Child is hung for request … message

2013-03-07 Thread Alex Sharaz
Hi,
I've just downloaded, compiled and installed the latest version of 2.2 (2.2.1?) 
from git.freeradius.org.

Installed it on an internal server and things seemed to work o.k. I then 
upgraded another server that deals with our external (eduroam) connectivity 
and within a few mins am seeing

Thu Mar  7 10:25:58 2013 : Error: WARNING: Unresponsive child for request 16, 
in component core module thread
Thu Mar  7 10:25:59 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:26:00 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:26:03 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:26:06 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:26:11 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:26:16 2013 : Auth: Login OK: [lw0...@leeds.ac.uk] (from client 
nasaaa2 port 0 cli 40-A6-D9-B9-A8-A6)
Thu Mar  7 10:26:19 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:26:26 2013 : Auth: Login OK: [zszz5...@kclad.ds.kcl.ac.uk] (from 
client nasaaa2 port 0 cli 58-1F-AA-53-87-B4)
Thu Mar  7 10:26:30 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:26:47 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:27:13 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:27:29 2013 : Auth: Login OK: [nag...@york.ac.uk] (from client 
systems0 port 0)
Thu Mar  7 10:27:51 2013 : Info: WARNING: Child is hung for request 16 in 
component core module thread.
Thu Mar  7 10:28:18 2013 : Error: Discarding duplicate request from client 
nasaaa2 port 1814 - ID: 255 due to unfinished request 88
Thu Mar  7 10:28:24 2013 : Error: Discarding duplicate request from client 
nasaaa2 port 1814 - ID: 255 due to unfinished request 88
Thu Mar  7 10:29:04 2013 : Error: WARNING: Unresponsive child for request 88, 
in component core module thread
Thu Mar  7 10:29:05 2013 : Info: WARNING: Child is hung for request 88 in 
component core module thread.
Thu Mar  7 10:29:06 2013 : Info: WARNING: Child is hung for request 88 in 
component core module thread.
Thu Mar  7 10:29:08 2013 : Info: WARNING: Child is hung for request 88 in 
component core module thread.
Thu Mar  7 10:29:12 2013 : Info: WARNING: Child is hung for request 88 in 
component core module thread.
Thu Mar  7 10:29:17 2013 : Info: WARNING: Child is hung for request 88 in 
component core module thread.
Thu Mar  7 10:29:25 2013 : Info: WARNING: Child is hung for request 88 in 
component core module thread.
Thu Mar  7 10:29:36 2013 : Info: WARNING: Child is hung for request 88 in 
component core module thread.

The server is basically proxying off auth requests to remote RADIUS servers. Is 
the above just telling me that the other end is taking a while to reply or is 
there some underlying issue?
Rgds
A
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
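
A triage helper for the log pattern in the message above, as an added example that is not part of the original post or of FreeRADIUS: it groups the hung-child warnings and the "Discarding duplicate request" lines by request number, so you can see how long each request has been stuck and how many NAS retransmissions were dropped while it was. The sample lines are constructed in the format the post shows, and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the radius.log format quoted in the post. The client
# name, user and MAC are made up; long lines are wrapped the way a mail client
# or terminal copy would wrap them.
SAMPLE_LOG = """\
Thu Mar  7 10:25:58 2013 : Error: WARNING: Unresponsive child for request 16,
in component core module thread
Thu Mar  7 10:25:59 2013 : Info: WARNING: Child is hung for request 16 in
component core module thread.
Thu Mar  7 10:26:16 2013 : Auth: Login OK: [user@example.org] (from client
nas-test port 0 cli 00-00-5E-00-53-01)
Thu Mar  7 10:27:51 2013 : Info: WARNING: Child is hung for request 16 in
component core module thread.
Thu Mar  7 10:28:18 2013 : Error: Discarding duplicate request from client
nas-test port 1814 - ID: 255 due to unfinished request 88
Thu Mar  7 10:28:24 2013 : Error: Discarding duplicate request from client
nas-test port 1814 - ID: 255 due to unfinished request 88
Thu Mar  7 10:29:04 2013 : Error: WARNING: Unresponsive child for request 88,
in component core module thread
Thu Mar  7 10:29:36 2013 : Info: WARNING: Child is hung for request 88 in
component core module thread.
"""

# "<ctime timestamp> : <level>: <message>"
RECORD = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (\w+): (.*)$")
HUNG = re.compile(r"(?:Unresponsive child|Child is hung) for request (\d+),? "
                  r"in component (\S+) module (\S+?)\.?$")
DUPLICATE = re.compile(r"Discarding duplicate request from client (\S+) port \d+ "
                       r"- ID: (\d+) due to unfinished request (\d+)")


def unwrap(text):
    """Join wrapped continuation lines onto the timestamped record they follow."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if RECORD.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records


def parse_time(stamp):
    # Collapse the double space ctime puts before single-digit days.
    return datetime.strptime(" ".join(stamp.split()), "%a %b %d %H:%M:%S %Y")


def _entry():
    return {"component": None, "module": None, "warnings": 0,
            "first": None, "last": None, "dropped_retransmits": []}


def stalled_requests(text):
    """Return {request_number: summary} for every request the log reports as stuck."""
    stalled = {}
    for record in unwrap(text):
        stamp, _level, message = RECORD.match(record).groups()
        when = parse_time(stamp)
        hung = HUNG.search(message)
        dup = DUPLICATE.search(message)
        if hung:
            entry = stalled.setdefault(int(hung.group(1)), _entry())
            entry["component"], entry["module"] = hung.group(2), hung.group(3)
            entry["warnings"] += 1
            entry["first"] = min(entry["first"] or when, when)
            entry["last"] = max(entry["last"] or when, when)
        elif dup:
            # A retransmission arrived while the original was still unfinished.
            entry = stalled.setdefault(int(dup.group(3)), _entry())
            entry["dropped_retransmits"].append(
                (when, dup.group(1), int(dup.group(2))))
    for entry in stalled.values():
        if entry["first"] is None:
            entry["stalled_seconds"] = None  # only duplicates seen so far
        else:
            span = entry["last"] - entry["first"]
            entry["stalled_seconds"] = int(span.total_seconds())
    return stalled


def report(text):
    """One summary line per stuck request, ordered by request number."""
    lines = []
    for number, e in sorted(stalled_requests(text).items()):
        lines.append("request %d: %d warnings over %ss in %s/%s, "
                     "%d retransmissions dropped"
                     % (number, e["warnings"], e["stalled_seconds"],
                        e["component"], e["module"],
                        len(e["dropped_retransmits"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A request number that keeps reappearing for minutes, as in the post, points at a worker that never returned rather than at a merely slow home server, which is why the later replies ask for debug output.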


Re: Child is hung for request … message

2013-03-07 Thread Olivier Beytrison

On 07.03.2013 11:32, Alex Sharaz wrote:

> Hi,
> I've just downloaded, compiled and installed the latest version of 2.2 (2.2.1?)
> from git.freeradius.org.
>
> Installed it on an internal server and things seemed to work o.k. I then
> upgraded another server that deals with our external (eduroam) connectivity
> and within a few mins am seeing
> The server is basically proxying off auth requests to remote RADIUS servers. Is
> the above just telling me that the other end is taking a while to reply or is
> there some underlying issue?


Without a debug output it's hard to tell. Please send freeradius -X output.

Olivier
--
 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Child is hung for request … message

2013-03-07 Thread Alex Sharaz
Thought you might say that. Running FR in debug mode now
A


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Olivier Beytrison

On 07.03.2013 07:57, Iftakhul Anwar wrote:

> HI All,
>
> I just installed free radius server using apt-get on my ubuntu machine.
> Now i want to configure jradius on my freeradius server.
>
> I follow step by step from http://coova.org/JRadius/FreeRADIUS.


Are you sure ? By default rlm_jradius is not compiled because it is 
considered experimental. So you have either to add 
--with-experimental-modules=yes or as explained on the link above to add 
rlm_jradius to src/modules/stable


Now if the module failed to compile (check the compilation process) then 
it won't be installed in your system. You should have a rlm_jradius.so 
file where your freeradius libraries are installed.


Olivier
--
 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Child is hung for request … message

2013-03-07 Thread A . L . M . Buxey
Hi,

> The server is basically proxying off auth requests to remote RADIUS servers.
> Is the above just telling me that the other end is taking a while to reply or
> is there some underlying issue?

what is your retry time set to on the NAS kit?  If your kit is expecting
a reply in eg 3 seconds...well, a reply from a remote site may take longer.

are you using status-server ? I would advise status-server usage
in the first instance to ensure that your RADIUS server knows the
remote RADIUS is okay and not the issue.  

alan


Re: Child is hung for request … message

2013-03-07 Thread Alex Sharaz

On 7 Mar 2013, at 11:36, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> The server is basically proxying off auth requests to remote RADIUS servers.
>> Is the above just telling me that the other end is taking a while to reply
>> or is there some underlying issue?
>
> what is your retry time set to on the NAS kit?  If your kit is expecting
> a reply in eg 3 seconds...well, a reply from a remote site may take longer.
>
> are you using status-server ? I would advise status-server usage
> in the first instance to ensure that your RADIUS server knows the
> remote RADIUS is okay and not the issue.
 
Yup I'm using status server.

in  local-config/nrps.conf I've now got

server_pool eduroam {
        home_server = eduroam1
        home_server = eduroam2
        home_server = eduroam0
        type = client-port-balance
}

and

home_server eduroam0 {
        ipaddr = ${eduroam_config.server0}
        #ipv6addr = ${eduroam_config.server0}
        secret = ${eduroam_config.secret0}
        port = 1812
        type = auth+acct
        require_message_authenticator = yes
        nostrip
        response_window = 5
        zombie_period = 40
        revive_interval = 60
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
        ……...
}

Rgds
Alex





Re: Child is hung for request … message

2013-03-07 Thread A . L . M . Buxey
Hi,

> response_window = 5

that's a little low. the default provided with FreeRADIUS is 20 IIRC - and
you need to ensure that there's correlation with the NAS

alan


Re: Child is hung for request … message

2013-03-07 Thread Alex Sharaz

On 7 Mar 2013, at 12:15, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> response_window = 5
>
> that's a little low. the default provided with FreeRADIUS is 20 IIRC - and
> you need to ensure that there's correlation with the NAS
 
o.k can't remember where I got that value, suspect it was from a google of an 
email
Thanks
A



Re: Child is hung for request … message

2013-03-07 Thread Arran Cudbard-Bell

On 7 Mar 2013, at 06:21, Alex Sharaz alex.sha...@york.ac.uk wrote:

> Thought you might say that. Running FR in debug mode now
> A

If you can't reproduce it with -X, try with the -fxxl stdout incantation, -X 
will also force the server into single threaded mode, and this might be a 
locking issue.

-Arran


Re: Freeradius 2.2.0 memory leak issue.

2013-03-07 Thread Alan DeKok
kao quadrantx wrote:
> i rebuild freeradius with the latest updated today (i noticed the
> userparse() in valuepair.c has updated) and the memory leak still the same.
> (same memory growth in VmRSS and same valgrind log.)

  OK.

> FR_TOKEN userparse(const char *buffer, VALUE_PAIR **list)

  Why?  Just... why?  There is NO need to post code here.  In case you
hadn't noticed, we have access to the source.

  I've put a fix in for library symbols & valgrind.  Please do git
pull of v2.x.x, re-build, and re-run it under valgrind.  It should show
exactly where the problem is.

  I can then fix it.

  Alan DeKok.


Re: LDAP authorization

2013-03-07 Thread Alan DeKok
Matthew Ceroni wrote:
> I am using LDAP authorization. What I am looking to accomplish is to
> reject/deny (so not even attempt authentication) for disabled users.
>
> I am authenticating against AD (use LDAP for authorize and ntlm for
> authentication).
>
> If I were to search for all non-disabled users using ldapsearch, the
> filter query for this would
> be: !(userAccountControl:1.2.840.113556.1.4.803:=2)

  You can add this to the LDAP query which finds users.  That's why the
query is editable in the config files.

> That is the part that limits the results to only enabled users.
> Wondering how I would do this in FreeRadius? Even on a more general
> level how I would reject based off certain returned attributes.

  That's what ldap.attrmap is for.  Map the LDAP attributes to RADIUS
attributes.  Then, use unlang to write your policy.

  Alan DeKok.


Re: Authentication Using Framed-IP-Address

2013-03-07 Thread Arran Cudbard-Bell

On 7 Mar 2013, at 09:50, Russell Mike radius@gmail.com wrote:

> Dear Alan. De. & List Greetings
>
> May i please ask your opinion, if it is possible to accept & reject users based
> on Framed-IP-Address.

Yes if the Framed-IP-Address is available in the request. There are however, no 
IP specific operators,
so it's more difficult to check whether an IP address is in a certain range.

Also, Alan doesn't need his ego stroking any more, addressing questions to the 
list works just as well.

-Arran


Re: Authentication Using Framed-IP-Address

2013-03-07 Thread Russell Mike
Hi Arran,

Thanks for the answer to my question. Nothing wrong to say thanks but
perhaps to see it from that angle.

Regards / RM --


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Iftakhul Anwar
Actually i install freeradius from apt-get ,

But i try configure jradius




-- 
*M.Iftakhul Anwar*
Meruvian Integrator
High Performance Computing / Cloud Computing (HPC/CC)


Office Phone  : 021-93586577
Mobile Phone : 085215331477
Blog   :  http://blog.mervpolis.com/roller/anwar
FB :  http://www.facebook.com/troya.adromeda
Website : www.meruvian.org

Re: Failed to load module jradius freeradius server

2013-03-07 Thread Iftakhul Anwar
Actually i install freeradius from apt-get ,

But i try configure jradius following tutorial from
http://coova.org/JRadius/FreeRADIUS

How i can add this module to radius server if i using apt-get ?




EAP-TLS testing, occasional errors

2013-03-07 Thread Bertalan Voros
Hello All,

I have configured a server to test EAP-TLS.

Created the CA, a server and one client certificate.
The same client certificate was then installed on three different devices;
OSX, Windows 7 and an Android 4.2.

All is well, all the devices can authenticate successfully, however, every
now and again I can see similar entries in the log like the one below.

A failure.
Thu Mar  7 14:30:57 2013 : Error: TLS Alert write:fatal:handshake failure
Thu Mar  7 14:30:57 2013 : Error: TLS_accept: error in SSLv3 read
client certificate B
Thu Mar  7 14:30:57 2013 : Error: rlm_eap: SSL error error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Thu Mar  7 14:30:57 2013 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.
Thu Mar  7 14:30:57 2013 : Auth: Login incorrect (TLS Alert
write:fatal:handshake failure): [wifiuser] (from client CiscoAP port 289
cli 10-68-3F-48-41-46)

Then a success soon after from the same device (this is the Android one)
Thu Mar  7 14:32:10 2013 : Auth: Login OK: [wifiuser] (from client CiscoAP
port 291 cli 10-68-3F-48-41-46)

Very occasionally the Android device would give up and not attempt to
reauthenticate.

The AP is set to reauthenticate clients every 10 minutes. (a rickety old
Cisco Aironet 1200).

Has anyone seen this before?

Thanks in advance,
Bertalan

Re: Failed to load module jradius freeradius server

2013-03-07 Thread Arran Cudbard-Bell

On 7 Mar 2013, at 10:55, Iftakhul Anwar an...@meruvian.org wrote:

> Actually i install freeradius from apt-get ,

Right, so jradius won't have been built.

jradius support is going away, it will *NOT* be in Version 3 unless someone 
contributes a new version of the module which works with the updated jradius 
protocol.

-Arran



Re: Failed to load module jradius freeradius server

2013-03-07 Thread Olivier Beytrison
On 07.03.2013 16:56, Iftakhul Anwar wrote:
> Actually i install freeradius from apt-get ,
>
> But i try configure jradius following tutorial from
> http://coova.org/JRadius/FreeRADIUS
>
> How i can add this module to radius server if i using apt-get ?

You can't. You have to compile it. experimental modules are usually not
available in binary distribution.

Either compile it by hand and install it, or build your own debian packages.

follow http://wiki.freeradius.org/building/Build

and remember to add either --with-experimental-modules=yes or add
rlm_jradius to src/modules/stable

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: EAP-TLS testing, occasional errors

2013-03-07 Thread Phil Mayers

On 07/03/13 16:01, Bertalan Voros wrote:


> Has anyone seen this before?


I see all kinds of weirdness from clients.

Fundamentally, the problem is at the client - it didn't send a 
certificate - so you need to troubleshoot it there.



RE: PHP MD5 with appended salt

2013-03-07 Thread René Klomp
> xlat are placeholders in strings, usually used for substituting attribute
> values, for example:
>
>   update reply {
>           Reply-Message := "Hello %{User-Name}"
>   }
>
> The %{User-Name} is an xlat expansion.
>
> The xlat expansion %{md5:text} expands to an md5 hash of text. So you
> have something like:
>
>   if ("%{md5:%{User-Password}:%{Salt}}" == "%{database password}") {
>           update control {
>                   Auth-Type := 'Access-Accept'
>           }
>   }
>
> There's also an %{sql:text} xlat, which executes the text portion as a
> query and expands to the first column of the first row in the result set.
>
> In the above condition you could use the sql xlat in place of %{Salt} and
> %{database password} to retrieve the bits of info you need to authenticate
> the user, though it's a little inefficient as you have to query twice.
>
> There are ways to work around the limitations of sql xlat, for example you
> can CONCAT the values of two columns and then break them apart with a regex
> and capture groups. See man unlang.
>
> -Arran


Nice :) 


I have added the following to my authorize section and it works:

        if ("%{md5:%{User-Password}:SALT}" == "%{sql:SELECT radcheck.value FROM `radcheck` WHERE radcheck.username ='%{User-Name}'}") {
                update control {
                        Auth-Type := 'Accept'
                }
        }
        else {
                sql  # to make sure that the sql module is loaded.
        }


Is there a better way to solve the loading of the sql module?
If I do not include the else section, the %{sql:...} does not work. But if I 
place it outside the else or when the user enters the wrong password the 
database is queried twice.


Thanks for your help


- Rene


Re: PHP MD5 with appended salt

2013-03-07 Thread Alan DeKok
René Klomp wrote:
> Is there a better way to solve the loading of the sql module?
> If I do not include the else section, the %{sql:...} does not work. But if I
> place it outside the else or when the user enters the wrong password the
> database is queried twice.

  Add it to the instantiate section of radiusd.conf.

  Alan DeKok.


Re: PHP MD5 with appended salt

2013-03-07 Thread Olivier Beytrison
On 07.03.2013 17:15, René Klomp wrote:
>> xlat are placeholders in strings, usually used for substituting attribute
>> values, for example:
> Is there a better way to solve the loading of the sql module?
> If I do not include the else section, the %{sql:...} does not work. But if I
> place it outside the else or when the user enters the wrong password the
> database is queried twice.
 

in radiusd.conf, there's an instantiate {} section where you can put sql

Olivier B.

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Release of Version 2.2.1

2013-03-07 Thread Alan DeKok
  It's been a while since Version 2.2 was released, so it's time for the
next release.

  I'd like to fix the reported memory leak issue, and then release it
later next week.  The changes are minor, and mostly cleanups and bug fixes.

  Please let me know if there are any issues.

  Alan DeKok.


Re: LDAP authorization

2013-03-07 Thread Matthew Ceroni
That is what I tried. So I set

base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

But what I am finding is whether the user is found and enabled, user is
found but disabled, or user isn't found at the output (from radius debug)
shows

[ldap] user XX authorized to use remote access

So then it continues onto the authorization part. How do I get it to reject
if the user isn't found (or user is disabled)?



Re: LDAP authorization

2013-03-07 Thread Alan DeKok
Matthew Ceroni wrote:
> That is what I tried. So I set
>
> base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
>
> But what I am finding is whether the user is found and enabled, user is
> found but disabled, or user isn't found at the output (from radius
> debug) shows

  Does that filter work when you use it with the command-line ldap
search tool?

> [ldap] user XX authorized to use remote access
>
> So then it continues onto the authorization part. How do I get it to
> reject if the user isn't found (or user is disabled)?

  Use ldap.attrmap, as I said in my previous message.

  Alan DeKok.


Re: LDAP authorization

2013-03-07 Thread Matthew Ceroni
Alan:

Yes, that works when run through ldapsearch.

I was able to get the attribute checking working (added to dictionary, then
ldap.attrmap) so I can now reject based on the value of an attribute.
Thanks for the input on that.

However, if the user isn't found in LDAP (Active Directory), how do I get
it to outright reject the user? I can't do attribute checking (tried that
and checking for an empty value, but got attribute was not found). Right
now if the user isn't found in LDAP it happily goes to authentication
(which for testing purposes right now is just using the users file).



Re: LDAP authorization

2013-03-07 Thread Olivier Beytrison

On 07.03.2013 22:06, Matthew Ceroni wrote:

> Alan:
>
> Yes, that works when run through ldapsearch.
>
> I was able to get the attribute checking working (added to dictionary,
> then ldap.attrmap) so I can now reject based on the value of an
> attribute. Thanks for the input on that.
>
> However, if the user isn't found in LDAP (Active Directory), how do I
> get it to outright reject the user? I can't do attribute checking (tried
> that and checking for an empty value, but got attribute was not found).
> Right now if the user isn't found in LDAP it happily goes to
> authentication (which for testing purposes right now is just using the
> users file).


authorize {
   ldap
   if (notfound) {
      reject
   }
   # ... remaining authorize entries ...
}

Olivier

--
 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Freeradius-Users Digest, Vol 95, Issue 30

2013-03-07 Thread David Bird
The most recent (which hasn't changed in some time now) can be found:
http://dev.coova.org/svn/cjradius/trunk/freeradius/rlm_jradius/rlm_jradius.c

Cheers,
David



> Date: Thu, 7 Mar 2013 11:02:17 -0500
> From: Arran Cudbard-Bell a.cudba...@freeradius.org
> To: FreeRadius users mailing list
>    freeradius-users@lists.freeradius.org
> Subject: Re: Failed to load module jradius freeradius server
> Message-ID: c9eb7ae3-492a-4d59-be04-1645044dc...@freeradius.org
> Content-Type: text/plain; charset=iso-8859-1
>
> On 7 Mar 2013, at 10:55, Iftakhul Anwar an...@meruvian.org wrote:
>
>> Actually i install freeradius from apt-get ,
>
> Right, so jradius won't have been built.
>
> jradius support is going away, it will *NOT* be in Version 3 unless someone
> contributes a new version of the module which works with the updated jradius
> protocol.
>
> -Arran
 
 
 




Re: Failed to load module jradius freeradius server

2013-03-07 Thread Iftakhul Anwar
I try to configure with command :  ./configure --with-experimental-modules=yes

but i got error like below :

if [ xrlm_cram != x ]; then \
/home/iam/Downloads/freeradius-server-2.2.0/libtool --mode=install
/home/iam/Downloads/freeradius-server-2.2.0/install-sh -c -c \
rlm_cram.la /usr/local/lib/rlm_cram.la || exit $?; \
rm -f /usr/local/lib/rlm_cram-2.2.0.la; \
ln -s rlm_cram.la /usr/local/lib/rlm_cram-2.2.0.la || exit $?; \
fi
libtool: install: `rlm_cram.la' is not a valid libtool archive
Try `libtool --help --mode=install' for more information.
make[6]: *** [install] Error 1
make[6]: Leaving directory
`/home/iam/Downloads/freeradius-server-2.2.0/src/modules/rlm_cram'
make[5]: *** [rlm_cram] Error 2
make[5]: Leaving directory
`/home/iam/Downloads/freeradius-server-2.2.0/src/modules'
make[4]: *** [install] Error 2
make[4]: Leaving directory
`/home/iam/Downloads/freeradius-server-2.2.0/src/modules'
make[3]: *** [modules] Error 2
make[3]: Leaving directory `/home/iam/Downloads/freeradius-server-2.2.0/src'
make[2]: *** [install] Error 2
make[2]: Leaving directory `/home/iam/Downloads/freeradius-server-2.2.0/src'
make[1]: *** [src] Error 2
make[1]: Leaving directory `/home/iam/Downloads/freeradius-server-2.2.0'


How about copy rlm_jradius to src/modules/stable manually ?

Where i can download rlm_jradius for freeradius ?

Thanks


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Fajar A. Nugraha
On Fri, Mar 8, 2013 at 3:02 AM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:

> On 7 Mar 2013, at 10:55, Iftakhul Anwar an...@meruvian.org wrote:
>
>> Actually i install freeradius from apt-get ,
>
> Right, so jradius won't have been built.

Actually, it should be available. That is, if you use Ubuntu Quantal,
or Debian Testing.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599067
http://changelogs.ubuntu.com/changelogs/pool/main/f/freeradius/freeradius_2.1.12+dfsg-1.1/changelog

If you use older version of the distro (e.g. Ubuntu precise) then you
either need to rebuild the source package, or learn how to install
packages from other distro/versions. Both are outside the scope of
this list, but should be easy to do with the help of Google search.

-- 
Fajar


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Iftakhul Anwar
I've found rlm_jradius in src/modules.

But after I ./configure and make and make install I can't find the jradius
module in my radiusd installation.

Then I tried to configure with the command: ./configure --with-experimental-modules=yes

but I got an error like below:

if [ xrlm_cram != x ]; then \
/home/iam/Downloads/freeradius-server-2.2.0/libtool --mode=install
/home/iam/Downloads/freeradius-server-2.2.0/install-sh -c -c \
rlm_cram.la /usr/local/lib/rlm_cram.la || exit $?; \
rm -f /usr/local/lib/rlm_cram-2.2.0.la; \
ln -s rlm_cram.la /usr/local/lib/rlm_cram-2.2.0.la || exit $?; \
fi
libtool: install: `rlm_cram.la' is not a valid libtool archive
Try `libtool --help --mode=install' for more information.
make[6]: *** [install] Error 1
make[6]: Leaving directory
`/home/iam/Downloads/freeradius-server-2.2.0/src/modules/rlm_cram'
make[5]: *** [rlm_cram] Error 2
make[5]: Leaving directory
`/home/iam/Downloads/freeradius-server-2.2.0/src/modules'
make[4]: *** [install] Error 2
make[4]: Leaving directory
`/home/iam/Downloads/freeradius-server-2.2.0/src/modules'
make[3]: *** [modules] Error 2
make[3]: Leaving directory `/home/iam/Downloads/freeradius-server-2.2.0/src'
make[2]: *** [install] Error 2
make[2]: Leaving directory `/home/iam/Downloads/freeradius-server-2.2.0/src'
make[1]: *** [src] Error 2
make[1]: Leaving directory `/home/iam/Downloads/freeradius-server-2.2.0'


I'm running on Ubuntu 12.04.

Is there a bug in freeradius 2.2.0 for this Ubuntu version?



Re: Failed to load module jradius freeradius server

2013-03-07 Thread Iftakhul Anwar
I tried to downgrade to freeradius-server-2.1.1, following
http://coova.org/JRadius/FreeRADIUS

But when I try to run radiusd in the foreground I get an error message like
below:

radiusd -X
FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Mar
 8 2013 at 08:13:26
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /usr/local/var
logdir = /usr/local/var/log/radius
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /usr/local/var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30

Requirements for rlm_jradius in 3.0

2013-03-07 Thread Arran Cudbard-Bell

On 7 Mar 2013, at 17:54, David Bird w...@mac.com wrote:

 The most recent (which hasn't changed in some time now) can be found:
 http://dev.coova.org/svn/cjradius/trunk/freeradius/rlm_jradius/rlm_jradius.c

Ok. The main issues with that code are:

* It won't compile against current master branch.
* It doesn't use the connection pool API which is an absolute requirement for 
all modules in 3.0.
* If the protocol encoding has changed, then protocol version mismatches should 
be detected and the user should be informed of what's happened unless the 
protocol encodings are interoperable.
* The protocol will need to be extended to pack nested TLVs, and possibly to 
deal with extended TLVs. Though this work is dependent on the final stage of 
the talloc changes.

If you're willing to work with us to make those changes, then we'd be happy to 
include rlm_jradius in version 3.0.

-Arran


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Fajar A. Nugraha
On Fri, Mar 8, 2013 at 12:30 PM, Iftakhul Anwar an...@meruvian.org wrote:
> I try to downgrade to freeradius-server-2.1.1 as following from
> http://coova.org/JRadius/FreeRADIUS
>
> But when i try to running radiusd on foreground i got error message like
> below :
>
>
> I'm running on ubuntu 12.04 machine.
>
> Any suggestion what should i do in order to jradius running on my radius
> server ?


How about actually doing what was suggested?

Really, rebuilding a source package is easy enough. Even installing a
package from Quantal on Precise is known to work in most cases. Google
is your friend.

Unless, of course, you decide to completely ignore the suggestions and
do your own thing. That's fine too, but don't go complaining if
something goes wrong.

-- 
Fajar


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Iftakhul Anwar
Hi Fajar,

What do you mean by rebuilding the source package?

I've recompiled freeradius-server-2.1.1 from source code.

But when I try to run it, jradius is still not found.

I tried with a parameter in the configure command: ./configure --with-experimental-modules=yes

and I got an error like above when I try to run my radius server


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Iftakhul Anwar
What is the right syntax for compiling with an experimental module?

I've tried ./configure --with-experimental-modules=yes, then make and make
install.
But I can't find the jradius module in {installation folder}/modules

I've also tried ./configure --with-experimental-modules=rlm_jradius, but
still the same. I can't find the jradius module after installation.


Help me to solve this, please

Thanks


Re: Failed to load module jradius freeradius server

2013-03-07 Thread Fajar A. Nugraha
On Fri, Mar 8, 2013 at 2:16 PM, Iftakhul Anwar an...@meruvian.org wrote:
> What is the right syntax for compile using experimental module ?

--with-experimental-modules


> I've try to ./configure --with-experimental-modules=yes  then make and make
> install.
> But on i can't find jradius module in {installation folder}/modules

probably because you're missing some dependency, so it skips building
the module. The output of ./configure would have told you about that.

> Help me to solve this,please

I would, but you seem REALLY determined on ignoring advice and doing
things your own way.

The easiest way for you would be to just install ubuntu quantal.
The alternative is to actually look at the output of ./configure,
figure out what dependencies are missing, install it, and repeat the
build process again.

-- 
Fajar


SQL changes

2013-03-07 Thread Arran Cudbard-Bell
Hi All,

A few changes to the SQL drivers.

* Biggest change is there are now no longer any socket close/free functions in 
the driver API; these are now all handled by talloc destructors. If you suspect 
sockets aren't being closed properly, run with the extra -x and it'll print out 
a message when the destructor is called.

* All the drivers now (optionally) can provide an instantiate method to do 
their own config parsing. This method gets passed in the config sub section (if 
it exists) matching the driver name.

So for sqlite it'd be

sql {
    sqlite {
        this section
    }
}

This will let us do driver specific configuration. If there are any client side 
options for MySQL / PostgreSQL that are useful for tuning/debugging feel free 
to submit patches.

* Sqlite code has been pretty much rewritten so it works for everything (not 
just clients), and a new set of schemas created for sqlite. Yes the S is for 
simple not standardised *sigh*.

* The 'filename' config item in the main sql config (which specified where the 
sqlite db was) has been moved into the sqlite {} section (where it should have 
always been).

* There's a new bootstrap config item for sqlite. If bootstrap is set, and the 
specified sqlite database doesn't exist, it'll be created, then the sql file 
specified by bootstrap will be split on ;\n and each statement executed in turn 
to create the schema for the bootstrapped database.

The idea is to ship with a working configuration for sqlippool, so the DHCP just 
works after you've configured the ranges.

If you're writing example configurations/modules that depend on SQL for 
persistent storage, it'd probably be a good idea to use the sqlite driver and 
bootstrap the database/schema that's required, then the examples work out of 
the box, so long as you have sqlite available.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
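
The bootstrap behaviour described in the post above (create the database only if it is missing, split the SQL file on ;\n, run each statement in turn), as an added Python example that is not FreeRADIUS code; the function names and the schema are constructed for illustration. It also covers an edge case of splitting on ;\n: a trigger body is cut in two, which sqlite3.complete_statement() detects before anything is executed.

```python
import os
import sqlite3
import tempfile

# Constructed bootstrap file contents, not a schema shipped with FreeRADIUS.
GOOD_SQL = (
    "CREATE TABLE ippool_demo (\n"
    "  id INTEGER PRIMARY KEY,\n"
    "  pool_name TEXT NOT NULL,\n"
    "  address TEXT NOT NULL,\n"
    "  touched INTEGER DEFAULT 0\n"
    ");\n"
    "CREATE INDEX ippool_demo_name ON ippool_demo (pool_name);\n"
    "INSERT INTO ippool_demo (pool_name, address)\n"
    "  VALUES ('dhcp', '192.0.2.10');\n"
)
# Constructed failure case: the trigger body itself contains ';\n'.
TRIGGER_SQL = GOOD_SQL + (
    "CREATE TRIGGER ippool_demo_touch AFTER UPDATE ON ippool_demo\n"
    "BEGIN\n"
    "  UPDATE ippool_demo SET touched = 1 WHERE id = NEW.id;\n"
    "END;\n"
)


def split_statements(sql_text):
    """Split on ';\\n' as the post describes, dropping empty fragments."""
    return [s.strip() for s in sql_text.split(";\n") if s.strip()]


def incomplete_fragments(sql_text):
    """Fragments that SQLite does not accept as a complete statement."""
    return [s for s in split_statements(sql_text)
            if not sqlite3.complete_statement(s + ";")]


def bootstrap(db_path, sql_text):
    """Build db_path from sql_text if missing; None means it already existed."""
    if os.path.exists(db_path):
        return None
    broken = incomplete_fragments(sql_text)
    if broken:
        raise ValueError("statement cut by the split: %r" % broken[0][:40])
    statements = split_statements(sql_text)
    conn = sqlite3.connect(db_path)
    try:
        for stmt in statements:
            conn.execute(stmt)
        conn.commit()
    except sqlite3.Error:
        conn.close()
        if os.path.exists(db_path):
            os.remove(db_path)  # no half-built database left behind
        raise
    conn.close()
    return len(statements)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")
        print(bootstrap(path, GOOD_SQL))  # first start: schema created
        print(bootstrap(path, GOOD_SQL))  # later start: file left alone
        print(len(incomplete_fragments(TRIGGER_SQL)))
```

Removing the file on failure matters because the existence check is the only thing that triggers a bootstrap: a partly created database would otherwise be treated as already initialised on the next start.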


Freeradius with either LDAP or Mysql Error lib not found

2013-03-07 Thread Iftakhul Anwar
Hi All

I just tried to configure freeradius using either MySQL or LDAP.

But I get the same error, like below:

[error MySQL]

Fri Mar  8 13:44:46 2013 : Error: Could not link driver rlm_sql_mysql:
rlm_sql_mysql.so: cannot open shared object file: No such file or directory
Fri Mar  8 13:44:46 2013 : Error: Make sure it (and all its dependent
libraries!) are in the search path of your system's ld.
Fri Mar  8 13:44:46 2013 : Error: /usr/local/etc/raddb/sql.conf[22]:
Instantiation failed for module sql
Fri Mar  8 13:44:46 2013 : Error:
/usr/local/etc/raddb/sites-enabled/default[177]: Failed to find sql in
the modules section.
Fri Mar  8 13:44:46 2013 : Error:
/usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize
section.

I've read in some articles that it's solved by installing the mysql-devel
package.
In this case I've installed libmysqlclient-dev on my Ubuntu 12.04

But I still get the same error.

It also happens with my freeradius LDAP?

[error LDAP]
/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
rlm_ldap.so: cannot open shared object file: No such file or directory
/usr/local/etc/raddb/sites-enabled/default[305]: Failed to find ldap in
the modules section.
/usr/local/etc/raddb/sites-enabled/default[305]: Failed to parse ldap

How can I solve this issue?

Thanks
