Re: few accounting records with same radacctid

2013-02-08 Thread Hocine M

nobody?

On 07/02/2013 13:25, Hocine M wrote:

hello,

In my accounting table there are many records with the same radacctid
for one username.


In this case

| 23547 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | NULL                | 192.168.58.5 | 00-26-3E-70-99-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
| 23554 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | 2013-02-07 12:39:41 | 192.168.58.4 | 00-0B-0E-A9-5B-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |


Are these normal records, or is Simultaneous-Use not working in my case?

Thanks




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: few accounting records with same radacctid

2013-02-08 Thread Phil Mayers

On 02/08/2013 09:04 AM, Hocine M wrote:

nobody?


The only thing that stands out is the Called-Station-Id is different. 
This suggests to me that something about the accounting packets changes 
as the client moves around (associates to different APs) and that the 
accounting SQL queries you are using don't handle that.


Which version of the server are you using, which SQL database, are you 
using the standard SQL query config and schema that comes with the 
server, and can you show a debug radiusd -X of an accounting packet 
(ideally a duplicate, but anything if not).



Re: few accounting records with same radacctid

2013-02-08 Thread A . L . M . Buxey
Hi,

In my accounting table there are many records with the same radacctid for
one username.

As Phil says - and as can be seen, a different Called-Station-Id - and a different
(NAS id) IP address - what are your accounting statements?

alan
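Both replies above point at the same thing: the two rows share an AcctSessionId but carry different NAS and Called-Station-Id values, and the accounting queries decide what the table ends up holding. The following sqlite3 model is an added example, not code from this thread or from FreeRADIUS; it assumes a cut-down radacct table and a Stop query keyed on session id, user name and NAS address (as the stock 2.x Stop query is). It replays constructed Start/Start/Stop packets for a client that roams between two access points, first with a plain INSERT on every Start and then with an update-if-exists Start (the pattern of the stock `_alt` queries), and reports the rows, the open-session count a Simultaneous-Use check would see, and an audit query for sessions recorded more than once.

```python
import sqlite3

# Cut-down radacct schema (assumption: only the columns the example needs).
SCHEMA = """
CREATE TABLE radacct (
    radacctid       INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid   TEXT NOT NULL,
    username        TEXT NOT NULL,
    acctstarttime   TEXT,
    acctstoptime    TEXT,
    nasipaddress    TEXT NOT NULL,
    calledstationid TEXT
);
"""

# Constructed accounting packets, in arrival order: the client associates to
# one AP, roams to a second AP that sends its own Start with the same
# Acct-Session-Id, and the second AP later sends the Stop.
PACKETS = [
    {"status": "Start", "sid": "SESS-1", "user": "user@example.org",
     "nas": "192.168.58.5", "called": "00-26-3E-70-99-C0:eduroam", "time": "2013-02-07 12:38:54"},
    {"status": "Start", "sid": "SESS-1", "user": "user@example.org",
     "nas": "192.168.58.4", "called": "00-0B-0E-A9-5B-C0:eduroam", "time": "2013-02-07 12:38:54"},
    {"status": "Stop", "sid": "SESS-1", "user": "user@example.org",
     "nas": "192.168.58.4", "called": "00-0B-0E-A9-5B-C0:eduroam", "time": "2013-02-07 12:39:41"},
]


def apply_packet(db, pkt, roam_aware):
    """Apply one accounting packet using a Start/Stop query pair."""
    if pkt["status"] == "Start":
        if roam_aware:
            # Update-if-exists: a Start for a session that is still open moves
            # the open row to the new NAS/AP instead of inserting a second row.
            cur = db.execute(
                "UPDATE radacct SET nasipaddress = ?, calledstationid = ? "
                "WHERE acctsessionid = ? AND username = ? AND acctstoptime IS NULL",
                (pkt["nas"], pkt["called"], pkt["sid"], pkt["user"]))
            if cur.rowcount:
                return
        db.execute(
            "INSERT INTO radacct (acctsessionid, username, acctstarttime, nasipaddress, calledstationid) "
            "VALUES (?, ?, ?, ?, ?)",
            (pkt["sid"], pkt["user"], pkt["time"], pkt["nas"], pkt["called"]))
    elif pkt["status"] == "Stop":
        # Stop closes the open row for this session on *this* NAS, so a row left
        # behind by the previous AP is never closed.
        db.execute(
            "UPDATE radacct SET acctstoptime = ? WHERE acctsessionid = ? AND username = ? "
            "AND nasipaddress = ? AND acctstoptime IS NULL",
            (pkt["time"], pkt["sid"], pkt["user"], pkt["nas"]))


def run(roam_aware):
    """Replay PACKETS and return what the table looks like afterwards."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for pkt in PACKETS:
        apply_packet(db, pkt, roam_aware)
    rows = db.execute(
        "SELECT nasipaddress, acctstoptime FROM radacct ORDER BY radacctid").fetchall()
    # What a Simultaneous-Use style check counts: rows with no stop time.
    open_sessions = db.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        ("user@example.org",)).fetchone()[0]
    # Audit query: sessions that were recorded more than once for one user.
    duplicates = [r[0] for r in db.execute(
        "SELECT acctsessionid FROM radacct GROUP BY acctsessionid, username HAVING COUNT(*) > 1")]
    return {"rows": rows, "open_sessions": open_sessions, "duplicates": duplicates}


if __name__ == "__main__":
    for mode in (False, True):
        print("roam_aware=%s -> %s" % (mode, run(mode)))
```

With plain inserts the first AP's row keeps a NULL stop time forever, so the user still counts as logged in after the session has ended; with the update-if-exists Start there is one row per session and the count drops to zero at the Stop. The audit query is the check to run against a live table when you suspect roaming is producing duplicates.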


MAC-Auth with EAP

2013-02-08 Thread Tunde Ogedengbe
I am setting up our FreeRADIUS to do authentication by MAC address for
Windows PCs.  This is to enable PCs to connect to the AD to access domain
information just before the Windows user logon screen.   The PC is already
connected to a Cisco switch port which has been configured for 802.1x.



I have stored the list of authorized MAC addresses in a file called
authorized_macs in the FreeRADIUS confdir.   I have also set up appropriate
commands in the Authorize and Authentication sections of the sites-enabled/default
file for authorization and authentication.  I can see from the log that the
MAC address is checked and OK.  But there is an "[eap] returns reject" just
after the MAC address was successfully checked.  I guess I need a way to
get RADIUS to force an EAP accept after successful checking of the MAC
address.



Below is my Auth-Type statement, which gets the system to do MAC address
checking for PCs connecting with the hint "thehive".  The else statement is
to cause all other requests to be processed normally using
mschap_ad (which is a function that calls ntlm_auth).



Auth-Type MS-CHAP {
    if ( Hint == validmac) {
        authorized_macs
        update control {
            Auth-Type := Accept
        }
    }
    else {
        mschap_ad
    }
}



Below is an extract of the log highlighting successful MAC address
checking but still returning "[eap] returns reject":



# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschapv2] ++? if (outer.Hint == validmac)
[mschapv2] ? Evaluating (outer.Hint == validmac) - TRUE
[mschapv2] ++? if (outer.Hint == validmac) - TRUE
[mschapv2] ++- entering if (outer.Hint == validmac) {...}
[authorized_macs]   expand: %{Calling-Station-ID} - 00-1a-a0-b8-3b-73
+++[authorized_macs] returns noop
++- if (outer.Hint == thehive) returns noop
++ ... skipping else for request 14: Preceding if was taken
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/hive-rjm2.library.networcs.net] (from client 193.62.48.37 port 50242 cli 00-1a-a0-b8-3b-73 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.

-- 
'Tunde Ogedengbe

But thanks be to God, who gives me the VICTORY through my Lord Jesus
CHRIST - 1 Corinthians 15:57

Re: MAC-Auth with EAP

2013-02-08 Thread Phil Mayers

On 08/02/13 12:52, Tunde Ogedengbe wrote:


see from the log that the MAC addresses is checked and OK.  But there is
an [eap] returns reject just after the mac address was successfully
checked.  I guess I need a way to get radius to force an EAP accept
after successful checking of the MAC addresses.


This doesn't work. You can't force accept of an EAP session. The 
protocol is challenge/response and must complete correctly at both ends.


Your approach won't work.

Instead, you must configure pre-login 802.1x authentication correctly on 
the Windows side, either using machine credentials or user creds.



Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs

Hello all,

I'm researching this anomaly myself in all the documentation, but 
thought it would also be helpful both to me and to others to post the 
problem here.


SYMPTOM: Some Access-Period accounts (accounts which have X number of 
seconds to continue logging in and out starting from the very first 
login) are giving too much time -- that is, at some point they reload 
the full value of the account type and restart the count down. I 
discovered it while developing some interface code for our customer 
service dept. So far, this DOES NOT seem to be happening to all 
accounts. Moreover, the database info and radclient results are 
inconsistent on these accounts that ARE showing the anomaly.


Here is an example of one such account, a development test account which 
I created for debugging purposes. Its value is 30 days (2592000 seconds).


Radclient result:
===
# echo User-Name=cgitest,User-Password=cgitest | radclient -c 1 -n 3 -r 3 -t 3 -x 127.0.0.1:1812 auth -S shared

Sending Access-Request of id 24 to 127.0.0.1 port 1812
User-Name = cgitest
User-Password = cgitest
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=24, 
length=26

Session-Timeout = 2366393
===
sql query:

SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) FROM 
radacct WHERE UserName='cgitest' ORDER BY AcctStartTime LIMIT 1 \g

+------------------------------------------------------------+
| IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) |
+------------------------------------------------------------+
|                                                    1447012 |
+------------------------------------------------------------+
===

Ok, the problem here should be obvious but I'll explain these results 
for those who are impatient. The Session-Timeout number is way too 
large. As I stated previously, this is a 30 day account. It was counting 
down with no problems until a few days ago. It then mysteriously began 
reporting in the popup window which I was working on that it had 29.9 
days left on it, after it had already counted down to something like 15 
days. It simply seems to have reloaded itself, even though the sql query 
reports the accurate number of seconds which have actually expired. 
(1447012). So if we do the math: 2592000-1447012=1144988 (or roughly 
13.25 days) should be the remaining time on this account. Not 27.38 days.


Here is the sql counter from sqlcounter.conf:

sqlcounter accessperiod {
    counter-name = Max-Access-Period-Time
    check-name = Access-Period
    reply-name = Session-Timeout
    sqlmod-inst = sql
    key = User-Name
    reset = never
    # Seconds since this user's earliest accounting start (straight ASCII
    # quotes and a plain minus sign; the smart quotes and en-dash in the
    # posted copy would not parse).
    query = "SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = '%{%k}' ORDER BY AcctStartTime LIMIT 1"
}


(Before anyone bitches about the sql query being different, save your 
pixels -- no matter which style of query is used, the account reports 
that it began at the same time, there is truly no issue here that I can 
see).


ALSO, BEFORE YOU ASK: There is only 1 radius server and only 1 sql 
server on the system. Besides, I have tested this exhaustively using 
different things like the public IP, the fqdn, etc etc. Results are the 
same - that is to say, wrong. lol


Ok so the question then is: where the hell is radclient getting the 
notion that the account has 2366393 seconds left? Where is 
Session-Timeout getting this information? Why is it only doing it on 
some accounts and not others?


Any insights would be greatly appreciated. I will post the resolution 
here (unless one of you smart lads or lasses beats me to it ;) ).

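The post's sqlcounter produces Session-Timeout as the Access-Period check value minus whatever the counter query returns, and it shows two query styles that are meant to be equivalent. The sqlite3 model below is an added example, not the module's code or anything from the thread; it assumes the module treats an empty or NULL query result as zero elapsed seconds, and it swaps the MySQL time functions for integer timestamps so the query semantics can be exercised offline. It reproduces the post's own arithmetic (2592000 - 1447012 = 1144988), works backwards from the observed 2366393 to the counter value that would produce it, and, going beyond the post, shows the one generic case where the `ORDER BY ... LIMIT 1` and `MIN()` styles stop agreeing: a row whose AcctStartTime is NULL sorts first in ascending order, so the LIMIT 1 form yields NULL while MIN() ignores it. That is an illustration of SQL semantics on constructed rows, not a claim about the poster's data.

```python
import sqlite3
from typing import Optional

ACCESS_PERIOD = 2592000  # the 30-day Access-Period from the post, in seconds

# The two counter-query styles from the post, with MySQL's UNIX_TIMESTAMP()/
# TIME_TO_SEC(TIMEDIFF(...)) replaced by integer timestamps ('?' is "now").
COUNTER_QUERIES = {
    "order_by_limit": "SELECT ? - acctstarttime FROM radacct "
                      "WHERE username = ? ORDER BY acctstarttime LIMIT 1",
    "min": "SELECT IFNULL(? - MIN(acctstarttime), 0) FROM radacct WHERE username = ?",
}


def build_db(start_times):
    """Constructed radacct: one row per session for user 'cgitest'.

    A None in start_times models a row with a NULL AcctStartTime."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES ('cgitest', ?)", [(t,) for t in start_times])
    return db


def counter_value(db, style, now, user="cgitest"):
    """Run one counter query; no row or a NULL result counts as 0 (assumption
    about how the module reads an empty result)."""
    row = db.execute(COUNTER_QUERIES[style], (now, user)).fetchone()
    return int(row[0]) if row is not None and row[0] is not None else 0


def session_timeout(check_value: int, counter: int) -> Optional[int]:
    """sqlcounter reply value: check minus counter.  None models the reject the
    module sends once the counter has reached the check value."""
    return None if counter >= check_value else check_value - counter


def remaining(now, start_times, style):
    """Session-Timeout the model would reply for the given rows and query style."""
    db = build_db(start_times)
    return session_timeout(ACCESS_PERIOD, counter_value(db, style, now))


def implied_counter(check_value, reply_value):
    """Work backwards from an observed Session-Timeout to the counter that
    must have produced it."""
    return check_value - reply_value


if __name__ == "__main__":
    first_login = 1000
    now = first_login + 1447012          # the elapsed seconds the post's SQL reported
    rows = [first_login, first_login + 5 * 86400, first_login + 12 * 86400]
    for style in COUNTER_QUERIES:
        print(style, remaining(now, rows, style))            # both 1144988
    print("with a NULL start row:",
          remaining(now, [None] + rows, "order_by_limit"),    # full period again
          remaining(now, [None] + rows, "min"))               # still 1144988
    print("counter behind a reply of 2366393:", implied_counter(ACCESS_PERIOD, 2366393))
```

The last line is the useful debugging move when the reply looks wrong: the reply is the check value minus the counter, so 2366393 means the counter query returned 225607 for that request, and that is the value to look for in the server's debug output rather than in radclient's.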

Issues with Freeradius crashing after a sighup

2013-02-08 Thread Alex Sharaz
Hi all,

I've inherited a pair of FreeRADIUS servers running Vsn 2.10 and have built a 
new server around the 2.2 source code. All of these servers exhibit the same 
problem in that after a SIGHUP to reload their configuration files they 
sometimes crash.

Firstly the 2.1 servers

We have 2 of them configured to support our wired and wireless auth user base. 
Each server has a primary auth function ( wired or wireless) and acts as a 
backup for the other server)

These are running on an old Debian OS and make use of the Freeradius versions 
available through the apt-get package manager. Configuration wise  everything 
uses password files and all logs are written to a local hard disk.  We don't 
use SQL or AD or any other systems in the authentication or accounting process.

password files are updated every 15 mins and are followed by a service 
freeradius reload command to bring them on line. 

At least once a day the freeradius daemon will crash just after the reload 
command. The normal logfiles (see below) just show the following, with no 
indication of why the process crashed. Crashes happen randomly on both servers, 
although the server handling the wireless network crashes more frequently than 
the one handling the wired network.

Fri Feb  8 00:05:03 2013 : Info: HUP - loading modules
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module 
attr_filter.post-proxy
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module 
attr_filter.pre-proxy
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module 
attr_filter.access_reject
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module 
attr_filter.accounting_response
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module pap
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module files
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module accounting_log
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module auth_log
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module reply_log
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module pre_proxy_log
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module post_proxy_log
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module york_passwd
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module landb_device_info
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module switch_vlan_info
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module sql_log
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module suffix
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module mschap
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module mschap_default
Fri Feb  8 00:05:03 2013 : Info:  Module: Reloaded module detail
Fri Feb  8 00:05:03 2013 : Info: Loaded virtual server default
Fri Feb  8 00:05:03 2013 : Info: Loaded virtual server inner-tunnel
Fri Feb  8 00:05:03 2013 : Info: Loaded virtual server eduroam

Freeradius version 2.2 - wireless server

The 2.2 server was compiled from source on an Ubuntu 12.04 LTS VmWare server 
and has a slightly different configuration. Configuration files are used for 
MAC based authentication and for some standard users such as the university of 
york eduroam health check test account. For 802.1x authentication I use a back 
end AD system and authenticate all our real users against AD. Configuration 
files for MAC based authentication RADIUS clients and test users are generated 
once a day and the system is reloaded at midnight every day.  

The configuration used on this server is based upon the template one provided 
by UKERNA  for their UK eduroam user base.

This server can run for a couple of weeks before it crashes.

I know I should run the daemon with the -X option and dump the output to a 
file, but given the random nature of these crashes, I'm not sure I'll have 
enough disk space to just run in debug mode and  collect all the logs.

Anyone else seen server crashes on a reload?

Rgds
Alex



Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread Alan DeKok
Alex Sharaz wrote:
 Firstly the 2.1 servers

  <shrug>  Upgrade.

 password files are updated every 15 mins and are followed by a service 
 freeradius reload command to bring them on line. 

  See the changelog for 2.2.0.  The passwd module had issues with
older versions of the server.

  You can also reload individual modules.  That will be less likely to
have issues.  i.e.

$ radmin -e hup passwd

 Anyone else seen server crashes on a reload?

  Unfortunately I've seen this before.  I haven't seen enough
information to track it down and fix it, though.

  Alan DeKok.


RE: [EAP/TLS] Authentication through a certificate

2013-02-08 Thread vazoumana fofana

I began setting up the configuration, but I got two problems:

Clients with a good certificate can be authenticated even if they're not in the
users file.
I assume it's due to my code. Here is what is under the authenticate section of default:

Auth-Type eap {
    eap
    if ( %{TLS-Client-Cert-Subject} =~ /\/\// ) {
        if ( %{TLS-Client-Cert-Subject} =~ /\/xxx\// ) {
            ok
        }
        else {
            fail
        }
    }
}
It's like when the condition is checked, it bypasses the users file.

Maybe I must move these lines under authorize?
Can anyone confirm it?

cheers
 

 Date: Mon, 4 Feb 2013 10:32:22 -0500
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: [EAP/TLS] Authentication through a certificate
 
 vazoumana fofana wrote:
  i've got question about EAP/TLS and authentification for a client
  through a certificate ?
  I succeed setting up. But , i notice that freeradius matches client
  login with certificate CNAME.
  Is it possible to change it in order to match email instead of CNAME ?
 
   Yes.
 
   Read the eap.conf file, and the raddb/sites-available/default.  This
 is documented.
 
   Alan DeKok.

Re: Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs


Ok so the question then is: where the hell is radclient getting the
notion that the account has 2366393 seconds left?


   That is *entirely* the wrong question.  It's why you haven't solved
the problem yet.

   Look at the *radius server* debug output.  It's the one sending the
Session-Timeout.  You should be able to figure out where the
session-timeout is coming from.


Where is
Session-Timeout getting this information? Why is it only doing it on
some accounts and not others?

   Look at the debug output.

   Honestly.

   We say this DAILY on this list.  There is no excuse for refusing to do
that.

   
Alan, take a deep breath.  Of course I've looked at the debug output.  
Note my opening sentence, ol' pardner.  ;)




Re: Session-Timeout anomalies

2013-02-08 Thread Alan DeKok
Bill Isaacs wrote:
 Ok so the question then is: where the hell is radclient getting the
 notion that the account has 2366393 seconds left?

  From the RADIUS server.  This isn't magic.  radclient doesn't invent
attributes in reply packets.  It receives them from the RADIUS server.

 Alan, take a deep breath.  Of course I've looked at the debug output. 
 Note my opening sentence, ol' pardner.  ;)

  Well... your question about where does radclient get that value from
is entirely missing the point.  It gets it from the RADIUS server.  I've
said this.  I have no idea how to convince you it's true.

  And the *only* way to debug the RADIUS server is to look at the debug
output.

  And no, your original message did *not* say you had run the server in
debugging mode.  There's only a reference to creating an account for
debugging purposes.  There's no radiusd -X output.

  My frustration here is that the documentation and my messages cannot
possibly be any more clear.  Yet you're wandering around doing
everything *but* what the documentation says, and then wondering why I'm
getting annoyed.

  Run the server in debugging mode.  Really.  Do it.  I mean it.

  If you want to track down the issue to a specific module, update the
config to do:

update reply {
    Reply-Message += "A %{reply:Session-Timeout}"
}

  Cut & paste that through various pieces of authorize, post-auth, etc.
 Change the "A" to "B", "C", etc.  You should see 10-20 Reply-Messages
in the Access-Accept.  Each with a value for Session-Timeout.  That lets
you track *what* the value is, and *where* in the config the value is
coming from.

  Then once you know it's a particular module, you can figure out how to
fix that module.

  Right now, you're staring at the radclient output, wondering why the
server isn't working.  That's a mistake.

  Alan DeKok.


Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alex Sharaz
Hi All,

I'm sure the answer to this is nope, but ...

At a recent Aruba training course in amongst the documentation supplied to us 
were a couple of presentation slides showing different types of eap 
authentication against recommended RADIUS servers for use with Aruba equipment 
(Just to be sure the slide heading said Aruba RADIUS Compatibility). 

The surprising bit was the fact that there was a "No" against Freeradius/TTLS 
(MD5, TLS, PEAP, LEAP, FAST were all "yes") and a comment that said Freeradius also 
supports TTLS.

Now it may well be that the slide is a bit old and just hasn't been updated, but 
it does beg the question: have any people using Freeradius with Aruba kit 
experienced any funnies that needed a specific set of tweaking for Aruba? I 
really can't imagine that it would be the case, but just thought I'd check.

Rgds
Alex



Re: MAC-Auth with EAP

2013-02-08 Thread Tunde Ogedengbe
Ok. Can you please help with the procedure for configuring pre-login on Windows
for 802.1x? Windows is sending packets to RADIUS as
host/machine-name.domain. I would like to have a dedicated userid/password
configured on Windows for pre-login machine authentication.

'Tunde Ogedengbe
On 8 Feb 2013 13:18, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 08/02/13 12:52, Tunde Ogedengbe wrote:

  see from the log that the MAC addresses is checked and OK.  But there is
 an [eap] returns reject just after the mac address was successfully
 checked.  I guess I need a way to get radius to force an EAP accept
 after successful checking of the MAC addresses.


 This doesn't work. You can't force accept of an EAP session. The
 protocol is challenge/response and must complete correctly at both ends.

 Your approach won't work.

 Instead, you must configure pre-login 802.1x authentication correct on the
 Windows side, either using machine credentials or user creds.

Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alan DeKok
Alex Sharaz wrote:
 At a recent Aruba training course in amongst the documentation supplied to us 
 were a couple of presentation slides showing different types of eap 
 authentication against recommended RADIUS servers for use with Aruba 
 equipment (Just to be sure the slide heading said Aruba RADIUS 
 Compatibility). 
 
 The surprising bit was the fact that there was a "No" against Freeradius/TTLS 
 (MD5, TLS, PEAP, LEAP, FAST were all "yes") and a comment that said Freeradius also 
 supports TTLS.

  I fail to see how that can be true.

  Aruba sells access points.  Not supplicants.  APs are supposed to pass
EAP from the supplicant to the RADIUS server.  With no changes.  Unless
Aruba is doing something *truly* stupid, it should work.

 Now it may well be that the slide is a bit old and just hasn't been updated, 
 but it does beg the question: have any people using Freeradius with Aruba kit 
 experienced any funnies that needed a specific set of tweaking for Aruba? I 
 really can't imagine that it would be the case, but just thought I'd check.

  I haven't heard of any issues

  If it requires tweaking for Aruba, then Aruba has failed to implement
the standards correctly.

  Alan DeKok.


Re: [EAP/TLS] Authentication through a certificate

2013-02-08 Thread Alan Buxey
As already said, post output of radiusd -X
(that will clearly show the logic taken)

alan



Re: MAC-Auth with EAP

2013-02-08 Thread Phil Mayers

On 08/02/13 16:09, Tunde Ogedengbe wrote:

Ok. Can you please help with the procedure for configuring pre-login on Windows
for 802.1x? Windows is sending packets to RADIUS as
host/machine-name.domain. I would like to have a dedicated
userid/password configured on Windows for pre-login machine authentication.


Windows doesn't support that.

Your options are:

1. Use the machine account
2. Use the user/password typed into the login box

That's it - that's all windows supports.

As for configuring it - right-click on the network adapter settings, 
select the Authentication tab, click the Additional Settings button. 
The options should be self-explanatory. If not, consult the Microsoft docs:


http://technet.microsoft.com/en-gb/magazine/2007.11.cableguy.aspx


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Phil Mayers

On 08/02/13 16:19, Alan DeKok wrote:


   If it requires tweaking for Aruba, then Aruba has failed to implement
the standards correctly.


Was it Aruba who we had all the issues with terminating PEAP/TTLS 
locally on the controller, then transforming the inner EAP-MSCHAPv2 to 
plain MSCHAPv2 and mangling it? I seem to recall a flurry of posts to 
the list that were solved by turning all that off, but this was a couple 
of years ago.



Re: Freeradius-Users Digest, Vol 94, Issue 19

2013-02-08 Thread Alex Sharaz
1st response

On 8 Feb 2013, at 16:09, freeradius-users-requ...@lists.freeradius.org wrote:

Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread Matthew Newton
On Fri, Feb 08, 2013 at 10:10:05AM -0500, Alan DeKok wrote:
 Alex Sharaz wrote:
  Anyone else seen serve crashes on a reload?
 
   Unfortunately I've seen this before.  I haven't seen enough
 information to track it down and fix it, though.

One workaround is to just do a restart instead of a reload. It's
not likely to make much of a difference.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


RE: [EAP/TLS] Authentication through a certificate

2013-02-08 Thread vazoumana fofana


Here is the output:

 Evaluating (%{TLS-Client-Cert-Subject} =~//) - TRUE
++? if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) - TRUE
++- entering if (%{TLS-Client-Cert-Subject} =~ /\/O=\// ) {...}
+++? if (%{TLS-Client-Cert-Subject} =~ /\/OU=\// )
expand: %{TLS-Client-Cert-Subject} - 
/
? Evaluating (%{TLS-Client-Cert-Subject} =~ /\/xxx\//) - TRUE
+++? if (%{TLS-Client-Cert-Subject} =~ /\/x\// ) - TRUE
+++- entering if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) {...}
[noop] returns noop
+++- if (%{TLS-Client-Cert-Subject} =~ /\/xxx\// ) returns noop
+++ ... skipping else for request 21: Preceding if was taken
++- if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) returns noop
Login OK: [xx] (from client xxx


I understand that eap returns ok, so the user is authenticated.
It's not what I want to do. 
I want the client certificate to be authenticated by:
- being in the users file
- having the right certificate

From: a.l.m.bu...@lboro.ac.uk
To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
Subject: Re: [EAP/TLS] Authentication through a certificate
Date: Fri, 8 Feb 2013 16:20:20 +

As already said, post output of radiusd -X
(that will clearly show the logic taken)

alan

regarding radius crashing on sigHUP

2013-02-08 Thread Alex Sharaz
 Alex Sharaz wrote:
 Anyone else seen serve crashes on a reload?
 
  Unfortunately I've seen this before.  I haven't seen enough
 information to track it down and fix it, though.

|One workaround is to just do a restart instead of a reload. It's
|not likely to make much of a difference.

:-) that's what I ended up doing

Rgds
A


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alex Sharaz
Aruba now say they only support eap-tls and eap-peap when you offload eap onto 
their mobility controllers.
Rgds
Alex

On 8 Feb 2013, at 16:46, freeradius-users-requ...@lists.freeradius.org wrote:

 Re: Any interoperability issues with Aruba and Freeradius


Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread Alex Sharaz
| See the changelog for 2.2.0.  The passwd module had issues with
|older versions of the server.
|
|You can also reload individual modules.  That will be less likely to
|have issues.  i.e.
|
|$ radmin -e hup passwd
|

And from the control-socket code

#
#   Control socket interface.
#
#   HIGHLY experimental!  It should NOT be used in production
#   environments.
#
The servers are in a production environment. I'd really like to try just 
reloading the passwd module to see if it makes any difference to server 
stability, but not to the detriment of any security-type issues.
A

On 8 Feb 2013, at 16:09, freeradius-users-requ...@lists.freeradius.org wrote:

 Message: 1
 Date: Fri, 08 Feb 2013 10:10:05 -0500
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list
   freeradius-users@lists.freeradius.org
 Subject: Re: Issues with Freeradius crashing after a sighup
 Message-ID: 5115154d.5070...@deployingradius.com
 Content-Type: text/plain; charset=ISO-8859-1
 
 Alex Sharaz wrote:
 Firstly the 2.1 servers
 
  shrug  Upgrade.
 
 password files are updated every 15 mins and are followed by a service 
 freeradius reload command to bring them on line. 
 
  See the changelog for 2.2.0.  The passwd module had issues with
 older versions of the server.
 
  You can also reload individual modules.  That will be less likely to
 have issues.  i.e.
 
 $ radmin -e hup passwd
 
 Anyone else seen server crashes on a reload?
 
  Unfortunately I've seen this before.  I haven't seen enough
 information to track it down and fix it, though.
 
  Alan DeKok.
 
 
 --
 
 Message: 2
 Date: Fri, 8 Feb 2013 15:24:53 +
 From: vazoumana fofana zoumlan...@hotmail.com
 To: freeradius-users@lists.freeradius.org
   freeradius-users@lists.freeradius.org
 Subject: RE: [EAP/TLS] Authenfication through a certificate
 Message-ID: snt137-w406d40d7e02d3b5d51a487d2...@phx.gbl
 Content-Type: text/plain; charset=iso-8859-1
 
 
 I began setting up the configuration, but I got two problems:
 
 Clients with a good certificate can be authenticated even if they're not in 
 the users file.
 I assume it's due to my code. Here it is, under the authenticate section of default:
 
 Auth-Type eap {
         eap
         # match on the subject DN of the client certificate presented in EAP-TLS;
         # the xlat is quoted so it is expanded before the regex is applied
         if ("%{TLS-Client-Cert-Subject}" =~ /\/\//) {
                 if ("%{TLS-Client-Cert-Subject}" =~ /\/xxx\//) {
                         ok
                 }
                 else {
                         fail
                 }
         }
 }
 It's like when the condition is checked, it bypasses the users file.
 
 Maybe I must move these lines under authorize?
 Anyone to confirm it?
 
 cheers
 
 
 Date: Mon, 4 Feb 2013 10:32:22 -0500
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: [EAP/TLS] Authenfication through a certificate
 
 vazoumana fofana wrote:
 i've got question about EAP/TLS and authentification for a client
 through a certificate ?
 I succeed setting up. But , i notice that freeradius matches client
 login with certificate CNAME.
 Is it possible to change it in order to match email instead of CNAME ?
 
  Yes.
 
  Read the eap.conf file, and the raddb/sites-available/default.  This
 is documented.
 
  Alan DeKok.
 
 --
 
 Message: 3
 Date: Fri, 08 Feb 2013 09:35:59 -0600
 From: Bill Isaacs bill.isa...@island-wifi.com
 To: FreeRadius users mailing list
   freeradius-users@lists.freeradius.org
 Subject: Re: Session-Timeout anomalies
 Message-ID: 51151b5f.6060...@island-wifi.com
 Content-Type: text/plain; charset=ISO-8859-1; format

Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alan DeKok
Alex Sharaz wrote:
 Aruba now say they only support eap-tls and eap-peap when you offload
 eap onto their mobility controllers.

  That is a stupid response from them.

  If they follow the specs, they should pass EAP straight through to the
RADIUS server.  If they do anything else, they are *intentionally*
breaking inter-operability.  So you're forced to buy their crappy RADIUS
server.

  All of the other WiFi vendors can get EAP to work.  If Aruba can't,
it's because (a) they're incompetent, or (b) being rude about it.

  Alan DeKok.


Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread Alan DeKok
Alex Sharaz wrote:
 And from the control-socket code

  In older versions of the software.  Version 2.2.0 does *not* have that
text.

 The servers are in a production environment. I'd really like to try just 
 reloading the passwd module to see if it makes any difference to the server 
 stability but not at the detriment to any security  type issues

  There are no security issues with using the control socket.

  Alan DeKok.


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alex Sharaz
I have to say that in their defence, the eap offloading is switched off by 
default and you do actually have to switch it on.
A


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alex Sharaz

 
 * there is one problem that FreeRADIUS doesn't return the inner ID into the 
 outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is 
 nothing Aruba-specific and probably a configuration error in FreeRADIUS on 
 our part.

I've got a strange thing here as well. In the inner-tunnel config there's a 
commented option that says "uncomment this if you want to pass back the inner 
User-Name attribute to the outer level". I uncommented this on my 2.2 server and 
tested that things worked OK using Windows, OS X and iOS clients manually 
configured. I then used the test utility from wpa_supplicant to try different 
combinations of inner/outer user-names and that worked as well. Imagine my 
surprise when I connected with my iPhone, which was configured using our 
XpressConnect setup, and it failed telling me that I had an identity mismatch. 
When I commented out the config option again, my iPhone started working again.

Interestingly enough, even with the config option commented out, the User-Name 
appears in the outgoing Access-Accept packet. Haven't looked to see why yet, got 
other issues.

Rgds
Alex





Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread Alex Sharaz
Think I just had a senior moment.

The server runs 2.2 code compiled from source but I copied all the configs over 
from the UKERNA freeradius sample and then amended them to run against our AD 
service. The UKERNA control-socket config does have the text.
My fault

Rgds
Alex



Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread A . L . M . Buxey
Hi,

 * there is one problem that FreeRADIUS doesn't return the inner ID into the 
 outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is 
 nothing Aruba-specific and probably a configuration error in FreeRADIUS on 
 our part.

stick something like this into your inner-tunnel authorize section:


        #   Workaround for EAP-TTLS MSCHAPv2 not adding outer.reply
        #   attributes.
        #   If we use both methods we get duplicate User-Name attributes.
        #
        if (("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) {
                update reply {
                        User-Name := "%{User-Name}"
                }
        }


alan


Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread A . L . M . Buxey
Hi,

 Anyone else seen serve crashes on a reload?

Don't HUP, do a restart. It's clean and it's pretty much just as quick.

alan


Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread A . L . M . Buxey
Hi,

 |$ radmin -e hup passwd
 |
 
 And from the control-socket code
 
 #
 #   Control socket interface.
 #
 #   HIGHLY experimental!  It should NOT be used in production
 #   environments.
 #
 The servers are in a production environment. I'd really like to try just 
 reloading the passwd module to see if it makes any difference to the server 
 stability but not at the detriment to any security  type issues

It's been fine since 2.0 - I would ignore that error. I know of many sites that
use it on their production servers - for a start, you need such a thing if
monitoring FreeRADIUS with munin etc.

alan


Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread A . L . M . Buxey
Hi,
 Think I just had  senior moment. 
 
 The server runs 2.2 code compiled from source but I copied all the configs 
 over from the UKERNA freeradius sample and then amended them to run against 
 our AD service. The UKERNA control-socket config does have the text.
 My fault

who is UKERNA?  

;-)

alan


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Phil Mayers

On 08/02/13 17:14, Alex Sharaz wrote:

Aruba now say they only support eap-tls and eap-peap when you offload
eap onto their mobility controllers.


Well, don't do offload - it's a pretty bad idea anyway, and vendors have 
a history of mangling it.



PAM authentication not working

2013-02-08 Thread Jaap Winius

Hi folks,

Having managed to get freeradius 2.10 to run on Debian squeeze with a  
username and password defined in /etc/freeradius/users, I was hoping  
to take a step forward by getting it to authenticate users through  
PAM. But, that's not working out as I had hoped.


Could somebody please tell me what's missing, or what I'm doing wrong?  
So far I have done the following:


1.) Copied a set of 4096-bit MD5 SSL certificates that were used in  
the previous configuration to the /etc/freeradius/certs directory. To  
generate them, each time I used LongStringNumberOne for both the  
input and output passwords.
Among the encryption files generated are ca.pem, dh, server.key and  
server.pem. The ca.pem file was also copied to my laptop's /etc/certs  
directory and is used with wpasupplicant for testing the system.


2.) Added the following lines to the end of /etc/freeradius/clients:

  client 192.168.2.0/24 {
  secret = LongStringNumberTwo
  shortname  = mynet
  }

3.) Added the following line to the end of /etc/freeradius/users:

  DEFAULT Auth-Type = Pam

4.) In /etc/freeradius/eap.conf I changed the values of the following  
two attributes to:


  default_eap_type = ttls
  private_key_password = LongStringNumberOne

5.) In /etc/freeradius/radiusd.conf I changed the value of the  
following attribute to:


  user = root

6.) In both /etc/freeradius/sites-enabled/default and  
/etc/freeradius/sites-enabled/inner-tunnel, I uncommented the pam  
entry in section authenticate.


7.) Some sources suggest changing it, but I chose to leave the  
contents of /etc/pam.d/radiusd unmodified:


  @include common-auth
  @include common-account
  @include common-password
  @include common-session

8.) My NAS is a Linksys WRT54GS running DD-WRT v24 firmware and is  
configured as follows:


  Wireless Mode  AP
  Wireless Network Mode  Mixed
  Wireless Network Name (SSID)   mynet
  Wireless Channel   6 - 2.437 GHz
  Wireless SSID BroadcastEnable
  Network Configuration  Bridged

  Security Mode  WPA2 Enterprise
  WPA Algorithms TKIP+AES
  RADIUS Server Address  192.168.2.12
  RADIUS Server Port 1812
  RADIUS Shared Secret   LongStringNumberTwo
  Key Renewal Interval (in sec.) 3600

Unfortunately, after starting the server in debugging mode with  
freeradius -X, my client's authentication attempts get rejected and  
I get the following output from the freeradius server:


=

rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0,
length=245
Cleaning up request 6 ID 0 with timestamp +12
WARNING:  
!!

WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish!
WARNING: !! Please read http://wiki.freeradius.org/
Certificate_Compatibility
WARNING:  
!!

User-Name = jwinius
NAS-IP-Address = 192.168.2.2
Called-Station-Id = 0014bf72f676
Calling-Station-Id = 00110a81fb2b
NAS-Identifier = 0014bf72f676
NAS-Port = 17
Framed-MTU = 1400
State = 0x2ecb21dd28cc340c8873b5871c637572
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020700701500170301002073bdd7051dfb44f3caccd4c92...
Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a0471b0
# Executing section authorize from file /etc/freeradius/sites-enabled/
default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = jwinius, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 7 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = jwinius
State = 0xdbd7fca1dbd6f80c791225e3340ea6e4
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/
inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = jwinius, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] 

Re: PAM authentication not working

2013-02-08 Thread Deepti kulkarni
Try by adding
jwinius Cleartext-Password := xxx



Re: PAM authentication not working

2013-02-08 Thread Deepti kulkarni
Sorry about the incomplete previous email,

Try by adding
jwinius   Auth-Type = pam
Cleartext-Password := xxx

Deepti


Re: PAM authentication not working

2013-02-08 Thread Alan DeKok
Deepti kulkarni wrote:
 Sorry about the incomplete previous email,
 
 Try by adding 
 jwinius   Auth-Type = pam
 Cleartext-Password := xxx

  That won't work.

  Alan DeKok.


Re: PAM authentication not working

2013-02-08 Thread Alan DeKok
Jaap Winius wrote:
...
 [eap] processing type md5
 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication

  You can't use PAM and EAP-MD5 together.  It's impossible.

  Alan DeKok.
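Alan's one-liner is worth seeing in code. What follows is an added Python illustration, not code from this thread or from FreeRADIUS: the PAM back end is a constructed stand-in (pam_authenticate() over a made-up user table) and the user name and password are invented. It shows why rlm_eap_md5 needs Cleartext-Password, why rlm_pam needs User-Password, and therefore why an inner PAP method (EAP-TTLS with PAP inside) is the arrangement in which rlm_pam actually has something to hand to PAM.

```python
"""Why PAM cannot verify EAP-MD5, while a PAP inner method gives it what it needs.

Added illustration, not code from the list thread or from FreeRADIUS.
EAP-MD5-Challenge (RFC 3748 section 5.4) reuses the CHAP algorithm
(RFC 1994 section 4.1): Response = MD5(Identifier || password || Challenge).
The server can only recompute that digest if it holds the cleartext
password, which is what rlm_eap_md5's "Cleartext-Password is required"
message means.  PAM is a yes/no oracle over a (user, password) pair: it
can check a password that arrives in cleartext (PAP inside EAP-TTLS,
delivered as User-Password) but has no way to check a digest.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the account database behind PAM.  The only
# operation exposed is a cleartext yes/no check, mirroring pam_authenticate().
_PAM_DB = {"jwinius": "correct horse battery staple"}  # made-up credential


def pam_authenticate(username: str, password: str) -> bool:
    """Stand-in for pam_authenticate(): True only for a valid cleartext pair."""
    stored = _PAM_DB.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """Peer side of EAP-MD5-Challenge: MD5(ID octet || password || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password.encode("utf-8") + challenge).digest()


def verify_eap_md5_with_cleartext(identifier: int, known_password: str,
                                  challenge: bytes, response: bytes) -> bool:
    """What rlm_eap_md5 does: recompute the digest from Cleartext-Password."""
    expected = eap_md5_response(identifier, known_password, challenge)
    return hmac.compare_digest(expected, response)


def verify_eap_md5_via_pam(username: str, identifier: int,
                           challenge: bytes, response: bytes) -> Optional[bool]:
    """Try to verify an EAP-MD5 response through the PAM-style oracle.

    The oracle wants a password; the protocol only handed us a 16-byte
    digest.  There is nothing to pass to pam_authenticate() short of
    guessing passwords, so the server has to give up.  None means
    "cannot decide", which is the failure the thread's debug output shows.
    """
    return None


def verify_pap_via_pam(username: str, user_password: str) -> bool:
    """EAP-TTLS with an inner PAP: the tunnel carries User-Password, so
    rlm_pam has a cleartext password to hand to PAM."""
    return pam_authenticate(username, user_password)


def demo() -> dict:
    """Run both paths for the made-up user and return the outcomes."""
    challenge = os.urandom(16)          # server-chosen, fresh per request
    resp = eap_md5_response(7, _PAM_DB["jwinius"], challenge)
    return {
        "eap_md5_with_cleartext": verify_eap_md5_with_cleartext(7, _PAM_DB["jwinius"], challenge, resp),
        "eap_md5_via_pam": verify_eap_md5_via_pam("jwinius", 7, challenge, resp),
        "ttls_pap_via_pam": verify_pap_via_pam("jwinius", _PAM_DB["jwinius"]),
        "ttls_pap_wrong_password": verify_pap_via_pam("jwinius", "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} -> {result}")
```

The same reasoning applies to any challenge/response inner method (CHAP, MS-CHAPv2): each needs either the cleartext password or a specific hash of it on the server side, and a yes/no oracle such as PAM, LDAP bind or Kerberos can serve only a method that delivers the password itself.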


Re: PAM authentication not working

2013-02-08 Thread Jaap Winius

Quoting Deepti kulkarni deepti.kde...@gmail.com:


Try by adding
jwinius   Auth-Type = pam
Cleartext-Password := xxx


Thanks for your reply, but that makes virtually no difference. The  
result is the same and freeradius' debug output only changes slightly:



...
[files] users: Matched entry jwinius at line 211
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
Cleartext-Password := xxx
EAP-Message = 0x04010004
Message-Authenticator = 0x
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user jwinius
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
...


I should also mention that I've so far seen no activity in  
/var/log/auth.log, which I would expect if freeradius was actually  
making use of PAM, so I think a more basic issue is involved.


Thanks anyway,

Jaap


Re: PAM authentication not working

2013-02-08 Thread Jaap Winius

Quoting Alan DeKok al...@deployingradius.com:


  You can't use PAM and EAP-MD5 together.  It's impossible.


That sounds like important information! To turn off EAP, I commented  
out all of the lines related to EAP in  
/etc/freeradius/sites-enabled/default and in
/etc/freeradius/sites-enabled/inner-tunnel. Unfortunately, the result  
is still the same, but freeradius' debug output has changed  
significantly:


==
...
rad_recv: Access-Request packet from host 192.168.2.2 port 1028, id=0,  
length=127

User-Name = jwinius
NAS-IP-Address = 192.168.2.2
Called-Station-Id = 0014bf72f676
Calling-Station-Id = 00110a81fb2b
NAS-Identifier = 0014bf72f676
NAS-Port = 17
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020c016a77696e697573
Message-Authenticator = 0x0695dc9b4d3f16a1fd94a9be695eb90d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = jwinius, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 211
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.   
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = PAM
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
rlm_pam: Attribute User-Password is required for authentication.
++[pam] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - jwinius
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.2.2 port 1028
...
==

Still no activity in /var/log/auth.log.

Cheers,

Jaap


Re: PAM authentication not working

2013-02-08 Thread Alan DeKok
Jaap Winius wrote:
 That sounds like important information! To turn off EAP, I commented out
 all of the lines related to EAP in /etc/freeradius/sites-enabled/default
 and in
 /etc/freeradius/sites-enabled/inner-tunnel.

  No.  You can't turn off EAP.  The client is sending EAP to the server.
 You need to change the client.  And likely you can't, because it
*needs* to do EAP.

 Unfortunately, the result is
 still the same, but freeradius' debug output has changed significantly:

  Read it.  If the messages aren't clear, I really don't know what to do.

  Alan DeKok.


Re: Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs

On 02/08/2013 09:50 AM, Alan DeKok wrote:

Bill Isaacs wrote:

Ok so the question then is: where the hell is radclient getting the
notion that the account has 2366393 seconds left?

   From the RADIUS server.  This isn't magic.  radclient doesn't invent
attributes in reply packets.  It receives them from the RADIUS server.

   Well... your question about where does radclient get that value from
is entirely missing the point.  It gets it from the RADIUS server.  I've
said this.  I have no idea how to convince you it's true.
Alan, you're so much more fun when you're not being myopic.  lol  Of 
course it's getting the answer from the radius server.  You really think 
I don't know that?


   And the *only* way to debug the RADIUS server is to look at the debug
output.

   And no, your original message did *not* say you had run the server in
debugging mode.  There's only a reference to creating an account for
debugging purposes.  There's no radiusd -X output.
You're quite right Alan, it didn't.  NOR did I say that it did.  To 
paraphrase you, You're staring at the first sentence, wondering where 
the debug output is.  That's a mistake.  :D
What I DID say was "I'm researching this anomaly myself in all the 
documentation, but thought it would also be helpful /both to me and to 
others/ to post the problem here." (emphasis added).
What I implied in the ensuing message was that it would be posted here 
once I tracked the message down, but that posting it and the solution 
in nice digestible pieces for those not familiar at all with radius 
would be helpful to them.  I suspect if you went to decaf and quit 
asking 'why' others don't just do what should be done, you would have 
understood that.
Take a deep breath.  Read between the lines, and realize that if others 
understood radius the way you do, you'd be out of a job (at least on the 
board here).  I'm trying to make this fun, and be worthwhile as a 
thread.  So caaalm down.  ok?  I'll post the debug output along with 
what it reveals as soon as I've worked it all out thoroughly.  Trust me.  :)

> ... why I'm
> getting annoyed.

See decaf above.


>    If you want to track down the issue to a specific module, update the
> config to do:
>
> update reply {
> 	Reply-Message += "A %{reply:Session-Timeout}"
> }
>
>    Cut & paste that through various pieces of authorize, post-auth, etc.
>  Change the "A" to "B", "C", etc.  You should see 10-20 Reply-Messages
> in the Access-Accept.  Each with a value for Session-Timeout.  That lets
> you track *what* the value is, and *where* in the config the value is
> coming from.
>
>    Then once you know it's a particular module, you can figure out how to
> fix that module.
Now *there* is a wholly useful piece of information.  Bravo! Sooner or 
later, we'll clear out enough of the rants to expose goodies, no?  :D



Re: Session-Timeout anomalies

2013-02-08 Thread Alan DeKok
Bill Isaacs wrote:
> Alan, you're so much more fun when you're not being myopic.  lol  Of
> course it's getting the answer from the radius server.  You really think
> I don't know that?

  I can only read what you write.  You asked *twice* why radclient had
that Session-Timeout.  The second time, after I told you to look at the
server.  You then said you HAD mentioned you looked at the server
output, when your messages made no such reference.

  I'm asking you to communicate clearly and honestly.  If you can't do
that, then you won't solve the problem.

> What I DID say was "I'm researching this anomaly myself in all the
> documentation, but thought it would also be helpful /both to me and to
> others/ to post the problem here." (emphasis added).

  (a) looking at radclient, and (b) looking at the config, and NOT
looking at the debug output.

  There are messages every day saying POST THE DEBUG OUTPUT.  You
didn't do that.

  You have failed the basic netiquette we ask for here.  And then to top
it off, get condescending to me when I point this out.

> What I implied in the ensuing message was that it would be posted here
> once I tracked the message down,

  You've failed to understand the need for the debug output.  It is
nearly everything you need to (a) debug, and (b) solve the problem.  You
don't post it here after you've come up with a solution.  You post it
here so that people with a clue can read it, and help you.

> but that posting it and the solution
> in nice digestible pieces for those not familiar at all with radius
> would be helpful to them.

  Nonsense.  Again, you make it clear you don't understand.

  What is helpful is a *solution*.  You posted a problem.  You posted
the wrong information about the problem.  You are suggesting that people
use the wrong *method* to track the problem down.

  You're wasting everyone's time.  You're misleading future people, who
will find your post, and potentially go down the wrong path.

> I suspect if you went to decaf and quit
> asking 'why' others don't just do what should be done, you would have
> understood that.

  I think you're being condescending and rude.  Stop it.

> Take a deep breath.  Read between the lines, and realize that if others
> understood radius the way you do, you'd be out of a job (at least on the
> board here).

  It doesn't take a rocket scientist to read the documentation, and post
the debug output as suggested in the FAQ, man page, web pages, and
daily on this list.

  You didn't do that.  I really don't care why.

  The entire reason I'm an expert is that I'm willing to learn from
others.  I read the documentation, and I follow instructions.  It's not
hard.

  You don't do that.

> I'm trying to make this fun, and be worthwhile as a
> thread.  So caaalm down.  ok?  I'll post the debug output along with
> what it reveals as soon as I've worked it all out thoroughly.  Trust me.  :)

  That is completely the wrong approach.  You are misleading everyone
else by suggesting that method.

  Stop it.

> Now *there* is a wholly useful piece of information.  Bravo!  Sooner or
> later, we'll clear out enough of the rants to expose goodies, no?  :D

  I figured that it was hopeless to get you to follow the existing
documentation.  So maybe if I spoon-fed it to you in pieces you might
think about it, and follow instructions.

  Alan DeKok.


Re: Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs
Again Alan, read between the lines.  I've been scanning these emails 
from this group for about year through google searches.
What I've learned from this mailing list is that you routinely castigate 
people who ask questions on here.  That's rude.  Your tone is arrogant.  
And that's rude.
Yes, I'm being condescending but it's in order to point out your 
rudeness -- hopefully in an entertaining way.  You're apparently a 
hopeless case where that's concerned.


What it seems to me that this thread needs is a set of discussions that 
don't include a staple diet of questioner-castigation, as you've done 
here to me. OF course I expected it, even counted on it, to make the 
point I'm making here.  No one is being led down the wrong path.  You 
just need to lighten up and be a little less arrogant.  A little nicer.  
A human being.


And the whole thing sailed right over your arrogant head.  Read this 
exchange, and I rest my case right there.


>> I'm trying to make this fun, and be worthwhile as a
>> thread.  So caaalm down.  ok?  I'll post the debug output along with
>> what it reveals as soon as I've worked it all out thoroughly.  Trust me.  :)


>    That is completely the wrong approach.  You are misleading everyone
> else by suggesting that method.
>
>    Stop it.


>> Now *there* is a wholly useful piece of information.  Bravo!  Sooner or
>> later, we'll clear out enough of the rants to expose goodies, no?  :D

>    I figured that it was hopeless to get you to follow the existing
> documentation.  So maybe if I spoon-fed it to you in pieces you might
> think about it, and follow instructions.
By the way Alan, I didn't need that spoon fed to me.  I'm drawing out 
information for the benefit of others and frankly, just seeing if you 
have anything in your repertoire that doesn't include trying to belittle 
people who are asking for help.  Jury is still out on that one, but 
wearing a frown as they deliberate.  :)



Now for the useful stuff.
Here is the telling part of the freeradius -X output that I ran earlier 
this morning and printed out to use as a reference in my inquiries:


[accessperiod] expand: %{sql:SELECT 
IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() - 
IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName 
= 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1} -> 
231238

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout, 
value=2360762*

++[accessperiod] returns ok

So, there's something fishy with the rlm_sqlcounter module.  Looks like 
the place to start.


Stay tuned, film at 11.



Re: Session-Timeout anomalies

2013-02-08 Thread Alan DeKok
Bill Isaacs wrote:
> Here is the telling part of the freeradius -X output that I ran earlier
> this morning and printed out to use as a reference in my inquiries:
>
> [accessperiod] expand: %{sql:SELECT
> IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() -
> IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName
> = 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1} ->
> 231238
> rlm_sqlcounter: Check item is greater than query result
> rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
> rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=*Session-Timeout,
> value=2360762*
> ++[accessperiod] returns ok
>
> So, there's something fishy with the rlm_sqlcounter module.

  All of this nonsense could have been prevented if you had posted this
in your first message.  The debug output is clear:

1) it runs a query:

  SELECT IF(COUNT(radacctid=1),(UNIX_TIMESTAMP() -
IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0) FROM radacct WHERE UserName
= 'cgitest' AND AcctSessionTime = 1 ORDER BY AcctStartTime LIMIT 1

2) the query returns 231238

  You can verify this by running the query manually.  That's why it's
printed out in debugging mode.

3) 2592000 - 231238 = 2360762

  This is maybe grade 5 math.

4)  sqlcounter returns 2370762.

  FreeRADIUS is working correctly.

5) Instead of following instructions, you wasted everyones time by
ignoring the documentation, and then arguing about it

6) you still blame FreeRADIUS, *despite* the pretty clear debug output
above.  It doesn't take a RADIUS expert to figure it out.

7) Despite your poor attitude, I'm *still* trying to help you

8) If you respond by blaming me or putting me down, you will be
unsubscribed and banned from this list.


  If you keep your messages technical, there's no problem.  If you read
the documentation, there's no problem.  If you follow instructions,
there's no problem.

  The entire problem is you refusing to follow instructions, and then
arguing about it.  You have this weird idea that I'm being rude for
telling you to FOLLOW THE DOCUMENTATION.

  The only problem here is you.  Fix your attitude, or you will be
unsubscribed and banned.  There are hundreds of people a month who post
questions and get answers without any problem.  Choose to be one of them.

  Alan DeKok.
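The arithmetic Alan walks through above (check item minus counter equals the Session-Timeout that rlm_sqlcounter sends) turned into a small script that reads the rlm_sqlcounter lines out of radiusd -X output and flags any reply that does not match. This is an added example, not code from this thread or from FreeRADIUS itself. The debug lines are constructed: the cgitest lines are copied from the output posted above, and user "bob" is made up so that one reply deliberately disagrees with the arithmetic. The function and regex names are my own.

```python
import re

# Constructed sample of rlm_sqlcounter debug lines as printed by "radiusd -X".
# The cgitest lines are the ones posted in this thread; "bob" is invented so
# that one reply value does NOT equal check_item - counter.
SAMPLE_DEBUG = """\
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user cgitest, check_item=2592000, counter=231238
rlm_sqlcounter: Sent Reply-Item for user cgitest, Type=Session-Timeout, value=2360762
++[accessperiod] returns ok
rlm_sqlcounter: Authorized user bob, check_item=3600, counter=100
rlm_sqlcounter: Sent Reply-Item for user bob, Type=Session-Timeout, value=3000
"""

# Two line shapes we care about; the attribute name may carry the "*" emphasis
# that mail clients add around it, so it is stripped before matching.
AUTH_RE = re.compile(
    r"rlm_sqlcounter: Authorized user (\S+), check_item=(\d+), counter=(\d+)")
SENT_RE = re.compile(
    r"rlm_sqlcounter: Sent Reply-Item for user (\S+), Type=\*?([\w-]+), value=(\d+)")


def parse_sqlcounter(debug_text):
    """Collect, per user, the check item, the counter from the SQL query, and
    the reply attribute/value the module sent."""
    users = {}
    for line in debug_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            users.setdefault(m.group(1), {}).update(
                check_item=int(m.group(2)), counter=int(m.group(3)))
            continue
        m = SENT_RE.search(line)
        if m:
            users.setdefault(m.group(1), {}).update(
                reply_attr=m.group(2), reply_value=int(m.group(3)))
    return users


def expected_reply(check_item, counter):
    """What rlm_sqlcounter sends when the counter is below the check item:
    the remaining allowance, check_item - counter.  (If the counter had
    reached the check item the module would reject instead of replying,
    so a negative result never appears in a Sent Reply-Item line.)"""
    return max(check_item - counter, 0)


def audit(debug_text):
    """Return {user: (expected, actual, consistent)}.  A False here means the
    Session-Timeout in the Access-Accept was changed by something other than
    this sqlcounter instance, which is what the Reply-Message tracing trick
    earlier in the thread is for."""
    result = {}
    for user, info in parse_sqlcounter(debug_text).items():
        if not all(k in info for k in ("check_item", "counter", "reply_value")):
            continue  # incomplete capture, e.g. a rejected user
        exp = expected_reply(info["check_item"], info["counter"])
        result[user] = (exp, info["reply_value"], exp == info["reply_value"])
    return result


if __name__ == "__main__":
    for user, (exp, actual, ok) in audit(SAMPLE_DEBUG).items():
        print(f"{user}: expected {exp}, module sent {actual}, {'OK' if ok else 'MISMATCH'}")
```

Feed it the real debug output with something like `audit(open("radiusd.log").read())`. It only confirms the module's own arithmetic; the counter itself (231238 above) still has to be checked by running the printed SELECT against the database by hand, as Alan says.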


Re: Session-Timeout anomalies

2013-02-08 Thread Bill Isaacs

Alan,

Being a moderator does NOT give you moral license to treat people like 
children.  You're a rude man.  Please ban me.
