Re: User Account Configuration

2013-08-20 Thread Alan Buxey
Think about the login time... If you create an account for the future, then it
has a start validity date...

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FR3.0/Policy.D

2013-08-20 Thread ultaman khoo
Thanks Alan, I'm already on it right now. Anything from the RFC that you are
aware of that can challenge back the change of NAS IP as wrong? Thanks


On Fri, Aug 16, 2013 at 10:41 AM, Alan DeKok al...@deployingradius.com wrote:

 ultaman khoo wrote:
  BTW, the NAS IP changes because the NAS system supplying the RADIUS acct
  has failed over to the backup unit; RADIUS acct is then supplied from there,
  so it gets changed.

   It's still garbage.

   The FreeRADIUS SQL queries assume that one NAS sends all of the
 accounting traffic for sessions it controls.  If the NAS changes
 mid-session, then it's wrong.

   Change the queries to use something more stable.  It's a system you
 administer, so you should be familiar with it.

   Alan DeKok.


rlm_python

2013-08-20 Thread stefan.paetow
Hello all,

I'm currently attempting to use rlm_python to query LDAP (with python-ldap) and 
then return an XML string in a VSA (SAML-AAA-Assertion). However, when I try to 
load it, I get the dreaded undefined symbol: PyExc_SystemError error. This is 
on Ubuntu 12 with, I know, I know, FreeRADIUS 2.1.10. Python-LDAP was built on 
the local machine for the newest version (although the existing version in the 
Ubuntu repository has the same problem).

Freeradius_samlldap exists in the correct path for Python eggs, and this is the 
PYTHONPATH (when I print it with Python):

/usr/local/lib/python2.7/dist-packages/pysaml2-0.4.2-py2.7.egg,/usr/local/lib/python2.7/dist-packages/repoze.who-1.0.18-py2.7.egg,/usr/local/lib/python2.7/dist-packages/zope.interface-4.0.5-py2.7-linux-x86_64.egg,/usr/local/lib/python2.7/dist-packages/Paste-1.7.5.1-py2.7.egg,/usr/local/lib/python2.7/dist-packages/httplib2-0.8-py2.7.egg,/usr/local/lib/python2.7/dist-packages/decorator-3.4.0-py2.7.egg,/usr/local/lib/python2.7/dist-packages/freeradius_samlldap-0.0.1-py2.7.egg,/usr/local/lib/python2.7/dist-packages/python_ldap-2.4.13-py2.7-linux-x86_64.egg,/etc/freeradius/modules,/usr/local/lib/python2.7/dist-packages,/usr/lib/python2.7,/usr/lib/python2.7/plat-linux2,/usr/lib/python2.7/lib-tk,/usr/lib/python2.7/lib-old,/usr/lib/python2.7/lib-dynload,/usr/lib/python2.7/dist-packages,/usr/lib/pymodules/python2.7

From what I understand, using ldd -r will list several unresolved imports, but 
that is supposedly correct? Or is that horribly wrong?

The usual debug log is below:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 
at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/saml
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/umbrella_ldap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/pam
including configuration file 

Re: FR3.0/Policy.D

2013-08-20 Thread Alan DeKok
ultaman khoo wrote:
 Thanks Alan, I'm already on it right now. Anything from the RFC that you are
 aware of that can challenge back the change of NAS IP as wrong? Thanks

  All of the RADIUS RFCs assume that a client has one IP, and only one IP.

  Alan DeKok.
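As an added illustration of the accounting point made in this thread (constructed example, not the FreeRADIUS project's shipped sql.conf queries; the radacct layout, addresses and ids are made up), here is the Stop update as it looks after attribute expansion, beside a variant keyed on an identifier that survives a NAS failover:

```sql
-- Constructed example: a minimal radacct and one Start row recorded from
-- the primary NAS (10.0.0.1). Names and values are made up for illustration.
CREATE TABLE radacct (
  AcctSessionId   VARCHAR(64)  NOT NULL,
  AcctUniqueId    VARCHAR(32)  NOT NULL UNIQUE,
  UserName        VARCHAR(64)  NOT NULL,
  NASIPAddress    VARCHAR(15)  NOT NULL,
  AcctStartTime   DATETIME     NULL,
  AcctStopTime    DATETIME     NULL,
  AcctSessionTime INT UNSIGNED NULL
);
INSERT INTO radacct VALUES
  ('4a1f0007', 'c0ffee00', 'bob', '10.0.0.1', '2013-08-20 09:00:00', NULL, NULL);

-- Shape of a 2.x-style Stop update once %{...} has been expanded. The WHERE
-- clause pins the row to the NAS that started the session, so a Stop that
-- arrives from the backup unit (10.0.0.2) after failover matches zero rows
-- and the session is never closed in the database.
UPDATE radacct
   SET AcctStopTime = '2013-08-20 10:00:00', AcctSessionTime = 3600
 WHERE AcctSessionId = '4a1f0007'
   AND UserName      = 'bob'
   AND NASIPAddress  = '10.0.0.2';      -- 0 rows affected

-- "Something more stable": match on an identifier both units of the failover
-- pair preserve. Here that is Acct-Unique-Session-Id, which rlm_acct_unique
-- derives from the attributes listed in its key; leaving NAS-IP-Address and
-- Client-IP-Address out of that key keeps the hash identical across failover.
-- Caveat: the remaining key (User-Name + Acct-Session-Id) must then be unique
-- across all NASes, or one client's Stop can close another client's session.
UPDATE radacct
   SET AcctStopTime = '2013-08-20 10:00:00', AcctSessionTime = 3600
 WHERE AcctUniqueId = 'c0ffee00'
   AND AcctStopTime IS NULL;             -- 1 row affected

SELECT AcctSessionId, NASIPAddress, AcctStopTime FROM radacct;
```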


Re: rlm_python

2013-08-20 Thread Alan DeKok
stefan.pae...@diamond.ac.uk wrote:
 Hello all,
 
 I'm currently attempting to use rlm_python to query LDAP (with python-ldap) 
 and then return an XML string in a VSA (SAML-AAA-Assertion). However, when I 
 try to load it, I get the dreaded undefined symbol: PyExc_SystemError 
 error. This is on Ubuntu 12 with, I know, I know, FreeRADIUS 2.1.10.

  Upgrade.  Recent versions of FreeRADIUS have many fixes.

  Try the v2.x.x branch from github.  It has even more python fixes.

  There's just no reason for us to debug a problem in 2.1.10.  It's
years out of date, and we *know* that newer versions have fixes.

  Alan DeKok.


NEW NAS Password Doesn't Authenticate

2013-08-20 Thread mr. s
From the logs, I interpret the error as an incorrect password for the user. Is
this the correct interpretation?

I believe we have added in the NAS correctly to the clients file.

Also the username and password, we are testing, authenticates both locally
and from another NAS, without issue.

Here is an excerpt of our radiusd -X


FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31
2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...

 client 192.168.1.239 {
require_message_authenticator = no
secret = FreeRADIUS
shortname = New_NAS
 }

rad_recv: Access-Request packet from host 192.168.1.239 port 1645, id=30,
length=140
Framed-Protocol = PPP
User-Name = usern...@domain.com
User-Password = password
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = 0/0/1/2890
Cisco-AVPair = client-mac-address=a820.6654.6a6f
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.239
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm domain.com for User-Name = usern...@domain.com
[suffix] Found realm domain.com
[suffix] Adding Stripped-User-Name = username
[suffix] Adding Realm = domain.com
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++? if (control:Auth-Type == Reject)
(Attribute control:Auth-Type was not found)
++- entering else else {...}
[sql] expand: %{Stripped-User-Name} - username
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - username
[sql] sql_set_user escaped user -- 'username'
rlm_sql (sql): Reserving sql socket id: 23
[sql] expand: SELECT '1' as id, userId as username, 'Cleartext-Password' as
attribute,   checkNASIPPassword(
'%{NAS-IP-Address}','%{SQL-User-Name}') as value, ':=' as op   FROM
radiusUsers   WHERE userId = '%{SQL-User-Name}'   ORDER BY
id - SELECT '1' as id, userId as username, 'Cleartext-Password' as
attribute,   checkNASIPPassword( '192.168.1.239','username') as
value, ':=' as op   FROM radiusUsers   WHERE userId =
'username'   ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT '1' as id, userId as username, 'Framed-IP-Address' as
attribute,
assignIPAddress('%{NAS-IP-Address}','%{SQL-User-Name}') as value, '==' as
op   FROM radiusUsers   WHERE userId = '%{SQL-User-Name}'
ORDER BY id - SELECT '1' as id, userId as username,
'Framed-IP-Address' as attribute,
assignIPAddress('192.168.1.239','username') as value, '==' as op
FROM radiusUsers   WHERE userId = 'username'   ORDER BY id
[sql] expand: SELECT userID as groupname   FROM radiusUsers
  WHERE userId = '**-Not-Using-Groups-**'  - SELECT userID as groupname
FROM radiusUsers   WHERE userId = '**-Not-Using-Groups-**'
rlm_sql (sql): Released sql socket id: 23
+++[sql] returns ok
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password password
[pap] Using clear text password **-User-Not-Allowed-To-Use-This-NAS-**
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [
usern...@domain.com/password] (from client SHL-BRAS-01_239 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - usern...@domain.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 30 to 192.168.1.239 port 1645
Finished request 70.

Re: NEW NAS Password Doesn't Authenticate

2013-08-20 Thread Alan DeKok
mr. s wrote:
 From the logs, I interpret the error as an incorrect password for the user.
 Is this the correct interpretation?

  No.

 [pap] Using clear text password **-User-Not-Allowed-To-Use-This-NAS-**

  This is not in the default configuration.

  You're supposed to understand the configuration you created.

  Alan DeKok.


Re: NEW NAS Password Doesn't Authenticate

2013-08-20 Thread mr. s
Understood; however, I am not the one who set this up or created the
non-default configuration. Any other guidance is greatly appreciated.

Thanks-


On Tue, Aug 20, 2013 at 8:30 PM, Alan DeKok al...@deployingradius.com wrote:

 mr. s wrote:
  From the logs, I interpret the error as an incorrect password for the user.
  Is this the correct interpretation?

   No.

  [pap] Using clear text password **-User-Not-Allowed-To-Use-This-NAS-**

   This is not in the default configuration.

   You're supposed to understand the configuration you created.

   Alan DeKok.


Re: NEW NAS Password Doesn't Authenticate

2013-08-20 Thread Alan DeKok
mr. s wrote:
 Understood; however, I am not the one who set this up or created the
 non-default configuration. Any other guidance is greatly appreciated.

  Ask the people who created this configuration.  We didn't create it,
and we don't have access to your system to debug it.

  The data is in SQL.  Look at it.

  The password **-User-Not-Allowed-To-Use-This-NAS-** should explain
itself.  Does it suggest anything to you?  Perhaps you should look at
your SQL queries and your SQL database to see what's going on.

  Alan DeKok.


Re: NEW NAS Password Doesn't Authenticate

2013-08-20 Thread mr. s
And that's the rub, thanks very, very much. It is a stored query in our SQL.
Easy once you know where it's at.


On Tue, Aug 20, 2013 at 9:54 PM, Alan DeKok al...@deployingradius.com wrote:

 mr. s wrote:
  Understood; however, I am not the one who set this up or created the
  non-default configuration. Any other guidance is greatly appreciated.

   Ask the people who created this configuration.  We didn't create it,
 and we don't have access to your system to debug it.

   The data is in SQL.  Look at it.

   The password **-User-Not-Allowed-To-Use-This-NAS-** should explain
 itself.  Does it suggest anything to you?  Perhaps you should look at
 your SQL queries and your SQL database to see what's going on.

   Alan DeKok.

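To make the debug log in this thread readable, here is an added, constructed reconstruction of the kind of stored function and authorize query that produce the sentinel password, beside a variant that rejects explicitly. This is example code, not the poster's actual database: radiusUsers and checkNASIPPassword appear in the log, but their definitions and the userAllowedNAS table are assumed here.

```sql
-- Constructed example. radiusUsers and checkNASIPPassword appear in the log
-- above; their real definitions are unknown, so this is one plausible shape.
CREATE TABLE radiusUsers   (userId VARCHAR(64) PRIMARY KEY, password VARCHAR(64) NOT NULL);
CREATE TABLE userAllowedNAS(userId VARCHAR(64) NOT NULL, nasIp VARCHAR(15) NOT NULL,
                            PRIMARY KEY (userId, nasIp));   -- assumed table
INSERT INTO radiusUsers    VALUES ('username', 'password');
INSERT INTO userAllowedNAS VALUES ('username', '192.168.1.240');  -- old NAS only

DELIMITER //
CREATE FUNCTION checkNASIPPassword(p_nasIp VARCHAR(15), p_userId VARCHAR(64))
RETURNS VARCHAR(64) READS SQL DATA
BEGIN
  -- Allowed from this NAS: hand back the real password as the check item.
  IF EXISTS (SELECT 1 FROM userAllowedNAS WHERE userId = p_userId AND nasIp = p_nasIp) THEN
    RETURN (SELECT password FROM radiusUsers WHERE userId = p_userId);
  END IF;
  -- Not allowed: return a sentinel that no real password should ever equal.
  RETURN '**-User-Not-Allowed-To-Use-This-NAS-**';
END //
DELIMITER ;

-- The expanded authorize check query from the log. For the new NAS the value
-- column is the sentinel, rlm_pap compares the supplied password against it,
-- and the debug output reads "Passwords don't match" although the real cause
-- is a per-NAS restriction.
SELECT '1' AS id, userId AS username, 'Cleartext-Password' AS attribute,
       checkNASIPPassword('192.168.1.239', 'username') AS value, ':=' AS op
  FROM radiusUsers WHERE userId = 'username' ORDER BY id;

-- Safer equivalent: a constant sentinel is itself a string rlm_pap would
-- accept as the password, so reject explicitly instead of faking one.
-- control:Auth-Type := Reject also makes the outcome obvious in the debug log.
SELECT '1' AS id, u.userId AS username,
       IF(a.nasIp IS NULL, 'Auth-Type', 'Cleartext-Password') AS attribute,
       IF(a.nasIp IS NULL, 'Reject',    u.password)           AS value,
       ':=' AS op
  FROM radiusUsers u
  LEFT JOIN userAllowedNAS a
         ON a.userId = u.userId AND a.nasIp = '192.168.1.239'
 WHERE u.userId = 'username';
```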

ntlm_auth not respected

2013-08-20 Thread Chris Parker
It seems that I have ntlm_auth configured to talk to Samba correctly, as it 
positively works when run from the CLI, and FR even shows a positive login, but 
that positive login never seems to be sent to the authentication stage.
More food for thought once I tackle this: when I try to link all this 
together with a Netgear WAP, plain-text users in the users file work perfectly 
fine.

Log output:
rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114, 
length=57
User-Name = wyse1
User-Password = K503D
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = wyse1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=wyse1
[ntlm_auth] expand: --password=%{User-Password} - --password=K503D
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 
Exec-Program: returned: 0
++[ntlm_auth] returns ok
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Login incorrect: [wyse1/K503D] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 114 to 127.0.0.1 port 35826
Waking up in 4.9 seconds.
Cleaning up request 7 ID 114 with timestamp +843
Ready to process requests.