Re: How to store session info in external database?
Thanks, it works.

2013/8/6 Arran Cudbard-Bell a.cudba...@freeradius.org

> On 6 Aug 2013, at 14:29, Maciej Lew mac...@lanserver.pl wrote:
>
>> The problem is we have databases in slave mode, only reading is allowed. We want to pass this information to another database...
>
> Modules can have multiple instances.
>
> sql.conf
>
>     sql sql_write {
>         sql config
>     }
>
>     accounting {
>         sql_write
>     }
>
> -Arran
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team

--
Regards
Maciej Lew
tel. 883-376-062

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: VLAN assignment to HP Switch with 802.1x client
On 08.08.2013 19:16, Shaw, Colin M. wrote:

> [peap] Using saved attributes from the original Access-Accept
> User-Name = testx
> [peap] Saving response in the cache

Your inner-tunnel virtual server returns only User-Name attribute in Access-Accept. Configure your inner-tunnel virtual server to return VLAN assignment attributes in Access-Accept.

Re: Multiple policy files
On 9 Aug 2013, at 10:40, Jonathan Gazeley jonathan.gaze...@bristol.ac.uk wrote:

> For a while I've been using FreeRADIUS with a set of includes.d-style directories that I can drop modules, virtual sites, etc into. This works well - until today. So far I've only had one included policy file in use, and the stock policy.conf is commented out. Today I tried to add another new virtual site which also has a policy file.

Whilst making up features is a fun pastime it's not very productive.

There is one global policy section at the top level. Virtual servers do not have different policy name spaces.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

Re: Multiple policy files
On 09/08/13 10:52, Arran Cudbard-Bell wrote:

> Whilst making up features is a fun pastime it's not very productive.
>
> There is one global policy section at the top level. Virtual servers do not have different policy name spaces.

Hi Arran,

Thanks for this. So you're saying that there can only be one policy {} section in the whole server, and if I wish to load two sets of policies I will have to merge the two files?

Thanks,
Jonathan

Re: Multiple policy files
On Fri, Aug 09, 2013 at 11:05:47AM +0100, Jonathan Gazeley wrote:

> On 09/08/13 10:52, Arran Cudbard-Bell wrote:
>
>> Whilst making up features is a fun pastime it's not very productive.
>>
>> There is one global policy section at the top level. Virtual servers do not have different policy name spaces.
>
> Thanks for this. So you're saying that there can only be one policy {} section in the whole server, and if I wish to load two sets of policies I will have to merge the two files?

You should be able to do

    policy {
        $INCLUDE /path/to/policy/dir
    }

in radiusd.conf, then just put policies in that directory (without the policy { } wrapper of course). That's how it is now done by default in version 3.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

Re: Multiple policy files
Hi,

> Thanks for this. So you're saying that there can only be one policy {} section in the whole server, and if I wish to load two sets of policies I will have to merge the two files?

each policy has its own name/tag - in FR 3, there is a policy.d directory in which policy files get put...each containing names/actions. (all in unlang)

alan

Re: Multiple policy files
On 09/08/13 11:18, Matthew Newton wrote:

> On Fri, Aug 09, 2013 at 11:05:47AM +0100, Jonathan Gazeley wrote:
>
>> On 09/08/13 10:52, Arran Cudbard-Bell wrote:
>>
>>> Whilst making up features is a fun pastime it's not very productive.
>>>
>>> There is one global policy section at the top level. Virtual servers do not have different policy name spaces.
>>
>> Thanks for this. So you're saying that there can only be one policy {} section in the whole server, and if I wish to load two sets of policies I will have to merge the two files?
>
> You should be able to do
>
>     policy {
>         $INCLUDE /path/to/policy/dir
>     }
>
> in radiusd.conf, then just put policies in that directory (without the policy { } wrapper of course). That's how it is now done by default in version 3.
>
> Matthew

Thanks for this. I've implemented this solution using our config management system (Puppet) which is handling all the includes stuff.

Happy weekend everyone,
Jonathan

Re: Configuring the DHCP module to forward request to another Radius server.
Hi.

Your approach (use an external script) finally worked.

It's definitely a hack, as I discovered that Linuxes don't do any DHCP-Release (and I expected to send a radius acct stop at this point). Nevertheless, it will help me to emulate a mobile operator network behaviour, when a machine connects through a modem, with the same machine just connected locally on its ethernet interface, and that's all I needed - Thanks a lot for the tip (not to mention the freeradius software itself)

A word on documentation however: It's quite an understatement to say that it can be improved.

Regards

Re: Configuring the DHCP module to forward request to another Radius server.
On 9 Aug 2013, at 15:35, Fabrice-externe SEGURA fabrice-externe.seg...@erdfdistribution.fr wrote:

> Hi.
>
> Your approach (use an external script) finally worked.
>
> It's definitely a hack, as I discovered that Linuxes don't do any DHCP-Release (and I expected to send a radius acct stop at this point). Nevertheless, it will help me to emulate a mobile operator network behaviour, when a machine connects through a modem, with the same machine just connected locally on its ethernet interface, and that's all I needed - Thanks a lot for the tip (not to mention the freeradius software itself)
>
> A word on documentation however: It's quite an understatement to say that it can be improved.

Feel free to contribute.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

Re: Configuring the DHCP module to forward request to another Radius server.
Fabrice-externe SEGURA wrote:

> A word on documentation however: It's quite an understatement to say that it can be improved.

We've had ~15 years of people complaining about this. So far, contributions have been sporadic.

Doing documentation takes a concerted effort, and commitment. It's easy to complain. It's hard to do work.

Alan DeKok.

RE: Talloc sanity error (3.0 release branch, reproxying from PEAP inner tunnel)
Alan DeKok wrote:

> Well... I tried it, and I didn't see any errors. Can you check that you're really running a *stock* binary, and a *stock* configuration?

Attached is a recipe for how I replicated it (and another doublefree) on a clean system.

1) started on a fresh system that had never seen freeradius before.
2) apt-get build-dep freeradius
3) apt-get install libtalloc-dev
4) git clone git://git.freeradius.org/freeradius-server
5) git branch --track release_branch_3.0.0
6) git checkout release_branch_3.0.0
7) configure --prefix=/usr/local; make; make install
8) download wpa source and build eapol_test
9) configure an eapol_peap.conf:

    network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="f...@domain.site"
        anonymous_identity="a...@domain.site"
        password="foo"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPv2"
    }

10) Try an auth against stock config, no memory errors as expected
11) copy proxy-inner-tunnel from sites-available to sites-enabled
12) change mods-enabled/eap peap{} to virtual_server = proxy-inner-tunnel
13) Run the test. Get a GCC doublefree that ends as follows:

    (7) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
    (7) group post-proxy {
    (7) - entering group post-proxy {...}
    (7) eap : Doing post-proxy callback
    (7) eap : Passing reply from proxy back into the tunnel
    (7) eap : Got tunneled reply RADIUS code 11
    EAP-Message = 0x010800160410ea08d4982a033fac8f7f1f0bc63b952f
    Message-Authenticator = 0xbe82b369c495e2bceed47fd6f1b710d5
    State = 0xc10fbed8c107ba1915db9798d8125486
    Proxy-State = 0x37
    (7) eap : Got tunneled Access-Challenge
    (7) eap : Reply was handled
    *** glibc detected *** /usr/local/sbin/radiusd: double free or corruption (out): 0x08cb34d8 ***

15) Note that proxy-inner-tunnel.post-proxy is not being entered, scratch head
14) Note this is a different error than the talloc-detected double-use I originally reported.

To see that one proceed as follows:

16) comment out virtual-server option in mods-enabled/eap peap{}
17) add this clause to top of sites-enabled/default.authorize:

    if (Freeradius-Proxied-To == 127.0.0.1) {
        update control {
            Proxy-To-Realm = example.com
        }
    }

18) Run the test. Get the talloc error originally reported:

    (7) [suffix] = noop
    (7) eap : Request is supposed to be proxied to Realm example.com. Not doing EAP.
    (7) [eap] = noop
    (7) [files] = noop
    (7) [expiration] = noop
    (7) [logintime] = noop
    (7) [pap] = noop
    } # server default
    (7) eap_peap : Got tunneled reply code 0
    PEAP: Tunneled authentication will be proxied to example.com
    talloc: access after free error - first free may be at src/main/util.c:230
    Bad talloc magic value - access after free
    Aborted

18) Note that the error happens on the first unwrapped proxy before it is sent, so decide not to worry about anything past authorize {} in the default server.

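The second failure in the message above is reported by talloc itself ("access after free", with the location of the first free) rather than by glibc. As an added illustration, not part of the original post and not FreeRADIUS or talloc code, this simplified C model shows how a freed flag kept next to a magic value in a chunk header lets an allocator report a stale access and where the chunk was first freed. All names, the magic value and the file:line strings are constructed, and the model assumes freed chunks are quarantined instead of being returned to the heap.

```c
#include <stdio.h>
#include <stdlib.h>

#define CHUNK_MAGIC 0xC0DE5A10u  /* constructed value; low 4 bits reserved for flags */
#define FLAG_FREE   0x1u
enum chunk_state { CHUNK_OK, CHUNK_ACCESS_AFTER_FREE, CHUNK_CORRUPT };

struct chunk {                   /* hidden header stored in front of the user data */
    unsigned flags;              /* magic value OR'ed with flag bits */
    const char *free_site;       /* file:line recorded by the first free */
};

static void *chunk_alloc(size_t size) {
    struct chunk *c = calloc(1, sizeof(*c) + size);
    if (c == NULL) return NULL;
    c->flags = CHUNK_MAGIC;
    return c + 1;                /* caller only ever sees the user data */
}

/* Validate the header behind ptr; report the first free site if already freed. */
static enum chunk_state chunk_check(const void *ptr, const char **site) {
    const struct chunk *c = (const struct chunk *)ptr - 1;
    if ((c->flags & ~0xFu) != CHUNK_MAGIC) return CHUNK_CORRUPT;
    if (c->flags & FLAG_FREE) {
        if (site) *site = c->free_site;
        return CHUNK_ACCESS_AFTER_FREE;
    }
    return CHUNK_OK;
}

/* Mark the chunk freed. The memory is quarantined (never handed back to the
 * heap) so that a later stale access still reads a well-defined header. */
static enum chunk_state chunk_free(void *ptr, const char *site) {
    enum chunk_state st = chunk_check(ptr, NULL);
    if (st != CHUNK_OK) return st;          /* a second free is caught here */
    struct chunk *c = (struct chunk *)ptr - 1;
    c->flags |= FLAG_FREE;
    c->free_site = site;
    return CHUNK_OK;
}

int main(void) {
    const char *site = NULL;
    void *p = chunk_alloc(64);
    if (p == NULL) return 1;
    chunk_free(p, "demo.c:10");             /* constructed free location */
    if (chunk_free(p, "demo.c:20") == CHUNK_ACCESS_AFTER_FREE && chunk_check(p, &site))
        printf("access after free - first free may be at %s\n", site);
    return 0;
}
```

The glibc "double free or corruption" abort in step 13 is raised only when free() is called on the bad pointer, whereas a header check of this kind runs on every access that goes through the allocator, which is why the two runs stop at different points.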
Re: Talloc sanity error (3.0 release branch, reproxying from PEAP inner tunnel)
On 9 Aug 2013, at 16:14, Brian Julin bju...@clarku.edu wrote:

> Alan DeKok wrote:
>
>> Well... I tried it, and I didn't see any errors. Can you check that you're really running a *stock* binary, and a *stock* configuration?
>
> Attached is a recipe for how I replicated it (and another doublefree) on a clean system.

With which version of the server?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

Re: Talloc sanity error (3.0 release branch, reproxying from PEAP inner tunnel)
On 9 Aug 2013, at 16:27, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 9 Aug 2013, at 16:14, Brian Julin bju...@clarku.edu wrote:
>
>> Alan DeKok wrote:
>>
>>> Well... I tried it, and I didn't see any errors. Can you check that you're really running a *stock* binary, and a *stock* configuration?
>>
>> Attached is a recipe for how I replicated it (and another doublefree) on a clean system.
>
> With which version of the server?

Never mind, release_branch_3_0_0

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

RE: VLAN assignment to HP Switch with 802.1x client
> You could move files above eap but IMO it's better (cleaner, more obvious) to run this in post-auth like so:
>
>     authorize {
>         ...
>         eap {
>             ok = return
>         }
>         ...
>     }
>
>     post-auth {
>         ...
>         files
>         ...
>     }
>
> Note that you'll need to set the postauth_usersfile on your files

Thank you very much Phil. You are a star. This has indeed solved my problem and the wired clients are now picking up the correct vlan.

Thanks again,
Colin