply packets. It receives them from the RADIUS server.

> Alan, take a deep breath. Of course I've looked at the debug output. Note my opening sentence, ol' pardner. ;)

Well... your question about where does radclient get that value from is entirely missing the point. It gets it from the RADIUS server. I've said this. I have no idea how to convince you it's true.

And the *only* way to debug the RADIUS server is to look at the debug output. And no, your original message did *not* say you had run the server in debugging mode. There's only a reference to creating an account for debugging purposes. There's no "radiusd -X" output.

My frustration here is that the documentation and my messages cannot possibly be any more clear. Yet you're wandering around doing everything *but* what the documentation says, and then wondering why I'm getting annoyed.

Run the server in debugging mode. Really. Do it. I mean it.

If you want to track down the issue to a specific module, update the config to do:

    update reply {
        Reply-Message += "A %{reply:Session-Timeout}"
    }

Cut & paste that through various pieces of authorize, post-auth, etc. Change the A to B, C, etc. You should see 10-20 Reply-Messages in the Access-Accept. Each with a value for Session-Timeout. That lets you track *what* the value is, and *where* in the config the value is coming from.

Then once you know it's a particular module, you can figure out how to fix that module.

Right now, you're staring at the radclient output, wondering why the server isn't working. That's a mistake.

Alan DeKok.
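Reading the Reply-Message checkpoints Alan describes, as an added example that is neither FreeRADIUS code nor from the thread: once `Reply-Message += "A %{reply:Session-Timeout}"` has been pasted through the config with successive letters, the Access-Accept carries one marker per checkpoint, and this script lists where the value changed and compares each checkpoint with what sqlcounter should have replied (check value minus elapsed seconds). The reply text and the marker-to-section map are constructed; only the numbers (2592000, 1447012, 2366393) come from Bill's message.

```python
"""Follow Session-Timeout through Reply-Message checkpoints in an Access-Accept."""
import re
from typing import List, Optional, Tuple

# Constructed Access-Accept in the shape radclient -x prints it; not real output.
SAMPLE_REPLY = """\
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=24, length=120
\tReply-Message = "A "
\tReply-Message = "B "
\tReply-Message = "C 1144988"
\tReply-Message = "D 1144988"
\tReply-Message = "E 2366393"
\tReply-Message = "F 2366393"
\tSession-Timeout = 2366393
"""

# Where each marker was pasted: the operator's own bookkeeping (constructed here).
CHECKPOINTS = {
    "A": "authorize: start",
    "B": "authorize: after sql",
    "C": "authorize: after accessperiod",
    "D": "authorize: end",
    "E": "post-auth: after <module under suspicion>",
    "F": "post-auth: end",
}

# "A " (marker, space, nothing) is what %{reply:Session-Timeout} expands to
# before the attribute exists, so the digits are optional.
MARKER_RE = re.compile(r'Reply-Message\s*=\s*"([A-Za-z])\s*([0-9]*)"')

Trace = List[Tuple[str, Optional[int]]]


def parse_checkpoints(text: str) -> Trace:
    """(marker, Session-Timeout seen at that point) in packet order;
    None means the attribute had not been set yet."""
    out: Trace = []
    for m in MARKER_RE.finditer(text):
        marker, value = m.group(1), m.group(2)
        out.append((marker, int(value) if value else None))
    return out


def value_changes(trace: Trace) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Each checkpoint where Session-Timeout differs from the previous one,
    as (marker, previous value, new value)."""
    changes, prev = [], None
    for marker, value in trace:
        if value != prev:
            changes.append((marker, prev, value))
        prev = value
    return changes


def expected_session_timeout(check_value: int, elapsed: int) -> Optional[int]:
    """sqlcounter's arithmetic for reset = never: the counter is the seconds
    elapsed since the first session; reject (None) once it reaches the check
    value, otherwise reply Session-Timeout = check value - counter."""
    if elapsed >= check_value:
        return None
    return check_value - elapsed


def first_wrong_checkpoint(trace: Trace, expected: int) -> Optional[str]:
    """First marker at which a set value disagrees with the expected reply."""
    for marker, value in trace:
        if value is not None and value != expected:
            return marker
    return None


if __name__ == "__main__":
    trace = parse_checkpoints(SAMPLE_REPLY)
    expected = expected_session_timeout(2592000, 1447012)  # Bill's 30-day account
    for marker, old, new in value_changes(trace):
        print(f"{marker} ({CHECKPOINTS.get(marker, '?')}): {old} -> {new}")
    bad = first_wrong_checkpoint(trace, expected)
    print(f"expected {expected}; first checkpoint returning something else: "
          f"{bad} ({CHECKPOINTS.get(bad, '?')})")
```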
Any interoperability issues with Aruba and Freeradius
Hi All,

I'm sure the answer to this is nope, but ...

At a recent Aruba training course in amongst the documentation supplied to us were a couple of presentation slides showing different types of eap authentication against recommended RADIUS servers for use with Aruba equipment (just to be sure, the slide heading said Aruba RADIUS Compatibility). The surprising bit was the fact that there was a No against Freeradius/TTLS (MD5, TLS, PEAP, LEAP, FAST all were yes) and a comment that said Freeradius also supports TTLS.

Now it may well be that the slide is a bit old and just hasn't been updated, but it does beg the question: have any people using Freeradius with Aruba kit experienced any funnies that needed a specific set of tweaking for Aruba? I really can't imagine that it would be the case, but just thought I'd check.

Rgds
Alex
Re: MAC-Auth with EAP
Ok. Can you pls help with the procedure for configuring pre-login on Windows for 802.1x? Windows is sending packets to RADIUS as host/machine-name.domain. I would like to have a dedicated userid/password configured on windows for pre-login machine authentication.

'Tunde Ogedengbe

On 8 Feb 2013 13:18, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 08/02/13 12:52, Tunde Ogedengbe wrote:
>> I can see from the log that the MAC address is checked and OK. But there is an "[eap] returns reject" just after the MAC address was successfully checked. I guess I need a way to get radius to force an EAP accept after successful checking of the MAC addresses.
>
> This doesn't work. You can't force accept of an EAP session. The protocol is challenge/response and must complete correctly at both ends.
>
> Your approach won't work. Instead, you must configure pre-login 802.1x authentication correctly on the Windows side, either using machine credentials or user creds.
Re: Any interoperability issues with Aruba and Freeradius
Alex Sharaz wrote:
> At a recent Aruba training course in amongst the documentation supplied to us were a couple of presentation slides showing different types of eap authentication against recommended RADIUS servers for use with Aruba equipment (just to be sure, the slide heading said Aruba RADIUS Compatibility). The surprising bit was the fact that there was a No against Freeradius/TTLS (MD5, TLS, PEAP, LEAP, FAST all were yes) and a comment that said Freeradius also supports TTLS.

I fail to see how that can be true. Aruba sells access points. Not supplicants. APs are supposed to pass EAP from the supplicant to the RADIUS server. With no changes.

Unless Aruba is doing something *truly* stupid, it should work.

> Now it may well be that the slide is a bit old and just hasn't been updated, but it does beg the question: have any people using Freeradius with Aruba kit experienced any funnies that needed a specific set of tweaking for Aruba? I really can't imagine that it would be the case, but just thought I'd check.

I haven't heard of any issues. If it requires tweaking for Aruba, then Aruba has failed to implement the standards correctly.

Alan DeKok.
Re: [EAP/TLS] Authentication through a certificate
As already said, post output of radiusd -X (that will clearly show the logic taken)

alan
Re: MAC-Auth with EAP
On 08/02/13 16:09, Tunde Ogedengbe wrote:
> Ok. Can you pls help with the procedure for configuring pre-login on Windows for 802.1x? Windows is sending packets to RADIUS as host/machine-name.domain. I would like to have a dedicated userid/password configured on windows for pre-login machine authentication.

Windows doesn't support that. Your options are:

1. Use the machine account
2. Use the user/password typed into the login box

That's it - that's all windows supports.

As for configuring it - right-click on the network adapter settings, select the authentication tab, click the additional settings button. The options should be self explanatory. If not, consult the Microsoft docs:

http://technet.microsoft.com/en-gb/magazine/2007.11.cableguy.aspx
Re: Any interoperability issues with Aruba and Freeradius
On 08/02/13 16:19, Alan DeKok wrote:
> If it requires tweaking for Aruba, then Aruba has failed to implement the standards correctly.

Was it Aruba who we had all the issues with terminating PEAP/TTLS locally on the controller, then transforming the inner EAP-MSCHAPv2 to plain MSCHAPv2 and mangling it?

I seem to recall a flurry of posts to the list that were solved by turning all that off, but this was a couple of years ago.
Re: Freeradius-Users Digest, Vol 94, Issue 19
1st response

On 8 Feb 2013, at 16:09, freeradius-users-requ...@lists.freeradius.org wrote:
> Today's Topics:
>
> 1. Re: Issues with Freeradius crashing after a sighup (Alan DeKok)
> 2. RE: [EAP/TLS] Authentication through a certificate (vazoumana fofana)
> 3. Re: Session-Timeout anomalies (Bill Isaacs)
> 4. Re: Session-Timeout anomalies (Alan DeKok)
> 5. Any interoperability issues with Aruba and Freeradius (Alex Sharaz)
> 6. Re: MAC-Auth with EAP (Tunde Ogedengbe)
Re: Issues with Freeradius crashing after a sighup
On Fri, Feb 08, 2013 at 10:10:05AM -0500, Alan DeKok wrote:
> Alex Sharaz wrote:
>> Anyone else seen server crashes on a reload?
>
> Unfortunately I've seen this before. I haven't seen enough information to track it down and fix it, though.

One workaround is to just do a restart instead of a reload. It's not likely to make much of a difference.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
RE: [EAP/TLS] Authentication through a certificate
here is the output:

    ? Evaluating (%{TLS-Client-Cert-Subject} =~ //) -> TRUE
    ++? if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) -> TRUE
    ++- entering if (%{TLS-Client-Cert-Subject} =~ /\/O=\// ) {...}
    +++? if (%{TLS-Client-Cert-Subject} =~ /\/OU=\// )
            expand: %{TLS-Client-Cert-Subject} -> /
    ? Evaluating (%{TLS-Client-Cert-Subject} =~ /\/xxx\//) -> TRUE
    +++? if (%{TLS-Client-Cert-Subject} =~ /\/x\// ) -> TRUE
    +++- entering if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) {...}
    [noop] returns noop
    +++- if (%{TLS-Client-Cert-Subject} =~ /\/xxx\// ) returns noop
    +++ ... skipping else for request 21: Preceding if was taken
    ++- if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) returns noop
    Login OK: [xx] (from client xxx

I understand that eap returns ok, so the user is authenticated. It's not what I want to do. I want the client certificate to be authenticated by:
- being in the users file
- having the right certificate

> From: a.l.m.bu...@lboro.ac.uk
> To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authentication through a certificate
> Date: Fri, 8 Feb 2013 16:20:20 +
>
> As already said, post output of radiusd -X (that will clearly show the logic taken)
>
> alan
regarding radius crashing on sigHUP
> Alex Sharaz wrote:
>> Anyone else seen server crashes on a reload?
>
> Unfortunately I've seen this before. I haven't seen enough information to track it down and fix it, though.

| One workaround is to just do a restart instead of a reload. It's
| not likely to make much of a difference.

:-) that's what I ended up doing

Rgds
A
Re: Any interoperability issues with Aruba and Freeradius
Aruba now say they only support eap-tls and eap-peap when you offload eap onto their mobility controllers.

Rgds
Alex

On 8 Feb 2013, at 16:46, freeradius-users-requ...@lists.freeradius.org wrote:
> Re: Any interoperability issues with Aruba and Freeradius
Re: Issues with Freeradius crashing after a sighup
| See the changelog for 2.2.0. The passwd module had issues with
| older versions of the server.
|
| You can also reload individual modules. That will be less likely to
| have issues. i.e.
|
| $ radmin -e hup passwd
|

And from the control-socket code

    #
    #  Control socket interface.
    #
    #  HIGHLY experimental!  It should NOT be used in production
    #  environments.
    #

The servers are in a production environment. I'd really like to try just reloading the passwd module to see if it makes any difference to the server stability, but not to the detriment of any security type issues.

A
Re: Any interoperability issues with Aruba and Freeradius
Alex Sharaz wrote:
> Aruba now say they only support eap-tls and eap-peap when you offload eap onto their mobility controllers.

That is a stupid response from them. If they follow the specs, they should pass EAP straight through to the RADIUS server. If they do anything else, they are *intentionally* breaking inter-operability. So you're forced to buy their crappy RADIUS server.

All of the other WiFi vendors can get EAP to work. If Aruba can't, it's because (a) they're incompetent, or (b) being rude about it.

Alan DeKok.
Re: Issues with Freeradius crashing after a sighup
Alex Sharaz wrote:
> And from the control-socket code

In older versions of the software. Version 2.2.0 does *not* have that text.

> The servers are in a production environment. I'd really like to try just reloading the passwd module to see if it makes any difference to the server stability, but not to the detriment of any security-type issues

There are no security issues with using the control socket.

Alan DeKok.
Re: Any interoperability issues with Aruba and Freeradius
I have to say that in their defence, the eap offloading is switched off by default and you do actually have to switch it on.

A

On 8 Feb 2013, at 17:27, Alan DeKok al...@deployingradius.com wrote:

> Alex Sharaz wrote:
> > Aruba now say they only support eap-tls and eap-peap when you offload eap onto their mobility controllers.
>
> That is a stupid response from them. If they follow the specs, they should pass EAP straight through to the RADIUS server. If they do anything else, they are *intentionally* breaking inter-operability. So you're forced to buy their crappy RADIUS server.
>
> [...]
>
> Alan DeKok.
Re: Any interoperability issues with Aruba and Freeradius
> * there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part.

I've got a strange thing here as well. In the inner-tunnel config there's a commented option that says "uncomment this if you want to pass back the inner user-name attribute to the outer level". I uncommented this on my 2.2 server and tested that things worked o.k. using windoze, os/x and iOS clients manually configured. I then used the test utility from wpa-supplicant to try different combinations of inner/outer user-names, and that worked as well.

Imagine my surprise when I connected with my iPhone, which was configured using our XpressConnect setup, and it failed, telling me that I had an identity mismatch. When I commented out the config option again, my iPhone started working again.

Interestingly enough, even without the commented config, the User-Name appears in the outgoing Access-Accept packet. Haven't looked to see why yet, got other issues.

Rgds
Alex
Re: Issues with Freeradius crashing after a sighup
Think I just had a senior moment. The server runs 2.2 code compiled from source, but I copied all the configs over from the UKERNA freeradius sample and then amended them to run against our AD service. The UKERNA control-socket config does have the text.

My fault

Rgds
Alex

On 8 Feb 2013, at 17:31, Alan DeKok al...@deployingradius.com wrote:

> Alex Sharaz wrote:
> > And from the control-socket code
>
> In older versions of the software. Version 2.2.0 does *not* have that text.
>
> [...]
>
> There are no security issues with using the control socket.
>
> Alan DeKok.
Re: Any interoperability issues with Aruba and Freeradius
Hi,

> * there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part.

stick something like this into your inner-tunnel authorize section:

  # Workaround for EAP-TTLS MsCHAPv2, not adding outer.reply attributes
  # If we use both methods we get duplicate User-Name attributes.
  #
  if (("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) {
      update reply {
          User-Name := "%{User-Name}"
      }
  }

alan
Re: Issues with Freeradius crashing after a sighup
Hi,

> Anyone else seen server crashes on a reload?

Don't HUP, do a restart. It's clean and it's pretty much just as quick.

alan
Re: Issues with Freeradius crashing after a sighup
Hi,

> > $ radmin -e hup passwd
>
> And from the control-socket code
>
>   #
>   #  Control socket interface.
>   #
>   #  HIGHLY experimental!  It should NOT be used in production
>   #  environments.
>   #
>
> The servers are in a production environment. I'd really like to try just reloading the passwd module to see if it makes any difference to the server stability, but not to the detriment of any security-type issues

It's been fine since 2.0 - I would ignore that error. I know of many sites that use it on their production servers - for a start, you need such a thing if monitoring FreeRADIUS with munin etc.

alan
Re: Issues with Freeradius crashing after a sighup
Hi,

> Think I just had a senior moment. The server runs 2.2 code compiled from source, but I copied all the configs over from the UKERNA freeradius sample and then amended them to run against our AD service. The UKERNA control-socket config does have the text. My fault

who is UKERNA? ;-)

alan
Re: Any interoperability issues with Aruba and Freeradius
On 08/02/13 17:14, Alex Sharaz wrote:
> Aruba now say they only support eap-tls and eap-peap when you offload eap onto their mobility controllers.

Well, don't do offload - it's a pretty bad idea anyway, and vendors have a history of mangling it.
PAM authentication not working
Hi folks,

Having managed to get freeradius 2.10 to run on Debian squeeze with a username and password defined in /etc/freeradius/users, I was hoping to take a step forward by getting it to authenticate users through PAM. But, that's not working out as I had hoped. Could somebody please tell me what's missing, or what I'm doing wrong?

So far I have done the following:

1.) Copied a set of 4096-bit MD5 SSL certificates that were used in the previous configuration to the /etc/freeradius/certs directory. To generate them, each time I used LongStringNumberOne for both the input and output passwords. Among the encryption files generated are ca.pem, dh, server.key and server.pem. The ca.pem file was also copied to my laptop's /etc/certs directory and is used with wpasupplicant for testing the system.

2.) Added the following lines to the end of /etc/freeradius/clients:

  client 192.168.2.0/24 {
      secret    = LongStringNumberTwo
      shortname = mynet
  }

3.) Added the following line to the end of /etc/freeradius/users:

  DEFAULT Auth-Type = Pam

4.) In /etc/freeradius/eap.conf I changed the values of the following two attributes to:

  default_eap_type = ttls
  private_key_password = LongStringNumberOne

5.) In /etc/freeradius/radiusd.conf I changed the value of the following attribute to:

  user = root

6.) In both /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel, I uncommented the pam entry in section authenticate.

7.) Some sources suggest changing it, but I chose to leave the contents of /etc/pam.d/radiusd unmodified:

  @include common-auth
  @include common-account
  @include common-password
  @include common-session

8.) My NAS is a Linksys WRT54GS running DD-WRT v24 firmware and is configured as follows:

  Wireless Mode                   AP
  Wireless Network Mode           Mixed
  Wireless Network Name (SSID)    mynet
  Wireless Channel                6 - 2.437 GHz
  Wireless SSID Broadcast         Enable
  Network Configuration           Bridged
  Security Mode                   WPA2 Enterprise
  WPA Algorithms                  TKIP+AES
  RADIUS Server Address           192.168.2.12
  RADIUS Server Port              1812
  RADIUS Shared Secret            LongStringNumberTwo
  Key Renewal Interval (in sec.)  3600

Unfortunately, after starting the server in debugging mode with freeradius -X, my client's authentication attempts get rejected and I get the following output from the freeradius server:

=====
rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0, length=245
Cleaning up request 6 ID 0 with timestamp +12
WARNING: !!
WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
	User-Name = "jwinius"
	NAS-IP-Address = 192.168.2.2
	Called-Station-Id = "0014bf72f676"
	Calling-Station-Id = "00110a81fb2b"
	NAS-Identifier = "0014bf72f676"
	NAS-Port = 17
	Framed-MTU = 1400
	State = 0x2ecb21dd28cc340c8873b5871c637572
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020700701500170301002073bdd7051dfb44f3caccd4c92...
	Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a0471b0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
	EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
	FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
	EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "jwinius"
	State = 0xdbd7fca1dbd6f80c791225e3340ea6e4
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control]
Re: PAM authentication not working
Try by adding

  jwinius Cleartext-Password := xxx

On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius jwin...@umrk.nl wrote:

> Hi folks,
>
> Having managed to get freeradius 2.10 to run on Debian squeeze with a username and password defined in /etc/freeradius/users, I was hoping to take a step forward by getting it to authenticate users through PAM. But, that's not working out as I had hoped. Could somebody please tell me what's missing, or what I'm doing wrong?
>
> [...]
Re: PAM authentication not working
Sorry about the incomplete previous email,

Try by adding

  jwinius Auth-Type = pam
          Cleartext-Password := xxx

Deepti

On Fri, Feb 8, 2013 at 12:31 PM, Deepti kulkarni deepti.kde...@gmail.com wrote:

> Try by adding
>
>   jwinius Cleartext-Password := xxx
>
> On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius jwin...@umrk.nl wrote:
>
> > Hi folks,
> >
> > Having managed to get freeradius 2.10 to run on Debian squeeze with a username and password defined in /etc/freeradius/users, I was hoping to take a step forward by getting it to authenticate users through PAM. But, that's not working out as I had hoped. Could somebody please tell me what's missing, or what I'm doing wrong?
> >
> > [...]
Re: PAM authentication not working
Deepti kulkarni wrote:
> Sorry about the incomplete previous email,
>
> Try by adding
>
>   jwinius Auth-Type = pam
>           Cleartext-Password := xxx

That won't work.

Alan DeKok.
Re: PAM authentication not working
Jaap Winius wrote:
> ...
> [eap] processing type md5
> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication

You can't use PAM and EAP-MD5 together. It's impossible.

Alan DeKok.
Re: PAM authentication not working
Quoting Deepti kulkarni deepti.kde...@gmail.com:

> Try by adding
>
>   jwinius Auth-Type = pam
>           Cleartext-Password := xxx

Thanks for your reply, but that makes virtually no difference. The result is the same and freeradius' debug output only changes slightly:

...
[files] users: Matched entry jwinius at line 211
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
	Cleartext-Password := "xxx"
	EAP-Message = 0x04010004
	Message-Authenticator = 0x
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user jwinius
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
...

I should also mention that I've so far seen no activity in /var/log/auth.log, which I would expect if freeradius was actually making use of PAM, so I think a more basic issue is involved.

Thanks anyway,

Jaap
Re: PAM authentication not working
Quoting Alan DeKok al...@deployingradius.com:

> You can't use PAM and EAP-MD5 together. It's impossible.

That sounds like important information! To turn off EAP, I commented out all of the lines related to EAP in /etc/freeradius/sites-enabled/default and in /etc/freeradius/sites-enabled/inner-tunnel. Unfortunately, the result is still the same, but freeradius' debug output has changed significantly:

=====
...
rad_recv: Access-Request packet from host 192.168.2.2 port 1028, id=0, length=127
	User-Name = "jwinius"
	NAS-IP-Address = 192.168.2.2
	Called-Station-Id = "0014bf72f676"
	Calling-Station-Id = "00110a81fb2b"
	NAS-Identifier = "0014bf72f676"
	NAS-Port = 17
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020c016a77696e697573
	Message-Authenticator = 0x0695dc9b4d3f16a1fd94a9be695eb90d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 211
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PAM
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
rlm_pam: Attribute "User-Password" is required for authentication.
++[pam] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> jwinius
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.2.2 port 1028
...
=====

Still no activity in /var/log/auth.log.

Cheers,

Jaap
Re: PAM authentication not working
Jaap Winius wrote:
> That sounds like important information! To turn off EAP, I commented out all of the lines related to EAP in /etc/freeradius/sites-enabled/default and in /etc/freeradius/sites-enabled/inner-tunnel.

No. You can't turn off EAP. The client is sending EAP to the server. You need to change the client. And likely you can't, because it *needs* to do EAP.

> Unfortunately, the result is still the same, but freeradius' debug output has changed significantly:

Read it. If the messages aren't clear, I really don't know what to do.

Alan DeKok.
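The two errors in this thread (rlm_eap_md5 wanting a Cleartext-Password, rlm_pam wanting a User-Password) come from the same fact, and the Python model below is an added illustration of it, not FreeRADIUS code or anything posted to the list: the PamBackend stand-in, the module-style functions and the sample password are constructed, and the only value taken from the thread is the tunneled EAP-Message packet in Jaap's debug output.

```python
"""Why rlm_pam and EAP-MD5 cannot work together (added model, not FreeRADIUS code).

EAP-MD5 (RFC 3748 section 5.4) is a CHAP-style exchange: the server sends a
random challenge and the peer answers MD5(identifier || password || challenge),
so the server must itself hold the cleartext password to check the answer.
A PAM stack is the opposite: it keeps only hashes and needs the client's
cleartext (RADIUS User-Password, i.e. PAP) to verify anything at all.
"""
import hashlib
import hmac
import os

EAP_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4

# Tunneled EAP-Message from Jaap's debug output: Response, Id 1, length 22,
# Type 4 (MD5-Challenge), Value-Size 16, the 16-byte MD5 value, no Name.
PAGE_EAP_MESSAGE = bytes.fromhex("0201001604109f00ed2b3ff2dd5111997f0ba6cee99e")


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Value the peer returns for an MD5-Challenge (RFC 3748 s5.4 / RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response(identifier, password, challenge, name=b""):
    """EAP Response/MD5-Challenge: Code | Id | Length | Type | Value-Size | Value | Name."""
    value = eap_md5_response(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return bytes([EAP_RESPONSE, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_md5_response(packet: bytes):
    """Return (identifier, value, name); raise ValueError on a malformed packet."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier = packet[0], packet[1]
    if code != EAP_RESPONSE or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("not a well-formed EAP Response")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge response")
    value_size = packet[5]
    if value_size != 16 or len(packet) < 6 + value_size:
        raise ValueError("bad MD5-Challenge value size")
    return identifier, packet[6:6 + value_size], packet[6 + value_size:]


class PamBackend:
    """Hypothetical stand-in for a PAM stack: salted hashes only, so it can
    answer 'is this cleartext right?' but never hand the cleartext back."""

    def __init__(self) -> None:
        self._db = {}

    def add_user(self, user: str, password: bytes) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, hashlib.sha256(salt + password).digest())

    def authenticate(self, user: str, cleartext: bytes) -> bool:
        if user not in self._db:
            return False
        salt, digest = self._db[user]
        return hmac.compare_digest(hashlib.sha256(salt + cleartext).digest(), digest)


def rlm_pam(request: dict, backend: PamBackend):
    """Models rlm_pam: without User-Password there is nothing to hand to PAM."""
    if "User-Password" not in request:
        return "invalid", 'rlm_pam: Attribute "User-Password" is required for authentication.'
    if backend.authenticate(request["User-Name"], request["User-Password"]):
        return "ok", ""
    return "reject", "rlm_pam: authentication failed"


def rlm_eap_md5(request: dict, control: dict, challenge: bytes):
    """Models rlm_eap_md5: without Cleartext-Password the expected MD5 cannot be computed."""
    if "Cleartext-Password" not in control:
        return "invalid", "rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication"
    try:
        identifier, value, _name = parse_md5_response(request["EAP-Message"])
    except (KeyError, ValueError) as exc:
        return "invalid", f"rlm_eap_md5: {exc}"
    expected = eap_md5_response(identifier, control["Cleartext-Password"], challenge)
    if hmac.compare_digest(expected, value):
        return "ok", ""
    return "reject", "rlm_eap_md5: MD5-Challenge response does not match"


def run_scenarios() -> dict:
    """Replays the thread's situation with constructed data (the password is made up)."""
    password = b"constructed-sample-password"
    backend = PamBackend()
    backend.add_user("jwinius", password)
    challenge = os.urandom(16)  # what the server's MD5-Challenge request would carry
    results = {}
    # PAP: User-Password is present, so PAM can verify it.
    results["pam_pap"] = rlm_pam({"User-Name": "jwinius", "User-Password": password}, backend)[0]
    # Inner EAP-MD5 request (the page's packet): no User-Password, rlm_pam fails as in the log.
    md5_request = {"User-Name": "jwinius", "EAP-Message": PAGE_EAP_MESSAGE}
    results["pam_eap_md5"] = rlm_pam(md5_request, backend)[0]
    # rlm_eap_md5 with PAM as the only password source: the log's other error.
    results["eap_md5_no_cleartext"] = rlm_eap_md5(md5_request, {}, challenge)[0]
    # The method only works once the server knows the cleartext (e.g. a users-file entry).
    good = {"User-Name": "jwinius", "EAP-Message": build_md5_response(7, password, challenge)}
    bad = {"User-Name": "jwinius", "EAP-Message": build_md5_response(7, b"wrong", challenge)}
    results["eap_md5_cleartext"] = rlm_eap_md5(good, {"Cleartext-Password": password}, challenge)[0]
    results["eap_md5_wrong"] = rlm_eap_md5(bad, {"Cleartext-Password": password}, challenge)[0]
    return results
```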
Re: Session-Timeout anomalies
On 02/08/2013 09:50 AM, Alan DeKok wrote:
> Bill Isaacs wrote:
> > Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left?
>
> From the RADIUS server. This isn't magic. radclient doesn't invent attributes in reply packets. It receives them from the RADIUS server.
>
> Well... your question about where does radclient get that value from is entirely missing the point. It gets it from the RADIUS server. I've said this. I have no idea how to convince you it's true.

Alan, you're so much more fun when you're not being myopic. lol Of course it's getting the answer from the radius server. You really think I don't know that?

> And the *only* way to debug the RADIUS server is to look at the debug output. And no, your original message did *not* say you had run the server in debugging mode. There's only a reference to creating an account for debugging purposes. There's no radiusd -X output.

You're quite right Alan, it didn't. NOR did I say that it did. To paraphrase you, "You're staring at the first sentence, wondering where the debug output is. That's a mistake." :D

What I DID say was "I'm researching this anomaly myself in all the documentation, but thought it would also be helpful /both to me and to others/ to post the problem here." (emphasis added). What I implied in the ensuing message was that it would be posted here once I tracked the message down, but that posting it and the solution in nice digestible pieces for those not familiar at all with radius would be helpful to them.

I suspect if you went to decaf and quit asking 'why' others don't just do what should be done, you would have understood that. Take a deep breath. Read between the lines, and realize that if others understood radius the way you do, you'd be out of a job (at least on the board here). I'm trying to make this fun, and be worthwhile as a thread. So caaalm down. ok?

I'll post the debug output along with what it reveals as soon as I've worked it all out thoroughly. Trust me. :)

> ... why I'm getting annoyed.

See decaf above.

> If you want to track down the issue to a specific module, update the config to do:
>
>   update reply {
>       Reply-Message += "A %{reply:Session-Timeout}"
>   }
>
> Cut & paste that through various pieces of authorize, post-auth, etc. Change the A to B, C, etc. You should see 10-20 Reply-Messages in the Access-Accept. Each with a value for Session-Timeout. That lets you track *what* the value is, and *where* in the config the value is coming from. Then once you know it's a particular module, you can figure out how to fix that module.

Now *there* is a wholly useful piece of information. Bravo! Sooner or later, we'll clear out enough of the rants to expose goodies, no? :D
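To read the Access-Accept that Alan's Reply-Message probes produce, here is an added Python helper (not from the thread or from FreeRADIUS) that takes radclient-style attribute lines and names the probe at which Session-Timeout first carried its final value; the sample reply, the probe placement and the numbers in it are constructed.

```python
"""Locate which part of the config set Session-Timeout, from Reply-Message probes.

Added helper, not from the thread or from FreeRADIUS. It assumes the probes
were placed as Alan describes (one letter per location, in execution order)
and that the Access-Accept was captured with radclient, whose attribute lines
look like: Reply-Message = "B 2360762". Everything below is constructed.
"""
import re

# Constructed radclient output. Probe A sits after the files module, B after
# the sqlcounter module, C at the end of authorize and D in post-auth; an
# unset attribute expands to nothing, which is why A carries an empty value.
SAMPLE_ACCESS_ACCEPT = """\
Received response ID 42, code 2, length = 107
\tReply-Message = "A "
\tReply-Message = "B 2360762"
\tReply-Message = "C 2360762"
\tReply-Message = "D 2360762"
\tSession-Timeout = 2360762
"""

PROBE_RE = re.compile(r'^\s*Reply-Message\s*=\s*"([A-Z])\s?(\d*)"\s*$')
TIMEOUT_RE = re.compile(r'^\s*Session-Timeout\s*=\s*(\d+)\s*$')


def parse_probes(output: str):
    """Return ([(label, value seen or None), ...] in packet order, final Session-Timeout)."""
    probes, final = [], None
    for line in output.splitlines():
        m = PROBE_RE.match(line)
        if m:
            probes.append((m.group(1), int(m.group(2)) if m.group(2) else None))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            final = int(m.group(1))
    return probes, final


def locate_origin(output: str):
    """Find the first probe that already saw the final value: whatever runs
    between the previous probe and that one is what set Session-Timeout.
    Returns None when the reply carries no Session-Timeout at all."""
    probes, final = parse_probes(output)
    if final is None:
        return None
    previous = None
    for label, seen in probes:
        if seen == final:
            return {"after_probe": previous, "first_seen_at": label, "value": final}
        previous = label
    # No probe saw the final value: it was set after the last probe.
    return {"after_probe": previous, "first_seen_at": None, "value": final}
```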
Re: Session-Timeout anomalies
Bill Isaacs wrote:
> Alan, you're so much more fun when you're not being myopic. lol Of course it's getting the answer from the radius server. You really think I don't know that?

I can only read what you write. You asked *twice* why radclient had that Session-Timeout. The second time, after I told you to look at the server. You then said you HAD mentioned you looked at the server output, when your messages made no such reference.

I'm asking you to communicate clearly and honestly. If you can't do that, then you won't solve the problem.

> What I DID say was "I'm researching this anomaly myself in all the documentation, but thought it would also be helpful /both to me and to others/ to post the problem here." (emphasis added).

(a) looking at radclient, and (b) looking at the config, and NOT looking at the debug output. There are messages every day saying POST THE DEBUG OUTPUT. You didn't do that. You have failed the basic netiquette we ask for here. And then to top it off, get condescending to me when I point this out.

> What I implied in the ensuing message was that it would be posted here once I tracked the message down,

You've failed to understand the need for the debug output. It is nearly everything you need to (a) debug, and (b) solve the problem. You don't post it here after you've come up with a solution. You post it here so that people with a clue can read it, and help you.

> but that posting it and the solution in nice digestible pieces for those not familiar at all with radius would be helpful to them.

Nonsense. Again, you make it clear you don't understand. What is helpful is a *solution*. You posted a problem. You posted the wrong information about the problem. You are suggesting that people use the wrong *method* to track the problem down. You're wasting everyone's time. You're misleading future people, who will find your post, and potentially go down the wrong path.

> I suspect if you went to decaf and quit asking 'why' others don't just do what should be done, you would have understood that.

I think you're being condescending and rude. Stop it.

> Take a deep breath. Read between the lines, and realize that if others understood radius the way you do, you'd be out of a job (at least on the board here).

It doesn't take a rocket scientist to read the documentation, and post the debug output as suggested in the FAQ, man page, web pages, and daily on this list. You didn't do that. I really don't care why.

The entire reason I'm an expert is that I'm willing to learn from others. I read the documentation, and I follow instructions. It's not hard. You don't do that.

> I'm trying to make this fun, and be worthwhile as a thread. So caaalm down. ok?
>
> I'll post the debug output along with what it reveals as soon as I've worked it all out thoroughly. Trust me. :)

That is completely the wrong approach. You are misleading everyone else by suggesting that method. Stop it.

> Now *there* is a wholly useful piece of information. Bravo! Sooner or later, we'll clear out enough of the rants to expose goodies, no? :D

I figured that it was hopeless to get you to follow the existing documentation. So maybe if I spoon-fed it to you in pieces you might think about it, and follow instructions.

Alan DeKok.
Re: Session-Timeout anomalies
Again Alan, read between the lines. I've been scanning these emails from this group for about a year through google searches. What I've learned from this mailing list is that you routinely castigate people who ask questions on here. That's rude. Your tone is arrogant. And that's rude. Yes, I'm being condescending but it's in order to point out your rudeness -- hopefully in an entertaining way. You're apparently a hopeless case where that's concerned.

What it seems to me that this thread needs is a set of discussions that don't include a staple diet of questioner-castigation, as you've done here to me. OF course I expected it, even counted on it, to make the point I'm making here. No one is being led down the wrong path. You just need to lighten up and be a little less arrogant. A little nicer. A human being. And the whole thing sailed right over your arrogant head. Read this exchange, and I rest my case right there.

> > I'm trying to make this fun, and be worthwhile as a thread. So caaalm down. ok?
> >
> > I'll post the debug output along with what it reveals as soon as I've worked it all out thoroughly. Trust me. :)
>
> That is completely the wrong approach. You are misleading everyone else by suggesting that method. Stop it.
>
> > Now *there* is a wholly useful piece of information. Bravo! Sooner or later, we'll clear out enough of the rants to expose goodies, no? :D
>
> I figured that it was hopeless to get you to follow the existing documentation. So maybe if I spoon-fed it to you in pieces you might think about it, and follow instructions.

By the way Alan, I didn't need that spoon fed to me. I'm drawing out information for the benefit of others and frankly, just seeing if you have anything in your repertoire that doesn't include trying to belittle people who are asking for help. Jury is still out on that one, but wearing a frown as they deliberate. :)

Now for the useful stuff. Here is the telling part of the freeradius -X output that I ran earlier this morning and printed out to use as a reference in my inquiries:

[accessperiod] 	expand: %{sql:SELECT IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName = 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1} -> 231238
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout, value=2360762*
++[accessperiod] returns ok

So, there's something fishy with the rlm_sqlcounter module. Looks like the place to start. Stay tuned, film at 11.
Re: Session-Timeout anomalies
Bill Isaacs wrote:
> Here is the telling part of the freeradius -X output that I ran earlier this morning and printed out to use as a reference in my inquiries:
>
> [accessperiod] expand: %{sql:SELECT IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName = 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1} - 231238
> rlm_sqlcounter: Check item is greater than query result
> rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
> rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout, value=2360762*
> ++[accessperiod] returns ok
>
> So, there's something fishy with the rlm_sqlcounter module.

All of this nonsense could have been prevented if you had posted this in your first message.

The debug output is clear:

1) it runs a query:

SELECT IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName = 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1

2) the query returns 231238

You can verify this by running the query manually. That's why it's printed out in debugging mode.

3) 2592000 - 231238 = 2360762

This is maybe grade 5 math.

4) sqlcounter returns 2370762.

FreeRADIUS is working correctly.

5) Instead of following instructions, you wasted everyone's time by ignoring the documentation, and then arguing about it

6) you still blame FreeRADIUS, *despite* the pretty clear debug output above. It doesn't take a RADIUS expert to figure it out.

7) Despite your poor attitude, I'm *still* trying to help you

8) If you respond by blaming me or putting me down, you will be unsubscribed and banned from this list.

If you keep your messages technical, there's no problem. If you read the documentation, there's no problem. If you follow instructions, there's no problem. The entire problem is you refusing to follow instructions, and then arguing about it.

You have this weird idea that I'm being rude for telling you to FOLLOW THE DOCUMENTATION. The only problem here is you. Fix your attitude, or you will be unsubscribed and banned.

There are hundreds of people a month who post questions and get answers without any problem. Choose to be one of them.

Alan DeKok.
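As an added example (not code from the thread and not FreeRADIUS's own code), the Python below reproduces the rlm_sqlcounter arithmetic walked through above: it runs the counter query against a radacct table and then applies the module's rule, which is to reject once the counter has reached the check item and otherwise reply with Session-Timeout = check item - counter. The radacct rows are constructed, "now" is passed in as a fixed epoch so the result is reproducible, and the MySQL query is ported to SQLite (strftime('%s', ...) standing in for UNIX_TIMESTAMP(), the "no rows" branch of IF(COUNT(...)) handled in Python); those are assumptions of the example, not details from the thread.

```python
"""Added example (not FreeRADIUS code, not from the thread): reproduces the
rlm_sqlcounter arithmetic behind the debug output above.

Assumptions: the MySQL counter query is ported to SQLite (strftime('%s', ...)
replaces UNIX_TIMESTAMP()), the radacct rows are constructed, and "now" is
passed in as a fixed epoch so results are reproducible.
"""
import sqlite3
from typing import Optional, Tuple

# check_item from the debug output: Access-Period = 2592000 s (30 days)
CHECK_ITEM = 2592000

# Constructed radacct rows: (radacctid, username, acctstarttime, acctsessiontime)
SAMPLE_RADACCT = [
    (1, "cgitest", "2013-01-01 00:00:00", 1),
    (2, "cgitest", "2013-01-05 00:00:00", 1),
    (3, "other", "2013-01-02 00:00:00", 1),
]

# SQLite port of the query printed after "expand:" in the debug output.
# The MySQL original computes UNIX_TIMESTAMP() - IFNULL(UNIX_TIMESTAMP(AcctStartTime), 0),
# i.e. seconds elapsed since the row's AcctStartTime (not accumulated session time).
# Here ORDER BY/LIMIT pick the earliest-started matching row and the
# IF(COUNT(...)=0, ..., 0) branch is handled in counter_query().
COUNTER_SQL = """
    SELECT ? - IFNULL(CAST(strftime('%s', acctstarttime) AS INTEGER), 0)
    FROM radacct
    WHERE username = ? AND acctsessiontime = 1
    ORDER BY acctstarttime
    LIMIT 1
"""


def build_radacct(rows=SAMPLE_RADACCT) -> sqlite3.Connection:
    """In-memory radacct table with only the columns the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, username TEXT,"
        " acctstarttime TEXT, acctsessiontime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return conn


def counter_query(conn: sqlite3.Connection, username: str, now_epoch: int) -> int:
    """Seconds elapsed since the user's AcctStartTime; 0 when no row matches."""
    row = conn.execute(COUNTER_SQL, (now_epoch, username)).fetchone()
    return int(row[0]) if row is not None else 0


def sqlcounter_decide(check_item: int, counter: int) -> Optional[int]:
    """rlm_sqlcounter's rule: once the counter reaches the check item the
    request is rejected (None); otherwise the reply carries
    Session-Timeout = check_item - counter. (The module also keeps a smaller
    Session-Timeout already present in the reply; that step is left out.)"""
    if counter >= check_item:
        return None
    return check_item - counter


def reply_for(username: str, now_epoch: int, check_item: int = CHECK_ITEM,
              rows=SAMPLE_RADACCT) -> Tuple[int, Optional[int]]:
    """(counter, Session-Timeout or None) for one Access-Request."""
    conn = build_radacct(rows)
    try:
        counter = counter_query(conn, username, now_epoch)
    finally:
        conn.close()
    return counter, sqlcounter_decide(check_item, counter)


if __name__ == "__main__":
    # 2013-01-01 00:00:00 UTC plus the 231238 s seen in the thread
    now = 1356998400 + 231238
    print(reply_for("cgitest", now))            # (231238, 2360762)
    print(reply_for("nobody", now))             # (0, 2592000): no row, counter 0
    print(reply_for("cgitest", now + 3000000))  # (3231238, None): limit exhausted
```

With the thread's numbers (check_item=2592000, counter=231238) the rule yields 2360762, the Session-Timeout in the debug output; a user with no matching radacct row gets the full check item, and a user whose elapsed time has passed the check item gets no Session-Timeout at all (the reject case).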
Re: Session-Timeout anomalies
Alan,

Being a moderator does NOT give you moral license to treat people like children. You're a rude man. Please ban me.