RADIUS-Proxy before MAC Auth

2013-02-21 Thread Oliver Warda
 Is there a way to proxy requests based on realms before checking the MAC
 address?

 Yes.  You can check if the User-Name contains an @ character.  If
 so, proxy.  For example:

    if (User-Name =~ /@/) {
        suffix
        if (updated) {
            handled
        }
    }
    mac-checks...

  That should stop processing the request as soon as it's marked to be
 proxied.
 
Thank you for this quick reply.
 
We are using EAP-TLS computer-only authentication and additional MAC
Auth. Both certificate Common Names contain @ characters, like
machine-name@realm-local
machine-name@realm-to-proxy
 
Is it possible to use the realm instead, and should this be placed
within the users file?

e.g.

    if (realm =~ /realm-to-proxy/) {
        suffix
        if (updated) {
            handled
        }
    }
    mac-checks...
 
Thank you very much for your support.
Oliver

 
 
 
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Danny Kurniawan
Hello,

I'm new to Radius. So basically I tried to set up 2 Radius servers. One runs
on our SLES 10 PROD (Radius and Novell LDAP sit on the same server); this
works fine using eap_mschapv2 authentication. Radius version is 1.X. We
use Radius to authenticate our wireless and get LDAP authentication. So no
issue with this.

Second server - SLES 11; I got the installer directly from Novell and it
uses version 2.1.1. So it seems the config way is different, but I did try to
match it with the Radius 1.X config (just a different module I guess).
Everything works fine, except one thing.

In Radius 1.x - SLES 10, when I run radiusd -X I don't see the user
password (which is good), but in Radius 2.1.1 I can see it clearly ... how
can I eliminate this cleartext password being shown there? I'm new to this
authentication method or the eap_mschap protocol, so please bear with me :)

[peap] Got tunnled request
EAP-Message = 0x020a00061a03
server (null) {
  PEAP: Setting User-Name to sdholakia2
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = sdholakia2
State = 0xf32f92c4f22588e5c2ccbfc052ff2f65
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[control] returns noop
++[mschap] returns noop
++[unix] returns notfound
++[control] returns notfound
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for sdholakia2
[ldap]  expand: (uid=%u) - (uid=sdholakia2)
[ldap]  expand: ou=Active,ou=Users,o=FSID - ou=Active,ou=Users,o=FSID
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Active,ou=Users,o=FSID, with filter
(uid=sdhoakia2)
[ldap] Added the eDirectory password Test in check items as
Cleartext-Passwrd
[ldap] looking for check items in directory...


While at radiusd -X of the radius 1.X I can only see
Added the eDirectory password
[ldap] looking for check items in directory...

Best Regards,
Danny

Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread A.L.M. Buxey
Hi,

I'm new to Radius. So basically i tried to setup 2 Radius server, one runs
on our SLES 10 PROD (Radius and Novell LDAP sit on the same server) - this
is works fine using eap_mschapv2 authentication. Radius version is 1.X. We
use Radius to authenticate our wireless and get LDAP authentication. So no
issue with this.

debugging is all about debugging - finding out the problems - hence things are
shown. the password is shown because there could be a mismatch. back in the 1.x
days some things were still opaque... ongoing debates of 'users password is
wrong' : 'oh no it isnt' : 'oh yes it is' : 'oh no it... oh wait, yes, their
password was wrong'. pointless.

Second server - SLES 11 ; i get the installer directly from Novell and its
use version 2.1.1. So it seems the config way is different but i did try
match with the Radius 1.X config (just a dffierent module i guess).

ummm, hope you didnt just copy/paste the configs. you need to ensure that the
2.x config has the right options set... but not configured in the same way.
there is a reason why it's FreeRADIUS 2.x rather than 1.x - you need to adapt
your config for the new version.

alan


Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Danny Kurniawan
thank you for your reply. Yes, I didn't just copy and paste; I also followed
the instructions on the Novell support page and from the community.

So what I want to confirm here: are you saying that in debug mode it's
normal for me, the admin, to see the user password? I mean, it's normal
behaviour of radius 2.1.1?

Thanks

-- 
Best Regards,
Danny

Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Olivier Beytrison
On 21.02.2013 10:15, Danny Kurniawan wrote:
 In Radius 1.x - SLES 10 when i run radiusd -X ; i don't see the user
 password (which is good). but in Radius 2.1.1 i can see it clearly ...
 how can i eliminate this cleartext password being showed there? I'm new
 to this authentication method or eap_mschap protocol, so please bear
 with me :)
 
 [peap] Got tunnled request
 EAP-Message = 0x020a00061a03
 server (null) {
   PEAP: Setting User-Name to sdholakia2
 Sending tunneled request
 EAP-Message = 0x020a00061a03
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = sdholakia2
 State = 0xf32f92c4f22588e5c2ccbfc052ff2f65
 server inner-tunnel {
 +- entering group authorize {...}
 ++[chap] returns noop
 ++[control] returns noop
 ++[mschap] returns noop
 ++[unix] returns notfound
 ++[control] returns notfound
 [eap] EAP packet type response id 10 length 6
 [eap] No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 ++[files] returns noop
 [ldap] performing user authorization for sdholakia2
 [ldap]  expand: (uid=%u) - (uid=sdholakia2)
 [ldap]  expand: ou=Active,ou=Users,o=FSID - ou=Active,ou=Users,o=FSID
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Active,ou=Users,o=FSID, with filter
 (uid=sdhoakia2)
 [ldap] Added the eDirectory password Test in check items as
 Cleartext-Passwrd
 [ldap] looking for check items in directory...

That's how it has been hard-coded in FR2.X and FR3. It is indeed
arguable. For debugging eDirectory integration, it's quite nice. But you
really have to restrict access to the freeradius server, so no one can
start it with -X or run radmin debug.

We could by default not output the password, and if you really need to
see it, just echo control:Cleartext-Password after ldap.authorize

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


strange DHCP behavior

2013-02-21 Thread Igor Smitran

Server: up2date Centos 6.3 x64

Software: freeradius 2.2.0

configured by ./configure, generated by GNU Autoconf 2.61,
  with options "'--prefix=/usr/local/freeradius' '--with-dhcp' '--with-rlm_mysql=no' '--with-rlm_perl=no' --enable-ltdl-install"


radiusd -X starts OK, and then, after first DHCP discover is received:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/freeradius/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server 
inner-tunnel

Listening on dhcp interface eth1 address * port 67 as server dhcp
Listening on proxy address * port 1814
Ready to process requests.

Received DHCP-Discover of id 08f11b15 from 10.21.192.1:67 to 0.0.0.0:67
Parse error Parse error or name in attributein attributein ode Dropping 
packet without response.

Going to the next request
Waking up in 0.9 seconds.

--
It is happening with the default dhcp config. The only things changed are:

port = 67
ipaddr = * (omitted)
interface = eth0

This is entirely new server, installed only for dhcp testing. Mysql and 
perl will be added later.


Any idea?



Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Danny Kurniawan
Hi Oliver,

Thanks a lot. So could you please let me know how I can disable the output
(which conf file and what needs to be added)? Also, by saying echo it, do I
need to put something into a config file, or just an echo command while I'm at
radiusd -X debug mode?

Thanks
Danny

-- 
Best Regards,
Danny

Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread A.L.M. Buxey
Hi,

So what i want to confirm here, are you saying that means in debug mode
its normal for me admin to see the user password? I mean it's normal
behaviour of radius 2.1.1?

yes. its normal behaviour - debug mode is for trouble-shooting/problem-solving,
not a mode you would run on a day to day basis. the server KNOWS the
password... its stored in variables and arrays, so if a 'bad guy' has access
to the server they could get that password anyway... in more trivial ways
(such as logging it when a request came through). some sites do such things
for enabling migration from one service to another... eg grab and put into
another store etc...

alan


Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Matthew Newton
On Thu, Feb 21, 2013 at 05:58:14PM +0800, Danny Kurniawan wrote:
 Thanks a lot. So could you please let me know how can i disabled the output
 (which conf file and what need to be added). Also by saying echo it do i
 need to put something into a config file or just echo command while i'm at
 radiusd - X debug mode?

You can't - FreeRADIUS dumps the entire incoming packet out in
clear text when in debug mode. If you don't want to debug things,
don't run it in debug mode.

With PAP the password is sent in (effectively) clear text. If you
don't want to ever see the password then you need to use something
different that can handle auth without plaintext passwords.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
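To make concrete why Matthew calls PAP "effectively clear text" to anyone holding the shared secret, here is an added example, written for this page and not code from FreeRADIUS or from anyone in the thread: the RFC 2865 section 5.2 User-Password hiding that a PAP client applies and a server reverses. The secret, the Request Authenticator, the password and the wordlist are constructed; the MD5 chaining is the real algorithm.

```python
"""RFC 2865 s5.2 User-Password hiding, as done by a PAP client and undone by the server."""
import hashlib

BLOCK = 16


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: pad to a multiple of 16 and XOR each block with MD5(secret || previous block).

    The first 'previous block' is the Request Authenticator, which travels in the packet
    header, so the only thing a receiver needs in order to reverse this is the shared secret.
    """
    if not password or len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + bytes(-len(password) % BLOCK)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block                      # chaining: c(n) = p(n) XOR MD5(secret || c(n-1))
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side (and anyone else holding the secret): invert hide_password.

    Trailing NUL padding is stripped, as real servers do; a password that itself ends
    in NUL cannot be carried by PAP at all.
    """
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], keystream))
        prev = hidden[i:i + BLOCK]
    return bytes(out).rstrip(b"\x00")


def _printable(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def recover_with_wordlist(hidden: bytes, request_auth: bytes, candidates):
    """Offline check on one captured Access-Request: try candidate shared secrets until
    the 'decrypted' User-Password is printable ASCII. Returns (secret, password) or None."""
    for secret in candidates:
        guess = reveal_password(hidden, secret, request_auth)
        if _printable(guess):
            return secret, guess
    return None


# Constructed inputs for the demonstration (none of these come from the thread).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))           # a real NAS uses 16 random octets
PASSWORD = b"S3cret-pass"
HIDDEN = hide_password(PASSWORD, SECRET, REQUEST_AUTH)

if __name__ == "__main__":
    print("on the wire :", HIDDEN.hex())
    print("server sees :", reveal_password(HIDDEN, SECRET, REQUEST_AUTH))
    print("wordlist hit:", recover_with_wordlist(HIDDEN, REQUEST_AUTH, [b"password", b"testing123"]))
```

The server has to run reveal_password to get anything it can compare against a backend, so the cleartext exists in its memory whether or not a module prints it; and an observer of a single Access-Request who guesses a weak shared secret gets the same result offline. That is why the remedy for "the password is visible" is an EAP method that never puts the password on the wire, not a quieter debug log.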


Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread A.L.M. Buxey
Hi,

Thanks a lot. So could you please let me know how can i disabled the
output (which conf file and what need to be added). Also by saying echo it
do i need to put something into a config file or just echo command while
i'm at radiusd - X debug mode?

you'll need to edit the source code but as already said, you can simply add
config to echo it to screen/file anyway... so if someone has access to the
server they can get the details anyway.

are you planning on running the server in debug mode all the time?

alan


Re: strange DHCP behavior

2013-02-21 Thread Igor Smitran

On 02/21/2013 10:23 AM, Igor Smitran wrote:


Received DHCP-Discover of id 08f11b15 from 10.21.192.1:67 to 0.0.0.0:67
Parse error Parse error or name in attributein attributein ode 
Dropping packet without response.

Going to the next request
Waking up in 0.9 seconds.


My bad, sorry everyone, i forgot to include dictionary.dhcp :(

Igor


Re: RADIUS-Proxy before MAC Auth

2013-02-21 Thread Alan DeKok
Oliver Warda wrote:
 Is it possible to use the realm instead and should this be placed
 within the users file?

  Use the example I gave you, and search for @realm instead of @.

  Alan DeKok.


Re: DHCP howto

2013-02-21 Thread Igor Smitran

1. In sqlippool.conf is stated:

 
 #
 #  WARNING: MySQL has certain limitations that means it can
 #   hand out the same IP address to 2 different users.
 #
 #   We suggest using an SQL DB with proper transaction
 #   support, such as PostgreSQL, or using MySQL
 #   with InnoDB.
 #
 

Does this mean that the only thing needed is to create InnoDB tables? Will the
module use transactions automatically?


2. Is freeradius ready to work as dhcp server for IPv6? Would it be 
enough to insert some new words into dictionary and change configuration 
appropriately?


Igor


Re: echo module creating zombies

2013-02-21 Thread Alan DeKok
steff...@gmx.de wrote:
 These are versions 2.1.9 and 2.2.0.

  It may happen from time to time that a zombie child appears.  But they
will get cleaned up when the server receives more packets.

  If you get *many* zombies, it's a problem.  But one for 2-3 seconds
isn't an issue.

  Alan DeKok.


Re: echo module creating zombies

2013-02-21 Thread steffo76

 Original-Nachricht 
 Datum: Thu, 21 Feb 2013 09:39:30 -0500
 Von: Alan DeKok al...@deployingradius.com
 An: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Betreff: Re: echo module creating zombies

 steff...@gmx.de wrote:
  These are versions 2.1.9 and 2.2.0.
 
   It may happen from time to time that a zombie child appears.  But they
 will get cleaned up when the server receives more packets.
 
   If you get *many* zombies, it's a problem.  But one for 2-3 seconds
 isn't an issue.

Ok... I'm somewhere in between many and short time zombies with version 2.2.0 -
there is one zombie that stays until the next request and gets then replaced by
the next zombie.

Regards
Stephan


DEFAULT realm proxy fail over

2013-02-21 Thread Bertalan Voros
Hello All,

I would like to get help with the following.

There is a freeradius server that is proxying every mschapv2 request to a
homeserver using the DEFAULT realm.

The same server is also handling EAP requests and then proxying the inner
request through the DEFAULT realm.

Is is possible to set up fail-over using two home servers in this scenario?

Thank you and best regards,

Bertalan Voros

Re: freeradius-proxy with Rlm_cache

2013-02-21 Thread Dominique Frise

Hi Phil,

I have now a working config.

authorize section :

...
# auth_log

  # Caching module will allow to log twice with the same OTP.
  # Cached entry will be removed  after second login or at
  # the end of TTL (value set in modules/cache)
  cache
  if (ok) {
# entry found in cache; set Auth-Type to Accept.
# force TTL to 0 for removing this entry
update control {
  Auth-Type := Accept
  Cache-TTL = 0
}
cache # remove entry
noop = return
  }
...

Thanks for your help.

Dominique

On 02/20/13 03:05 PM, Phil Mayers wrote:

On 20/02/13 13:31, Dominique Frise wrote:

Hi Phil,

Here below a debug output :

==
rad_recv: Access-Request packet from host 127.0.0.1 port 11148, id=74,
length=94
 User-Name = dfrise
 User-Password = 276988


Ok, so the PIN is appended to the password. In which case your key is
just User-Name and User-Password.

Anyway - the recipe in my other email should cover what you need. What
you're doing now - single calls to cache - probably won't cover it.
You will need more logic, as per my example.

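The flow in Dominique's authorize section, as an added Python model that is not FreeRADIUS code and not from the thread: the cache key is User-Name plus User-Password (Phil's suggestion), a hit is accepted without contacting the OTP server and consumed on the spot (Cache-TTL = 0 followed by the second cache call), and a miss goes to the backend. The backend, clock and credentials are constructed stand-ins; storing an entry only after the backend has accepted is this model's own design choice.

```python
"""Model of the rlm_cache 'same OTP may be used twice' flow from the thread."""
import time


class OtpReplayWindow:
    """Accept a password a second time, from cache, within ttl seconds of a backend accept.

    backend: callable(user, password) -> bool, standing in for the proxied OTP server.
    clock:   injectable time source so expiry can be tested deterministically.
    """

    def __init__(self, backend, ttl_seconds=60, clock=time.monotonic):
        self._backend = backend
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}                      # (user, password) -> expiry timestamp

    def authenticate(self, user, password):
        key = (user, password)                # same key as the posted config: User-Name + User-Password
        now = self._clock()
        expiry = self._cache.pop(key, None)   # every lookup consumes the entry (Cache-TTL = 0, then cache)
        if expiry is not None and now < expiry:
            return "accept-cached"            # the "if (ok) { Auth-Type := Accept }" branch
        # Cache miss or stale entry: the request is proxied to the real OTP server.
        if not self._backend(user, password):
            return "reject"
        # Design choice of this model: an entry is stored only after the backend accepted,
        # so a rejected OTP never becomes replayable.
        self._cache[key] = now + self._ttl
        return "accept-backend"

    def purge_expired(self):
        """Drop stale entries (rlm_cache does this itself); returns how many remain."""
        now = self._clock()
        self._cache = {k: exp for k, exp in self._cache.items() if now < exp}
        return len(self._cache)


class OneShotOtpServer:
    """Constructed stand-in for the home server: each (user, otp) pair is valid exactly once."""

    def __init__(self, valid):
        self._valid = set(valid)

    def __call__(self, user, password):
        try:
            self._valid.remove((user, password))
            return True
        except KeyError:
            return False


class FakeClock:
    """Deterministic clock for the demonstration."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Walk one constructed user through the flow; returns the list of outcomes."""
    clock = FakeClock()
    server = OneShotOtpServer([("alice", "11223344")])
    window = OtpReplayWindow(server, ttl_seconds=30, clock=clock)
    results = [window.authenticate("alice", "11223344"),   # proxied, backend accepts, cached
               window.authenticate("alice", "11223344"),   # served from cache, entry consumed
               window.authenticate("alice", "11223344")]   # cache miss, backend rejects the reuse
    results.append(window.authenticate("alice", "wrong"))  # rejected, nothing cached
    results.append(window.authenticate("alice", "wrong"))  # still rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The TTL bounds the replay window and the pop() bounds the replay count to one, which is the whole security argument for allowing a second use at all; anything that caches before the backend has answered widens that window to rejected credentials as well.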


HuntGroup check in radgroupcheck

2013-02-21 Thread Lorenzo Milesi
Hi.
I'm trying to manage Huntgroup checking in the radgroupcheck table, but it
doesn't seem to work.

Given the following properties:
radcheck:
F01 MD5-Password := somemd5hash
radusergroup
F01 HuntGroup01
radgroupcheck
F01 Huntgroup-Name =~ nas04|nas05

the user is always authenticated, even if the connection comes from a NAS which
is not nas04 or nas05.
If I place the Huntgroup-Name property in radcheck the user is correctly
limited to the selected NASes.

Output of the accounting session of freeradius -X attached here: 
https://dl.dropbox.com/u/706934/check01.gz
The results of the ran queries:
SELECT id, username, attribute, value, op FROM radcheck WHERE username = 
'F001' ORDER BY id
F01 Md5-Password := xxx

SELECT id, username, attribute, value, op FROM radreply WHERE username = 
'F001' ORDER BY id
(empty)

SELECT groupname FROM usergroup WHERE username = 'F001' ORDER BY id
huntgroup01

SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 
'huntgroup01' OR groupname = 'nas04' ORDER BY id
huntgroup01 Huntgroup-Name  nas01|nas02 =~


The final query correctly returns the list of NASes the user is allowed to
log in to, but apparently it's not considered. Why is this? What am I missing?



In addition to that, can I set a certain property (i.e. 
WISPr-Session-Terminate-Time) only if the user connects to a specific huntgroup?

thanks
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it

GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it



segfault

2013-02-21 Thread David Peterson
I had a bit of code cause a segfault in 3.0.0.  

 

Post-Auth-Type REJECT {
    attr_filter.access_reject

    update reply {
        EAP-Message = 0x04040004
        Message-Authenticator = %{Message-Authenticator}
    }
}

 

Is there any reason I could not add this to sites-enabled/default?

Here is the entry in syslog:

Feb 21 11:18:59 freeradius1 kernel: [6021244.475983] radiusd[8535]: segfault
at 80 ip 00410ad7 sp 7fff32516300 error 4 in
radiusd[40+57000]

David Peterson

 


Re: segfault

2013-02-21 Thread Alan DeKok
David Peterson wrote:
 I had a bit of code cause a segfault in 3.0.0. 

  See doc/bugs.

   Message-Authenticator =  %{Message-Authenticator}

  Don't do that.  Message-Authenticator is calculated automatically.

  Just do:

Message-Authenticator = 0x00

 Is there any reason I could not add this to sites-enabled/default?

  Well, the server should work.

 Here is the entry in syslog:
 
 Feb 21 11:18:59 freeradius1 kernel: [6021244.475983] radiusd[8535]:
 segfault at 80 ip 00410ad7 sp 7fff32516300 error 4 in
 radiusd[40+57000]

  That gives really no useful information.  See doc/bugs

  Alan DeKok.
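Why a reply cannot reuse the request's Message-Authenticator, as an added example that is not FreeRADIUS code and not from the thread: RFC 2869 section 5.14 defines the value as HMAC-MD5 under the shared secret over the packet it sits in, with the attribute zeroed and, for a reply, the Request Authenticator in the header slot; RFC 2865 section 3 then fills the header with the Response Authenticator. So an Access-Reject carrying the 0x04040004 EAP-Failure from the posted config has a different value from the request it answers. The shared secret, identifiers and sample request are constructed.

```python
"""Message-Authenticator (RFC 2869 s5.14) and Response Authenticator (RFC 2865 s3) on a reply."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER_LEN = 20


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet: bytes):
    """Yield (type, offset_of_value, value); refuse malformed lengths instead of misreading."""
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("bad attribute length")
        yield atype, off + 2, packet[off + 2:off + alen]
        off += alen


def _header(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def _body_with_ma(code, ident, auth_for_hmac, attrs, secret):
    """Append a zeroed Message-Authenticator, HMAC-MD5 the packet under the secret, fill it in."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, _header(code, ident, auth_for_hmac, body), hashlib.md5).digest()
    return body[:-16] + mac


def build_request(ident, request_auth, attrs, secret):
    """Access-Request: the HMAC covers the packet with its own Request Authenticator."""
    return _header(ACCESS_REQUEST, ident, request_auth,
                   _body_with_ma(ACCESS_REQUEST, ident, request_auth, attrs, secret))


def build_reply(code, ident, request_auth, attrs, secret):
    """Reply: HMAC with the *request's* authenticator in the header slot, then replace that
    slot with the Response Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = _body_with_ma(code, ident, request_auth, attrs, secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
                            + request_auth + body + secret).digest()
    return _header(code, ident, resp_auth, body)


def reply_with_copied_ma(code, ident, request, attrs, secret):
    """The shortcut from the thread: paste the request's Message-Authenticator into the reply.
    The HMAC then covers the wrong bytes and never verifies."""
    copied = next(v for t, _, v in parse_attrs(request) if t == ATTR_MESSAGE_AUTHENTICATOR)
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, copied)
    request_auth = request[4:20]
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
                            + request_auth + body + secret).digest()
    return _header(code, ident, resp_auth, body)


def verify_message_authenticator(packet, auth_for_hmac, secret):
    """Recompute the HMAC over the packet with the value zeroed; True iff it matches.
    For a request pass packet[4:20]; for a reply pass the Request Authenticator."""
    ma_off = None
    for atype, voff, value in parse_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            ma_off = voff
    if ma_off is None:
        return False
    zeroed = (packet[:4] + auth_for_hmac + packet[HEADER_LEN:ma_off]
              + bytes(16) + packet[ma_off + 16:])
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[ma_off:ma_off + 16], expected)


# Constructed sample exchange (secret, authenticator and request are not from the thread).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))           # a real NAS uses 16 random octets
REQUEST = build_request(10, REQUEST_AUTH,
                        [attr(ATTR_USER_NAME, b"host/lab-pc"),
                         attr(ATTR_EAP_MESSAGE, bytes.fromhex("020400061a03"))], SECRET)
EAP_FAILURE = bytes.fromhex("04040004")   # the EAP-Message from the posted Post-Auth-Type REJECT
REJECT = build_reply(ACCESS_REJECT, 10, REQUEST_AUTH, [attr(ATTR_EAP_MESSAGE, EAP_FAILURE)], SECRET)
BAD_REJECT = reply_with_copied_ma(ACCESS_REJECT, 10, REQUEST,
                                  [attr(ATTR_EAP_MESSAGE, EAP_FAILURE)], SECRET)
```

A NAS that checks Message-Authenticator on EAP replies, as it must, drops BAD_REJECT silently, which is why "Message-Authenticator = 0x00" (let the server fill it in) is the right thing to put in the update block.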


Re: echo module creating zombies

2013-02-21 Thread Alan DeKok
steff...@gmx.de wrote:
 Ok... I'm somewhere in between many and short time zombies with version 2.2.0
 - there is one zombie that stays until the next request and gets then
 replaced by the next zombie.

  Well, that's what I said they will get cleaned up when the server
receives more packets.

  Alan DeKok.


RE: segfault

2013-02-21 Thread David Peterson
OK sounds good.  Unfortunately this is a production system so I can't
implement the full debug.  I will try to recreate this in the lab.

David


-Original Message-
From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradiu
s.org] On Behalf Of Alan DeKok
Sent: Thursday, February 21, 2013 12:12 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: segfault

David Peterson wrote:
 I had a bit of code cause a segfault in 3.0.0. 

  See doc/bugs.

   Message-Authenticator =  %{Message-Authenticator}

  Don't do that.  Message-Authenticator is calculated automatically.

  Just do:

Message-Authenticator = 0x00

 Is there any reason I could not add this to sites-enabled/default?

  Well, the server should work.

 Here is the entry in syslog:
 
 Feb 21 11:18:59 freeradius1 kernel: [6021244.475983] radiusd[8535]:
 segfault at 80 ip 00410ad7 sp 7fff32516300 error 4 in 
 radiusd[40+57000]

  That gives really no useful information.  See doc/bugs

  Alan DeKok.


Re: echo module creating zombies

2013-02-21 Thread steffo76

 Original-Nachricht 
 Datum: Thu, 21 Feb 2013 12:12:59 -0500
 Von: Alan DeKok al...@deployingradius.com
 An: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Betreff: Re: echo module creating zombies

 steff...@gmx.de wrote:
  Ok... I'm somewhere in between many and short time zombies with version
 2.2.0 - there is one zombie that stays until the next request and gets then
 replaced by the next zombie.
 
   Well, that's what I said they will get cleaned up when the server
 receives more packets.

Ah, ok, I interpreted the 2-3 seconds statement as 'they should disappear after
2-3 seconds on their own regardless of other packets coming in'. But this
clears it up and I know what's going on, thanks!



Re: HuntGroup check in radgroupcheck

2013-02-21 Thread Lorenzo Milesi
   Post the debug output, as suggested in the FAQ, man page, web
   pages, and daily on this list.

I posted the freeradius -X output into the linked file... Aren't you referring 
to that?

 
  Given the following properties:
  radcheck:
  F01 MD5-Password := somemd5hash
  radusergroup
  F01 HuntGroup01
  radgroupcheck
  F01 Huntgroup-Name =~ nas04|nas05
  
  the user is always authenticated, even if the connection comes from
  a nas which is not nas04 or nas05.
 
   I think you're confused about huntgroups.  NASes are placed into
 huntgroups via the huntgroups file.  Not SQL.  When you check group
 membership, you check for the huntgroup name, not the NAS name.

According to [1] huntgroups can be checked via SQL as well...
From the debug output i posted here [2] you can see the huntgroup is correctly 
identified from SQL...
 

[1] http://wiki.freeradius.org/guide/SQL_Huntgroup_HOWTO 
[2] https://dl.dropbox.com/u/706934/check01.gz

   You're using Huntgroup-Name to check the *nas* name.  It won't
   work.

I omitted to say that in my radhuntgroup table I defined HG with the same names 
as nases in the nas table. Can this be a problem?


thanks

-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it

GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it



Re: HuntGroup check in radgroupcheck

2013-02-21 Thread Alan DeKok
Lorenzo Milesi wrote:
 I'm trying to manage Huntgroup checking in the radgroupcheck table, but it
 doesn't seem to work.

  Post the debug output, as suggested in the FAQ, man page, web pages,
and daily on this list.

 Given the following properties:
 radcheck:
 F01 MD5-Password := somemd5hash
 radusergroup
 F01 HuntGroup01
 radgroupcheck
 F01 Huntgroup-Name =~ nas04|nas05
 
 the user is always authenticated, even if the connection comes from a nas 
 which is not nas04 or nas05.

  I think you're confused about huntgroups.  NASes are placed into
huntgroups via the huntgroups file.  Not SQL.  When you check group
membership, you check for the huntgroup name, not the NAS name.

  You're using Huntgroup-Name to check the *nas* name.  It won't work.

 In addition to that, can I set a certain property (i.e. 
 WISPr-Session-Terminate-Time) only if the user connects to a specific 
 huntgroup?

  Yes.  Do a huntgroup check (correctly), and set the reply attribute if
it matches.

  Alan DeKok.


Re: segfault

2013-02-21 Thread Alan DeKok
David Peterson wrote:
 Does this help at all or am I going about this wrong:

  It helps.

 Exiting normally.
 ==10285== Invalid read of size 8
 ==10285==at 0x40DA08: cf_section_parse_free (conffile.c:344)
 ==10285==by 0x7889C50: eaptype_free (mem.c:253)

  Do a git pull.  The master branch has had a lot of changes over the
past week.  You've probably got a version which didn't have all of the
fixes.

  Alan DeKok.


Re: segfault

2013-02-21 Thread Alan DeKok
David Peterson wrote:
 I just put this together yesterday but just in case:
 
From git://git.freeradius.org/freeradius-server
f822263..99fedbc  master - origin/master
  * [new branch]  talloc3- origin/talloc3
 Already up-to-date.

  Well, there's no call to cf_section_parse_free() *anywhere* in the code.
 It's been completely deleted.

  Re-build and re-install.

  Alan DeKok.


RE: segfault

2013-02-21 Thread David Peterson
Does this help at all or am I going about this wrong:

Exiting normally.
==10285== Invalid read of size 8
==10285==at 0x40DA08: cf_section_parse_free (conffile.c:344)
==10285==by 0x7889C50: eaptype_free (mem.c:253)
==10285==by 0x788759E: eap_detach (rlm_eap.c:69)
==10285==by 0x41AF60: module_instance_free (modules.c:385)
==10285==by 0x4E4511C: FreeWalker (rbtree.c:63)
==10285==by 0x4E4510D: FreeWalker (rbtree.c:61)
==10285==by 0x4E450FC: FreeWalker (rbtree.c:60)
==10285==by 0x4E4549D: rbtree_free (rbtree.c:74)
==10285==by 0x41BF2F: detach_modules (modules.c:433)
==10285==by 0x40946A: main (radiusd.c:466)
==10285==  Address 0x65dfe70 is 8 bytes after a block of size 24 alloc'd
==10285==at 0x4C2B6CD: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10285==by 0x82ABC40: eaptls_attach (rlm_eap_tls.c:1294)
==10285==by 0x78881BF: eaptype_load (eap.c:128)
==10285==by 0x78876BB: eap_instantiate (rlm_eap.c:207)
==10285==by 0x41C1FB: find_module_instance (modules.c:612)
==10285==by 0x41E953: do_compile_modsingle (modcall.c:1924)
==10285==by 0x41B50F: load_component_section (modules.c:900)
==10285==by 0x41BA4F: load_byserver (modules.c:1101)
==10285==by 0x41C934: virtual_servers_load (modules.c:1236)
==10285==by 0x41CED7: setup_modules (modules.c:1560)
==10285==by 0x41A55E: read_mainconfig (mainconfig.c:971)
==10285==by 0x4092E9: main (radiusd.c:274)
==10285==
==10285== Invalid write of size 8
==10285==at 0x40DA10: cf_section_parse_free (conffile.c:345)
==10285==by 0x7889C50: eaptype_free (mem.c:253)
==10285==by 0x788759E: eap_detach (rlm_eap.c:69)
==10285==by 0x41AF60: module_instance_free (modules.c:385)
==10285==by 0x4E4511C: FreeWalker (rbtree.c:63)
==10285==by 0x4E4510D: FreeWalker (rbtree.c:61)
==10285==by 0x4E450FC: FreeWalker (rbtree.c:60)
==10285==by 0x4E4549D: rbtree_free (rbtree.c:74)
==10285==by 0x41BF2F: detach_modules (modules.c:433)
==10285==by 0x40946A: main (radiusd.c:466)
==10285==  Address 0x65dfe70 is 8 bytes after a block of size 24 alloc'd
==10285==at 0x4C2B6CD: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10285==by 0x82ABC40: eaptls_attach (rlm_eap_tls.c:1294)
==10285==by 0x78881BF: eaptype_load (eap.c:128)
==10285==by 0x78876BB: eap_instantiate (rlm_eap.c:207)
==10285==by 0x41C1FB: find_module_instance (modules.c:612)
==10285==by 0x41E953: do_compile_modsingle (modcall.c:1924)
==10285==by 0x41B50F: load_component_section (modules.c:900)
==10285==by 0x41BA4F: load_byserver (modules.c:1101)
==10285==by 0x41C934: virtual_servers_load (modules.c:1236)
==10285==by 0x41CED7: setup_modules (modules.c:1560)
==10285==by 0x41A55E: read_mainconfig (mainconfig.c:971)
==10285==by 0x4092E9: main (radiusd.c:274)
==10285==
==10285== Invalid free() / delete / delete[] / realloc()
==10285==at 0x4C2A82E: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10285==by 0x40DA0F: cf_section_parse_free (conffile.c:344)
==10285==by 0x7889C50: eaptype_free (mem.c:253)
==10285==by 0x788759E: eap_detach (rlm_eap.c:69)
==10285==by 0x41AF60: module_instance_free (modules.c:385)
==10285==by 0x4E4511C: FreeWalker (rbtree.c:63)
==10285==by 0x4E4510D: FreeWalker (rbtree.c:61)
==10285==by 0x4E450FC: FreeWalker (rbtree.c:60)
==10285==by 0x4E4549D: rbtree_free (rbtree.c:74)
==10285==by 0x41BF2F: detach_modules (modules.c:433)
==10285==by 0x40946A: main (radiusd.c:466)
==10285==  Address 0x140 is not stack'd, malloc'd or (recently) free'd
==10285==
==10285== Invalid read of size 8
==10285==at 0x40DA08: cf_section_parse_free (conffile.c:344)
==10285==by 0x40DA54: cf_section_parse_free (conffile.c:316)
==10285==by 0x7889C50: eaptype_free (mem.c:253)
==10285==by 0x788759E: eap_detach (rlm_eap.c:69)
==10285==by 0x41AF60: module_instance_free (modules.c:385)
==10285==by 0x4E4511C: FreeWalker (rbtree.c:63)
==10285==by 0x4E4510D: FreeWalker (rbtree.c:61)
==10285==by 0x4E450FC: FreeWalker (rbtree.c:60)
==10285==by 0x4E4549D: rbtree_free (rbtree.c:74)
==10285==by 0x41BF2F: detach_modules (modules.c:433)
==10285==by 0x40946A: main (radiusd.c:466)
==10285==  Address 0x65dfee8 is 56 bytes inside a block of size 256 free'd
==10285==at 0x4C2A82E: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10285==by 0x40DA0F: cf_section_parse_free (conffile.c:344)
==10285==by 0x7889C50: eaptype_free (mem.c:253)
==10285==by 0x788759E: eap_detach (rlm_eap.c:69)
==10285==by 0x41AF60: module_instance_free (modules.c:385)
==10285==by 0x4E4511C: FreeWalker (rbtree.c:63)
==10285==by 0x4E4510D: FreeWalker (rbtree.c:61)
==10285==by 0x4E450FC: FreeWalker (rbtree.c:60)
==10285==by 0x4E4549D: rbtree_free (rbtree.c:74)
==10285==by 0x41BF2F: detach_modules (modules.c:433)
==10285==by 0x40946A: main 

Re: DHCP howto

2013-02-21 Thread Alan DeKok
Igor Smitran wrote:
 Does this mean that only thing needed is to create innodb tables? Module
 will use transactions automaticaly?

  Yes.

 2. Is freeradius ready to work as dhcp server for IPv6? Would it be
 enough to insert some new words into dictionary and change configuration
 appropriately?

  It doesn't do DHCPv6.  It's possible, but a lot of work.

  Alan DeKok.


Re: DEFAULT realm proxy fail over

2013-02-21 Thread Alan DeKok
Bertalan Voros wrote:
 There is a freeradius server that is proxying every mschapv2 request to
 a homeserver using the DEFAULT realm.
 
 The same server is also handling EAP requests and then proxying the
 inner request through the DEFAULT realm.
 
 Is is possible to set up fail-over using two home servers in this scenario?

  Yes.  You configure fail-over as documented in proxy.conf.

  Do you have a *specific* question about it?

  Alan DeKok.
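The fail-over that proxy.conf documents, as an added example in FreeRADIUS 2.x proxy.conf syntax; this fragment is written for this page and is not taken from the distribution's own proxy.conf or from the thread. Server names, addresses and secrets are placeholders.

```conf
#  Two home servers behind a fail-over pool, used by the DEFAULT realm.
#  All names, addresses and secrets below are placeholders.

home_server otp1 {
        type = auth
        ipaddr = 192.0.2.10
        port = 1812
        secret = change-me-1
        response_window = 10            # seconds without a reply before otp1 is suspect
        zombie_period = 40              # seconds in zombie state before it is marked dead
        status_check = status-server    # assumes otp1 answers Status-Server; else use request
        check_interval = 30
        num_answers_to_alive = 3
        revive_interval = 120
}

home_server otp2 {
        type = auth
        ipaddr = 192.0.2.11
        port = 1812
        secret = change-me-2
        status_check = status-server
}

home_server_pool otp_pool {
        type = fail-over                # always otp1 first; otp2 only while otp1 is dead
        home_server = otp1
        home_server = otp2
}

realm DEFAULT {
        auth_pool = otp_pool
        nostrip                         # forward the User-Name unchanged
}
```

Because both the plain mschapv2 requests and the EAP inner request resolve to the DEFAULT realm, they share this pool and fail over together. If a home server does not answer Status-Server, set status_check = request (or none) for it, otherwise it is never brought back to alive after being marked dead.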


RE: segfault

2013-02-21 Thread David Peterson
OK it still shows the cf_section_parse_free()

Should I do something other than:

make clean
./configure
make
make install

David

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Thursday, February 21, 2013 1:45 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: segfault

David Peterson wrote:
 I just put this together yesterday but just in case:
 
From git://git.freeradius.org/freeradius-server
f822263..99fedbc  master - origin/master
  * [new branch]  talloc3- origin/talloc3
 Already up-to-date.

  Well, there's no call to cf_section_parse_free() *anywhere* in the code.
 It's been completely deleted.

  Re-build and re-install.

  Alan DeKok.



RE: segfault

2013-02-21 Thread David Peterson
I just put this together yesterday but just in case:

From git://git.freeradius.org/freeradius-server
   f822263..99fedbc  master -> origin/master
 * [new branch]  talloc3 -> origin/talloc3
Already up-to-date.

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Thursday, February 21, 2013 1:23 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: segfault

David Peterson wrote:
 Does this help at all or am I going about this wrong:

  It helps.

 Exiting normally.
 ==10285== Invalid read of size 8
 ==10285==at 0x40DA08: cf_section_parse_free (conffile.c:344)
 ==10285==by 0x7889C50: eaptype_free (mem.c:253)

  Do a git pull.  The master branch has had a lot of changes over the past
week.  You've probably got a version which didn't have all of the fixes.

  Alan DeKok.



Re: HuntGroup check in radgroupcheck

2013-02-21 Thread Alan DeKok
Lorenzo Milesi wrote:
   Post the debug output, as suggested in the FAQ, man page, web
   pages, and daily on this list.
 
 I posted the freeradius -X output into the linked file... Aren't you 
 referring to that?

  The debug output should be posted here.  There's no reason to put a
zipped version on a separate web site.

 According to [1] huntgroups can be checked via SQL as well...
 From the debug output i posted here [2] you can see the huntgroup is 
 correctly identified from SQL...
 
 [1] http://wiki.freeradius.org/guide/SQL_Huntgroup_HOWTO 

  That works, too.

 [2] https://dl.dropbox.com/u/706934/check01.gz

  Please post the relevant bits here.  If you make it hard for me to
help you, I'll just ignore your messages.

 I omitted to say that in my radhuntgroup table I defined HG with the same 
 names as nases in the nas table. Can this be a problem?

  No.  It helps to state *accurately* what you're doing.

  Alan DeKok.


Re: HuntGroup check in radgroupcheck

2013-02-21 Thread Lorenzo Milesi
   The debug output should be posted here.  There's no reason to put a
 zipped version on a separate web site.

I just wanted to write a more clean email. Here it is...


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 50056, id=46, length=66
User-Name = F001
User-Password = 002784226600
NAS-IP-Address = 109.70.200.xxx
NAS-Port = 0
Framed-Protocol = PPP
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> F001
sql_set_user escaped user --> 'F001'
expand: SELECT groupname FROM radhuntgroup WHERE 
nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE 
nasipaddress='109.70.200.xxx'
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE 
nasipaddress='%{NAS-IP-Address}'} -> nas04
++[request] returns ok
++? if (Huntgroup-Name == '')
? Evaluating (Huntgroup-Name == '') -> FALSE
++? if (Huntgroup-Name == '') -> FALSE
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = F001, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql]   expand: %{User-Name} -> F001
[sql] sql_set_user escaped user --> 'F001'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'F001'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'F001'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = 'F001'   ORDER 
BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op   
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}' OR 
groupname = '%{Huntgroup-Name}'   ORDER BY id -> SELECT id, groupname, 
attribute,   Value, op   FROM radgroupcheck   WHERE 
groupname = 'huntgroup01' OR groupname = 'nas04'   ORDER BY 
id
[sql]   expand: %{Huntgroup-Name} -> nas04
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
++[pap] returns updated
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password 002784226600
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> F001
[sql] sql_set_user escaped user --> 'F001'
[sql]   expand: %{User-Password} -> 002784226600
[sql]   expand: INSERT INTO radpostauth   (username, 
pass, reply, authdate)   VALUES (   
'%{User-Name}',   
'%{%{User-Password}:-%{Chap-Password}}',   
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
   (username, pass, reply, authdate)   VALUES ( 
  'F001',   '002784226600', 
  'Access-Accept', '2013-02-21 17:14:56')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth 
  (username, pass, reply, authdate)   VALUES (  
 'F001',   '002784226600',  
 'Access-Accept', '2013-02-21 17:14:56')
rlm_sql (sql): Reserving sql socket 
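
The post-auth part of the debug output above shows the stock FreeRADIUS 2.x `postauth_query` from sql/mysql/dialup.conf writing the cleartext User-Password into radpostauth.pass, and the same expanded INSERT, password included, ends up in every `radiusd -X` transcript pasted to the list. As an added example that is not part of Lorenzo's post, here is that shipped query next to a replacement that keeps the who/when/result audit trail without storing the credential. The `${postauth_table}` variable and column names follow the 2.x MySQL defaults; if your schema differs, adjust the column list:

```conf
# sql/mysql/dialup.conf (FreeRADIUS 2.x).  Added example: the shipped
# postauth_query (commented out) and a replacement that does not store
# the password.

# As shipped: stores User-Password (or Chap-Password) in radpostauth.pass.
# This is the query that the "INSERT INTO radpostauth" debug line above expands.
#postauth_query = "INSERT INTO ${postauth_table} \
#                  (username, pass, reply, authdate) \
#                  VALUES ( \
#                  '%{User-Name}', \
#                  '%{%{User-Password}:-%{Chap-Password}}', \
#                  '%{reply:Packet-Type}', '%S')"

# Replacement: same columns, so the shipped schema is untouched, but the
# pass column is written empty.  Accept/Reject per user and time is kept.
postauth_query = "INSERT INTO ${postauth_table} \
                  (username, pass, reply, authdate) \
                  VALUES ( \
                  '%{User-Name}', \
                  '', \
                  '%{reply:Packet-Type}', '%S')"
```

This only changes what is persisted in the database. The `User-Password = ...` attribute dump and the `[pap] login attempt with password ...` line are still printed by `radiusd -X`, so scrub those values before posting debug output, and rotate any password that has already gone out in a public transcript.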

rlm_perl RAD_REQUEST

2013-02-21 Thread Derek Wuelfrath

EHLO list!

We're running into a strange issue here and would like the input of the 
FreeRADIUS community.
Using rlm_perl with our own perl module for post_auth, everything is 
running smoothly until, for an unknown reason, it looks like the 
RAD_REQUEST hash is becoming empty.


Here's a snippet of the module (the important part for this particular 
issue).

our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
sub post_auth {
    my $mac = clean_mac($RAD_REQUEST{'Calling-Station-Id'});

    if (length($mac) != 17) {
        radiusd::radlog(L_INFO, "MAC address is empty or invalid in this request. "
                              . "It could be normal on certain radius calls");
        radiusd::radlog(L_INFO, "Our values. RAD_REQUEST-CallingStationId: "
                              . $RAD_REQUEST{'Calling-Station-Id'}
                              . " | MAC after clean_mac: " . $mac);

        return RLM_MODULE_OK;
    }

    ...
}

Here's the output when the issue occurs.
Info: rlm_perl: MAC address is empty or invalid in this request. It 
could be normal on certain radius calls
Info: rlm_perl: Our values. RAD_REQUEST-CallingStationId: | MAC after 
clean_mac:0


(The clean_mac thing is a method in our libraries that sanitize the MAC 
address itself... shouldn't have any incidence here)


Any insight ? Somewhere to look ?

Thanks!

Derek

--
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: segfault

2013-02-21 Thread A . L . M . Buxey
Hi,

 OK it still shows the cf_section_parse_free()

IIRC there was a small issue with git commits
yesterday... so either force the pull (talloc wasn't
the last stuff... there have been quite a few things since then)
or just blow away the current freeradius-server
source directory and do a fresh clone

alan


WARNING! for check item

2013-02-21 Thread A . L . M . Buxey
hi,

quick query with some output I see when radiusd starts up
(this is 3.x HEAD).

I see the following message when attr_filter modules are being
loaded up:

reading pairlist file /etc/raddb/attrs
[/etc/raddb/attrs]:134 WARNING! Check item Local-Priv-Level   found in filter 
list for realm DEFAULT. 


sure, there is an item in DEFAULT section of attrs:

Called-Station-Id =* ANY,
Operator-Name =* ANY,
Port-Limit = 2,
Local-Priv-Level =* ANY,
Session-Timeout = 28800

and the entry in dictionary is:

ATTRIBUTE   Local-Priv-Level3069string


what exactly is wrong here that is triggering this WARNING ?

many thanks

alan


eap over lan simulation

2013-02-21 Thread tabibel sami
Hi freeradiusers,
For the purpose of implementing an EAP-SIM supplicant I created the following
virtual infrastructure:

supplicant --(Ethernet)-- NAS (Access Point) --(UDP)-- freeradius server
 10.0.0.1                  10.0.0.2                    195.12.16.17

supplicant: is my real computer
NAS: is a vmplayer virtual machine
and freeradius server: is an lxc container (virtual machine too)

I have to test communications between supplicant - NAS and then between
NAS - server.
Thanks to eapol_test I can now test UDP communications between NAS and
server (thank you Matthew, your answer was very appreciated)
and now I have to test (simulate, understand) 802.1X EAP communication
between supplicant and NAS. I can't find a way to simulate a NAS (access
point) with an 802.1X supplicant that can control Ethernet and not wireless
access from the supplicant, because I use a linux bridge to connect my virtual
machines to each other (so no wireless, or can we simulate a wireless
connection too?)
Clarification on this point will be very appreciated!

Thanks in advance
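
One way to get the authenticator side of the setup described above, added here as an example and not part of the original post: hostapd built with its `wired` driver acts as an 802.1X authenticator on an Ethernet port (no radio involved) and relays EAP to a RADIUS server, which is exactly the NAS role the VM needs. The interface name and shared secret below are placeholders; the addresses 10.0.0.2 and 195.12.16.17 are the ones given in the post.

```conf
# hostapd.conf, added example: hostapd as a wired 802.1X authenticator on
# the NAS VM, relaying EAP-SIM to the FreeRADIUS container.
# Interface name and shared secret are placeholders.

interface=eth0                 # placeholder: the NIC facing the supplicant
driver=wired                   # EAPOL over Ethernet; needs CONFIG_DRIVER_WIRED=y at build time
logger_stdout=-1
logger_stdout_level=1          # debug output on stdout

ieee8021x=1                    # enforce 802.1X on this port
eap_reauth_period=3600
use_pae_group_addr=1           # send EAPOL to the PAE group address 01:80:c2:00:00:03

# RADIUS authentication server (the FreeRADIUS container)
own_ip_addr=10.0.0.2           # NAS-IP-Address placed in Access-Request, per the diagram
auth_server_addr=195.12.16.17
auth_server_port=1812
auth_server_shared_secret=change-me   # placeholder; must match clients.conf on the server
```

Run `hostapd -dd hostapd.conf` on the NAS VM and wpa_supplicant with `-D wired` on the real machine (a network block with `key_mgmt=IEEE8021X` and `eap=SIM`); `tcpdump -i eth0 ether proto 0x888e` on either side shows the EAPOL frames, and `radiusd -X` shows the Access-Requests arriving. One caveat for this topology: a Linux bridge does not forward frames addressed to 01:80:c2:00:00:03 by default, so when the supplicant and the authenticator are on opposite sides of a bridge, EAPOL-Start and the identity request never cross it until the bridge's `group_fwd_mask` is set to include that address (bit 3, i.e. `echo 8 > /sys/class/net/<bridge>/bridge/group_fwd_mask`).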