Re: [ANN] Version 3.0.0-rc0

2013-07-12 Thread Doug Hardie

On 11 July 2013, at 15:24, Arran Cudbard-Bell  wrote:

> 
> On 11 Jul 2013, at 22:39, Doug Hardie  wrote:
> 
>> 
>> On 11 July 2013, at 06:09, Fajar A. Nugraha  wrote:
>> 
>>> On Thu, Jul 11, 2013 at 7:28 PM, Arran Cudbard-Bell 
>>>  wrote:
>>> We are now in feature freeze for 3.0. The configuration format and 
>>> behaviour for 3.0 will be stable between now and the final release.
>>> 
>>> If you are planning on deploying 3.0 and have an existing 2.x.x 
>>> configuration you were planning to migrate when the 3.0 is released, now 
>>> would be a good time to try that, and to report any issues or problematic 
>>> behaviour changes you notice.
>> 
>> I was not able to find a list of the changes between 2 and 3.
> 
> https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/ChangeLog
> 
> Or
> 
> https://lists.freeradius.org/pipermail/freeradius-devel/2012-September/006985.html
> https://lists.freeradius.org/pipermail/freeradius-users/2013-June/066846.html
> 
>> I have possibly read somewhere that user modules which can be compiled 
>> separately from the base system in version 2, now must be compiled within 
>> version 3.  I wanted to check on this.
> 
> Bundled modules no longer have their own standalone make files if that's what 
> you're referring to. But you're fine building your own modules outside of 
> FreeRADIUS.

Yes I build outside of FreeRadius so thanks for the information and the pointer 
to the complete list. 

> 
> If you want to use the FreeRADIUS build framework, i.e. boilermake, then 
> there's no support for specifying arbitrary paths to modules, so yes it'd 
> have to be located within src/modules/.
> 
> -Arran
> 
> Arran Cudbard-Bell 
> FreeRADIUS Development Team
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 



Re: Loading fails without reporting an error

2013-07-12 Thread Alan DeKok
Lovaas,Steven wrote:
> Thanks, Adam... this got me looking at the right thing.
> 
> I had a mismatch between the type of the home_server localhost (auth), and 
> the attribute used in one of the realms pointing to the pool that references 
> that home server (pool, instead of auth_pool). Changing the type of the 
> localhost home_server allowed FR to complete loading.

  If you have a simple config that can reproduce it, I'd like to fix the
problem.

  It's likely just adding a printed error message in the home server
code.  But knowing exactly where to add it would be useful.

  Alan DeKok.


Re: mod_auth_radius w/Apache 2.4.4 ??

2013-07-12 Thread Alan DeKok
laurence.schuler wrote:
> I'm trying to use mod_auth_radius(-2.0) with apache 2.4.4 and it does
> not appear to be working properly. It complains:
> [:warn] [pid 14690] AuthRadiusActive set, but no RADIUS server IP -
> missing AddRadiusAuth in this context?)
> When I have AuthRadiusAuth set, and I can confirm it by changing the
> hostname to garbage, the server will then fail to start.

  Weird...

> So, it seems the module needs to be updated for apache 2.4.4. Is this
> activity planned? anyone have patches?

  Nope.  As always, patches are welcome.

  I got tired of updating the module years ago.  It seemed that every
minor release of Apache had gratuitously incompatible changes in the API.

  Alan DeKok.


Re: How to best configure Radius for my domain ?

2013-07-12 Thread Alan DeKok
Analyser Great wrote:
> I am trying to setup a configuration where network admins have access to
> all devices and users have only access to cisco vpn.  I don't wanna use
> local user database since I already have Ldap to authorize and Kerberos
> to authenticate.
> 
> How do you do this in your domain currently with version 2 ?

  Put the network admins into a group in LDAP.  Then, check the group.

  Logically:

    if asking for admin access then
        if !network group
            reject


  Alan DeKok.


2.2.0 & dhcp: regression

2013-07-12 Thread Eugene Grosbein
Hi!

We have been running FreeRADIUS 2.1.12/dhcp module with success for a long time
with FreeBSD 8.

Our DHCP perl script opens two file descriptors (per thread):
one for database connection TCP socket and one for syslog
(/var/run/log unix domain socket). With pool size consisting of 1000 threads,
this worked just fine with 2.1.12.

Now, as we upgraded to 2.2.0, this schema stopped working.
It works if I decrease maximum pool size so that total amount of radiusd's
open file descriptors does not exceed 1023, this corresponds to
501 threads in the pool. If I use 502 threads or more, it initially works
until the process creates enough threads to open the 1024th file descriptor,
then it starts to write to its log:

Fri Jul 12 17:09:13 2013 : Info: WARNING: Child is hung for request 727 in component post-auth module perl.
Fri Jul 12 17:09:14 2013 : Info: WARNING: Child is hung for request 765 in component post-auth module perl.

I've tried to recompile freeradius with CFLAGS including -DFD_SIZE=4096,
that changed nothing.

If I disable syslog usage in my perl script thus decreasing open files
from 2 per thread to only one, then 2.2.0 runs with 1000 threads just fine.
Again, increase of thread pool size breaks after open of 1024th file descriptor.

Please help. We need at least 1000 concurrent threads to deal with the load here.
Our hardware has enough raw power and we do not like to create useless queueing
delays.

Eugene Grosbein


Re: Loading fails without reporting an error

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 11:19:00AM +0200, Alan DeKok wrote:
> Lovaas,Steven wrote:
> > Thanks, Adam... this got me looking at the right thing.
> > 
> > I had a mismatch between the type of the home_server localhost (auth), and 
> > the attribute used in one of the realms pointing to the pool that 
> > references that home server (pool, instead of auth_pool). Changing the type 
> > of the localhost home_server allowed FR to complete loading.
> 
>   If you have a simple config that can reproduce it, I'd like to fix the
> problem.
> 
>   It's likely just adding a printed error message in the home server
> code.  But knowing exactly where to add it would be useful.

I've sent a pull request.

It's easy to trigger - take a standard 2.x config and apply the
following patch to the config:

diff --git a/raddb/proxy.conf b/raddb/proxy.conf
index 413fc14..6ceb5cb 100644
--- a/raddb/proxy.conf
+++ b/raddb/proxy.conf
@@ -613,6 +613,7 @@ realm example.com {
#  and "acct_pool".
 
auth_pool = my_auth_failover
+   acct_pool = my_auth_failover
 #  acct_pool = acct
 
#
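Review bot: In the realm example.com hunk, the added "acct_pool = my_auth_failover" line reuses the pool already named by "auth_pool", and nothing in the hunk marks it as a deliberate misconfiguration. Since the patch exists only to reproduce the silent exit, put a comment line above it saying so, so that it is not mistaken for a working alternative to the commented-out "#  acct_pool = acct" that follows.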

There are a distinct lack of errors printed out in realms.c when
it returns. I'm guessing there may be better error messages or
locations to print them, but the pull request will give the right
starting pointers :-)

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Phil Mayers

On 12/07/13 11:17, Eugene Grosbein wrote:
> Please help. We need at least 1000 concurrent threads to deal with the load
> here.

1000 threads is a crazy number. Can you explain why you think you need
that many? Are you doing very slow logic/lookups or something?

Anyway, the problem is almost certainly system ulimits. I don't know why
it's different under 2.2 to 2.1, but I would look into ulimit.



Re: Loading fails without reporting an error

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 11:24:54AM +0100, Matthew Newton wrote:
> On Fri, Jul 12, 2013 at 11:19:00AM +0200, Alan DeKok wrote:
> > Lovaas,Steven wrote:
> > > I had a mismatch between the type of the home_server localhost (auth), 
> > > and the attribute used in one of the realms pointing to the pool that 
> > > references that home server (pool, instead of auth_pool). Changing the 
> > > type of the localhost home_server allowed FR to complete loading.
> >   It's likely just adding a printed error message in the home server
> > code.  But knowing exactly where to add it would be useful.
> 
> It's easy to trigger - take a standard 2.x config and apply the
> following patch to the config:

To add to that, the same config error on v3 does give an error
message, but although it's technically true (a home server being
defined by its name *and* type), it's not entirely helpful-

raddb/proxy.conf[593]: Unknown home_server "localhost".

Don't know if there are any ways to improve that message - I guess
there are a number of reasons that the home_server might not be
found. The line number should point to the problem section,
though.

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Eugene Grosbein
On 12.07.2013 17:17, Eugene Grosbein wrote:
> Hi!
> 
> We have been running FreeRADIUS 2.1.12/dhcp module with success for long time
> with FreeBSD 8.
> 
> Our DHCP perl script opens two file descriptors (per thread):
> one for database connection TCP socket and one for syslog
> (/var/run/log unix domain socket). With pool size consisting of 1000 threads,
> this worked just fine with 2.1.12
> 
> Now, as we upgraded to 2.2.0, this schema stopped to work.
> It works if I decrease maximum pool size so that total amount of radiusd's
> open file descriptors does not exceed 1023, this corresponds to
> 501 threads in the pool. If I use 502 threads or more, it initially works
> until the process creates enough threads to open 1024th file descriptor,
> then it starts to write to its log:
> 
> Fri Jul 12 17:09:13 2013 : Info: WARNING: Child is hung for request 727 in 
> component post-auth module perl.
> Fri Jul 12 17:09:14 2013 : Info: WARNING: Child is hung for request 765 in 
> component post-auth module perl.
> 
> I've tried to recompile freeradius with CFLAGS including -DFD_SIZE=4096,
> that changed nothing.
> 
> If I disable syslog usage in my perl script thus decreasing open files
> from 2 per thread to only one, then 2.2.0 runs with 1000 threads just fine.
> Again, increase of thread pool size breaks after open of 1024th file 
> descriptor.
> 
> Please help. We need at least 1000 concurrent threads to deal with the load 
> here.
> Our hardware has enough raw power and we do not like to create useless 
> queueing delays.

Forgot to mention that operating system's open files limit for freeradius is 
over 11000.
And file descriptors are numbered starting from zero, so descriptor 1024 is 
really 1025th.

radiusd works fine until it has descriptors 0-1023 only and breaks with creation
of descriptor 1024: it stops calling perl routine post_auth and thus,
processing of DHCP requests ceases.



Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Eugene Grosbein
On 12.07.2013 17:38, Phil Mayers wrote:
> On 12/07/13 11:17, Eugene Grosbein wrote:
>>
>> Please help. We need at least 1000 concurrent threads to deal with the load 
>> here.
> 
> 1000 threads is a crazy number. Can you explain why you think you need 
> that many? Are you doing very slow logic/lookups or something?

Our database is powerful enough to deal with so many requests.
We may easily get that many requests and want to be able to process
them in parallel without needless queueing.

> Anyway, the problem is almost certainly system ulimits. I don't know why 
> it's different under 2.2 to 2.1, but I would look into ulimit.

ulimit for files is over 11000 here. And radiusd successfully opens more
than 1024 files. It just breaks afterwards.



Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Alan DeKok
Eugene Grosbein wrote:
> Forgot to mention that operating system's open files limit for freeradius is 
> over 11000.
> And file descriptors are numbered starting from zero, so descriptor 1024 is 
> really 1025th.
> 
> radiusd works fine until it has descriptors 0-1023 only and breaks with 
> creation
> of descriptor 1024: it stops calling perl routing post_auth and thus,
> processing of DHCP requests ceases.

  The server has no limits on the number of sockets it can use.  That is
all enforced by the OS.

  Or, maybe there's an issue with Perl.

  I would also check why you need 1000 threads.  That's a lot.  Maybe
it's that your Perl script is slow.  Or, your database is slow.

  I'd also suggest skipping syslog in Perl.  The server has a "linelog"
module, which can do logging to syslog.  Just put the log messages into
an attribute, and let the linelog module handle it.

  Alan DeKok.


Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Eugene Grosbein
On 12.07.2013 18:10, Alan DeKok wrote:
> Eugene Grosbein wrote:
>> Forgot to mention that operating system's open files limit for freeradius is 
>> over 11000.
>> And file descriptors are numbered starting from zero, so descriptor 1024 is 
>> really 1025th.
>>
>> radiusd works fine until it has descriptors 0-1023 only and breaks with 
>> creation
>> of descriptor 1024: it stops calling perl routing post_auth and thus,
>> processing of DHCP requests ceases.
> 
>   The server has no limits on the number of sockets it can use.  That is
> all enforced by the OS.

Extra sockets got opened just fine, I see that with lsof/fstat here.

>   Or, maybe there's an issue with Perl.

2.1.12 does not have this issue with the same Perl.

>   I would also check why you need 1000 threads.  That's a lot.  Maybe
> it's that your Perl script is slow.  Or, your database is slow.

Yes, that's a lot. That reflects the high load we may have.
We do not want to queue requests that may be processed in parallel.

>   I'd also suggest skipping syslog in Perl.  The server has a "linelog"
> module, which can do logging to syslog.  Just put the log messages into
> an attribute, and let the linelog module handle it.

We use syslogd's facility to send logs to remote log collectors
using traditional syslog protocol (udp/514). Can "linelog" module do that?

Eugene Grosbein



Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Phil Mayers

On 12/07/13 11:55, Eugene Grosbein wrote:
> On 12.07.2013 17:38, Phil Mayers wrote:
>> On 12/07/13 11:17, Eugene Grosbein wrote:
>>> Please help. We need at least 1000 concurrent threads to deal with the
>>> load here.
>>
>> 1000 threads is a crazy number. Can you explain why you think you need
>> that many? Are you doing very slow logic/lookups or something?
>
> Our database is powerful enough to deal with so many requests.
> We may easily get that many requests and want to be able to process
> them in parallel without needless queueing.

With respect, this is a pretty basic logic.

The figure of merit here is offered load in terms of request/sec, and
the average/max processing time per-request.

If you have 1000 request/sec and each request takes 1 millisecond to
process, a single thread is sufficient.

If you have 100,000 request/sec and each request takes 10 milliseconds,
then you need 100 threads.

If your database is "so powerful" it shouldn't be taking too long, so
unless you have a truly enormous number of request/sec, you don't need
1000 threads.

If you really do have that many request/sec, you probably should look at
some form of load balancing, rather than having enormous thread pool.
The thread pool performance will not scale linearly - various server
internal data structures are locked, and you will probably run into lock
contention at high thread counts.

I assert that 1000 (posix, shared-memory) threads is always the wrong
answer to pretty much *any* problem ;o)

>> Anyway, the problem is almost certainly system ulimits. I don't know why
>> it's different under 2.2 to 2.1, but I would look into ulimit.
>
> ulimit for files is over 11000 here. And radiusd successfully opens more
> than 1024 files. It just breaks afterwards.

It could be the use of select() then. If rlm_perl opens FDs 5-1023, then
the radius server needs to open some sockets, it will get FD #1024,
which might cause select to complain.

Try running the server under "strace" and see if you can see where it
goes wrong, and what it calls just before it does.



Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Alan DeKok
Eugene Grosbein wrote:
> Extra sockets got opened just fine, I see that with lsof/fstat here.

  OK.  But I'm not aware of any change in any code which will limit the
number of sockets.

> 2.1.12 has not this issue with same Perl.

  OK.  The rlm_perl module changed.  It added some locks to avoid issues
with Perl Clone and threads.  Maybe you're running into lock contention.

  i.e. it worked in 2.1.12 by magic, because thread-specific structures
were not locked properly.  Adding locks makes it *correct*, but at the
price of performance.

> Yes, that's a lot. That reflects high load we may have.
> We do not want to queue requests that may be processed in parallel.

  Queuing requests for a short time shouldn't hurt anything.  DHCP
clients will wait ~8 seconds for a response.

  Is your load really that high?  i.e. how many packets/s does the
server receive?  How long does it take to process one packet?

> We use syslogd's facility to send logs to remote log collectors
> using traditional syslog protocol (udp/514). Can "linelog" module do that?

  Yes.

  Alan DeKok.


Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Eugene Grosbein
On 12.07.2013 19:07, Alan DeKok wrote:
> Eugene Grosbein wrote:
>> Extra sockets got opened just fine, I see that with lsof/fstat here.
> 
>   OK.  But I'm not aware of any change in any code which will limit the
> number of sockets.
> 
>> 2.1.12 has not this issue with same Perl.
> 
>   OK.  The rlm_perl module changed.  It added some locks to avoid issues
> with Perl Clone and threads.  Maybe you're running into lock contention.

The problem is always reproducible and has an obvious "hard limit"
correlating or consistent with the number of open files.
 
>   i.e. it worked in 2.1.12 by magic, because thread-specific structures
> were not locked properly.  Adding locks makes it *correct*, but at the
> price of performance.

I understand. With one exception - we do not have a performance problem,
we have a full lockup of all threads and after that not one request is served.

>> Yes, that's a lot. That reflects high load we may have.
>> We do not want to queue requests that may be processed in parallel.
> 
>   Queuing requests for a short time shouldn't hurt anything.  DHCP
> clients will wait ~8 seconds for a response.
> 
>   Is your load really that high?  i.e. how many packets/s does the
> server receive?  How long does it take to process one packet?

That's another topic. I'd like not to turn to deep discussion of our load.
In short, there may be bursts of thousands of DHCP requests per second
lasting several minutes and we have enough horsepower to process them in
parallel if we have at least one thousand of threads in the pool.
 
>> We use syslogd's facility to send logs to remote log collectors
>> using traditional syslog protocol (udp/514). Can "linelog" module do that?
> 
>   Yes.

Thanks, I'll take a look.



Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Eugene Grosbein
On 12.07.2013 18:39, Phil Mayers wrote:

>> Our database is powerful enough to deal with so many requests.
>> We may easily get that many requests and want to be able to process
>> them in parallel without needless queueing.
> 
> With respect, this is a pretty basic logic.
> 
> The figure of merit here is offered load in terms of request/sec, and 
> the average/max processing time per-request.
> 
> If you have 1000 request/sec and each request takes 1 millisecond to 
> process, a single thread is sufficient.
> 
> If you have 100,000 request/sec and each request takes 10 milliseconds, 
> then you need 100 threads.
> 
> If your database is "so powerful" it shouldn't be taking too long, so 
> unless you have a truly enormous number of request/sec, you don't need 
> 1000 threads.

Yes, we may have a large number of request/sec and need to be able to process
them instantly.

> If you really do have that many request/sec, you probably should look at 
> some form of load balancing, rather than having enormous thread pool. 
> The thread pool performance will not scale linearly - various server 
> internal data structures are locked, and you will probably run into lock 
> contention at high thread counts.

We performed extensive testing and found no noticeable contention
while using 2.1.12. With lesser pool size we have unneeded queueing delays.

Anyway, that's another topic. The regression in 2.2.0 is what I wanted to 
discuss here.

>>> Anyway, the problem is almost certainly system ulimits. I don't know why
>>> it's different under 2.2 to 2.1, but I would look into ulimit.
>>
>> ulimit for files is over 11000 here. And radiusd successfully opens more
>> than 1024 files. It just breaks afterwards.
> 
> It could be the use of select() then. If rlm_perl opens FDs 5-1023, then 
> the radius server needs to open some sockets, it will get FD #1024, 
> which might cause select to complain.

I rebuilt freeradius-2.2.0 with CFLAGS containing -DFD_SETSIZE=4096,
that changed nothing.

> Try running the server under "strace" and see if you can see where it 
> goes wrong, and what it calls just before it does.

I'll try, thanks.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
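
The select() limit raised in the messages above (a descriptor numbered FD_SETSIZE or higher cannot be placed in an fd_set, however high the ulimit is), as an added example that is not from the thread or from the FreeRADIUS source. The function names are hypothetical and a pipe stands in for a server socket; whether this is what radiusd 2.2.0 actually hits is not established in the thread.

```c
/* Added example: waiting on a descriptor numbered >= FD_SETSIZE.
 * Function names are hypothetical; a pipe stands in for a server socket. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

enum wait_api { WAIT_SELECT = 1, WAIT_POLL = 2 };

/* An fd_set is a fixed bitmap of FD_SETSIZE bits. FD_SET() on a larger
 * descriptor number writes outside that bitmap, so select() is only usable
 * for 0 <= fd < FD_SETSIZE. poll() is handed the number itself, no bitmap. */
static enum wait_api api_for_fd(int fd)
{
    return (fd >= 0 && fd < FD_SETSIZE) ? WAIT_SELECT : WAIT_POLL;
}

/* Wait up to timeout_ms for fd to become readable.
 * Returns 1 if readable, 0 on timeout, -1 on error; *used reports the API. */
static int wait_readable(int fd, int timeout_ms, enum wait_api *used)
{
    int rc;

    *used = api_for_fd(fd);
    if (fd < 0) {
        errno = EBADF;
        return -1;
    }

    if (*used == WAIT_SELECT) {
        fd_set rfds;
        struct timeval tv;

        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);              /* safe: fd < FD_SETSIZE was checked */
        rc = select(fd + 1, &rfds, NULL, NULL, &tv);
        return rc > 0 ? 1 : rc;
    }

    struct pollfd pfd;
    pfd.fd = fd;
    pfd.events = POLLIN;
    pfd.revents = 0;
    rc = poll(&pfd, 1, timeout_ms);
    if (rc > 0)
        return (pfd.revents & POLLIN) ? 1 : -1;
    return rc;
}

/* Duplicate fd onto the lowest free descriptor number >= min_fd, raising the
 * soft RLIMIT_NOFILE first if it is too low. This reproduces "the process
 * already holds ~1024 descriptors" without opening a thousand files. */
static int dup_at_or_above(int fd, int min_fd)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur <= (rlim_t)min_fd) {
        rlim_t want = (rlim_t)min_fd + 16;
        if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max)
            want = rl.rlim_max;
        rl.rlim_cur = want;
        (void)setrlimit(RLIMIT_NOFILE, &rl);
    }
    return fcntl(fd, F_DUPFD, min_fd);  /* -1 if the hard limit is too low */
}

int main(void)
{
    int p[2], hi, rc;
    enum wait_api used;

    if (pipe(p) != 0 || write(p[1], "x", 1) != 1)
        return 1;

    rc = wait_readable(p[0], 100, &used);
    printf("fd %d: rc=%d via %s\n", p[0], rc,
           used == WAIT_SELECT ? "select" : "poll");

    hi = dup_at_or_above(p[0], FD_SETSIZE);
    if (hi < 0) {
        perror("F_DUPFD above FD_SETSIZE");
        return 1;
    }
    rc = wait_readable(hi, 100, &used);
    printf("fd %d (FD_SETSIZE=%d): rc=%d via %s\n", hi, FD_SETSIZE, rc,
           used == WAIT_SELECT ? "select" : "poll");
    return 0;
}
```
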


Dynamic vlan assignment with ldap groups

2013-07-12 Thread val john
Hi guys ,

I have a FreeRADIUS setup that works with LDAP group authentication. I also
need to configure dynamic VLAN assignment, so I configured the
"users" file as follows:

DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100",
        Reply-Message = "You are Accepted"

DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "200",
        Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


Do I need any other configuration file to be edited to get VLAN
assignment to work? Or is just the "users" file enough?

Please advise

Thank You
John

Re: Dynamic vlan assignment with ldap groups

2013-07-12 Thread Arran Cudbard-Bell

On 12 Jul 2013, at 13:57, val john  wrote:

> Hi guys ,
> 
> I have a FreeRADIUS setup that works with LDAP group authentication. I also
> need to configure dynamic VLAN assignment, so I configured the "users"
> file as follows:
>
> DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = "100",
>         Reply-Message = "You are Accepted"
>
> DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = "200",
>         Reply-Message = "You are Accepted"
>
> DEFAULT Auth-Type := Reject
>
>
> Do I need any other configuration file to be edited to get VLAN assignment
> to work? Or is just the "users" file enough?

Just users file is fine.

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: 2.2.0 & dhcp: regression

2013-07-12 Thread Eugene Grosbein
On 12.07.2013 19:57, Alan DeKok wrote:
> Eugene Grosbein wrote:
>> The problem is always reproducible and have obvious "hard limit"
>> correlating or consisting with number of open files.
> 
>   I'm not sure what changes from 2.1.12 to 2.2.0 would cause that.
> 
>> I understand. With one exception - we have not performance problem,
>> we have full lockup of all threads and after that not one request is served.
> 
>   All I can suggest is to see doc/bugs.  Use gdb to find out where the
> Perl threads are locking.

Thanks, I'll try next week.

>> That's another topic. I'd like not to turn to deep discussion of our load.
>> In short, there may be bursts of thousands of DHCP requests per second
>> lasting several minutes and we have enough horsepower to process them in 
>> parallel
>> if we have at least one thousand of threads in the pool.
> 
>   Even 1000's of packets/s shouldn't require 1000's of threads.
> FreeRADIUS can do ~60K packet/s single threaded.  The main thing is to
> ensure that the per-packet latency is low.
> 
>   You may want to convert the Perl logic into a stored procedure in the
> database.  That is usually MUCH faster.  I've done that for some
> deployments, and managed to get 1000's of DHCP packets/s with only a
> small number of threads.

That has already been done. My perl code uses persistent connections
to MS SQL database and runs stored procedure there.

Eugene Grosbein




Re: Dynamic vlan assignment with ldap groups

2013-07-12 Thread val john
Hi guys ,

Small question: do I need to import the RADIUS LDAP schema (items like
radiusprofiles) to our LDAP server to get this VLAN assignment to work?

Thank You
john


On 12 July 2013 18:39, Arran Cudbard-Bell  wrote:

>
> On 12 Jul 2013, at 13:57, val john  wrote:
>
> > Hi guys ,
> >
> > I have a FreeRADIUS setup that works with LDAP group authentication. I
> > also need to configure dynamic VLAN assignment, so I configured the
> > "users" file as follows:
> >
> > DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
> >         Tunnel-Type = VLAN,
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = "100",
> >         Reply-Message = "You are Accepted"
> >
> > DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
> >         Tunnel-Type = VLAN,
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = "200",
> >         Reply-Message = "You are Accepted"
> >
> > DEFAULT Auth-Type := Reject
> >
> >
> > Do I need any other configuration file to be edited to get VLAN
> > assignment to work? Or is just the "users" file enough?
>
> Just users file is fine.
>
> Arran Cudbard-Bell 
> FreeRADIUS Development Team
>

3.0 regex realm syntax

2013-07-12 Thread Brian Julin

It seems to be last call for refactoring some of the user-visible
config items that are easier to change when bumping a major
rev number.  The syntax for regexp-based realms has always
struck me as a bit hinky:

realm "~regexp\\.edu" {
}

Would it require too much tokenization witchdoctoring to make:

realm /regexp\.edu/ {
}

...work?

Also I find a note in my config file comments about some regexp
availability in the "hints" file being in-transition and so not
to use it, but cannot remember what that was about, it has been
so long, and there seems to be no example in the stock configs.

I'm looking forward to finally bumping to 3.0 on our non-RadSec
servers as soon as things look to test out right and we can tell
the boss that the package is supported on our distro.  We'll
be getting rid of a LOT of cruft in config files during the
process due to the many new ease-of-use features.  Things
are sure looking up :-)

--
Brian S. Julin
Network Administrator
Clark University




RE: Loading fails without reporting an error

2013-07-12 Thread Lovaas,Steven
Certainly!

Here's the complete proxy.conf, configured with the mismatch (line 6: type = 
auth, and line 60: pool = csu-auth) such that FR exits before completely 
loading in debug mode. Changing either of these to match (or just omitting that 
pool definition and letting that realm be local) allows FR to load completely.

Thanks for all you do to keep FreeRADIUS working,
Steve



proxy server {
    default_fallback = no
}

home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
    secret = thisisnotmyrealsecret
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
}

home_server tlrs1-eduroam-us {
    type = auth+acct
    ipaddr = 64.57.22.74
    port = 1812
    secret = thisisnotmyrealsecreteither
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    check_interval = 30
    num_answers_to_alive = 3
}

home_server tlrs2-eduroam-us {
    type = auth+acct
    ipaddr = 64.57.22.78
    port = 1812
    secret = noristhisonemyrealsecret
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    check_interval = 30
    num_answers_to_alive = 3
}


home_server_pool csu-auth {
    type = fail-over
    home_server = localhost
}

home_server_pool EDUROAM {
    type = fail-over
    home_server = tlrs1-eduroam-us
    home_server = tlrs2-eduroam-us
}

realm NULL {
}

realm "~(.*\\.)*(colostate|COLOSTATE)\\.(edu|EDU)$" {
    pool = csu-auth
}

realm "~.+$" {
    pool = EDUROAM
    nostrip
}

realm LOCAL {
}

realm DEFAULT {
}





-Original Message-
From: freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org 
[mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Friday, July 12, 2013 3:19 AM
To: FreeRadius users mailing list
Subject: Re: Loading fails without reporting an error

Lovaas,Steven wrote:
> Thanks, Adam... this got me looking at the right thing.
> 
> I had a mismatch between the type of the home_server localhost (auth), and 
> the attribute used in one of the realms pointing to the pool that references 
> that home server (pool, instead of auth_pool). Changing the type of the 
> localhost home_server allowed FR to complete loading.

  If you have a simple config that can reproduce it, I'd like to fix the 
problem.

  It's likely just adding a printed error message in the home server code.  But 
knowing exactly where to add it would be useful.

  Alan DeKok.


Re: 3.0 regex realm syntax

2013-07-12 Thread Alan DeKok
Brian Julin wrote:
> Would it require too much tokenization witchdoctoring to make:
> 
> realm /regexp\.edu/ {
> }
> 
> ...work?

  No.  We'll wait for 3.0.1, though.

> Also I find a note in my config file comments about some regexp
> availability in the "hints" file being in-transition and so not
> to use it, but cannot remember what that was about, it has been
> so long, and there seems to be no example in the stock configs.

  I don't recall.

> I'm looking forward to finally bumping to 3.0 on our non-RadSec
> servers as soon as things look to test out right and we can tell
> the boss that the package is supported on our distro.  We'll
> be getting rid of a LOT of cruft in config files during the
> process due to the many new ease-of-use features.  Things
> are sure looking up :-)

  Yup.  And there's a LOT more to come.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP authentication filter based on source SSID

2013-07-12 Thread Gustavo Vieira Oliveira

Hello!

I need some help with RADIUS regarding Wireless authentication with 
RADIUS + LDAP.


I need to check if the user has permission to connect to a specific 
SSID, so we check a LDAP attribute for that.


By that, we need to know from which SSID the authentication is being 
requested so we use a specific LDAP Filter to search the base and grant 
or deny the permission.


We tried to use two instances of RADIUS, one per SSID, but the Wireless 
Controller doesn't seem to support it (supports only one AAA per AP).


That's why I'm asking for help in case you people have some alternatives 
or ideas to solve it.


The setup is based on Cisco Wireless Controller 5508.

Thanks in advance!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Olivier Beytrison
On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
> I need some help with RADIUS regarding Wireless authentication with
> RADIUS + LDAP.

Hello. Which version of FreeRADIUS are you running?

> I need to check if the user has permission to connect to a specific
> SSID, so we check a LDAP attribute for that.

Pretty easy

> By that, we need to know from which SSID the authentication is being
> requested so we use a specific LDAP Filter to search the base and grant
> or deny the permission.
> 
> We tried to use two instances of RADIUS, one per SSID, but the Wireless
> Controller doesn't seem to support it (supports only one AAA per AP).

Oh what?

> That's why I'm asking for help in case you people have some alternatives
> or ideas to solve it.
> 
> The setup is based on Cisco Wireless Controller 5508.

I'm also setting up WLC-5508 right now on my side.

First, the AAA servers are defined per SSID. So you can specify
different radius servers (or simply ports) for each SSID

Secondly, you can now customize the NAS-Identifier on a per SSID basis
(at least in release 7.4)

Finally, the Called-Station-Id will contain the SSID name. If you use
the policy rewrite_called_station_id it will populate the attribute
Called-Station-SSID with the SSID Name.

So all the tools to do it easily are in your hands.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
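
Added illustration, not part of the thread and not FreeRADIUS configuration: Python that splits a Called-Station-Id of the form "AP-MAC:SSID" the way the reply above describes, rejects when no SSID was sent, and escapes both values per RFC 4515 before they reach an LDAP filter. The attribute names uid and allowedSSID are hypothetical, and the SSID limit is counted in characters here.

```python
import re

# Called-Station-Id as "<AP MAC>:<SSID>"; MAC octets may be split by - : . or nothing.
_CSID = re.compile(r"^((?:[0-9a-f]{2}[-:.]?){5}[0-9a-f]{2})(?::(.{1,32}))?$",
                   re.IGNORECASE | re.DOTALL)
# RFC 4515 characters that must be escaped inside a filter assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def split_called_station_id(value: str):
    """Return (normalised MAC, SSID or None); raise ValueError if unparseable."""
    m = _CSID.match(value)
    if m is None:
        raise ValueError(f"unexpected Called-Station-Id: {value!r}")
    digits = re.sub(r"[^0-9a-f]", "", m.group(1).lower())
    mac = "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()
    return mac, m.group(2)


def ldap_escape(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ssid_filter(user_name: str, called_station_id: str):
    """Build the search filter, or return None (reject) when no SSID was sent."""
    try:
        _mac, ssid = split_called_station_id(called_station_id)
    except ValueError:
        return None
    if not ssid:
        # The AP sent only its MAC: fail closed instead of searching without
        # the SSID restriction.
        return None
    # uid and allowedSSID are hypothetical attribute names.
    return f"(&(uid={ldap_escape(user_name)})(allowedSSID={ldap_escape(ssid)}))"


if __name__ == "__main__":
    # Constructed sample values.
    print(ssid_filter("alice", "00-1A-2B-3C-4D-5E:staff"))
    print(ssid_filter("alice", "00-1A-2B-3C-4D-5E"))
```
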


Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Gustavo Vieira Oliveira

I forgot to say that we use H-REAP so we do not authenticate it in the WLC

Regards,

Gustavo Vieira Oliveira

GETIC - Gerência de Tecnologia da Informação
SUSERV - Superintendência de Serviços Compartilhados

Sistema FIESC
Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC
Fone (48) 32314699 - Ramal 44699
http://www.sistemafiesc.com.br

On 12/07/2013 12:14, Olivier Beytrison wrote:
> On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
>> I need some help with RADIUS regarding Wireless authentication with
>> RADIUS + LDAP.
>
> Hello. Which version of FreeRADIUS are you running?
>
>> I need to check if the user has permission to connect to a specific
>> SSID, so we check a LDAP attribute for that.
>
> Pretty easy
>
>> By that, we need to know from which SSID the authentication is being
>> requested so we use a specific LDAP Filter to search the base and grant
>> or deny the permission.
>>
>> We tried to use two instances of RADIUS, one per SSID, but the Wireless
>> Controller doesn't seem to support it (supports only one AAA per AP).
>
> Oh what?
>
>> That's why I'm asking for help in case you people have some alternatives
>> or ideas to solve it.
>>
>> The setup is based on Cisco Wireless Controller 5508.
>
> I'm also setting up WLC-5508 right now on my side.
>
> First, the AAA servers are defined per SSID. So you can specify
> different radius servers (or simply ports) for each SSID
>
> Secondly, you can now customize the NAS-Identifier on a per SSID basis
> (at least in release 7.4)
>
> Finally, the Called-Station-Id will contain the SSID name. If you use
> the policy rewrite_called_station_id it will populate the attribute
> Called-Station-SSID with the SSID Name.
>
> So all the tools to do it easily are in your hands.
>
> Olivier


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Gustavo Vieira Oliveira

Olivier,

You don't need to set "radius-server vsa send" in the AP so it sends the 
SSID in the authentication request?


Regards,

Gustavo Vieira Oliveira

GETIC - Gerência de Tecnologia da Informação
SUSERV - Superintendência de Serviços Compartilhados

Sistema FIESC
Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC
Fone (48) 32314699 - Ramal 44699
http://www.sistemafiesc.com.br

On 12/07/2013 12:18, Gustavo Vieira Oliveira wrote:
> I forgot to say that we use H-REAP so we do not authenticate it in the
> WLC
>
> Regards,
>
> Gustavo Vieira Oliveira
>
> GETIC - Gerência de Tecnologia da Informação
> SUSERV - Superintendência de Serviços Compartilhados
>
> Sistema FIESC
> Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC
> Fone (48) 32314699 - Ramal 44699
> http://www.sistemafiesc.com.br
>
> On 12/07/2013 12:14, Olivier Beytrison wrote:
>> On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote:
>>> I need some help with RADIUS regarding Wireless authentication with
>>> RADIUS + LDAP.
>>
>> Hello. Which version of FreeRADIUS are you running?
>>
>>> I need to check if the user has permission to connect to a specific
>>> SSID, so we check a LDAP attribute for that.
>>
>> Pretty easy
>>
>>> By that, we need to know from which SSID the authentication is being
>>> requested so we use a specific LDAP Filter to search the base and grant
>>> or deny the permission.
>>>
>>> We tried to use two instances of RADIUS, one per SSID, but the Wireless
>>> Controller doesn't seem to support it (supports only one AAA per AP).
>>
>> Oh what?
>>
>>> That's why I'm asking for help in case you people have some alternatives
>>> or ideas to solve it.
>>>
>>> The setup is based on Cisco Wireless Controller 5508.
>>
>> I'm also setting up WLC-5508 right now on my side.
>>
>> First, the AAA servers are defined per SSID. So you can specify
>> different radius servers (or simply ports) for each SSID
>>
>> Secondly, you can now customize the NAS-Identifier on a per SSID basis
>> (at least in release 7.4)
>>
>> Finally, the Called-Station-Id will contain the SSID name. If you use
>> the policy rewrite_called_station_id it will populate the attribute
>> Called-Station-SSID with the SSID Name.
>>
>> So all the tools to do it easily are in your hands.
>>
>> Olivier


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Alan Buxey
Look at the requests coming from your AP in debug mode.  You should see 
information there that can be used eg called station id with SSID appended or a 
VSA with the SSID name or number in it.  Use that with your policy

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

GitHub flow available entirely within browser

2013-07-12 Thread Arran Cudbard-Bell
If you were put off from contributing by learning git, this might work well for 
you.

https://github.com/blog/1557-github-flow-in-the-browser

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Gustavo Vieira Oliveira
We got it working, the AP is sending the SSID with the calling station 
ID but only setting "radius-server vsa send" in the Access-point.


The problem is that we have to do it manually  (the Controller doesn't 
support it) in the AP, so when it reboots for some reason it cannot 
authenticate cause the RADIUS doesn't receive the SSID. So, we need an 
alternative for that.


Any suggestion?!

Regards,

Gustavo Vieira Oliveira

GETIC - Gerência de Tecnologia da Informação
SUSERV - Superintendência de Serviços Compartilhados

Sistema FIESC
Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC
Fone (48) 32314699 - Ramal 44699
http://www.sistemafiesc.com.br

On 12/07/2013 12:31, Alan Buxey wrote:
> Look at the requests coming from your AP in debug mode.  You should
> see information there that can be used eg called station id with SSID
> appended or a VSA with the SSID name or number in it.  Use that with
> your policy
>
> alan



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 12:48:48PM -0300, Gustavo Vieira Oliveira wrote:
> The problem is that we have to do it manually  (the Controller
> doesn't support it) in the AP, so when it reboots for some reason it
> cannot authenticate cause the RADIUS doesn't receive the SSID. So,
> we need an alternative for that.
> 
> Any suggestion?!

This came up the other day; I don't think there was a resolution.

It's not a FreeRADIUS issue - you're probably best off talking to
Cisco TAC.

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius accept-accept with no AVP attributes

2013-07-12 Thread J KIE
hi,

the radius servers on my network are receiving spikes of ACCESS-ACCEPT
traffic, I have been analysing traffic using tshark and noticed that some
of the ACCESS-ACCEPT sent from the server back to the client does not have
the AVP attributes set

below is an example

Frame 167 (62 bytes on wire, 62 bytes captured)
Arrival Time: Jul 12, 2013 21:52:57.089629000
[Time delta from previous captured frame: 0.008112000 seconds]
[Time delta from previous displayed frame: 0.571386000 seconds]
[Time since reference or first frame: 3.798843000 seconds]
Frame Number: 167
Frame Length: 62 bytes
Capture Length: 62 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:radius]
Ethernet II, Src: Vmware_b7:5f:ec (00:50:56:b7:5f:ec), Dst: Vmware_b7:60:10
(00:50:56:b7:60:10)
Destination: Vmware_b7:60:10 (00:50:56:b7:60:10)
Address: Vmware_b7:60:10 (00:50:56:b7:60:10)
 ...0     = IG bit: Individual address (unicast)
 ..0.     = LG bit: Globally unique address
(factory default)
Source: Vmware_b7:5f:ec (00:50:56:b7:5f:ec)
Address: Vmware_b7:5f:ec (00:50:56:b7:5f:ec)
 ...0     = IG bit: Individual address (unicast)
 ..0.     = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.66.xx.13 (10.66.xx.13), Dst: 10.66.xx.19
(10.66.xx.19)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
 00.. = Differentiated Services Codepoint: Default (0x00)
 ..0. = ECN-Capable Transport (ECT): 0
 ...0 = ECN-CE: 0
Total Length: 48
Identification: 0x98fe (39166)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x631b [correct]
[Good: True]
[Bad : False]
Source: 10.xx.xx.xx (10.66.xx.13)
Destination: 10.xx.xx.19 (10.66.xx.19)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 38346 (38346)
Source port: radius (1812)
Destination port: 38346 (38346)
Length: 28
Checksum: 0x83e8 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Radius Protocol
Code: Access-Accept (2)
Packet identifier: 0xa (10)
Length: 20
Authenticator: B08F0EA3338728A7D2F7BC9F2D18861C
[This is a response to a request in frame 166]
[Time from request: 0.008112000 seconds]


Traffic was very low when I did this trace so I don't think it is a radius
retransmit? The below is another ACCESS-ACCEPT packet but has the radius
AVP attributes set, any idea why there is a difference between the first
and the second below?

Frame 1056 (121 bytes on wire, 121 bytes captured)
Arrival Time: Jul 12, 2013 21:56:28.66529
[Time delta from previous captured frame: 0.000353000 seconds]
[Time delta from previous displayed frame: 0.000353000 seconds]
[Time since reference or first frame: 20.611588000 seconds]
Frame Number: 1056
Frame Length: 121 bytes
Capture Length: 121 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:radius]
Ethernet II, Src: Vmware_b7:5f:ec (00:50:56:b7:5f:ec), Dst: Vmware_b7:2d:6f
(00:50:56:b7:2d:6f)
Destination: Vmware_b7:2d:6f (00:50:56:b7:2d:6f)
Address: Vmware_b7:2d:6f (00:50:56:b7:2d:6f)
 ...0     = IG bit: Individual address (unicast)
 ..0.     = LG bit: Globally unique address
(factory default)
Source: Vmware_b7:5f:ec (00:50:56:b7:5f:ec)
Address: Vmware_b7:5f:ec (00:50:56:b7:5f:ec)
 ...0     = IG bit: Individual address (unicast)
 ..0.     = LG bit: Globally unique address
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.66.xx.13 (10.66.53.13), Dst: 10.66.xx.36
(10.66.xx.36)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
 00.. = Differentiated Services Codepoint: Default (0x00)
 ..0. = ECN-Capable Transport (ECT): 0
 ...0 = ECN-CE: 0
Total Length: 107
Identification: 0xeebe (61118)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x0d0f [correct]
[Good: True]
[Bad : False]
Source: 10.66.xx.13 (10.66.xx.13)
Destination: 10.66.xx.36 (10.66.xx.36)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 50336 (50336)
Source port: radius (1812)
Destination port: 50336 (50336)
Length: 87
Checksum: 0x47a5 [correct]
[Good Checksum: True]
[Bad Checksum: False]
R
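
In the first dump the RADIUS Length field is 20, which is exactly the fixed header (code, identifier, length, 16-byte authenticator), so that Access-Accept carries no attributes at all. The following added Python example (not from the thread) parses a RADIUS packet, flags attribute-less Access-Accepts and checks the Response Authenticator per RFC 2865; frame 167 is rebuilt from the fields shown in the dump, while the second packet, the shared secret and the Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16), RFC 2865
ACCESS_ACCEPT = 2


def parse_radius(packet: bytes) -> dict:
    """Return header fields and the (type, value) attribute list of one packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError(f"Length field {length} does not fit the datagram")
    attrs, pos = [], HEADER_LEN
    while pos < length:  # bytes past Length are padding and are ignored
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:HEADER_LEN], "attributes": attrs}


def is_bare_accept(packet: bytes) -> bool:
    """True for an Access-Accept that carries no attributes at all."""
    parsed = parse_radius(packet)
    return parsed["code"] == ACCESS_ACCEPT and not parsed["attributes"]


def response_authenticator(reply: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    length = struct.unpack("!H", reply[2:4])[0]
    return hashlib.md5(reply[:4] + request_auth + reply[HEADER_LEN:length] + secret).digest()


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Compare the reply's authenticator with the value derived from the request."""
    expected = response_authenticator(reply, request_auth, secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def build_reply(code, ident, attrs, request_auth, secret) -> bytes:
    """Assemble a signed reply; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    unsigned = head + bytes(16) + body
    return head + response_authenticator(unsigned, request_auth, secret) + body


# Frame 167 rebuilt from the fields in the dump: code 2, id 0x0a, length 20.
FRAME_167 = bytes.fromhex("020a0014" "B08F0EA3338728A7D2F7BC9F2D18861C")

# Constructed sample: secret, request authenticator and attributes are made up.
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))
WITH_ATTRS = build_reply(ACCESS_ACCEPT, 11,
                         [(18, b"ok"), (27, struct.pack("!I", 3600))],  # Reply-Message, Session-Timeout
                         REQ_AUTH, SECRET)

if __name__ == "__main__":
    for name, pkt in (("frame 167", FRAME_167), ("constructed", WITH_ATTRS)):
        p = parse_radius(pkt)
        print(name, "length", p["length"], "attributes", len(p["attributes"]),
              "bare accept:", is_bare_accept(pkt))
```

Frame 167's authenticator cannot be checked here because the matching request (frame 166) and the shared secret are not on the page.
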

Logging Cisco config changes with FreeRadius

2013-07-12 Thread kyle woock
FreeRadius Users,

I have installed FreeRadius on CentOS 6.4 in VMWare
environment and I am pretty new to using something like FreeRadius. However
I have it on my virtual machine and it is running I am able to authenticate
against my Cisco 3550 Switch that is on my desk and connected to the
network. Anyways the reason I have this is what I want this to do is once
someone is logged into a switch with the FreeRadius credentials I want the
session to be logged as to what they are changing. I know Cisco has a built
in logging system but it is pretty vague I was just curious if there is
a way to actually show what the person is changing. And if I need another
product to go along with FreeRadius if you guys could point me in the
right direction.

Any help would be greatly appreciated.

Thanks,

Kyle W.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Logging Cisco config changes with FreeRadius

2013-07-12 Thread Arran Cudbard-Bell

On 12 Jul 2013, at 23:31, kyle woock  wrote:

> FreeRadius Users,
> 
> I have installed FreeRadius on CentOS 6.4 in VMWare environment and I am 
> pretty new to using something like FreeRadius. However I have it on my 
> virtual machine and it is running I am able to authenticate against my Cisco 
> 3550 Switch that is on my desk and connected to the network. Anyways the 
> reason I have this is what I want this to do is once someone is logged into a 
> switch with the FreeRadius credentials I want the session to be logged as to 
> what they are changing. I know Cisco has a built in logging system but it is 
> pretty vague I was just curious if there is a way to actually show what the 
> person is changing.

ProCurve kit sends the commands issued in HP-Command-String (a VSA), I believe 
the HP commands closely mirror the Cisco ones for AAA.

http://wiki.freeradius.org/vendor/HP#Accounting-command-logging

> And if I need another product to go along with FreeRadius if you guys could 
> point me in the right direction.

Nope, FreeRADIUS can log to syslog/flat file/SQL/REDIS or via Python and Perl.

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Substring using Unlang?

2013-07-12 Thread Peter Lambrechtsen
On Wed, Jul 10, 2013 at 6:34 PM, Olivier Beytrison
 wrote:
> On 10.07.2013 07:48, Olivier Beytrison wrote:
>> if ( ADSL-Agent-Remote-Id =~ /(.{0,31})$/ ) {
>
> if ( ADSL-Agent-Remote-Id =~ /(.{1,32})$/ ) {
>
> that's even better as it won't match an empty attribute (you never know ...)

Thank you so much for that, my regex fu was failing me and I should
have known better :).

Works a treat and has sorted out my problem.

Now to writing a simple shell script to pick up on this as I am also
logging the full request they send to a separate "why are you sending
us this" detail log file and then going to send an automated email to
our upstream provider whenever they send us something unexpected :)

Again many thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Substring using Unlang?

2013-07-12 Thread Arran Cudbard-Bell

On 13 Jul 2013, at 00:14, Peter Lambrechtsen  wrote:

> On Wed, Jul 10, 2013 at 6:34 PM, Olivier Beytrison
>  wrote:
>> On 10.07.2013 07:48, Olivier Beytrison wrote:
>>> if ( ADSL-Agent-Remote-Id =~ /(.{0,31})$/ ) {
>> 
>> if ( ADSL-Agent-Remote-Id =~ /(.{1,32})$/ ) {
>> 

Though you know you're not specifying offset and length, so you didn't need to 
increment the second number ;)

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Substring using Unlang?

2013-07-12 Thread Peter Lambrechtsen
On Sat, Jul 13, 2013 at 11:36 AM, Arran Cudbard-Bell
 wrote:
>
> On 13 Jul 2013, at 00:14, Peter Lambrechtsen  wrote:
>
>> On Wed, Jul 10, 2013 at 6:34 PM, Olivier Beytrison
>>  wrote:
>>> On 10.07.2013 07:48, Olivier Beytrison wrote:
>>>> if ( ADSL-Agent-Remote-Id =~ /(.{0,31})$/ ) {
>>>
>>> if ( ADSL-Agent-Remote-Id =~ /(.{1,32})$/ ) {
>>>
>
> Though you know you're not specifying offset and length, so you didn't need 
> to increment the second number ;)

Yep... Once my brain kicked back into thinking regex it all came back
so 1,31 is the right one for us :)

IMHO those sorts of use cases really should be logged in the unlang
wiki or have a generic "regex examples" wiki page as those sorts of
problems come up all the time and it would be nice to direct people to
one place that has a lot of good re-usable examples.

Might go create a page when I have some downtime in the next few weeks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html