date:20131007

On 7 Oct 2013, at 23:23, Arran Cudbard-Bell  wrote:

> 
> On 7 Oct 2013, at 23:00, Alan DeKok  wrote:
> 
>> Brian Julin wrote:
>>> You guys are truly obsessed.  I get exhausted just reading your commit 
>>> logs.  :-)
>> 
>> It's what I do.
> 
> I'm just in it for the groupies.  Everyone knows girls dig guys who have a 
> working knowledge of OpenLDAP client library.

release_branch_3.0.0 has now been renamed v3.0.x and will be used for bugfixes 
in v3.0.x. Major new development will now
be done in master, which will be branched again before the release of v3.1.0.

git branch -m release_branch_3.0.0 v3.0.x

Should be sufficient to update your local repositories.

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Version 3.0.0 has been released

On 7 Oct 2013, at 23:00, Alan DeKok  wrote:

> Brian Julin wrote:
>> You guys are truly obsessed.  I get exhausted just reading your commit logs. 
>>  :-)
> 
>  It's what I do.

I'm just in it for the groupies.  Everyone knows girls dig guys who have a 
working knowledge of OpenLDAP client library.

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Version 3.0.0 has been released

Brian Julin wrote:
> You guys are truly obsessed.  I get exhausted just reading your commit logs.  
> :-)

  It's what I do.

  I spend a fair amount of time on other things, too.  But pushing
FreeRADIUS ahead is a high priority.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radwho not working

Clint Petty wrote:
> Hi Alan,
> 
> Well I discovered a way to display a list of all active users without having 
> to implement FreeRadius accounting, which BTW is not as straight forward as 
> it should be.
> 
> I was able to display all active users through my StrongSwan server, with the 
> simple following command:
> 
> # strongswan leases
> 
> FreeRadius should be so easy!

RADIUS does a LOT more than strongswan.  And yes, basic RADIUS
really is easy.

  A large part of the difficulties are due to bad client
implementations.  No one wants to blame the client, so everyone blames
FreeRADIUS.

  I've learned to deal with it, but that doesn't mean I have to like it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radwho not working


On 7 Oct 2013, at 22:39, Clint Petty  wrote:

> Hi Alan,
> 
> Well I discovered a way to display a list of all active users without having 
> to implement FreeRadius accounting, which BTW is not as straight forward as 
> it should be.
> 
> I was able to display all active users through my StrongSwan server, with the 
> simple following command:
> 
> # strongswan leases
> 
> FreeRadius should be so easy!

It is if you understand SQL, and don't insist on using arcane decade old 
modules and utilities.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: radwho not working

2013-10-07 Thread Clint Petty

Hi Alan,

Well I discovered a way to display a list of all active users without having to 
implement FreeRadius accounting, which BTW is not as straight forward as it 
should be.

I was able to display all active users through my StrongSwan server, with the 
simple following command:

# strongswan leases

FreeRadius should be so easy!

Thanks,

Clint

-Original Message-
From: freeradius-users-bounces+cpetty=luthresearch@lists.freeradius.org 
[mailto:freeradius-users-bounces+cpetty=luthresearch@lists.freeradius.org] 
On Behalf Of Alan DeKok
Sent: Thursday, October 03, 2013 3:10 PM
To: FreeRadius users mailing list
Subject: Re: radwho not working

Clint Petty wrote:
> I am not blaming, I am just wanting to get the radwho command to work.

  That is *entirely* the wrong attitude.  There is no "just get it to
work".  There *are* multiple pieces involved, each of which has to be
verified.  I'm trying to convince you to use a methodical approach.

  If you read "man radwho", you'll see it uses accounting packets.  That
should indicate that you'll need to enable accounting.  But you didn't
do that.  You were told to run the server in debugging mode, and you did
once... but not the next time.

  The less you do yourself, and the more difficult you make it to help
you, the less we're inclined to help.

  *THAT* is the goal of many of my responses.

>  I have now turned on accounting info to be sent from the StrongSwan server 
> to the FreeRadius server.  For I can see the accounting info in 
> /var/log/radius/radacct//detail-20131003 file.

  Which isn't the radutmp file, is it?  Again, "man radwho" says it
reads the radutmp file.

  Again, your process should be something like this:

- "man radwho" says it needs the radutmp file.
- is the radutmp module enabled?
- if enabled, is it doing anything?
- where is the file?
- is it being modified?

>  However I am still getting the same results with the radwho command, showing 
> just the titles, with no connections?

  You other message indicates that the module is being used, and is
returning "ok".

  Does the "radwho" command print anything after the "radutmp" module
returns "ok" ?

  It should.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Version 3.0.0 has been released

2013-10-07 Thread Brian Julin


Congratulations Alan,  Arran  for pushing this out of the nest,
all the while being so attentive on the mailing list, along with Phil
and "the other Alan" :-)

You guys are truly obsessed.  I get exhausted just reading your commit logs.  
:-)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Version 3.0.0 has been released

After many years of development, the FreeRADIUS team is happy to
announce Version 3 of the world's most popular server. The release was
delayed from June in order to track down and solve a number of
last-minute issues. We'd like to thank all of the beta testers for
helping with that process.

The release announcement is available on the web site:

http://freeradius.org/press/index.html#3.0.0

In short, it's simpler, easier to use, and better organized.

Upgrading instructions are available here:

https://github.com/FreeRADIUS/freeradius-server/blob/release_branch_3.0.0/raddb/README.rst

As this is a major version, you CANNOT just use your 2.x configuration
files. Sorry, but many of the new features require changes which aren't
compatible with 2.x. See the LDAP and SQL modules for new connection
pools, for example.

The debug output is colorized, with yellow WARNINGS and red ERRORS.
This should help people understand which messages are important and need
attention.

RADIUS over TLS (RadSec) is supported. This means RADIUS has actual
security, instead of the 20 year-old MD5 weirdness.

Many configuration errors are caught at startup, rather than run time.
Helpful messages are printed, including a pointer to which character
caused the error.

The raddb/ directory has been re-organized. The files should now be
easier to find, as they use a consistent layout.

DHCP and VMPS are still supported, but their code has been moved to
plug-in modules. We expect to continue this process for the 3.1
release. The goal is to move RADIUS to a plug-in module. The server
will then be capable of handling many more protocols. We have a number
of new protocols in development, and will be announcing them later this
year.

SNMP traps are now supported. You can trigger a trap when a home
server goes down, and when it comes back up again!

While supporting many new features, the code is almost 10% smaller
than version 2.2. In addition, it has daily builds on multiple
platforms, including automatic static source code analysis. This means
that the code is smaller, more secure, and easier to maintain.

We'd like to add a special thanks to the Samba project, for the talloc
library. Many of the new features we made possible by talloc. We
expect more features in the future.

Alan DeKok.
FreeRADIUS Project Leader
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: What does FR 2.2.2 fix?

2013-10-07 Thread Stefan Winter

Hi,

> clarification/agreement from Stefan or others?

tried the newest GIT this morning and the proxy issues were gone.

I haven't seen your "Internal sanity check failed" just yet (and am not
looking forward to it :-/ ).

Stefan

> 
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66


0x8A39DC66.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: What does FR 2.2.2 fix?

a.l.m.bu...@lboro.ac.uk wrote:
> now its monday AM and the load has gone back to higher levels 
> the server is freaking out and freezing witht he last message in
> the log being
> 
> 
> Mon Oct  7 07:50:28 2013 : Error: [event.c:2318] Internal sanity check failed

  At least that's clearer.

  It would be nice to be able to debug the exact state for that, but the
fix should be simple.  I'll push something to git later today.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with Cisco WLC probes in FR 2.2.1

On 7 Oct 2013, at 11:31, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
> 
>> Well you want the probes to go through and hit your backed authentication 
>> servers,
>> and your databases, and any external resource.
> 
> ..and get a valid user with access accept?  bad. you are better off just 
> semding a reject - 
> just like RADIUS status server probes.  it would be nice if the WISM would do 
> proper
> RADIUS status-server probe insteadbut since cisco want you to buy ACS/ISE 
> and that doesnt
> do nice things - then I guess we can live in hope

No. You want a policy in post-auth which checks what happened when the test 
user's
authentication was processed.

Everything ok:
Access-Reject

Somethings wrong:
Don't respond

And you want to make sure that you have ACLs in place to only allow access to 
the RADIUS
test user object from the RADIUS test server (obviously :) ).

In regards to upstream proxy servers, i'll echo Alan D's thoughts on this, and 
say that
it's really the responsibility of a AAA routing protocol.

Though yes, for eduroam checking next hop connectivity is probably useful. 
Maybe an xlat
method which returns the state of a realm?

-Arran 

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with Cisco WLC probes in FR 2.2.1

Hi,

> Well you want the probes to go through and hit your backed authentication 
> servers,
> and your databases, and any external resource.

..and get a valid user with access accept?  bad. you are better off just 
semding a reject - 
just like RADIUS status server probes.  it would be nice if the WISM would do 
proper
RADIUS status-server probe insteadbut since cisco want you to buy ACS/ISE 
and that doesnt
do nice things - then I guess we can live in hope

- after all, if you were REALLY going to validate what the WISM and RADIUS 
server
can do, you'd want your status check to go through your remote RADIUS server
proxiesas the user might be a visitor or from some 3rd party org that you 
peer
with - then we get into the whole business of the status probes being more
intelligent with multiple realms etc etc... this is WAY off topic now ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with Cisco WLC probes in FR 2.2.1

On 7 Oct 2013, at 10:36, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
> 
>> We're finding these nuggets of code as we dig deeper into James's
>> legacy config. If the Access-Accept response is not required, then
>> presumably I can ditch that entire code block and let the
>> wisms-testing auth attempt go through the system as any other user.
> 
> yesbut you'd be better off just sending an immediate Access-Reject
> or these probes go through your whole config and hit your backend 
> authentication
> servers for no reason.

Well you want the probes to go through and hit your backed authentication 
servers,
and your databases, and any external resource.

In the event of a failure of any of those modules you want to not respond to the
WiSM.

In 3.0.0 a really easy way to check for that sort of thing is using the presence
of Module-Failure-Message, though you should be careful to clear it if you have
redundant sections, or alternative behaviour on module failure.

Previously Module-Failure-Message had to be set explicitly by the module, so 
wasn't
implemented by all modules. In 3.0.0 when standardising the logging macros and 
added
a call to set it on all request errors (RERROR, REDEBUG, REDEBUG2, REDEBUG3, 
REDEBUG4),
which most, if not all modules use to log errors.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with Cisco WLC probes in FR 2.2.1

Hi,

> We're finding these nuggets of code as we dig deeper into James's
> legacy config. If the Access-Accept response is not required, then
> presumably I can ditch that entire code block and let the
> wisms-testing auth attempt go through the system as any other user.

yesbut you'd be better off just sending an immediate Access-Reject
or these probes go through your whole config and hit your backend authentication
servers for no reason.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with Cisco WLC probes in FR 2.2.1

2013-10-07 Thread Scott Armitage


On 7 Oct 2013, at 09:59, Jonathan Gazeley  
wrote:

> On 07/10/13 08:40, a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>> 
 if (Service-Type == "NAS-Prompt-User") {
  if (NAS-IP-Address =~ /^172\.17\.107\./) {
   if (User-Name =~ /^wisms\-testing/) {
update control {
 Auth-Type := Accept
}
>> ouch do you realise how dangerous that is?  there
>> should be no need to send an access accept packet back
>> to these probes - a reject should suffice - and that would stop
>> an end user subverting your system by simply using
>> that UserName (if they are using wpa_supplicant they could
>> add that NAS-Prompt-User attribute)
>> 
>> alan
>> -
> 
> We're finding these nuggets of code as we dig deeper into James's legacy 
> config. If the Access-Accept response is not required, then presumably I can 
> ditch that entire code block and let the wisms-testing auth attempt go 
> through the system as any other user.


Yes, or immediately reject that user in the authorise section.  Rejecting 
immediately just makes things more efficient, particularly if the wism is doing 
a check because it has marked the server as dead.  

Test it, see what happens.

Regards

Scott


signature.asc
Description: Message signed with OpenPGP using GPGMail
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with Cisco WLC probes in FR 2.2.1

2013-10-07 Thread Jonathan Gazeley


On 07/10/13 08:40, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


if (Service-Type == "NAS-Prompt-User") {
  if (NAS-IP-Address =~ /^172\.17\.107\./) {
   if (User-Name =~ /^wisms\-testing/) {
update control {
 Auth-Type := Accept
}

ouch do you realise how dangerous that is?  there
should be no need to send an access accept packet back
to these probes - a reject should suffice - and that would stop
an end user subverting your system by simply using
that UserName (if they are using wpa_supplicant they could
add that NAS-Prompt-User attribute)

alan
-


We're finding these nuggets of code as we dig deeper into James's legacy 
config. If the Access-Accept response is not required, then presumably I 
can ditch that entire code block and let the wisms-testing auth attempt 
go through the system as any other user.


Thanks,
Jonathan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with Cisco WLC probes in FR 2.2.1

2013-10-07 Thread Phil Mayers


On 10/07/2013 08:40 AM, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


if (Service-Type == "NAS-Prompt-User") {
  if (NAS-IP-Address =~ /^172\.17\.107\./) {
   if (User-Name =~ /^wisms\-testing/) {
update control {
 Auth-Type := Accept
}


ouch do you realise how dangerous that is?  there
should be no need to send an access accept packet back
to these probes - a reject should suffice - and that would stop
an end user subverting your system by simply using
that UserName (if they are using wpa_supplicant they could
add that NAS-Prompt-User attribute)


Er... wpa_supplicant speaks EAP, and Service-Type is a RADIUS attribute.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: What does FR 2.2.2 fix?

Hi,

>   If everyone's in favor, I'll release 2.2.2 on Monday.

hold request


now its monday AM and the load has gone back to higher levels 
the server is freaking out and freezing witht he last message in
the log being


Mon Oct  7 07:50:28 2013 : Error: [event.c:2318] Internal sanity check failed


(thats it...no other output - the server needs a restart, it doesnt process 
anything else once it hits this error)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with Cisco WLC probes in FR 2.2.1