Re: Issue with radius accounting

2013-05-25 Thread Arvind Bahuguni
I am not interested in any argument; I wanted to check what may be the
problem with my RADIUS server, as accounting is successful with FreeRADIUS
on the other server.
On May 26, 2013 6:51 AM, wrote:


Re: user from particular NAS-IP-Address

2013-05-25 Thread Pete Ashdown
On Sat, May 25, 2013 at 06:23:44PM -0400, Alan DeKok wrote:

>   You *did* run the server in debugging mode, as suggested in the FAQ,
> README, "man" page, and daily on this list?

Yes I did, over a period of about 3 hours of trial and error before banging my
head against:

[...]
[files] users: Matched entry test at line 86
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the
user
Failed to authenticate the user.
[...]

I also searched via Google site:lists.freeradius.org because Mailman's archive
sucketh and found similar recriminations to RTFM and run "radiusd -X".  I
didn't see a freeradius-newbs list, so I assumed freeradius-users was
welcoming like other users mailing lists.  I'll unsubscribe now and go back to
the trial and error.  Sorry to have wasted your time.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Bill Grant
I was able to fix it by doing the following.

I installed setroubleshoot

"yum install setroubleshoot"

Then I ran the following command

"sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt"

mylogfile.txt showed:

found 3 alerts in /var/log/audit/audit.log


SELinux is preventing /usr/sbin/radiusd from create access on the semaphore .

*  Plugin catchall (100. confidence) suggests  ***

If you believe that radiusd should be allowed create access on the  sem by 
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp




SELinux is preventing /usr/sbin/radiusd from search access on the directory 
/home.

*  Plugin catchall (100. confidence) suggests  ***

If you believe that radiusd should be allowed search access on the home 
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp




SELinux is preventing /usr/sbin/radiusd from name_connect access on the 
tcp_socket .

*  Plugin catchall (100. confidence) suggests  ***

If you believe that radiusd should be allowed name_connect access on the  
tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


I ran the commands listed above:

"grep radiusd /var/log/audit/audit.log | audit2allow -M mypol"
"semodule -i mypol.pp"


That fixed the problem, thanks again.

From: Bill Grant [wgr...@ebpl.org]
Sent: Saturday, May 25, 2013 8:29 PM
To: FreeRadius users mailing list
Subject: RE: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL
Server]Unable to connect: Adaptive Server is unavailable or doesnot 
exist

You are right, I temporarily disabled SELinux with "echo 0 >/selinux/enforce" 
and it worked. Now I just need to figure out exactly what it is blocking. 
Thanks for the help!

From: Alan DeKok [al...@deployingradius.com]
Sent: Saturday, May 25, 2013 7:44 PM
To: FreeRadius users mailing list
Subject: Re: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL
Server]Unable to connect: Adaptive Server is unavailable or doesnot 
exist

Bill Grant wrote:
> I am having trouble starting FreeRADIUS at boot on CentOS 6.4. It starts, but 
> it does not connect to my database; however, if I run it manually from the 
> command line it works fine. I think there is a permission issue somewhere. See 
> the log below:
>
> when I run following command as root it works

  It's probably some SELinux rule.  The normal Linux APIs allow *any*
process to make outbound connections.

  Alan DeKok.
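Before taking the catch-all module that sealert proposes, it is worth seeing exactly what was denied; the script below is an added example (not code from the thread, FreeRADIUS or setroubleshoot) that summarises AVC records from audit.log by source type, target type, class and permission, using constructed sample records modelled on the three alerts above.

```sh
#!/bin/sh
# Added example, not from the list thread: summarise SELinux AVC denials for
# one process, so a policy module covers exactly what was blocked rather than
# a catch-all module or turning enforcement off.

# Constructed sample audit records, modelled on the three sealert alerts above
# (semaphore create, search of /home, tcp name_connect) plus an unrelated httpd
# denial. PIDs, timestamps and labels are made up for the example.
SAMPLE_AUDIT='type=AVC msg=audit(1369492145.101:101): avc:  denied  { create } for  pid=2101 comm="radiusd" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=sem
type=AVC msg=audit(1369492145.102:102): avc:  denied  { search } for  pid=2101 comm="radiusd" name="home" dev=dm-0 ino=131 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1369492145.103:103): avc:  denied  { name_connect } for  pid=2101 comm="radiusd" dest=5000 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1369492145.104:104): avc:  denied  { name_connect } for  pid=2101 comm="radiusd" dest=5000 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1369492145.105:105): avc:  denied  { read } for  pid=2333 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# summarize_avc FILE COMM -> one line per distinct denial for process COMM:
#   COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMISSIONS
# The type is the third field of an SELinux context (user:role:type:level).
summarize_avc() {
    awk -v want="$2" '
        /^type=AVC / && /avc: +denied/ {
            comm = ""; perm = ""; scon = ""; tcon = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub("\"", "", comm) }
                if ($i ~ /^scontext=/) { scon = $i; sub(/^scontext=/, "", scon) }
                if ($i ~ /^tcontext=/) { tcon = $i; sub(/^tcontext=/, "", tcon) }
                if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
                # the denied permissions sit between "{" and "}"
                if ($i == "{") { for (j = i + 1; j <= NF && $j != "}"; j++) perm = perm (perm == "" ? "" : ",") $j }
            }
            if (comm != want) next
            split(scon, s, ":"); split(tcon, t, ":")
            count[s[3] " " t[3] " " tclass " " perm]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k2
}

# avc_perms FILE COMM -> the distinct denied permissions for COMM, sorted and
# comma-joined: a quick check that nothing was left out of a policy module.
avc_perms() {
    summarize_avc "$1" "$2" |
        awk '{ n = split($5, p, ","); for (i = 1; i <= n; i++) print p[i] }' | sort -u |
        awk '{ out = out (NR > 1 ? "," : "") $0 } END { print out }'
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT" > "$tmp"
echo "denials for radiusd (count source target class permissions):"
summarize_avc "$tmp" radiusd
echo "permissions: $(avc_perms "$tmp" radiusd)"
rm -f "$tmp"
```

Run over the real /var/log/audit/audit.log (or the output of ausearch -m avc -c radiusd), each output line is one rule a minimal module needs; for the tcp_socket denial, check with semanage port -l whether the database port already carries a label the radiusd policy is allowed to connect to before writing a custom rule.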


Re: Auth-Type = Reject not being obeyed

2013-05-25 Thread Matthew Melbourne
I think Phil's diagnosis is correct; 'Auth-Type := Reject' requires the ':='
operator to reject a CHAP authentication.

Unfortunately, it's not always easy to place a live production system in
debug mode, hence the initial "is this something stupid" question :)

(And apologies for the lack of a subject line in the original post).

Cheers,
Matt 

-Original Message-
Date: Fri, 24 May 2013 17:31:29 +0100
From: Phil Mayers 
To: freeradius-users@lists.freeradius.org
Subject: Re: Auth-Type = Reject not being obeyed
Message-ID: <519f95e1.6010...@imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 24/05/13 17:19, Alan Buxey wrote:

> The only difference I can see is that the first example uses a 
> plain-text password, and the RADIUS on the LNS is using CHAP?
>
> The backend database has "=" in the 'op' field (and not ":="), so the 
> returned attribute is "Auth-Type = Reject" and not "Auth-Type := 
> Reject", but it is correctly rejected using radtest/radclient, and I 
> believe the "=" operand to be correct.

You might have this:

authorize {
   ...
   chap
   sql
   ...
}

...and Auth-Type is already set by chap, hence "=" doesn't overwrite it.

Anyway, you're not correct that "=" is the right operator; ":=" means
"force" i.e. set this attribute to this value, always, and that's what you
want to do here, right? "=" means "set if unset"

As has also been pointed out - show "radiusd -X" for a problem auth (and set
a subject line...)



RE: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Bill Grant
You are right, I temporarily disabled SELinux with "echo 0 >/selinux/enforce" 
and it worked. Now I just need to figure out exactly what it is blocking. 
Thanks for the help!

From: Alan DeKok [al...@deployingradius.com]
Sent: Saturday, May 25, 2013 7:44 PM
To: FreeRadius users mailing list
Subject: Re: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL
Server]Unable to connect: Adaptive Server is unavailable or doesnot 
exist

Bill Grant wrote:
> I am having trouble starting FreeRADIUS at boot on CentOS 6.4. It starts, but 
> it does not connect to my database; however, if I run it manually from the 
> command line it works fine. I think there is a permission issue somewhere. See 
> the log below:
>
> when I run following command as root it works

  It's probably some SELinux rule.  The normal Linux APIs allow *any*
process to make outbound connections.

  Alan DeKok.


Re: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Alan DeKok
Bill Grant wrote:
> I am having trouble starting FreeRADIUS at boot on CentOS 6.4. It starts, but 
> it does not connect to my database; however, if I run it manually from the 
> command line it works fine. I think there is a permission issue somewhere. See 
> the log below:
> 
> when I run following command as root it works

  It's probably some SELinux rule.  The normal Linux APIs allow *any*
process to make outbound connections.

  Alan DeKok.


Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Bill Grant
I am having trouble starting FreeRADIUS at boot on CentOS 6.4. It starts, but 
it does not connect to my database; however, if I run it manually from the 
command line it works fine. I think there is a permission issue somewhere. See the 
log below:

When I run the following command as root it works:

# radiusd

Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Driver rlm_sql_unixodbc (module 
rlm_sql_unixodbc) loaded and linked
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Attempting to connect to 
radius@EBHorizon:5000/Horizon
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #0
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Connected new DB handle, #0
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #1
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Connected new DB handle, #1
Sat May 25 10:26:20 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #2
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Connected new DB handle, #2
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #3
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Connected new DB handle, #3
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #4
Sat May 25 10:26:21 2013 : Info: rlm_sql (sql): Connected new DB handle, #4
Sat May 25 10:26:21 2013 : Info: Loaded virtual server 
Sat May 25 10:26:21 2013 : Info: Loaded virtual server inner-tunnel
Sat May 25 10:26:21 2013 : Info:  ... adding new socket proxy address * port 
35688
Sat May 25 10:26:21 2013 : Info: Ready to process requests.

When I run the command below it does not connect.
#service radiusd start


Sat May 25 10:29:05 2013 : Info: rlm_sql (sql): Driver rlm_sql_unixodbc (module 
rlm_sql_unixodbc) loaded and linked
Sat May 25 10:29:05 2013 : Info: rlm_sql (sql): Attempting to connect to 
radius@EBHorizon:5000/Horizon
Sat May 25 10:29:05 2013 : Info: rlm_sql (sql): Attempting to connect 
rlm_sql_unixodbc #0
Sat May 25 10:29:05 2013 : Error: rlm_sql_unixodbc: SQL down 08S01 
[unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is 
unavailable or does not exist
Sat May 25 10:29:05 2013 : Error: rlm_sql_unixodbc: Connection failed
Sat May 25 10:29:05 2013 : Error: rlm_sql (sql): Failed to connect DB handle #0
Sat May 25 10:29:05 2013 : Info: Loaded virtual server 
Sat May 25 10:29:05 2013 : Info: Loaded virtual server inner-tunnel
Sat May 25 10:29:05 2013 : Info:  ... adding new socket proxy address * port 
59524
Sat May 25 10:29:05 2013 : Info: Ready to process requests.

Any help would be greatly appreciated.


Re: user from particular NAS-IP-Address

2013-05-25 Thread Alan DeKok
Pete Ashdown wrote:
> I'm trying to restrict a guest user from a single NAS-IP-Address via "users"
> and I can't get it to work.
> 
> Doesn't work:
> 
> test  NAS-IP-Address == "127.0.0.1"
>   Auth-Type := Accept

  That's wrong.  Why?  See the debug output.  It *tells* you what's
wrong, and how to fix it.  See "man users".  It *documents* the format
of the "users" file.  See the sample "raddb/users" file.  Look for
"Auth-Type".  There are *examples* of how to do this.

> Also, how would I do this for a group of NAS IP addresses?  Is it possible to
> assign them to a group in "clients.conf" that can be later checked against in
> "users"?

  See raddb/huntgroups.  You can group NASes, and check the group
membership later.

>  Where is the documentation of what can be tested against in the
> "users" file?

  What does that mean?  "man users" describes how the "users" file
works.  After that, if you get something wrong, the debug output will
tell you.

  You *did* run the server in debugging mode, as suggested in the FAQ,
README, "man" page, and daily on this list?

  Alan DeKok.
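Both Auth-Type slips in these threads come down to the users file format: the first line of an entry carries the check items and indented lines carry reply items (so Auth-Type on the indented line never selects an authentication method, which is what the "No authenticate method (Auth-Type) found" debug line reports), and plain "=" only sets Auth-Type if nothing set it earlier. The lint below is an added example, not code from the thread or from FreeRADIUS, that flags both in a constructed users file; the huntgroup name "guestnas" is an assumed placeholder.

```sh
#!/bin/sh
# Added example, not from the list thread: a small lint for FreeRADIUS "users"
# entries, covering the two Auth-Type slips discussed in these threads.
#  1. The first line of an entry holds the username and comma-separated CHECK
#     items; indented continuation lines hold REPLY items. Auth-Type is a check
#     item, so on an indented line it is a reply item and never selects an
#     authentication method ("No authenticate method (Auth-Type) found").
#  2. "Auth-Type = X" (plain "=") only sets Auth-Type if nothing set it yet;
#     a module that ran earlier (chap, for example) wins. ":=" forces it.

# Constructed sample users file: entry 1 has the broken layout, entry 2 is the
# corrected form restricted to a NAS group from raddb/huntgroups ("guestnas" is
# an assumed name), entry 3 uses the weak operator.
SAMPLE_USERS=$(printf '%b' \
  'test\tNAS-IP-Address == 127.0.0.1\n' \
  '\tAuth-Type := Accept\n' \
  '\n' \
  'test\tHuntgroup-Name == "guestnas", Auth-Type := Accept\n' \
  '\tReply-Message = "guest access"\n' \
  '\n' \
  'lameuser\tAuth-Type = Reject\n')

# lint_users FILE -> prints one finding per line; exit status 1 if any found
lint_users() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        /^[^ \t]/ {                             # entry start: user + check items
            entry = $1; first = NR
            if ($0 ~ /(^|[ \t,])Auth-Type[ \t]*=[^=~]/) {
                printf "line %d (%s): Auth-Type with plain = only sets if unset; use := to force\n", NR, entry
                bad++
            }
            next
        }
        /(^|[ \t,])Auth-Type[ \t]*[:+!=]?=/ {   # indented line = reply items
            printf "line %d (%s): Auth-Type on a reply line is ignored; move it to line %d as a check item\n", NR, entry, first
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# count_bad FILE -> number of findings, as a value
count_bad() {
    lint_users "$1" | wc -l | tr -d ' '
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_USERS" > "$tmp"
if lint_users "$tmp"; then echo "no Auth-Type problems found"; fi
rm -f "$tmp"
```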


user from particular NAS-IP-Address

2013-05-25 Thread Pete Ashdown
I'm trying to restrict a guest user from a single NAS-IP-Address via "users"
and I can't get it to work.

Doesn't work:

test    NAS-IP-Address == "127.0.0.1"
        Auth-Type := Accept

test    NAS-IP-Address == "127.0.1.1"
        Auth-Type := Accept

Works, but it isn't restricted by NAS:

test    Auth-Type := Accept

I've also tried "Calling-Station-ID == 127.0.1.1" to no avail.


Also, how would I do this for a group of NAS IP addresses?  Is it possible to
assign them to a group in "clients.conf" that can be later checked against in
"users"?  Where is the documentation of what can be tested against in the
"users" file?


Re: Issue with radius accounting

2013-05-25 Thread Alan DeKok
On 2013-05-25, at 12:39 PM, Arvind Bahuguni  wrote:

> Hi Alan,
> I suspect some RADIUS setting on my server, because FreeRADIUS on the other 
> server is responding and authentication and accounting are successful
> 
  For one, you need to edit your posts. It's ridiculous to reply to a digest 
message, and include hundreds of lines of irrelevant text.

  And if you know so much more than me about RADIUS, you shouldn't be asking 
questions on this list.

  If you're going to ask questions and then argue with the answers, you will be 
unsubscribed from the list and banned permanently. 

  Alan DeKok.

Re: Issue with radius accounting

2013-05-25 Thread Arvind Bahuguni
Hi Alan,
I suspect some RADIUS setting on my server, because FreeRADIUS on the
other server is responding and authentication and accounting are successful.
On May 24, 2013 7:56 PM, wrote:

> Message: 1
> Date: Fri, 24 May 2013 12:44:02 +0200
> From: Pieter Hulshoff 
> To: freeradius-users@lists.freeradius.org
> Subject: AES-GCM
> Message-ID: <2687107.xyZuJZ1fbJ@spaceballsml>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello all,
>
> Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the
> documentation, the wiki or the mailinglist archives, but perhaps I'm
> looking
> in the wrong place?
>
> Kind regards,
>
> Pieter Hulshoff
>
>
>
> --
>
> Message: 2
> Date: Fri, 24 May 2013 12:21:47 +0100
> From: Phil Mayers 
> To: freeradius-users@lists.freeradius.org
> Subject: Re: AES-GCM
> Message-ID: <519f4d4b.4080...@imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 24/05/13 11:44, Pieter Hulshoff wrote:
> > Hello all,
> >
> > Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in
> the
> > documentation, the wiki or the mailinglist archives, but perhaps I'm
> looking
> > in the wrong place?
>
> Typically this is down to the TLS libraries; it's not usually the case that
> the application needs to do anything.
>
> That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS
> 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve
> itself in this level of detail - that's an aspect of the TLS library
> (OpenSSL) we use, and whatever the EAP-TLS client is using.
>
> Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP
> or TTLS) never actually sends any data over the TLS session;
> essentially, it consists solely of the handshake. In TLS terms, EAP-TLS
> never sends any TLS records of type=23 (application data). So, the
> negotiated cipher is not used for very much.
>
> PEAP and TTLS have "inner" EAP exchanges, that are protected with the
> TLS session, and sent as TLS type=23 records.
>
> Slightly OT, there seems to be some degree of uncertainty about GCM in
> general, and whether it's a sensible cipher mode - for example, see
> http://www.imperialviolet.org/2013/01/13/rwc03.html
>
>
> --
>
> Message: 3
> Date: Fri, 24 May 2013 13:47:36 +0200
> From: Pieter Hulshoff 
> To: FreeRadius users mailing list
> 
> Subject: Re: AES-GCM
> Message-ID: <2024766.p6x3QSbeB1@spaceballsml>
> Content-Type: text/plain; charset="us-ascii"
>
> On Friday, May 24, 2013 12:21:47 PM Phil Mayers wrote:
> > On 24/05/13 11:44, Pieter Hulshoff wrote:
> > > Hello all,
> > >
> > > Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in
> > > the
> > > documentation, the wiki or the mailinglist archives, but perhaps I'm
> > > looking in the wrong place?
> >
> > Typically this is down to the TLS libraries; it's not usually the case that
> > the application needs to do anything.
>
> It seems I have a lot to learn yet about what is and is not a part of
> FreeRADIUS. My apologies for pushing (slightly) OT subjects onto the
> mailinglist.
>
> > That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS
> > 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve
> > itself in this level of detail - that's an aspect of the TLS library
> > (OpenSSL) we use, and whatever the EAP-TLS client is using.
>
> I guess that if we want to use AEAD ciphers we'll need to find another TLS
> library or adapt/contribute to OpenSSL?
>
> > Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP
> > or TTLS) never actually sends any data over the TLS session;
> > essentially, it consists solely of the handshake. In TLS terms, EAP-TLS
> > never sends any TLS records of type=23 (application data). So, the
> > negotiated cipher is not used for very much.
>
> The EAP-TLS Finished (type=20) are secured/signed with this