Re: well almost got FR 3.0 to compile on OS X :-)
o.k deinstalled the package and package manager I was using, installed homebrew, installed latest openssl and talloc and ….. just compiled and installed. Simples!

Thanks for that
A

On 9 Oct 2013, at 11:54, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote:
>
>> you don't know how hard it was to wait till the official release :-)
>> A
>
> brew install talloc
> brew link talloc
> ./configure
> make
> make install
>
> ?
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: well almost got FR 3.0 to compile on OS X :-)
On 10 Oct 2013, at 12:02, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 10 Oct 2013, at 10:44, Alex Sharaz alex.sha...@york.ac.uk wrote:
>
>> o.k deinstalled the package and package manager I was using, installed homebrew, installed latest openssl and talloc and ….. just compiled and installed. Simples!
>
> Hmm wonder what rudix was doing to mess up talloc installation.
>
> Anyway, we have our own set of AC_CHECK_LIB and AC_CHECK_HEADERS functions which are smarter than the standard ones, and search in places like /usr/local/lib. They also add -L and -I for libs/headers in non-standard locations, so the majority of the time 3.0.0 configure/make should just work.
>
> Were you installing your own version of SSL to get around the OpenSSL header/library mismatch? Apple messed up and bumped the library version for OpenSSL without bumping the header versions.

Yup. Had that problem with FR 2 as well.

> You can just edit the system headers to match, though that's a bit icky. Hopefully apple will just drop OpenSSL in Mavericks and we can do a clean install without all the stupid deprecated pragmas from another package management system.

Probably a good idea.

Anyway, can now look at radsec/IPv4 - radsec/IPv6 using FR now.
A

> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
well almost got FR 3.0 to compile on OS X :-)
Just got a wee bit of trouble linking in the talloc libraries, but I'm sure it's not insurmountable
A
load balancing radius with F5 devices
Hi,

Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm needs some tweaking. As far as I'm aware (systems section support the F5 boxes):

1) We're using round robin to spread the load over 2 back end radius servers.
2) There is some general sticky persistence so that once a RAS device starts talking to a particular back end server it continues to talk to that server for a predetermined length of time (might be an hour, not sure). This ensures that an EAP dialogue will always talk to the same back end server for the duration of the stuck time. Not sure what happens when you get to the end of the time interval though.

According to the F5 statistics, overall radius traffic seems to be shared evenly over the 2 back end servers. However, our most heavily loaded RAS client is our wireless network. While we have 900 switches doing MAC and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server.

I was wondering if there's a way of having a bit more granularity in terms of how the F5 load balances incoming RADIUS requests.

Rgds
Alex
Re: load balancing radius with F5 devices
On 9 Oct 2013, at 10:16, Fajar A. Nugraha l...@fajar.net wrote:

> On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote:
>
>> While we have 900 switches doing MAC and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server.
>>
>> I was wondering if there's a way of having a bit more granularity in terms of how the F5 load balances incoming RADIUS requests.
>
> Have you asked F5?
>
> At the very least, common load balancers (e.g. keepalived on linux, a frontend for ipvs) should have the option of distributing traffic to backends based on source IP. Since you say you have 3 RAS clients, it should work somewhat.

You had a nose round the F5 site and subscribed to some of the communities. Shall we say that the response wasn't that great!
A

> --
> Fajar
Re: well almost got FR 3.0 to compile on OS X :-)
you don't know how hard it was to wait till the official release :-)
A

On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> Just got a wee bit of trouble linking in the talloc libraries, but I'm sure it's not insurmountable
>
> Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff present - you should have been compiling it before the official release ;-)
>
> alan
Re: load balancing radius with F5 devices
Many thanks for this Olivier, much appreciated
Rgds
A

On 9 Oct 2013, at 11:07, Olivier Beytrison oliv...@heliosnet.org wrote:

> On 09.10.2013 11:25, Olivier Beytrison wrote:
>> On 09.10.2013 10:41, Alex Sharaz wrote:
>>> I was wondering if there's a way of having a bit more granularity in terms of how the F5 load balances incoming RADIUS requests.
>
> Another nice thing to do is to do persistence based on radius AVP
> https://devcentral.f5.com/questions/radius-load-bnalancing-persistence
>
> So you can load balance incoming requests based on any standard AVP (User-Name, NAS-IP-Address, Calling-Station-Id)
>
> Olivier
>
> --
> Olivier Beytrison
> Network Security Engineer, HES-SO Fribourg
> Mail: oliv...@heliosnet.org
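The skew Alex describes (3 wireless RAS clients, one back end) and Olivier's fix (persistence on a RADIUS AVP) can be shown with a small simulation. The block below is an added example written for this page; it is not code from the thread or from F5. It builds constructed Access-Request packets, parses the AVPs with length checks, and hashes the chosen persistence key (NAS-IP-Address or Calling-Station-Id) with SHA-256 to pick one of two hypothetical back ends. Keying on NAS-IP-Address can only ever produce three buckets, so with two back ends one of them gets at least two thirds of the wireless load; keying on Calling-Station-Id keeps each supplicant's EAP conversation on one server while spreading the clients evenly. The attribute numbers are the standard ones from RFC 2865; the addresses, user names and MACs are made up.

```python
"""Persistence-key choice for load-balanced RADIUS (added example).

Assumptions (not from the thread): two back ends, three NAS addresses,
6000 constructed wireless clients, and SHA-256 of the key as the
persistence hash. Attribute codes are from RFC 2865.
"""
import hashlib
import struct
from collections import Counter

ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31


def build_access_request(identifier, attrs):
    """Minimal Access-Request (code 1) with a zero authenticator.
    attrs is a list of (type, bytes) pairs. Constructed test data only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return {type: [value, ...]} for the AVPs in a RADIUS packet.
    Truncated packets and bad AVP lengths raise instead of being read past."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("dangling bytes after last AVP")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad AVP length %d at offset %d" % (l, pos))
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs


def choose_backend(key, backends):
    """Deterministic persistence: the same key always maps to the same backend."""
    digest = hashlib.sha256(key).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def distribution(packets, attr_type, backends):
    """How many packets each backend receives when persistence is keyed on
    attr_type. Packets lacking the attribute all go to the first backend,
    which makes a missing key visible as skew rather than hiding it."""
    counts = Counter({b: 0 for b in backends})
    for pkt in packets:
        values = parse_attributes(pkt).get(attr_type)
        counts[choose_backend(values[0] if values else b"", backends)] += 1
    return dict(counts)


# Constructed sample: 6000 wireless clients behind three NAS addresses.
NAS_ADDRESSES = [bytes([10, 0, 0, n]) for n in (1, 2, 3)]


def sample_packets(n_clients=6000):
    pkts = []
    for i in range(n_clients):
        mac = ("02-00-00-%02X-%02X-%02X" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)).encode()
        pkts.append(build_access_request(i & 0xFF, [
            (ATTR_USER_NAME, b"user%d@example.ac.uk" % i),
            (ATTR_NAS_IP_ADDRESS, NAS_ADDRESSES[i % 3]),
            (ATTR_CALLING_STATION_ID, mac),
        ]))
    return pkts


if __name__ == "__main__":
    backends = ["radius1", "radius2"]
    pkts = sample_packets()
    print("by NAS-IP-Address:    ", distribution(pkts, ATTR_NAS_IP_ADDRESS, backends))
    print("by Calling-Station-Id:", distribution(pkts, ATTR_CALLING_STATION_ID, backends))
```

Running it prints a 4000/2000 (or 6000/0) split when keyed on NAS-IP-Address and something close to 3000/3000 when keyed on Calling-Station-Id. The same holds for User-Name as long as the outer identity is stable for the whole EAP exchange; what matters for correctness is that every packet of one conversation carries the same key value.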
Re: well almost got FR 3.0 to compile on OS X :-)
On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> Just got a wee bit of trouble linking in the talloc libraries, but I'm sure it's not insurmountable
>
> Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff present - you should have been compiling it before the official release ;-)

Ah! that explains it. When I first compiled FR 2.x.x on my Lion box I do remember being impressed with the fact that it just talked to the back end Open Directory without doing anything. Looking forward to setting up radsec in FR3
A

> alan
Re: well almost got FR 3.0 to compile on OS X :-)
o.k. different method of getting talloc onto machine :-)

I used

    curl -s https://raw.github.com/rudix-mac/package-manager/master/rudix.py | sudo python - install rudix

then

    rudix install talloc

:-))

On 9 Oct 2013, at 11:54, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote:
>
>> you don't know how hard it was to wait till the official release :-)
>> A
>
> brew install talloc
> brew link talloc
> ./configure
> make
> make install
>
> ?
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
What does FR 2.2.2 fix?
Hi,

Yesterday caught an email about the release of FR 2.2.2 on Monday to fix a proxy problem. As I've just migrated 2 of my servers from 2.2.0 to 2.2.1 the sudden release of 2.2.2 sounds important. What does 2.2.2 fix?

Rgds
Alex
Re: What does FR 2.2.2 fix?
On 4 Oct 2013, at 10:37, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 4 Oct 2013, at 10:19, Alex Sharaz alex.sha...@york.ac.uk wrote:
>
>> Hi,
>> Yesterday caught an email about the release of FR 2.2.2 on Monday to fix a proxy problem. As I've just migrated 2 of my servers from 2.2.0 to 2.2.1 the sudden release of 2.2.2 sounds important. What does 2.2.2 fix?
>
> Issue with workers not marking requests as being done correctly. Workers appear to get hung, leading to issues. I would upgrade to latest 2.x.x HEAD to avoid disruption if the proxying functionality is heavily used.

Eek! that's what I'm seeing on our outward facing eduroam servers that do nothing but proxy stuff. Time to fix it methinks

> There were also quite a few issues with the policy language.
>
> -Arran
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: What does FR 2.2.2 fix?
Hmm like these then?

Fri Oct 4 11:24:12 2013 : Info: WARNING: Child is hung for request 17630 in component core module thread.
Fri Oct 4 11:24:13 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
Fri Oct 4 11:24:14 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
Fri Oct 4 11:24:17 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
Fri Oct 4 11:24:44 2013 : Info: WARNING: Child is hung for request 17633 in component core module thread.
Fri Oct 4 11:24:52 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
Fri Oct 4 11:24:53 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
Fri Oct 4 11:24:55 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.

Reverted back to 2.2.0 as I never saw these errors with it
Rgds
A

On 4 Oct 2013, at 11:53, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
> a couple of logic issues that meant case/switch and if() worked different to 2.x - that's been fixed.
>
> ..and an issue if your server does a lot of proxying work - in which worker threads aren't dealt with properly - your log file will be full of core and module messages if you are being hit. this *MIGHT* be fixed in HEAD. we are testing at the moment (looking good).
>
> if you aren't doing the former and not hit by the latter you don't need to worry.
>
> alan
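Alan's "your log file will be full of core and module messages" is a detectable condition, and the eight lines Alex posted already show the tell-tale sign: request ids 17634, 17635 and 17636 are each reported hung twice, about forty seconds apart, which is what a worker that never marks its request done looks like from the outside. The block below is an added example written for this page, not FreeRADIUS code or anything from the thread. It parses the warning format from Alex's log, flags request ids that recur, and measures the peak number of warnings in any sliding sixty-second window so an operator can alert before a proxy-only server stops responding. The sample text is the thread's eight lines plus one constructed non-matching line; the alert threshold is an assumption.

```python
"""Detect hung-worker warnings in a FreeRADIUS 2.x log (added example).

Assumes the message format seen in the thread:
  <ctime stamp> : Info: WARNING: Child is hung for request N in component C module M.
The rate threshold is an assumed operational choice, not a FreeRADIUS setting.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

HUNG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Info: WARNING: "
    r"Child is hung for request (?P<req>\d+) in component (?P<comp>\S+) module (?P<mod>\S+)\.$"
)

# The eight lines from the thread plus one constructed, unrelated line.
SAMPLE_LOG = """\
Fri Oct 4 11:24:12 2013 : Info: WARNING: Child is hung for request 17630 in component core module thread.
Fri Oct 4 11:24:13 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
Fri Oct 4 11:24:14 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
Fri Oct 4 11:24:17 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
Fri Oct 4 11:24:44 2013 : Info: WARNING: Child is hung for request 17633 in component core module thread.
Fri Oct 4 11:24:52 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
Fri Oct 4 11:24:53 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
Fri Oct 4 11:24:55 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
Fri Oct 4 11:25:01 2013 : Info: Ready to process requests.
"""


def parse_hung_warnings(text):
    """Return (timestamp, request_id, component, module) for every hung-child
    warning; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = HUNG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, int(m.group("req")), m.group("comp"), m.group("mod")))
    return events


def repeated_requests(events):
    """Request ids reported hung more than once. A request that is re-reported
    is one the worker never marked as done, which is the bug discussed above."""
    counts = Counter(req for _, req, _, _ in events)
    return {req: n for req, n in counts.items() if n > 1}


def peak_rate(events, window=timedelta(seconds=60)):
    """Largest number of warnings falling inside any sliding window."""
    times = sorted(ts for ts, _, _, _ in events)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def assess(text, rate_threshold=5):
    """Summarise a log chunk; 'alert' is true on recurrence or a burst."""
    events = parse_hung_warnings(text)
    repeated = repeated_requests(events)
    peak = peak_rate(events)
    return {
        "warnings": len(events),
        "repeated": repeated,
        "peak_per_minute": peak,
        "alert": bool(repeated) or peak >= rate_threshold,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

On the sample this reports eight warnings, three recurring request ids and a peak of eight per minute, so it alerts on both counts. Recurrence is the stronger signal: a single hung warning can be a slow home server during proxying, but the same request id coming back means the thread pool is leaking workers.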
Re: What does FR 2.2.2 fix?
Woah! that's getting to be lots of beer. I'll run it on one of my outward facing servers. Point me at something I can build and run
A

On 4 Oct 2013, at 14:33, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> If I asked particularly nicely, and promised you a beer at the next networkshop we were both in attendance at, would you be willing to try git head?
>
> I'll take the beer - am running HEAD since last night on one server :-) (as I said to Alan, I'll report at end of day)
>
> alan
Re: returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10
Works here just fine. Once you've created the correctly formatted value for the radius attribute FR displays it as an integer but whatever happens in the background the HP switch just does its stuff
Rgds
A

Sent from my iPhone

On 6 Aug 2013, at 00:39, Andy a...@brandwatch.com wrote:

> Hello,
>
> This is my first post here so please excuse any missed etiquette. I have read through the wikis and googled a lot and not found anything.
>
> I have been trying to configure our switch ports (HP 2910al) with Tagged VLANs via Egress-VLANID and Egress-VLAN-Name. The Radius backend is OpenLDAP, and I have tried setting the data type in OpenLDAP to binary, UTF-8 and IA5, but no matter what I do, the value returned by RADIUS is the decimal equivalent of the HEX bit string I enter :(
>
> For example I'm trying to store and send 0x3112 to indicate a tagged VLAN (0x31) on VLAN 12. But looking at freeradius -X output I can see it sending the decimal number, when the switch wants the bit string as it was stored, and hence throws an error!
>
> Is this a FreeRADIUS thing or an OpenLDAP data type thing? Any help and advice would be greatly appreciated as I'm stuck.
>
> Thanks in advance,
> Andy.
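The "correctly formatted value" Alex refers to is defined by RFC 4675, and the decimal number Andy saw in the debug output is not a conversion error: Egress-VLANID is a 32-bit integer on the wire, so FreeRADIUS simply prints it in decimal. The block below is an added example written for this page, not code from FreeRADIUS or from either poster. It encodes and decodes both attributes per RFC 4675 (tag indicator 0x31 for tagged and 0x32 for untagged in the top octet, twelve zero pad bits, then the 12-bit VLAN ID; for Egress-VLAN-Name the indicator is the character '1' or '2' in front of the name) and renders a value in both notations so the two can be compared side by side. A valid tagged VLAN 12 comes out as 0x3100000C, which is 822083596 in decimal; the value 0x3112 from the question does not decode because its top octet is zero.

```python
"""RFC 4675 Egress-VLANID / Egress-VLAN-Name encoding (added example).

Layout from RFC 4675 section 2.3 / 2.4:
  Egress-VLANID    : 32-bit integer = tag indicator (0x31 tagged, 0x32
                     untagged) << 24 | 12 zero bits | 12-bit VLAN ID
  Egress-VLAN-Name : string = '1' (tagged) or '2' (untagged) + VLAN name
"""
TAGGED = 0x31
UNTAGGED = 0x32


def encode_egress_vlanid(vlan_id, tagged=True):
    """Return the integer FreeRADIUS will show (in decimal) for this VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID %r out of range 1..4094" % vlan_id)
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value):
    """Return (vlan_id, tagged); reject values that do not fit the layout,
    such as a bare 0x3112 with nothing in the tag-indicator octet."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    indicator = value >> 24
    if indicator not in (TAGGED, UNTAGGED) or value & 0x00FFF000:
        raise ValueError("not a valid Egress-VLANID: 0x%08X" % value)
    vlan_id = value & 0xFFF
    if vlan_id == 0:
        raise ValueError("VLAN ID 0 is reserved")
    return vlan_id, indicator == TAGGED


def encode_egress_vlan_name(name, tagged=True):
    """Prefix the name with the textual tag indicator."""
    if not name or len(name.encode("utf-8")) > 252:  # 253 max incl. indicator
        raise ValueError("VLAN name empty or too long")
    return ("1" if tagged else "2") + name


def decode_egress_vlan_name(value):
    if len(value) < 2 or value[0] not in "12":
        raise ValueError("not a valid Egress-VLAN-Name: %r" % value)
    return value[1:], value[0] == "1"


def describe(value):
    """Show the same Egress-VLANID in decimal and hex, as a human would
    want to see it next to a 'freeradius -X' line."""
    vlan_id, tagged = decode_egress_vlanid(value)
    return "Egress-VLANID = %d (0x%08X, %s VLAN %d)" % (
        value, value, "tagged" if tagged else "untagged", vlan_id)


if __name__ == "__main__":
    v = encode_egress_vlanid(12, tagged=True)
    print(describe(v))
    print(encode_egress_vlan_name("Staff", tagged=True))
```

Whatever the LDAP attribute syntax, the string that reaches the integer-typed RADIUS attribute must parse to this 32-bit value; the debug output showing 822083596 rather than 0x3100000C is the expected rendering, and the switch error in the question comes from the value itself not matching the layout.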
FreeTDS + UnixODBC to MSSQL Problems
Version: FreeRADIUS Version 2.2.0, for host x86_64-pc-linux-gnu, built on Jul 31 2013 at 15:36:48
OS: Ubuntu 12.04.2 LTS

Hi all-

Having some difficulties with Freeradius connecting to a SQL Server 2008 backend using the unixodbc module. I've recompiled the source using the --with-rlm_sql_unixodbc flag and the module appears to be loading fine. However, Freeradius does not seem to be able to establish a connection with the server. I've configured my freetds.conf, odbc.ini, and odbcinst.ini files properly because tsql and isql can both connect to and query the server, but the debug output from Freeradius gives me the following:

rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked
rlm_sql (sql): Attempting to connect to admin@10.10.100.24:49355/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
rlm_sql_unixodbc: SQL down 08001 [unixODBC][FreeTDS][SQL Server]Unable to connect to data source
rlm_sql_unixodbc: Connection failed
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.

I'm using the mssql.conf template found at https://github.com/FreeRADIUS/www.freeradius.org/blob/master/radiusd/raddb/mssql.conf with the only changes being the connect info (server, login, port, password), radius_db, and sqltrace, and radiusd.conf has an include for mssql.conf.

I've tried running Wireshark on the SQL server and both tsql and isql generate traffic to the server. Upon loading Freeradius, I see absolutely no traffic coming from the radius server's IP.

Any ideas where my problem could lie?
Re: FreeTDS + UnixODBC to MSSQL Problems
After confirming there was a src/modules/rlm_sql/drivers/rlm_sql_sybase directory, I edited debian/rules to add a --with-rlm_sql_sybase flag and recompiled. Now I'm receiving this:

Could not link driver rlm_sql_sybase: file not found
Make sure it (and all its dependent libraries!) are in the search path of your system's ld.

root@FREERAD:/home/administrator# ldconfig -p | grep syb
	libsybdb.so.5 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libsybdb.so.5
	libsybdb.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libsybdb.so

What other libraries is this module dependent on?

On Fri, Aug 2, 2013 at 12:47 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

>> I've tried running Wireshark on the SQL server and both tsql and isql generate traffic to the server. Upon loading Freeradius, I see absolutely no traffic coming from the radius server's IP.
>>
>> Any ideas where my problem could lie?
>
> Nope. But you can use the sybase driver as an alternative method of connecting to mssql.
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: FreeTDS + UnixODBC to MSSQL Problems
> Mm, inventing fictitious SQL drivers is one of my favourite pastimes.

Please forgive my unfamiliarity with the operating system / software.. why would that be a fictitious driver? The wiki page (http://wiki.freeradius.org/modules/Rlm_sql) lists sybase as a supported database via the rlm_sql_sybase driver within the 2.2.0 source, in addition to the appropriate client libraries.

> Have you checked that the module was actually installed in the FreeRADIUS lib dir?

Looks like it hasn't been. UnixODBC is in there, but no sybase.
using unlang to call a stored procedure
Hi,

I've written a mysql stored procedure that accepts 2 arguments, the NAS-IP address of one of our (HP) switches and the Calling-Station-Id of a network client (it's a MAC auth so the User-Name = Calling-Station-Id below). The procedure then queries various back end database tables to figure out which vlan to drop the client into based upon where it is on the network and the type of client it is. Once I've got the vlan back I can decide whether to use RFC 3580 or RFC 4675 when creating the attributes to pass back in the access-accept packet.

Only problem is figuring out how to format the unlang statement. Elsewhere in my sites-enabled/default file I've got

    if ( "%{sql:SELECT count(*) from banned_macs where mac_address=UPPER(TRIM('%{Calling-Station-Id}'))}" > 0 ) {
        update control {
            Auth-Type := Reject
        }
        update reply {
            Reply-Message := "quarantined, contact ITSO"
        }
    }

which works just fine and I can block specific mac addresses from connecting to our wired network.

In this case I've got

    Tmp-String-0 := "%{sql:call get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}"

get_vlan_id accepts two varchar arguments. Which, when I run radiusd -X -d /etc/freeradius gives me

    /etc/freeradius/sites-enabled/default[248]: Unknown action '%{sql:CALL get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}'.

I found a message on the list that says ………. call a stored procedure by using %{call the stored proc in here}

Well, from a mysql cli I'd type call get_vlan_id(…….) to run the stored procedure.

Rgds
Alex
Re: using unlang to call a stored procedure
On 20 May 2013, at 17:16, Phil Mayers wrote:

> On 20/05/13 16:55, Alex Sharaz wrote:
>
>> In this case I've got
>>
>>     Tmp-String-0 := "%{sql:call get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}"
>>
>> get_vlan_id accepts two varchar arguments. Which, when I run radiusd -X -d /etc/freeradius gives me
>>
>>     /etc/freeradius/sites-enabled/default[248]: Unknown action '%{sql:CALL get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}'.
>
> Which version of FreeRADIUS is this?

2.2.0 source

> From the source, the error Unknown action suggests you've got a syntax error. Remember you need to wrap this in an update block, like so:
>
>     authorize {
>         ...
>         update control {
>             Tmp-String-0 := "%{sql:}"
>         }
>         if (control:Tmp-String-0 =~ /.../) {
>         }
>         ...
>     }

Ah! o.k. fair enough
Rgds
Alex
Re: using unlang to call a stored procedure
Many thanks Phil, all sorted. Wrapping the sql: statement with an update control fixed the Unknown Action error. Haven't checked that I'm returning the correct stuff yet, but I'm past this particular problem
Rgds
Alex

On 20 May 2013, at 17:16, Phil Mayers wrote:

> On 20/05/13 16:55, Alex Sharaz wrote:
>
>> In this case I've got
>>
>>     Tmp-String-0 := "%{sql:call get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}"
>>
>> get_vlan_id accepts two varchar arguments. Which, when I run radiusd -X -d /etc/freeradius gives me
>>
>>     /etc/freeradius/sites-enabled/default[248]: Unknown action '%{sql:CALL get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}'.
>
> Which version of FreeRADIUS is this?
>
> From the source, the error Unknown action suggests you've got a syntax error. Remember you need to wrap this in an update block, like so:
>
>     authorize {
>         ...
>         update control {
>             Tmp-String-0 := "%{sql:}"
>         }
>         if (control:Tmp-String-0 =~ /.../) {
>         }
>         ...
>     }
Re: Inner tunnel post auth question
Andy,

What version of FreeRadius are you using? I *think* that unless you are using the git source for 2.2.1, post-auth reject is broken. There was some stuff I was doing a few months ago that got fixed in 2.2.1 … but I'm getting old and can't remember all the details :-(

On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer andy.fra...@sath.nhs.uk wrote:

> Hi,
>
> This may have come up before but I can't find any solutions: I'm using a NAS which always performs EAP/MSCHAP2 authentication, so I've stripped the sites-enabled/default right down to pretty much just include the eap stuff for authorisation/authentication, and am doing all the rest inside the inner tunnel – fine.
>
> When the radius returns an access-accept, it runs the stuff in the inner-tunnel post_auth section ok, and I can record the attributes I want to a mysql db, including a custom ldap attribute inserted into a control variable. However it seems that following a reject, the post_auth reject section of inner-tunnel isn't actually used, so it doesn't record any info about the attributes in the sql database if I use an sql call.
>
> Ok .. so do it in the default post_auth reject bit – ok but I can't figure how to pass back control variables to the outer tunnel. I'd imagine it should be similar to the description in the post auth reject section of the inner tunnel:
>
>     update outer.reply {
>         User-Name = "%{request:User-Name}"
>     }

have u got use_tunneled_reply = yes set up in eap.conf?
Rgds
Alex

> But the section never gets called, so I tried putting it after the ldap authorization bit, as I can't do it in the authentication part, or so I gather (no unlang support in there?). In the below update, Ldap-UserDescription is my custom attribute, which I can see from the logs is being populated:
>
>     [ldap] description -> Ldap-UserDescription == "test ip phone"
>
>     authorize {
>         ..
>         ..
>         ldap
>         update outer.control {
>             Ldap-UserDescription := "%{control:Ldap-UserDescription}"
>         }
>     }
>
> But again it doesn't make it through (or am I doing it wrong?)
>
>     +- entering group REJECT {...}
>         expand: %{control:Ldap-UserDescription} ->
>     ++[reply] returns noop
>
> Am I being stupid? The best thing would be for the post_auth reject section in inner tunnel to run, but failing that I need to work out the control item passback to the outer tunnel.
>
> Thanks for any help in advance!
> Andy
Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST
Be nice to hear true solution to this as the same thing happens to me for the NAS-IP-Address attribute
A

On 26 Apr 2013, at 15:41, Wang, Yu ywan...@fsu.edu wrote:

> Hi, Alan,
>
> Thanks for the suggestion. I added log_request_attributes; in authorize function and it already has sub log_request_attributes in the perl script. When I run FR in debug mode, the Aruba-Location-ID does present but when I call $RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.
>
> Any more suggestions? Thanks again.
>
> Yu Wang
>
> -----Original Message-----
> From: freeradius-users-bounces+ywang10=fsu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
> Sent: Thursday, April 25, 2013 5:44 PM
> To: FreeRadius users mailing list
> Subject: Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST
>
> hi,
>
> tired eyes so might have missed something obvious...but can you add the following into your authorise subroutine at the top
>
>     log_request_attributes;
>
> and ensure you have the following at the bottom
>
>     sub log_request_attributes {
>         for (keys %RAD_REQUEST) {
>             radiusd::radlog(L_DBG, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
>         }
>     }
>
> ..then run FR in debug mode again and see what comes out.
>
> cheers
> alan
Re: Normalising the User-Name AVP in an Access-Accept
What I'm doing at the moment. For our outward facing radius servers, with any inbound auth requests from York users elsewhere, I normalise the username in the Access-Accept packet to have the york.ac.uk realm appended if it's not there
A

On 18 Apr 2013, at 16:43, Nick Lowe nick.l...@gmail.com wrote:

> I would default the behaviour to not send the User-Name attribute in the Access-Accept but give the ability to have it trivially enabled with a toggle. And where it is enabled, by default, send it in the normalised user@realm format unless configured otherwise. (That would be the general case as far as I can see.)
Re: Normalising the User-Name AVP in an Access-Accept
So which id are you talking about?

if it's the outer and the user has configured the machine correctly, all you're going to see is @realm - not much use other than it's that institution

if it's the inner then o.k. you've got a realm from the outer User-Name and a userid from the inner but any accounting will be dumped locally.

if it's the inner and you've got a realm then you've got your userid to hand over and all the accounting should go back to the home institution … or have I got that wrong?

Rgds
A

On 18 Apr 2013, at 16:47, Brian Julin bju...@clarku.edu wrote:

> Nick Lowe wrote:
>> I would have thought that it is perfectly reasonable to return the identity back in the case you have roaming federations as long as it was an agreed requirement beforehand. I am of the opinion that this -should- be mandated as part of Eduroam, for example.
>
> I'd have to disagree. We don't want to know anything about eduroam guest users other than an ID which to hand authorities which they can use to investigate with the home institution. The less we know, the less work we have to do when we get a subpoena.
perl examples
Hi,

There don't seem to be many examples relating to using perl to access remote databases…. in fact there don't seem to be many perl examples at all. Got example.pl configured a wee bit and running on test server but could do with a better db related example. Unfortunately my perl skills aren't as good as they could be.

In post-auth I want to

- extract the NAS-IP address and Calling-Station-Id of the client device
- open a db connection and perform a query that'll let me decide what vlan-id to send back in the access-accept packet
- write radius attributes into the access-accept reply

Anyone got some form of template I could use for the above?

Rgds
Alex
Re: perl examples
On 8 Apr 2013, at 13:32, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> There don't seem to be many examples relating to using perl to access remote databases…. in fact there don't seem to be many perl examples at all.
>
> that's because it's a PERL issue not a FreeRADIUS one :-)

:-)) but it's perl being used within Freeradius (he says batting the ball over the net)

>> In post-auth I want to
>>
>> - extract the NAS-IP address and Calling-Station-Id of the client device
>> - open a db connection and perform a query that'll let me decide what vlan-id to send back in the access-accept packet
>> - write radius attributes into the access-accept reply
>
> you need to use DBI PERL to open the connection and then create the query. for the query you can use values straight from the FreeRADIUS PERL hook - or assign them to variables and use those variables, then run the query and look at the results. of course, you will need to verify that the connection was okay, that the query was okay and that the results are okay.

o.k. can do much of that.

>> Anyone got some form of template I could use for the above?
>
> each case requires new code but a quick Google will show you how to do the DB query stuff...I can provide you some template for assigning variables

That would be great if you could
Rgds
Alex

> alan
Re: perl examples
Magic! many thanks, got all the bits I needed

One question though, Why auth and not post-auth? I'm working on the basis that the stuff I do doesn't have anything to do with the actual auth process, in post-auth I'm doing things like setting session-timeouts, vlan assignments etc. based upon whether it's an access-request or an access-reject. Is there something wrong with that logic?

Rgds
alex

On 8 Apr 2013, at 14:10, Alex Sharaz alex.sha...@york.ac.uk wrote:

> On 8 Apr 2013, at 13:32, a.l.m.bu...@lboro.ac.uk wrote:
>
>> Hi,
>>
>>> There don't seem to be many examples relating to using perl to access remote databases…. in fact there don't seem to be many perl examples at all.
>>
>> that's because it's a PERL issue not a FreeRADIUS one :-)
>
> :-)) but it's perl being used within Freeradius (he says batting the ball over the net)
>
>>> In post-auth I want to
>>>
>>> - extract the NAS-IP address and Calling-Station-Id of the client device
>>> - open a db connection and perform a query that'll let me decide what vlan-id to send back in the access-accept packet
>>> - write radius attributes into the access-accept reply
>>
>> you need to use DBI PERL to open the connection and then create the query. for the query you can use values straight from the FreeRADIUS PERL hook - or assign them to variables and use those variables, then run the query and look at the results. of course, you will need to verify that the connection was okay, that the query was okay and that the results are okay.
>
> o.k. can do much of that.
>
>>> Anyone got some form of template I could use for the above?
>>
>> each case requires new code but a quick Google will show you how to do the DB query stuff...I can provide you some template for assigning variables
>
> That would be great if you could
> Rgds
> Alex
>
>> alan
Re: perl examples
On 8 Apr 2013, at 14:24, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> In post-auth I want to
>>
>> - extract the NAS-IP address and Calling-Station-Id of the client device
>> - open a db connection and perform a query that'll let me decide what vlan-id to send back in the access-accept packet
>> - write radius attributes into the access-accept reply
>
> one more comment...for something so 'trivial' I would seriously consider using unlang to do this anyway eg
>
>     update reply {
>         Tunnel-Private-Group-ID = "%{sql:SELECT vlan from authtable where NAS='%{NAS-IP-Address}' and csi='%{Calling-Station-Id}'}"
>         Tunnel-Medium-Type = IEEE-802
>         Tunnel-Type = VLAN
>     }
>
> ..or such…

looks neat, but getting the vlan associated with the switch and the calling station id isn't that simple. but I'll have a look anyway
Rgds
Alex

> alan
Re: perl examples
ok. This looks easier
Thx
A

On 8 Apr 2013, at 15:18, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 08/04/13 14:47, Alex Sharaz wrote:
>> On 8 Apr 2013, at 14:24, a.l.m.bu...@lboro.ac.uk wrote:
>>
>>> Hi,
>>>
>>>> In post-auth I want to
>>>>
>>>> - extract the NAS-IP address and Calling-Station-Id of the client device
>>>> - open a db connection and perform a query that'll let me decide what vlan-id to send back in the access-accept packet
>>>> - write radius attributes into the access-accept reply
>>>
>>> one more comment...for something so 'trivial' I would seriously consider using unlang to do this anyway eg
>>>
>>>     update reply {
>>>         Tunnel-Private-Group-ID = "%{sql:SELECT vlan from authtable where NAS='%{NAS-IP-Address}' and csi='%{Calling-Station-Id}'}"
>>>         Tunnel-Medium-Type = IEEE-802
>>>         Tunnel-Type = VLAN
>>>     }
>>>
>>> ..or such…
>>
>> looks neat, but getting the vlan associated with the switch and the calling station id isn't that simple. but I'll have a look anyway
>
> FWIW we use unlang and a simple stored procedure that returns a little blob:
>
>     vlan,something,somemore
>
> ...which we split using a regexp in the next unlang statement. This is also a handy place to check for an empty xlat result (which indicates failure of the SQL lookup) and do logging, and possibly set Do-Not-Respond to allow the other RADIUS server a chance to succeed the auth.
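Phil's pattern (a stored procedure returning "vlan,something,somemore", split by regexp, with an explicit empty-result branch) and Alex's earlier get_vlan_id(NAS-IP-Address, Calling-Station-Id) lookup with its banned_macs check can be put together in one worked decision function. The block below is an added example written for this page, not code from the thread, from the posters' databases or from FreeRADIUS. It models the "various back end tables" as a constructed in-memory SQLite schema (switches, clients, vlan_policy, banned_macs) with made-up rows, normalises the MAC the way UPPER(TRIM()) does while also tolerating the colon, dash and Cisco dot formats different switches send, runs every query with bound parameters rather than string interpolation, and returns the attributes an unlang update block would set: Auth-Type Reject plus Reply-Message for a banned MAC, Response-Packet-Type Do-Not-Respond when the lookup comes back empty, and either RFC 3580 Tunnel-* attributes or an RFC 4675 Egress-VLANID otherwise. The table and column names are assumptions; the attribute names and enum values are FreeRADIUS's own.

```python
"""VLAN assignment decision for MAC-auth clients (added example).

Constructed schema and rows; not the thread posters' database. Returns the
attribute updates an unlang block would apply, keyed by list (control/reply).
"""
import re
import sqlite3

UNTAGGED = 0x32  # RFC 4675 tag indicator; 0x31 would mean tagged


def normalise_mac(raw):
    """Lookup key: uppercase hex, no separators. Accepts 00:11:22:33:44:aa,
    00-11-22-33-44-AA and 0011.2233.44aa; anything else is rejected."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw.strip())
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return digits.upper()


def build_db():
    """Constructed stand-in for the 'various back end tables'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE banned_macs (mac_address TEXT PRIMARY KEY);
        CREATE TABLE switches    (nas_ip TEXT PRIMARY KEY, building TEXT);
        CREATE TABLE clients     (mac_address TEXT PRIMARY KEY, client_type TEXT);
        CREATE TABLE vlan_policy (building TEXT, client_type TEXT, vlan INTEGER,
                                  PRIMARY KEY (building, client_type));
    """)
    conn.executemany("INSERT INTO banned_macs VALUES (?)", [("DEADBEEF0001",)])
    conn.executemany("INSERT INTO switches VALUES (?, ?)",
                     [("10.0.0.1", "library"), ("10.0.0.2", "labs")])
    conn.executemany("INSERT INTO clients VALUES (?, ?)",
                     [("0011223344AA", "printer"), ("0011223344BB", "ipphone")])
    conn.executemany("INSERT INTO vlan_policy VALUES (?, ?, ?)",
                     [("library", "printer", 120), ("library", "ipphone", 301),
                      ("labs", "ipphone", 300)])
    return conn


def is_banned(conn, mac):
    """Equivalent of the SELECT count(*) FROM banned_macs check, parameterised."""
    row = conn.execute("SELECT count(*) FROM banned_macs WHERE mac_address = ?",
                       (normalise_mac(mac),)).fetchone()
    return row[0] > 0


def get_vlan_id(conn, nas_ip, mac):
    """Stand-in for the stored procedure: 'vlan,building,type', or '' when
    the switch, the client or the policy row is unknown (the empty xlat case)."""
    row = conn.execute("""
        SELECT p.vlan, s.building, c.client_type
          FROM switches s
          JOIN clients c     ON c.mac_address = ?
          JOIN vlan_policy p ON p.building = s.building
                            AND p.client_type = c.client_type
         WHERE s.nas_ip = ?""", (normalise_mac(mac), nas_ip)).fetchone()
    return "" if row is None else "%d,%s,%s" % row


BLOB_RE = re.compile(r"^(\d+),([^,]*),([^,]*)$")


def decide(conn, nas_ip, mac, use_rfc4675=False):
    """Return {'control': {...}} and/or {'reply': {...}} as unlang would set them."""
    if is_banned(conn, mac):
        return {"control": {"Auth-Type": "Reject"},
                "reply": {"Reply-Message": "quarantined, contact ITSO"}}
    m = BLOB_RE.match(get_vlan_id(conn, nas_ip, mac))
    if not m:
        # Empty or malformed result: log it and stay silent so the NAS's
        # other RADIUS server gets a chance, as the thread suggests.
        return {"control": {"Response-Packet-Type": "Do-Not-Respond"},
                "log": "no VLAN for %s on %s" % (normalise_mac(mac), nas_ip)}
    vlan = int(m.group(1))
    if use_rfc4675:
        reply = {"Egress-VLANID": (UNTAGGED << 24) | vlan}
    else:
        reply = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                 "Tunnel-Private-Group-ID": str(vlan)}
    return {"reply": reply}


if __name__ == "__main__":
    db = build_db()
    for nas, mac in (("10.0.0.1", "00:11:22:33:44:aa"), ("10.0.0.9", "00-11-22-33-44-BB"),
                     ("10.0.0.1", "de:ad:be:ef:00:01")):
        print(nas, mac, decide(db, nas, mac))
```

In the unlang version the `'%{Calling-Station-Id}'` inside `%{sql:...}` is escaped by rlm_sql according to its safe-characters setting before it reaches the database; the Python version gets the same protection by binding parameters, and the normalisation step means a MAC that arrives in a different separator style still hits the same row instead of silently missing and falling into the Do-Not-Respond branch.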
Re: perl examples
That's fine then, that's where I'm doing this

A

On 8 Apr 2013, at 15:49, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

Why auth and not post-auth?

I'm working on the basis that the stuff I do doesn't have anything to do with the actual auth process, in post-auth I'm doing things like setting session-timeouts. vlan assignments etc. based upon whether it's an access-request or an access-reject. Is there something wrong with that logic?

no. post-auth in the inner-tunnel is where we do it.

alan
autostarting fr on osx
Hi,

I'm running FR2.2 on my osX server at home. At the moment I'm just invoking it from the command line. Given that osx comes with FR 2.1.10 preinstalled ( supplied version disabled), what's the best way of auto starting the git built 2.2 version on os x? Replace /usr/sbin/radiusd with a symbolic link to /usr/local/sbin/radiusd or build a different launch daemon config for the new release.

Rgds
Alex
definitive info on authenticating to AD via NTLMv2
Hi,

I've been running ntlm_auth to authenticate our 802.1x users against AD for a number of months without problems…… until this morning when our Systems group tightened up auth requirements to only use NTLMv2. and my ntlm_auth module started failing

I'm running FR vsn 2.2 and samba Vsn 3.6.3

All the web stuff I've found doesn't seem to mention v2 at all. Back in the dim and distant past I got round the ntlm v2 issue when using OSC Radiator by proxying off auths to Radiator running on a windows machine bound to AD and using their AuthBy LSA authentication mechanism.

So, anything special I need to do to auth using ntlmv2? Can it be done? only reference I found was to have

client ntlmv2 auth = yes

in smb.conf

Rgds
Alex
Re: definitive info on authenticating to AD via NTLMv2
Phew!

o.k. many thanks for this phil. I'll probably have a bash at this but, as I've done it before, just setting up radiator as something that just says yes/no sounds a lot easier :-))

Rgds
Alex

On 26 Mar 2013, at 15:27, Phil Mayers p.may...@imperial.ac.uk wrote:

On 26/03/2013 15:09, Phil Mayers wrote:

On 26/03/2013 15:00, Phil Mayers wrote:

You should ask on the Samba lists - if a windows domain member can do it, there must be a newer API/RPC which Samba could implement.

In fact, a couple of minutes with google gives me this thread:

https://lists.samba.org/archive/samba/2012-March/166440.html

There is a magic flag that Samba needs to set on the RPC. It's unclear from the thread if that was ever patched into Samba, but if it was, it was after March 2012, so you'd need at least version after that.

I will see if I can find if it was implemented and when.

It doesn't look like this ever went in - there's no sign of the MSV1_0_ALLOW_MSVCHAPV2 flag in the latest Samba3 or Samba4 sources except in header def. files and flag/debug output.

As Andrew Bartlett pointed out, if you allow any MSCHAPv2 (NTLMv1) login you're effectively not enforcing NTLMv2, but I suppose you could argue the TLS surrounding PEAP make it ok.

If you want this working you'll need to download the Samba source and make the patch described in the thread - in ./source3/utils/ntlm_auth.c find the contact_winbind_auth_crap function, and add:

MSV1_0_ALLOW_MSVCHAPV2

...to the request.data.auth_crap.logon_parameters flags.

You might want to re-(re)-raise this on the Samba lists. It seems like it would be pretty easy to have a --allow-mschapv2 argument to ntlm_auth which sets this flag conditionally, and avoids the "we shouldn't set it all the time" issue.
Re: definitive info on authenticating to AD via NTLMv2
On 26 Mar 2013, at 15:00, Phil Mayers p.may...@imperial.ac.uk wrote:

On 26/03/2013 14:21, Alex Sharaz wrote:

Hi,

I've been running ntlm_auth to authenticate our 802.1x users against AD for a number of months without problems…… until this morning when our Systems group tightened up auth requirements to only use NTLMv2. and my ntlm_auth module started failing

As Alan says - you're hosed. They will need to rollback the change if you want Samba/ntlm_auth to continue working.

All the web stuff I've found doesn't seem to mention v2 at all. Back in the dim and distant past I got round the ntlm v2 issue when using OSC Radiator by proxying off auths to Radiator running on a windows machine bound to AD and using their AuthBy LSA authentication mechanism.

When you say windows machine, do you mean ordinary domain member as opposed to domain controller?

Yup. From the Radiator manual

This module provides authentication against user passwords in any Windows Active Directory or NT Domain Controller, by using the Windows LSA (Local Security Authority). Since it accesses LSA directly, it can authenticate dialup or wireless passwords with PAP, CHAP, MSCHAP, MSCHAPV2, LEAP and PEAP. AuthBy LSA is only available on Windows 2000, 2003, 2008 and XP. (Windows XP Home edition is not supported). It requires the Win32-Lsa perl module from Open System Consultants. Install the Win32-Lsa perl module using PPM and ActivePerl 5.6, 5.8, 5.10 or 5.12 like this:

ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd

To use AuthBy LSA, Radiator must be run on Windows as a user that has the ‘Act as part of the operating system’ security policy (SE_TCB_PRIVILEGE) enabled. This is not possible with Windows XP Home edition.

Hint: Users can only be authenticated with AuthBy LSA if they have the ’Access this computer from the network’ security policy enabled (this is the normal configuration for Windows Domains).

AuthBy LSA honours the Logon Hours, Workstation Restrictions and ‘Account is Disabled’ flags in user accounts.

Hint: CHAP passwords can only be authenticated if the user has the ‘Store password using reversible encryption’ option enabled in their Windows Account.

Hint: See goodies/lsa.cfg and goodies/lsa_eap_peap.cfg for examples on how to configure Radiator to authenticate PAP, CHAP, MSCHAP, MSCHAPV2, LEAP and PEAP against Windows user passwords.

Hint: If you are running Radiator on unix or Linux, and wish to authenticate to Windows Active Directory or to a Windows Domain Controller, see “AuthBy NTLM” on page 223.

I ran a 2 tier radius service. Tier1 ran radiator on linux with a back end mysql databases. All 802.1x and macauth stuff ran against mysql. Visiting eduroam users got proxied off to a part of eduroam front ends that proxied them off to remote home sites and processed inbound local user auths. When I started rolling out dot1x for our staff/student images I just added another proxy server with radiator that ran on a windows box and passed back an Access-Accept/Access-Reject response to the tier 1 radius servers.

If so, this is interesting. It suggests that MSCHAP can still be checked with NTLMv2 enforced, just not via whatever API Samba/ntlm_auth uses.

You should ask on the Samba lists - if a windows domain member can do it, there must be a newer API/RPC which Samba could implement.

It is possible, though unlikely IMO, that one of the other ntlm_auth modes, such as

--helper-protocol=ntlm-server-1

...use different RPCs, and may work. If you can, try and get a valid challenge/response pair, and then drive ntlm_auth using the ntlm-server-1 protocol (see man ntlm_auth). If that works, it would be possible in theory to use a wrapper script.

But IIRC, it's the same code path, so Samba fixes will be needed.

The other option (yuck) is to run NPS (or Radiator) on a Windows server, and proxy your MSCHAP to that.

But if other RADIUS servers have the ability to work with NTLMv2 enforced, it would be nice to get it with FR too.
Re: definitive info on authenticating to AD via NTLMv2
On 26 Mar 2013, at 15:47, Alan DeKok al...@deployingradius.com wrote:

Alex Sharaz wrote:

o.k. many thanks for this phil. I'll probably have a bash at this but, as I've done it before, just setting up radiator as something that just says yes/no sounds a lot easier :-))

I doubt it.

Actually I found the way Radiator worked simpler than getting to grips with FreeRadius, but then again that's probably because it was the 1st one I tried :-)) . Running Radiator just to auth users against AD and send back an access-accept/access-reject packet was fairly simple once you set up ActivePerl.

The problem is with AD, not with any RADIUS server. And that the ntlmv2 protocol is *completely* different than the ntlmv1 protocol.

o.k. fair enough.

Don't blame the messenger. FreeRADIUS is the victim of the changed AD policies, and the limitations of ntlmv2. Switching to another RADIUS server won't help. Unless it's NPS, which uses the AD replication protocols to bypass ntlm entirely.

Well, I was running Radiator for a couple of years authenticating users against AD. ( sent out a snippet from the Radiator manual in another message) so I guess it wasn't using ntlm. but, from the point of view of getting the job done, it did work.

Rgds
Alex

Alan DeKok.
Re: radius.log on DB
In the past I've tail'd a log file ( this was for squid and not freeradius) and piped that into a perl script that would then write things into a database but it's a lot easier using syslog talking to an rsyslog back end database that writes things into a database for you.

Rgds
alex

On 25 Mar 2013, at 10:45, AemNet sysadmin-aem...@aemnet.it wrote:

On 25/03/2013 11:05, Olivier Beytrison wrote:

This is not possible directly from freeradius. What you can do, is tell FreeRadius to log to your syslog deamon (like syslog-ng) and then tell syslog-ng to write the log within an INSERT statement for your database. Then you can send this to your database.

Those two links might help you :
http://wiki.freeradius.org/guide/Syslog-HOWTO
http://vermeer.org/docs/1

But this is beyond the scope of the freeradius list

Olivier

Thank you for the answer and for the links Olivier, but I prefer don't use the syslog system if it's possible. Do you think it's possible instead to use a script (perl/bash anything else) after the request arrive and put it in a DB?
string up CUI for visiting eduroam users
Hi,

i'm in the process of setting up cui for visitors here and for york user visiting other institutions.

In the case of visiting eduroam users to our site, on an internal RADIUS server I've got

pre-proxy {
    if (Packet-Type == Access-Request) {
        cui_authorize
        # update request {
        #     Chargeable-User-Identity := '\\000'
        # }
    }
    pre_proxy_log
}

working on the basis that we'll be proxying off the auth request to another site. I'm then assuming that in the response from the home server somewhere else on the planet there'll be a non null CUI attribute which I can get at in the post proxy clause. I also want to put the info into the cui table that i've created in my back end mysql database. I thought I'd be able to do

post-proxy {
    #
    # Visiting eduroam users using our wireless.
    #
    # If we've got a CUI coming back in the Access-Accept packet, do something with it
    #
    cui_updatedb
    #
}

However, If I do a radiusd -X -d /etc/freeradius to check it, I get

/etc/freeradius/policy.conf[185]: SQL modules aren't allowed in 'post-proxy' sections -- they have no such method.
/etc/freeradius/policy.conf[185]: Failed to parse cui entry.
/etc/freeradius/policy.conf[184]: Failed to parse if subsection.
/etc/freeradius/sites-enabled/default[492]: Errors parsing post-proxy section.

At which point can I get hold of the returning CUI data and put it into a database.

Rgds
Alex
Re: string up CUI for visiting eduroam users
Sigh! Should have thought of that. Thanks, moved cui config to post-auth and it's up and running now

Rgds
Alex

On 19 Mar 2013, at 10:24, Scott Armitage s.p.armit...@lboro.ac.uk wrote:

On 19 Mar 2013, at 10:11, Alex Sharaz alex.sha...@york.ac.uk wrote:

Hi,

working on the basis that we'll be proxying off the auth request to another site. I'm then assuming that in the response from the home server somewhere else on the planet there'll be a non null CUI attribute which I can get at in the post proxy clause. I also want to put the info into the cui table that i've created in my back end mysql database. I thought I'd be able to do

post-proxy {
    #
    # Visiting eduroam users using our wireless.
    #
    # If we've got a CUI coming back in the Access-Accept packet, do something with it
    #
    cui_updatedb
    #
}

However, If I do a radiusd -X -d /etc/freeradius to check it, I get

/etc/freeradius/policy.conf[185]: SQL modules aren't allowed in 'post-proxy' sections -- they have no such method.
/etc/freeradius/policy.conf[185]: Failed to parse cui entry.
/etc/freeradius/policy.conf[184]: Failed to parse if subsection.
/etc/freeradius/sites-enabled/default[492]: Errors parsing post-proxy section.

At which point can I get hold of the returning CUI data and put it into a database.

Why not record the CUI in the post-auth section?

Regards
Scott
Re: post-auth not being entered in inner-tunnel
so is that done as in post-auth in the inner-tunnel now works?

Rgds
Alex

On 13 Mar 2013, at 20:14, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

On 13 Mar 2013, at 13:19, Matthew Newton m...@leicester.ac.uk wrote:

On Wed, Mar 13, 2013 at 12:58:15PM -0400, Arran Cudbard-Bell wrote:

00cadac7 Defines the function rad_virtual_server, but doesn't call it from anywhere. Where should that be called? Was there another commit?

Grr, fatfinger paste bug :)

I'd suggest that either a00c4432 needs backing out, or 00cadac7 and need backporting as well.

should have read:

I'd suggest that either a00c4432 needs backing out, or 00cadac7 and c625bf173 need backporting as well.

There are three commits in series that all go together.

Ok done. Most of it just came over cleanly.

-Arran
Re: post-auth not being entered in inner-tunnel
Yup works just fine thanks

Rgds
Alex

On 14 Mar 2013, at 14:22, Matthew Newton m...@leicester.ac.uk wrote:

On Thu, Mar 14, 2013 at 10:10:28AM +, Phil Mayers wrote:

On 03/14/2013 09:36 AM, Alex Sharaz wrote:

so is that done as in post-auth in the inner-tunnel now works?

Should be. Please git pull and recompile and confirm.

It should fully work now. Previously, inner-tunnel post-auth reject was skipped, so inner post-auth was only called for success.

Some confirmation would be useful - I haven't got time to check right now.

Cheers,
Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Anyone implementing CUI on eduroam?
Any UK eduroam free radius sites out there implementing CUI that I could talk to/test out my configs with?

Rgds
Alex
Re: Anyone implementing CUI on eduroam?
Just like to talk through what I've got here and, if possible use a test account at your site to check that

a). I'm sending out the right stuff
b). saving your generated cui in the right place.

Rgds
Alex

On 14 Mar 2013, at 17:14, Scott Armitage s.p.armit...@lboro.ac.uk wrote:

On 14 Mar 2013, at 17:01, Alex Sharaz alex.sha...@york.ac.uk wrote:

Any UK eduroam free radius sites out there implementing CUI that I could talk to/test out my configs with?

I have at Loughborough. What would you like to know?

Regards
Scott
post-auth not being entered in inner-tunnel
Hi,

I've got a number of FR 2.2.0 servers that invoke sql_log in the inner-tunnel post-auth in order to write user-name some other attributes into a back end mysql database server and it all works. If I've got non-eap requests coming in , the default site deals with it. If I've got eap-based requests coming in the inner-tunnel deals with them.

About a week ago I downloaded the latest 2.2 code from git.freeradius, built that and upgraded one of my FR2.2 servers. Since then I can't see an invocation of post-auth within the inner-tunnel. I can see it for the default site but not the inner-tunnel. Everything else seems to work but not that. Same hardware platform, same config files just different FR code.

I've generated two radius -X dumps, vsn220.log and vsn221.log on my test server. The only raw client accessing this server is the switch my mac is sitting on configured to do macauth and 802.1x on my ethernet port. By simply disconnecting and reconnecting my mac I've generated a macauth followed by an 802.1x auth. In both files you can see post-auth being invoked for the default site. but only the vsn220.log file has a corresponding post-auth for the inner-tunnel.

It may be that there's something else I've configured wrong that is only showing up in vsn 2.2.1 (ish). Should I be sending these traces to the free radius list or is there another address I can email them to

Rgds
Alex
Child is hung for request … message
Hi,

I've just downloaded,compiled and installed the latest version of 2.2 (2.2.1?) from git.freeradius.org. Installed it on an internal server and things seemed to work o.k. I then upgraded another server that deals with our external ( eduroam) connectivity and within a few mins am seeing

Thu Mar 7 10:25:58 2013 : Error: WARNING: Unresponsive child for request 16, in component core module thread
Thu Mar 7 10:25:59 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:26:00 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:26:03 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:26:06 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:26:11 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:26:16 2013 : Auth: Login OK: [lw0...@leeds.ac.uk] (from client nasaaa2 port 0 cli 40-A6-D9-B9-A8-A6)
Thu Mar 7 10:26:19 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:26:26 2013 : Auth: Login OK: [zszz5...@kclad.ds.kcl.ac.uk] (from client nasaaa2 port 0 cli 58-1F-AA-53-87-B4)
Thu Mar 7 10:26:30 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:26:47 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:27:13 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:27:29 2013 : Auth: Login OK: [nag...@york.ac.uk] (from client systems0 port 0)
Thu Mar 7 10:27:51 2013 : Info: WARNING: Child is hung for request 16 in component core module thread.
Thu Mar 7 10:28:18 2013 : Error: Discarding duplicate request from client nasaaa2 port 1814 - ID: 255 due to unfinished request 88
Thu Mar 7 10:28:24 2013 : Error: Discarding duplicate request from client nasaaa2 port 1814 - ID: 255 due to unfinished request 88
Thu Mar 7 10:29:04 2013 : Error: WARNING: Unresponsive child for request 88, in component core module thread
Thu Mar 7 10:29:05 2013 : Info: WARNING: Child is hung for request 88 in component core module thread.
Thu Mar 7 10:29:06 2013 : Info: WARNING: Child is hung for request 88 in component core module thread.
Thu Mar 7 10:29:08 2013 : Info: WARNING: Child is hung for request 88 in component core module thread.
Thu Mar 7 10:29:12 2013 : Info: WARNING: Child is hung for request 88 in component core module thread.
Thu Mar 7 10:29:17 2013 : Info: WARNING: Child is hung for request 88 in component core module thread.
Thu Mar 7 10:29:25 2013 : Info: WARNING: Child is hung for request 88 in component core module thread.
Thu Mar 7 10:29:36 2013 : Info: WARNING: Child is hung for request 88 in component core module thread.

The server is basically proxying off auth requests to remote RADIUS servers. Is the above just telling me that the other end is taking a while to reply or is there some underlying issue?

Rgds
A
Re: Child is hung for request … message
Thought you might say that. Running FR in debug mode now

A

On 7 Mar 2013, at 11:18, Olivier Beytrison oliv...@heliosnet.org wrote:

On 07.03.2013 11:32, Alex Sharaz wrote:

Hi,

I've just downloaded,compiled and installed the latest version of 2.2 (2.2.1?) from git.freeradius.org. Installed it on an internal server and things seemed to work o.k. I then upgraded another server that deals with our external ( eduroam) connectivity and within a few mins am seeing

The server is basically proxying off auth requests to remote RADIUS servers. Is the above just telling me that the other end is taking a while to reply or is there some underlying issue?

Without a debug output it's hard to tell. Please send freeradius -X output.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: Child is hung for request … message
On 7 Mar 2013, at 11:36, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

The server is basically proxying off auth requests to remote RADIUS servers. Is the above just telling me that the other end is taking a while to reply or is there some underlying issue?

what is your retry time set to on the NAS kit? If your kit is expecting a reply in eg 3 seconds...well, a reply from a remote site may take longer. are you using status-server ? I would advise status-server usage in the first instance to ensure that your RADIUS server knows the remote RADIUS is okay and not the issue.

Yup I'm using status server. in local-config/nrps.conf I've now got

server_pool eduroam {
    home_server = eduroam1
    home_server = eduroam2
    home_server = eduroam0
    type = client-port-balance
}

and

home_server eduroam0 {
    ipaddr = ${eduroam_config.server0}
    #ipv6addr = ${eduroam_config.server0}
    secret = ${eduroam_config.secret0}
    port = 1812
    type = auth+acct
    require_message_authenticator = yes
    nostrip
    response_window = 5
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    ……...
}

Rgds
Alex

alan
Re: Child is hung for request … message
On 7 Mar 2013, at 12:15, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

response_window = 5

thats a little low. the default provided with FreeRADIUS is 20 IIRC - and you need to ensure that theres correlation with the NAS

o.k can't remember where I got that value, suspect it was from a google of an email

Thanks
A

alan
Re: Any interoperability issues with Aruba and Freeradius
Thanks for this one Alan, fixes one of my outstanding issues

Rgds
Alex

Sent from my iPhone

On 8 Feb 2013, at 17:59, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

* there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part.

stick something like this into your 'inner-tunnel authorize section:

# Workaround for EAP-TTLS MsCHAPv2, not adding outer.reply attributes
# If we use both methods we get duplicate User-Name attributes.
#
if (("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) {
    update reply {
        User-Name := "%{User-Name}"
    }
}

alan
Issues with Freeradius crashing after a sighup
Hi all,

I've inherited a pair of Freeradius servers running Vsn 2.10 and have built a new server around the 2.2 source code. All of these servers exhibit the same problem in that after a SIGHUP to reload their configuration files they sometimes crash.

Firstly the 2.1 servers

We have 2 of them configured to support our wired and wireless auth user base. Each server has a primary auth function ( wired or wireless) and acts as a backup for the other server) These are running on an old Debian OS and make use of the Freeradius versions available through the apt-get package manager. Configuration wise everything uses password files and all logs are written to a local hard disk. We don't use SQL or AD or any other systems in the authentication or accounting process. password files are updated every 15 mins and are followed by a service freeradius reload command to bring them on line. At least once a day the freeradius daemon will crash just after the reload command. The normal logfiles (see below) just show the following with no indication of why the process crashed. Crashes happen randomly on both servers, although the server handling the wireless network crashes more frequently than the one handling the wired network.

Fri Feb 8 00:05:03 2013 : Info: HUP - loading modules
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module attr_filter.post-proxy
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module attr_filter.pre-proxy
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module attr_filter.access_reject
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module attr_filter.accounting_response
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module pap
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module files
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module accounting_log
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module auth_log
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module reply_log
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module pre_proxy_log
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module post_proxy_log
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module york_passwd
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module landb_device_info
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module switch_vlan_info
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module sql_log
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module suffix
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module mschap
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module mschap_default
Fri Feb 8 00:05:03 2013 : Info: Module: Reloaded module detail
Fri Feb 8 00:05:03 2013 : Info: Loaded virtual server default
Fri Feb 8 00:05:03 2013 : Info: Loaded virtual server inner-tunnel
Fri Feb 8 00:05:03 2013 : Info: Loaded virtual server eduroam

Freeradius version 2.2 - wireless server

The 2.2 server was compiled from source on an Ubuntu 12.04 LTS VmWare server and has a slightly different configuration. Configuration files are used for MAC based authentication and for some standard users such as the university of york eduroam health check test account. For 802.1x authentication I use a back end AD system and authenticate all our real users against AD. Configuration files for MAC based authentication RADIUS clients and test users are generated once a day and the system is reloaded at midnight every day. The configuration used on this server is based upon the template one provided by UKERNA for their UK eduroam user base. This server can run for a couple of weeks before it crashes.

I know I should run the daemon with the -X option and dump the output to a file, but given the random nature of these crashes, I'm not sure I'll have enough disk space to just run in debug mode and collect all the logs.

Anyone else seen server crashes on a reload?

Rgds
Alex
Any interoperability issues with Aruba and Freeradius
Hi All,

I'm sure the answer to this is nope, but ...

At a recent Aruba training course in amongst the documentation supplied to us were a couple of presentation slides showing different types of eap authentication against recommended RADIUS servers for use with Aruba equipment (Just to be sure the slide heading said Aruba RADIUS Compatibility). The surprising bit was the fact that there was a No against Freeradius/TTLS (MD5,TLS,PEAP,LEAP,FAST all were yes) and a comment that said Freeradius also supports TTLS.

Now it may well be that the slide is a bit old and just hasn't been updated but it does beg the question have any people using Freeradius with Aruba kit experienced any funnies that needed a specific set of tweaking for Aruba? I really can't imagine that it would be the case, but just thought I'd check.

Rgds
Alex
Re: Freeradius-Users Digest, Vol 94, Issue 19
1st response

On 8 Feb 2013, at 16:09, freeradius-users-requ...@lists.freeradius.org wrote:

Today's Topics:

1. Re: Issues with Freeradius crashing after a sighup (Alan DeKok)
2. RE: [EAP/TLS] Authenfication through a certificate (vazoumana fofana)
3. Re: Session-Timeout anomalies (Bill Isaacs)
4. Re: Session-Timeout anomalies (Alan DeKok)
5. Any interoperability issues with Aruba and Freeradius (Alex Sharaz)
6. Re: MAc-Auth with EAP (Tunde Ogedengbe)

--
Message: 1
Date: Fri, 08 Feb 2013 10:10:05 -0500
From: Alan DeKok al...@deployingradius.com
Subject: Re: Issues with Freeradius crashing after a sighup

Alex Sharaz wrote:

Firstly the 2.1 servers

<shrug> Upgrade.

password files are updated every 15 mins and are followed by a service freeradius reload command to bring them on line.

See the changelog for 2.2.0. The passwd module had issues with older versions of the server.

You can also reload individual modules. That will be less likely to have issues. i.e.

$ radmin -e hup passwd

Anyone else seen server crashes on a reload?

Unfortunately I've seen this before. I haven't seen enough information to track it down and fix it, though.

Alan DeKok.
--
Message: 2
Date: Fri, 8 Feb 2013 15:24:53 +
From: vazoumana fofana zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org freeradius-users@lists.freeradius.org
Subject: RE: [EAP/TLS] Authentication through a certificate
Message-ID: snt137-w406d40d7e02d3b5d51a487d2...@phx.gbl
Content-Type: text/plain; charset=iso-8859-1

I begin setting up the configuration, but I got two problems:

Clients with a good certificate can be authenticated even if they're not in the users file. I assume it's due to my code. Here is what is under the authenticate section of default:

Auth-Type eap {
	eap
	if ("%{TLS-Client-Cert-Subject}" =~ /\/\//) {
		if ("%{TLS-Client-Cert-Subject}" =~ /\/xxx\//) {
			ok
		}
		else {
			fail
		}
	}
}

It's like when the condition is checked, it bypasses the users file. Maybe I must move these lines under authorize? Anyone to confirm it?

Cheers

Date: Mon, 4 Feb 2013 10:32:22 -0500
From: al...@deployingradius.com
To: freeradius-users@lists.freeradius.org
Subject: Re: [EAP/TLS] Authentication through a certificate

vazoumana fofana wrote:
I've got a question about EAP/TLS and authentication for a client through a certificate. I succeeded in setting it up. But I notice that freeradius matches the client login with the certificate CNAME. Is it possible to change it in order to match the email instead of the CNAME?

Yes. Read the eap.conf file, and the raddb/sites-available/default. This is documented.

Alan DeKok.
--
Message: 3
Date: Fri, 08 Feb 2013 09:35:59 -0600
From: Bill Isaacs bill.isa...@island-wifi.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Session-Timeout anomalies
Message-ID: 51151b5f.6060...@island-wifi.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Ok so the question then is: where the hell is radclient getting the notion that the account has 2366393 seconds left?

That is *entirely* the wrong question. It's why you haven't solved the problem yet.

Look at the *radius server* debug output. It's the one sending the Session-Timeout. You should be able to figure out where the session-timeout is coming from.

Where is Session-Timeout getting this information? Why is it only doing it on some accounts and not others?

Look at the debug output. Honestly. We say this DAILY on this list
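For Message 2 above (matching an EAP-TLS client on its e-mail address instead of its CN), here is an added Python model of that policy. It is example code written for this page, not unlang from the thread and not FreeRADIUS code. It assumes TLS-Client-Cert-Subject holds OpenSSL's one-line "/C=../CN=../emailAddress=.." subject form (an assumption, as are all the sample subjects and identities below), and a set of known identities stands in for the users file. subject_regex_matches reproduces the post's idea of a regex run over the whole subject string so the two approaches can be compared side by side.

```python
"""Added example: decide an EAP-TLS client's fate from its certificate subject.

Plain-Python model of the policy discussed on the list (not unlang): compare the
certificate's emailAddress, rather than its CN, with the identity the client
presented and with the users we actually know about.
"""
import re

# Split on '/' unless it is escaped as '\/' inside an RDN value.
SUBJECT_SPLIT = re.compile(r"(?<!\\)/")


def parse_subject(subject: str) -> dict:
    """Parse an OpenSSL one-line subject such as
    '/C=FR/O=Example/CN=alice/emailAddress=alice@example.org'
    into {rdn_type: [values]}; a type may repeat (e.g. several OUs)."""
    if not subject.startswith("/"):
        raise ValueError("expected an OpenSSL one-line subject starting with '/'")
    rdns = {}
    for part in SUBJECT_SPLIT.split(subject[1:]):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        rdn_type, value = part.split("=", 1)
        rdns.setdefault(rdn_type, []).append(value.replace("\\/", "/"))
    return rdns


def subject_regex_matches(subject: str, needle: str) -> bool:
    """The loose style of check from the post: a regex over the whole subject
    string.  True whenever the text occurs in ANY RDN, an OU included."""
    return re.search(re.escape(needle), subject) is not None


def certificate_decision(subject: str, presented_identity: str,
                         known_identities: set, field: str = "emailAddress"):
    """Return ('ok', reason) or ('reject', reason).

    The certificate must carry exactly one <field>, it must equal the identity
    the client presented, and that identity must exist in our user store (the
    'users file' of the post).  Exact, case-folded comparison; no substrings.
    """
    values = parse_subject(subject).get(field, [])
    if len(values) != 1:
        return "reject", "certificate carries %d %s values, expected exactly one" % (len(values), field)
    cert_identity = values[0].lower()
    if cert_identity != presented_identity.lower():
        return "reject", "%s in certificate does not match the presented identity" % field
    if cert_identity not in {k.lower() for k in known_identities}:
        return "reject", "identity is not in the user store"
    return "ok", "%s matches the presented identity and a known user" % field


if __name__ == "__main__":
    # Constructed sample subjects; no real certificates are involved.
    good = "/C=FR/O=Example/CN=alice/emailAddress=alice@example.org"
    odd = "/C=FR/O=Example/OU=alice@example.org/CN=mallory/emailAddress=mallory@example.org"
    users = {"alice@example.org"}
    print(certificate_decision(good, "alice@example.org", users))   # ('ok', ...)
    print(subject_regex_matches(odd, "alice@example.org"))          # True, matched the OU
    print(certificate_decision(odd, "alice@example.org", users))    # ('reject', ...)
```

The point a reviewer would raise about the post's check is visible in the last two lines: a regex over the whole subject string is true wherever the text occurs, while comparing one named RDN against the presented identity and the user store decides on the field you actually mean, whatever the CA puts into the other RDNs.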
regarding radius crashing on sigHUP
Alex Sharaz wrote:
Anyone else seen server crashes on a reload?

Unfortunately I've seen this before. I haven't seen enough information to track it down and fix it, though.

| One workaround is to just do a restart instead of a reload. It's
| not likely to make much of a difference. :-)

that's what I ended up doing

Rgds
A
Re: Any interoperability issues with Aruba and Freeradius
Aruba now say they only support eap-tls and eap-peap when you offload eap onto their mobility controllers.

Rgds
Alex

On 8 Feb 2013, at 16:46, freeradius-users-requ...@lists.freeradius.org wrote:

Re: Any interoperability issues with Aruba and Freeradius
Re: Issues with Freeradius crashing after a sighup
| See the changelog for 2.2.0. The passwd module had issues with
| older versions of the server.
|
| You can also reload individual modules. That will be less likely to
| have issues. i.e.
|
| $ radmin -e hup passwd
|

And from the control-socket code:

#
#  Control socket interface.
#
#  HIGHLY experimental!  It should NOT be used in production
#  environments.
#

The servers are in a production environment. I'd really like to try just reloading the passwd module to see if it makes any difference to the server stability, but not at the detriment to any security type issues.

A
Re: Any interoperability issues with Aruba and Freeradius
I have to say that in their defence, the EAP offloading is switched off by default and you do actually have to switch it on.

A

On 8 Feb 2013, at 17:27, Alan DeKok al...@deployingradius.com wrote:

Alex Sharaz wrote:
Aruba now say they only support eap-tls and eap-peap when you offload eap onto their mobility controllers.

That is a stupid response from them. If they follow the specs, they should pass EAP straight through to the RADIUS server. If they do anything else, they are *intentionally* breaking inter-operability. So you're forced to buy their crappy RADIUS server.

All of the other WiFi vendors can get EAP to work. If Aruba can't, it's because (a) they're incompetent, or (b) being rude about it.

Alan DeKok.
Re: Any interoperability issues with Aruba and Freeradius
* there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part.

I've got a strange thing here as well. In the inner-tunnel config there's a commented option that says "uncomment this if you want to pass back the inner user-name attribute to the outer level". I uncommented this on my 2.2 server and tested that things worked o.k. using windoze, os/x and iOS clients manually configured. I then used the test utility from wpa-supplicant to try different combinations of inner/outer user-names, and that worked as well. Imagine my surprise when I connected with my iPhone, which was configured using our XpressConnect setup, and it failed, telling me that I had an identity mismatch. When I commented out the config option again, my iPhone started working again.

Interestingly enough, even without that option uncommented, the User-Name appears in the outgoing Access-Accept packet. Haven't looked to see why yet, got other issues.

Rgds
Alex
Re: Issues with Freeradius crashing after a sighup
Think I just had a senior moment. The server runs 2.2 code compiled from source, but I copied all the configs over from the UKERNA freeradius sample and then amended them to run against our AD service. The UKERNA control-socket config does have the text.

My fault

Rgds
Alex

On 8 Feb 2013, at 17:31, Alan DeKok al...@deployingradius.com wrote:

Alex Sharaz wrote:
And from the control-socket code

In older versions of the software. Version 2.2.0 does *not* have that text.

The servers are in a production environment. I'd really like to try just reloading the passwd module to see if it makes any difference to the server stability but not at the detriment to any security type issues

There are no security issues with using the control socket.

Alan DeKok.
Freeradius with ldap
I'm in trouble and I think that freeradius is, can anyone help me, I configured the ldap group and created a wireless and want only the users of this group to access my wifi network?

--
SSHA512
Hi

Are there any plans to support SSHA512 with the 4000-ish folds etc., as this is pretty much the default for most linux distros these days?

Thanks
JH
Freeradius 2 with Samba authentication
Good morning, can you authenticate the user and password of Samba in freeradius?

Marlos
Re: Freeradius 2 with MSCHAPv2 using system user
Alan thanks, I'll try to see with mysql.

Marlos

On 22/03/2012 12:09, Alan Buxey wrote:
Hi,

Really? Does freebsd store passwords as cleartext or nt-hash? Otherwise I can't imagine how mschapv2 will work with system users.

ah yes - sorry, didn't see that small phrase - system users would be a pain WHATEVER os you use as they'll be crypted in some way. the basic stuff will all be fine though

alan
Freeradius 2 with MSCHAPv2 using system user
Hello everyone

I am new to the list and never worked with freeradius. I need to implement in my wireless network authentication using MSCHAPv2 with system users; has anyone done this?

using:
- Freebsd 8
- Freeradius 2

Marlos
RE: setup freeradius to generating COA
Hi,

I have setup the 'coa' virtual server and enabled it. Freeradius is not listening on port 3799. However, I was wondering how can I make Freeradius originate a COA message?

When using the following example, Freeradius simply replied back with a CoA-NAK message.

echo Cisco-Account-Info='S10.1.1.1:2813',Cisco-Command-Code='\004 ' | /usr/local/bin/radclient -x 10.10.10.1 coa testing123

What I am looking for is how to make Freeradius originate a COA message using radclient or radtest.

Thanks,
ASM

Date: Mon, 17 Oct 2011 16:01:21 +0100
From: a.l.m.bu...@lboro.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: setup freeradius to generating COA

Hi,

look in sites-available, read the 'coa' virtual server, enable it (link it from sites-enabled or copy) - then run the server. CoA, by default, is on port 3799 ...

alan
RE: setup freeradius to generating COA
Hi,

FreeRadius is not originating a COA message due to the following error in the debug:

rad_recv: Access-Request packet from host 10.10.10.1 port 35664, id=254, length=43
	User-Name = test
	User-Password = abc123
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Sending Access-Accept of id 254 to 10.10.10.1 port 35664
WARNING: Unknown destination 10.10.10.1:3799 for CoA request.
Do CoA Fail handler here

Is there any place I need to configure the COA destination?

Thanks,
ASM

Date: Wed, 19 Oct 2011 16:46:33 +0200
From: al...@deployingradius.com
To: freeradius-users@lists.freeradius.org
Subject: Re: setup freeradius to generating COA

Alex rsm wrote:
I have setup the 'coa' virtual server and enabled it. Freeradius is not listening on port 3799. However, I was wondering how can I make Freeradius originate a COA message?

raddb/sites-available/originate-coa

When using the following example, Freeradius simply replied back with a CoA-NAK message.

echo Cisco-Account-Info='S10.1.1.1:2813',Cisco-Command-Code='\004 ' | /usr/local/bin/radclient -x 10.10.10.1 coa testing123

What I am looking for is how to make Freeradius originate a COA message using radclient or radtest.

This is documented. You don't need radclient.

Alan DeKok.
RE: setup freeradius to generating COA
Yes, I read it and followed the instructions: added an update coa statement in my default config.

update coa {
	User-Name = "%{User-Name}"
	Acct-Session-Id = "%{Acct-Session-Id}"
	NAS-IP-Address = "%{NAS-IP-Address}"
}

Based on the following docs, it should send COA to my NAS-IP but it doesn't:

#  The default destination of a CoA packet is the NAS (or client)
#  the sent the original Access-Request or Accounting-Request.  See
#  raddb/clients.conf for a coa_server configuration that ties
#  a client to a specific home server, or to a home server pool.

Date: Wed, 19 Oct 2011 22:42:38 +0200
From: al...@deployingradius.com
To: freeradius-users@lists.freeradius.org
Subject: Re: setup freeradius to generating COA

Alex rsm wrote:
FreeRadius is not originating a COA message due to the following error in the debug:

rad_recv: Access-Request packet from host 10.10.10.1 port 35664, id=254, length=43
	User-Name = test
	User-Password = abc123
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Sending Access-Accept of id 254 to 10.10.10.1 port 35664
WARNING: Unknown destination 10.10.10.1:3799 for CoA request.
Do CoA Fail handler here

Is there any place I need to configure the COA destination?

Yes. Read raddb/sites-available/originate-coa

This is documented. I said that in my previous message. Did you read it? If you did, you already know how to solve the problem. If you didn't read it, you're being rude by ignoring the people who try to help you.

Alan DeKok.
setup freeradius to generating COA
Hi,

I am trying to setup freeradius to generate COA after receiving Access-Request packets. Is there any document on how to configure this setting?

It seems I am sending the Accounting packet to the authorization port. After sending ...

echo User-Name=test,User-Password=abc123 | /usr/local/bin/radclient -x localhost:11812 coa testing1234

I got the following debug log:

Listening on authentication address * port 11812
Listening on accounting address * port 11813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 11814
Ready to process requests.
Invalid packet code 43 sent to authentication port from client localhost port 34917 : IGNORED
Ready to process requests.
Invalid packet code 43 sent to authentication port from client localhost port 34917 : IGNORED
Ready to process requests.
Invalid packet code 43 sent to authentication port from client localhost port 34917 : IGNORED
Ready to process requests.

Thanks,
ASM
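The three debug excerpts in this thread (code 43 ignored on the authentication port, the CoA-NAK from the NAS, and "Unknown destination ... for CoA request") all concern one packet type. Here is an added Python walk-through of a CoA-Request and the CoA-ACK/NAK it gets back, written for this page and not taken from FreeRADIUS or radclient. It follows RFC 5176 for the Request Authenticator, Response Authenticator and Message-Authenticator computations; the shared secret, identifier, NAS address and session id are constructed sample values.

```python
"""Added example: a minimal RADIUS CoA-Request / CoA-ACK / CoA-NAK exchange.

Shows what 'code 43' is, why an authentication listener ignores it, and how
both ends authenticate the exchange (RFC 5176).  Not FreeRADIUS's own code.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
DISCONNECT_REQUEST, COA_REQUEST, COA_ACK, COA_NAK = 40, 43, 44, 45
COA_PORT = 3799                          # default CoA/Disconnect listener port
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
SESSION_CONTEXT_NOT_FOUND = 503          # Error-Cause carried in the NAK

# Codes each listener type handles: code 43 on the 'auth' port is what produced
# 'Invalid packet code 43 sent to authentication port ... IGNORED' in the log.
LISTENER_CODES = {"auth": {ACCESS_REQUEST}, "acct": {ACCOUNTING_REQUEST},
                  "coa": {DISCONNECT_REQUEST, COA_REQUEST}}


def listener_accepts(listener: str, code: int) -> bool:
    return code in LISTENER_CODES.get(listener, set())


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(body: bytes) -> list:
    """[(offset, type, value)] for every attribute in a packet body."""
    out, pos = [], 0
    while pos < len(body):
        attr_type, length = struct.unpack_from("!BB", body, pos)
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((pos, attr_type, body[pos + 2:pos + length]))
        pos += length
    return out


def build_coa_request(secret: bytes, ident: int, attrs: list) -> bytes:
    """Message-Authenticator = HMAC-MD5 over the packet with a zeroed
    Authenticator field; then Request Authenticator = MD5(packet with zeroed
    Authenticator || secret)."""
    body = b"".join(avp(t, v) for t, v in attrs) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    msg_auth = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + msg_auth             # Message-Authenticator is the last AVP
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_coa_request(secret: bytes, pkt: bytes):
    """Receiver-side checks; returns (True, 'ok') or (False, reason)."""
    if len(pkt) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != COA_REQUEST:
        return False, "code %d is not CoA-Request" % code
    if length != len(pkt):
        return False, "length field does not match packet"
    header, authenticator, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return False, "bad Request Authenticator (wrong secret or tampered)"
    found = [(off, v) for off, t, v in parse_avps(body) if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return False, "Message-Authenticator missing"
    off, value = found[0]
    zeroed = body[:off + 2] + bytes(16) + body[off + 18:]
    expected_ma = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected_ma, value):
        return False, "bad Message-Authenticator"
    return True, "ok"


def coa_response(secret: bytes, request: bytes, code: int, attrs: list) -> bytes:
    """CoA-ACK/NAK: Response Authenticator = MD5(header || RequestAuth || attrs || secret)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def handle_coa(secret: bytes, pkt: bytes, active_sessions: set):
    """NAS side: silently drop what does not authenticate (None), ACK a live
    Acct-Session-Id, otherwise NAK with Error-Cause 503."""
    ok, _reason = verify_coa_request(secret, pkt)
    if not ok:
        return None
    ids = [v for _, t, v in parse_avps(pkt[20:]) if t == ACCT_SESSION_ID]
    if ids and ids[0] in active_sessions:
        return coa_response(secret, pkt, COA_ACK, [])
    return coa_response(secret, pkt, COA_NAK,
                        [(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))])


if __name__ == "__main__":
    secret = b"testing123"               # constructed; same secret as the post's radclient call
    req = build_coa_request(secret, 254, [(USER_NAME, b"test"), (ACCT_SESSION_ID, b"0000abcd")])
    print(listener_accepts("auth", req[0]), listener_accepts("coa", req[0]))  # False True
    print(handle_coa(secret, req, {b"0000abcd"})[0], handle_coa(secret, req, set())[0])  # 44 45
```

Once a CoA-Request authenticates, the remaining question is the one the warning in the log asks: which NAS gets it. That is the coa_server binding in clients.conf that the originate-coa comment quoted above points at; the packet on the wire is the same whichever destination is chosen.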
RE: password in EAP request
Hi,

I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true?

Thanks,
ASM

Date: Wed, 5 Oct 2011 22:01:01 +0100
From: a.l.m.bu...@lboro.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: password in EAP request

Hi,

In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username of the EAP request message. How can I get the password of the EAP request? $RAD_REQUEST{'User-Password'} won't return the password.

it certainly won't for PEAPv0/MSCHAPv2 which is what your request looks like - hint, it's a challenge response mechanism, the password is never disclosed

alan
RE: password in EAP request
I agree, the EAP message sent from the Access Point does not send the password. The client sends the encrypted password. I think I should ask: how can FreeRadius retrieve the password in the 802.1x authentication mechanism?

Date: Thu, 6 Oct 2011 14:11:34 +0100
From: p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: password in EAP request

On 06/10/11 14:06, Alex rsm wrote:
Hi,
I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true?

No. As others have said, EAP does not usually send the password. I would advise you go and read up on EAP, and how EAP methods work.
[no subject]
Hi,

I just installed freeradius 2.1.12 on ubuntu server from src file and got the following error:

# radiusd -X
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.12.so: cannot open shared object file: No such file or directory

Thanks,
ASM
RE: authentication sub in perl
I've built FreeRadius 2.1.11 from src files on ubuntu 8.04 server:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 8.04.4 LTS
Release:        8.04
Codename:       hardy

# ./configure | grep WARN
configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work
configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work
configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.
configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires: libgdbm.
configure: WARNING: FAILURE: rlm_dbm requires: (ndbm.h or gdbm/ndbm.h or gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat).
configure: WARNING: silently not building rlm_dbm.
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires: libgdbm.
configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires: krb5.h krb5.
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires: libldap_r ldap.h.
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires: openssl-libs openssl-includes openssl-includes openssl-includes openssl-includes openssl-includes.
configure: WARNING: silently not building rlm_pam.
configure: WARNING: FAILURE: rlm_pam requires: libpam.
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires: libperl.so libperl.so.
configure: WARNING: silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires: Python.h libpython2.5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=path.
configure: WARNING: MySQL headers not found. Use --with-mysql-include-dir=path.
configure: WARNING: silently not building rlm_sql_mysql.
configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r mysql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
configure: WARNING: oracle headers not found. Use --with-oracle-include-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

# apt-get install OpenSSL
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package OpenSSL

# apt-get install ssl-devel
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package ssl-devel

Date: Mon, 3 Oct 2011 16:32:44 +0100
From: a.l.m.bu...@lboro.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: authentication sub in perl

Hi,

Thank you for the response. How can I build the FreeRADIUS with EAP support? I checked the configure and Makefile and couldn't figure it out

did you build it yourself then? if so, then what platform? as that will decide the package name. ssl-devel, ssl-devl, openssl-devel, openssl-dev are the usual names of the required RPM or PKG file that must be installed

if you'd piped the output of the ./configure stage through grep eg

./configure --with-whatever-options | grep WARN

you'd see all the warnings about functionality that won't work because of lack of development headers/libraries

alan
FW: authentication sub in perl
813215468657265206973206e6f2073756368207468696e67206f757473696465205553311330110603550407130a45766572797768657265310e300c060355040a13054f434f5341313c303a060355040b13334f69636520666f7220436f6d706c69636174696f6e206f66204f74686572776973652053696d706c65
	EAP-Message = 0x8108b36edcb15eb10203010001300d06092a864886f70d0101050500038181002ac5e5a95601c5d650cf06ab8b89bde90ff4435de070cb80076e7f0e25411dc2826996807af37acccfe9ada9a1f41c90be7301fda6bf6f1e9282c57e4a4923ae6c33b827032b0691cf516299f084f128c6631e3e80a6b7e77bc214ee36b3861a39819fae257557a2a023482750e50a19755919348bcb32d83e6cf0be37e0281716030100040e00
	Message-Authenticator = 0x
	State = 0x2c81558c2e824cde6687486c2848c067
Finished request 12.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=22, length=387
	User-Name = abc
	NAS-IP-Address = 10.0.0.31
	NAS-Identifier = belair
	NAS-Port = 0
	Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
	Calling-Station-Id = 5C-59-48-F0-34-8B
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 11Mbps 802.11b
	EAP-Message = 0x020300d0198000c6160301008610820080371b287b2a288bb51773c591b925c51dc9dd35e78e31ca6572ba50103ff255b33f8f8d50222d2a360a84f9a626651502fce20b21dd5fd14a59094f2b1655bb2a2d11332b186fc5a94438859f67ec287724f63519e5cc82820cf91b5a9a9c4c26f33e31a74bddb88d1cb3b0b64ebf82e98fa1c5d1bd12b88a6774889fd868140d14030100010116030100304dcd33a4d2301013eb09a3e10798b8b1f5a6321a50a5b0ca6bd7c16c43fa7f1a4d442c1d5b5ab7421a7aa42b715abce2
	State = 0x2c81558c2e824cde6687486c2848c067
	Message-Authenticator = 0xa0a47b0b334f107a54ff4e9abac2969a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = abc, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 22 to 10.0.0.31 port 50071
	EAP-Message = 0x0104004119001403010001011603010030b7da9f1ff65aa82945313f6e0b13f88565316368755ae23680a9a60583941b0aacfc3e71103a1e5eec9da651ae5a9d2d
	Message-Authenticator = 0x
	State = 0x2c81558c2f854cde6687486c2848c067
Finished request 13.
Going to the next request
Waking up in 4.6 seconds.

Date: Mon, 3 Oct 2011 18:55:42 +0100
From: a.l.m.bu...@lboro.ac.uk
To: alex-...@hotmail.com
Subject: Re: authentication sub in perl

Hi,

hint: https://help.ubuntu.com/community/OpenSSL

alan
RE: rlm_perl
I got it working. Thanks for the help. I had to add my debugging statement in the authorize sub rather than the authenticate sub.

Date: Fri, 30 Sep 2011 09:52:23 +0100
From: a.l.m.bu...@lboro.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_perl

hi,

which version of FR? if it's the latest version, then just edit the modules/perl file, ensure that the TYPE of perl you want to use is uncommented... eg for authentication, ensure that the func_authenticate line is uncommented, then add 'perl' into the authenticate section of your virtual server

for older versions... creaky old... you need to ensure that the server was compiled with experimental-features, you need to ensure that the INCLUDE experimental.conf is uncommented in radiusd.conf (and then edit the perl section and the server config as before...)

alan
missing rlm_perl.so in the built from src file
Hi,

I built a fresh freeradius on a ubuntu server from source files. When I add the perl module and start freeradius in debug mode, it is asking for rlm_perl.so and cannot find it. It seems the make file does not create the shared lib file for the perl module. Is there any change that should be made in the Makefile to create the rlm_perl.so file?

Thanks,
ASM
authentication sub in perl
Hi,

I am trying to call an external perl function within the authentication sub

- functions are uncommented in the modules/perl file
...
func_authenticate = authenticate
func_authorize = authorize
...

- subs are modified in /raddb/example.pl

sub authenticate{
	print "TEST1\n";
}

sub authenticate {
	print "TEST2\n";
	/usr/local/etc/raddb/test.pl;
}

When freeradius receives a REQUEST, only the authenticate sub is called and not the authenticate sub. How can I enable authenticate to be called when a REQUEST arrives?

Here is the debug log:

ali@lab-openser01:~$ sudo radiusd -X
FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on Sep 29 2011 at 14:33:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration
RE: authentication sub in perl
My apology. It was a copy/paste typo:

sub authorize {
    print "TEST1\n";
    # For debugging purposes only
    # log_request_attributes;

    # Here's where your authorization code comes
    # You can call another function from here:
    test_call;

    return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
    print "TEST2\n";
    # For debugging purposes only
    # log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = 100;
        return RLM_MODULE_OK;
    }
}

> Date: Fri, 30 Sep 2011 17:36:32 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: authentication sub in perl
>
> Alex rsm wrote:
> > I am trying to call an external perl function within authentication sub
> > - functions are uncommented in modules/perl file
> > ...
> > func_authenticate = authenticate
> > func_authorize = authorize
> > ...
>
> The default example works.
>
> > - subs are modified in /raddb/example.pl
> >
> > sub authenticate{
> >     print "TEST1\n";
> > }
> >
> > sub authenticate {
> >     print "TEST2\n";
> >     /usr/local/etc/raddb/test.pl;
> > }
> >
> > When freeradius receives a REQUEST, only authenticate sub is called and not authenticate sub.
>
> That makes NO sense at all. You have TWO authenticate subroutines, and you expect that Perl will magically call the one you want?
>
> Computers don't work that way.
>
> > How can I enable authenticate to be called when a REQUEST is arrived?
>
> Ask a question that makes sense.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: authentication sub in perl
As I said, only the authorize sub is being called when receiving a REQUEST and not the authenticate sub. So I need to change Auth-Type to be Perl?

Here are my subs in the example.pl:

sub authorize {
    print "TEST1\n";
    # For debugging purposes only
    # log_request_attributes;

    # Here's where your authorization code comes
    # You can call another function from here:
    #test_call;

    return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
    print "TEST2\n";
    # For debugging purposes only
    # log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = 100;
        return RLM_MODULE_OK;
    }
}

and my debug:

FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on Sep 29 2011 at 14:33:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in
rlm_perl
Hi,

How can I configure Freeradius to call the example.pl perl script in the rlm_perl module? i.e., I want the perl script to be called when Freeradius receives a request.

Thanks,
ASM
RE: rlm_perl
Hi Arran,

Thank you for the response. I added perl to the sites-available/default file as follows:

authorize {
    #
    #  The preprocess module takes care of sanitizing some bizarre
    #  attributes in the request, and turning them into attributes
    #  which are more standard.
    #
    #  It takes care of processing the 'raddb/hints' and the
    #  'raddb/huntgroups' files.
    preprocess
    ldap
    perl
    .
}

And added the following into the raddb/modules/perl file

perl {
    module = path/example.pl
}

And added the following in src/modules/rlm_perl/example.pl

sub authorize {
    print "This is a TEST\n";
    .
}

However, when I send a simple test request I don't see my debug line. I also don't see the message "perl loaded" when I start Freeradius in debug mode (radiusd -X). Am I missing anything?

I appreciate it.
ASM

> From: a.cudba...@freeradius.org
> Subject: Re: rlm_perl
> Date: Thu, 29 Sep 2011 19:39:55 +0200
> To: freeradius-users@lists.freeradius.org
>
> On 29 Sep 2011, at 19:25, Alex rsm wrote:
>
> > Hi,
> > How can I configure Freeradius to call example.pl perl script in the rlm_perl module? i.e., I want the perl script to be called when Freeradius receives a request.
>
> read/modify raddb/modules/perl and list perl in sites-available/default authorize {}
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: DHCP reply with opt82
Thanks Alan, but git pull said that local sources are up to date. I've even downloaded them again to another server (no previous versions of freeradius on it) according to http://git.freeradius.org/

$ git clone git://git.freeradius.org/freeradius-server.git
$ cd freeradius-server
$ git fetch origin v2.1.x:v2.1.x
$ git checkout v2.1.x

dhcp.c has these changes:
http://github.com/alandekok/freeradius-server/commit/7d44b0a545a50012aaa60ba996cc976d15745d08

dictionary.dhcp is from 2.1.10

but the result is the same (tcpdump):

Agent-Information Option 82, length 6:
  Unknown SubOption 0, length 4:
    0x0000: 01e3 0420
Agent-Information Option 82, length 8:
  Unknown SubOption 0, length 6:
    0x0000: 001f cab0 ef00

What am I doing wrong?

----- Original Message -----
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, July 20, 2010 01:54
Subject: Re: DHCP reply with opt82

> Alex wrote:
> > FreeRADIUS Version 2.1.10 (from git sources).
> > I'm using dhcp feature of freeradius to assign static ips to computers dynamically.
>
> $ git pull
> $ (cd src/lib;make)
> (cd src/main;make)
>
> > but both this two values (0x000401e30420 and 0x00060000) are assigned to DHCP-Relay-Agent-Information. tcpdump shows both as opt82 suboption 0:
> > 5206000401e30420
> > 520800060000
> >
> > Need help in setting this options correctly.
>
> Double-check that you're using the dictionary.dhcp file that comes with 2.1.10. *Don't* use the file that comes with 2.1.9.
>
> Alan DeKok.
Re: DHCP reply with opt82
Sources, server version and dictionary were ok. The problem was in using old attributes:

DHCP-Agent-Circuit-Id := "%{request:DHCP-Agent-Circuit-Id}"
DHCP-Agent-Remote-Id := "%{request:DHCP-Agent-Remote-Id}"

Changed them to:

DHCP-Relay-Circuit-Id := "%{request:DHCP-Relay-Circuit-Id}"
DHCP-Relay-Remote-Id := "%{request:DHCP-Relay-Remote-Id}"

and now it works without any problem. Debug still shows the old attribute DHCP-Agent-Circuit-Id and doesn't show remote id at all:

Received DHCP-Discover of id 4a76b25e from 1.1.1.1:67 to 0.0.0.0:67
	DHCP-Opcode = Client-Message
	DHCP-Hardware-Type = Ethernet
	DHCP-Hardware-Address-Length = 6
	DHCP-Hop-Count = 1
	DHCP-Transaction-Id = 1249292894
	DHCP-Number-of-Seconds = 0
	DHCP-Flags = 0
	DHCP-Client-IP-Address = 0.0.0.0
	DHCP-Your-IP-Address = 0.0.0.0
	DHCP-Server-IP-Address = 0.0.0.0
	DHCP-Gateway-IP-Address = 1.1.1.1
	DHCP-Client-Hardware-Address = 00:11:22:33:44:55
	DHCP-Message-Type = DHCP-Discover
	DHCP-Client-Identifier = 00:11:22:33:44:55
	DHCP-Hostname = "test"
	DHCP-Parameter-Request-List = DHCP-Subnet-Mask
	DHCP-Parameter-Request-List = DHCP-Broadcast-Address
	DHCP-Parameter-Request-List = DHCP-Time-Offset
	DHCP-Parameter-Request-List = DHCP-Classless-Static-Route
	DHCP-Parameter-Request-List = DHCP-Router-Address
	DHCP-Parameter-Request-List = DHCP-Domain-Name
	DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
	DHCP-Parameter-Request-List = DHCP-Hostname
	DHCP-Agent-Circuit-Id = 0x000401e30420

----- Original Message -----
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, July 20, 2010 16:01
Subject: Re: DHCP reply with opt82

> Alex wrote:
> > Thanks Alan, but git pull said that local sources are up to date.
>
> Or...
>
> git pull origin v2.1.x:v2.1.x
>
> > dhcp.c has this changes:
> > http://github.com/alandekok/freeradius-server/commit/7d44b0a545a50012aaa60ba996cc976d15745d08
>
> Yes, that should be it.
>
> > dictionary.dhcp is from 2.1.10
>
> Are you *sure*? The version in the source is from 2.1.10. What about the installed version? (/usr/local/share/freeradius/...) Go *check*.
>
> > but result is the same (tcpdump):
> >
> > Agent-Information Option 82, length 6:
> >   Unknown SubOption 0, length 4:
> >     0x0000: 01e3 0420
> > Agent-Information Option 82, length 8:
> >   Unknown SubOption 0, length 6:
> >     0x0000: 001f cab0 ef00
> >
> > What am I doing wrong?
>
> Probably not using the right dictionary, or the right version of the server. When I perform the test that's in the git commit message, I get the correct sub-option format. Please try that.
>
> If you don't get the correct suboptions, then you need to use the right dictionary and/or the right source code.
>
> Alan DeKok.
DHCP reply with opt82
Hello.

FreeRADIUS Version 2.1.10 (from git sources).

I'm using the dhcp feature of freeradius to assign static ips to computers dynamically. Sometimes it's needed to reply to dhcp packets with the same opt82 as in the request. For example, cisco uses opt82 from the replied packet to know from which port the request has arrived (IP source guard, "ip verify source port-security" interface command). For this scenario, I added the following to the dhcp update sections:

DHCP-Agent-Circuit-Id := "%{request:DHCP-Agent-Circuit-Id}"
DHCP-Agent-Remote-Id := "%{request:DHCP-Agent-Remote-Id}"

In this case, radius debug output shows correct assignment of options:

Sending DHCP-Offer of id 7c0f40cd from 0.0.0.0:67 to x.x.x.1:67
	DHCP-Subnet-Mask = 255.255.255.0
	DHCP-Router-Address = x.x.x.1
	DHCP-Domain-Name-Server = y.y.y.y
	DHCP-IP-Address-Lease-Time = 86400
	DHCP-DHCP-Server-Identifier = z.z.z.z
	DHCP-Agent-Circuit-Id = 0x000401e30420
	DHCP-Agent-Remote-Id = 0x00060000
Finished request 10.

but both of these values (0x000401e30420 and 0x00060000) are assigned to DHCP-Relay-Agent-Information. tcpdump shows both as opt82 suboption 0:

5206000401e30420
520800060000

Need help in setting these options correctly.
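The whole thread comes down to how option 82 is framed on the wire. RFC 3046 defines the Relay Agent Information option as a list of sub-option TLVs and assigns code 1 to Agent Circuit ID and code 2 to Agent Remote ID; code 0 is unassigned, which is why tcpdump prints "Unknown SubOption 0" for the bytes the old DHCP-Agent-* attributes produced, while the DHCP-Relay-* attributes yield proper sub-options 1 and 2. The decoder and encoder below are an added example for this archive and are not FreeRADIUS code; the sample TLVs are constructed from the hex values quoted in the thread, and the function names (parse_option82, build_option82, describe, reply_echoes_request) are this example's own.

```python
"""Decode and build the DHCP Relay Agent Information option (option 82,
RFC 3046) so the sub-option layout tcpdump reports can be verified by hand.

Added example for the mailing-list thread on echoing option 82; it is not
FreeRADIUS code.  The sample TLVs are constructed from the hex values
quoted in the thread.
"""
from typing import Dict, List, Tuple

OPTION_RELAY_AGENT_INFO = 82

# Sub-option codes assigned by RFC 3046.  Code 0 is not assigned, which is
# why tcpdump labels it "Unknown SubOption 0".
SUBOPTION_NAMES: Dict[int, str] = {
    1: "Agent-Circuit-Id",
    2: "Agent-Remote-Id",
}

SubOption = Tuple[int, str, bytes]


def parse_option82(tlv: bytes) -> List[SubOption]:
    """Split one option-82 TLV into (code, name, value) sub-options.

    Raises ValueError for anything that is not a well-formed option 82, so a
    truncated or mis-framed relay option is reported instead of silently
    decoding into garbage.
    """
    if len(tlv) < 2 or tlv[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a DHCP option 82 TLV")
    length = tlv[1]
    body = tlv[2:2 + length]
    if len(body) != length:
        raise ValueError(f"option 82 declares {length} bytes, only {len(body)} present")

    subs: List[SubOption] = []
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("sub-option header truncated")
        code, sub_len = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError(f"sub-option {code} declares {sub_len} bytes, only {len(value)} present")
        subs.append((code, SUBOPTION_NAMES.get(code, "Unknown"), value))
        pos += 2 + sub_len
    return subs


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode Circuit-Id (sub-option 1) and Remote-Id (sub-option 2) as option 82."""
    body = b""
    for code, value in ((1, circuit_id), (2, remote_id)):
        if not value:
            continue  # a relay that did not insert the sub-option simply omits it
        if len(value) > 255:
            raise ValueError(f"sub-option {code} value too long for a one-byte length")
        body += bytes([code, len(value)]) + value
    if len(body) > 255:
        raise ValueError("option 82 body too long for a one-byte length")
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def describe(tlv: bytes) -> List[str]:
    """Render the sub-options in the style tcpdump uses, for side-by-side comparison."""
    return [f"SubOption {code} ({name}), length {len(value)}: {value.hex()}"
            for code, name, value in parse_option82(tlv)]


def reply_echoes_request(request_tlv: bytes, reply_tlv: bytes) -> bool:
    """True when the server's reply carries exactly the relay information it received.

    This is the property the switch relies on to map the lease back to a port.
    """
    return parse_option82(request_tlv) == parse_option82(reply_tlv)


# Constructed sample 1: the bytes tcpdump showed for the old DHCP-Agent-*
# attributes.  The whole blob sits under sub-option code 0.
WRONG_OPTION82 = bytes.fromhex("52 06 00 04 01 e3 04 20")

# Constructed sample 2: the circuit-id and remote-id values from the thread
# encoded as proper RFC 3046 sub-options 1 and 2.
RIGHT_OPTION82 = build_option82(bytes.fromhex("01e30420"), bytes.fromhex("001fcab0ef00"))

if __name__ == "__main__":
    for label, tlv in (("old DHCP-Agent-* attributes", WRONG_OPTION82),
                       ("DHCP-Relay-* attributes", RIGHT_OPTION82)):
        print(label)
        for line in describe(tlv):
            print("  " + line)
```

Running the module prints the two framings side by side; the first decodes to a single "Unknown" sub-option 0 carrying the circuit-id bytes, the second to sub-options 1 and 2. The parser rejects a TLV whose declared length exceeds the bytes present, which is the shape of the second truncated dump in the thread.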
radius proxy authentication problem with realm stripping for EAP
Hi,

I'm trying to configure free radius server as a proxy radius server with realm defined and strip option enabled. Authentication fails on external radius server when EAP is used. Without EAP authentication is fine. Any configuration option required for EAP to work (with realm stripping)?

Thanks,
Alex
Re: radius proxy authentication problem with realm stripping for EAP
Thanks, Alan.

From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, July 1, 2010 12:58:18 PM
Subject: Re: radius proxy authentication problem with realm stripping for EAP

> Alex Myself wrote:
> > Hi,
> > I'm trying to configure free radius server as a proxy radius server with realm defined and strip option enabled.
>
> Don't strip the user name.
>
> > Authentication fails on external radius server when EAP is used. Without EAP authentication is fine. Any configuration option required for EAP to work (with realm stripping)?
>
> EAP will work *only* without realm stripping.
>
> Alan DeKok.
State of 2.x?
Hi,

We're running 1.1.8 on FreeBSD 5.3 and have been delaying the move to 2.x until absolutely necessary. Given the recent libtool22 issues, I'm thinking it's time to move. Just wondering if people would recommend moving now to 2.1.9 or waiting a while longer for a stable 2.2?

Thanks
-- Alex
Re: State of 2.x?
Thanks Alan, that's what I wanted to know.

-- Alex
Re: Default reply for username incorrect-s
Ok I think I got the idea, will now go and try it out! Thank you!

As to the 2nd reply, yes my NAS supports Reply-Messages.

2010/1/4 Charles (KOL-Goma) char...@goma.kivu-online.com

> Does your NAS support the option?
>
> ----- Original Message -----
> From: EasyHorpak.com i...@easyhorpak.com
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Monday, January 04, 2010 6:27 AM
> Subject: Re: Default reply for username incorrect-s
>
> > Alex M wrote:
> > > Happy New Year to you all!
> > > I have a quick question: How can I send a default reply to all users that have an incorrect username / password combination? Right now FR just rejects them w/o any message. I use MySQL; I tried to add DEFAULT as user name in rad reply but that did not help :( Hope some one can help me? TNX
> >
> > try this man
> > http://www.easyzonecorp.net/network/view.php?ID=1038
> > it only accepts not found username. for wrong password you must use unlang
> > try this
> > http://www.easyzonecorp.net/network/view.php?ID=1042
Default reply for username incorrect-s
Happy New Year to you all!

I have a quick question: How can I send a default reply to all users that have an incorrect username / password combination? Right now FR just rejects them w/o any message. I use MySQL; I tried to add DEFAULT as user name in rad reply but that did not help :( Hope some one can help me?

TNX
Re: Rejecting User By their Calling-Station-Id (Mac Address)
Yes that helped =) Thank you!

2009/12/27 zhongwei feng feng...@gmail.com

> hi,
> try to exchange the sequence?
>
> if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
>     update reply {
>         Reply-Message := "Hello Hello Hello"
>     }
>     reject
> }
Re: Rejecting User By their Calling-Station-Id (Mac Address)
Ok, I'm still having trouble with this. Here is my code:

if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
    reject
    update reply {
        Reply-Message = "Hello Hello Hello"
    }
}

The problem is that I don't see the Reply Message... I see another one that I got from the Usergroup. My user is a member of the default user group that sends a reply message to everyone saying that Username is incorrect; that is my way to output the message where Username/Password is wrong (probably there should be a better way to do that and maybe that is a problem) but that is what I have now. So that message is getting output even though the mac address is banned.

Here is a copy of my output.. Hope you can help me out? TNX

===
rad_recv: Access-Request packet from host x4.xxx.74.xxx port 62760, id=111, length=139
	NAS-IP-Address = 192.168.0.104
	NAS-Identifier = "xxx.com"
	User-Name = "alexus7"
	User-Password = "open"
	Service-Type = Login-User
	NAS-Port-Type = Ethernet
	NAS-Port = 5
	Framed-IP-Address = 192.168.1.199
	Called-Station-Id = "00:0d:b9:06:xx:xx"
	Calling-Station-Id = "00:0b:6a:29:xx:xx"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "alexus7", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] 	expand: %{User-Name} -> alexus7
[sql] sql_set_user escaped user --> 'alexus7'
rlm_sql (sql): Reserving sql socket id: 3
[sql] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alexus7' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alexus7' ORDER BY id
WARNING: Found User-Password ==
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alexus7' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alexus7' ORDER BY id
[sql] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alexus7' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'alexus7' ORDER BY priority
[sql] 	expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Ban' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Ban' ORDER BY id
[sql] 	expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'All' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'All' ORDER BY id
[sql] User found in group All
[sql] 	expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'All' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'All' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++? if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}")
	sql_xlat
	expand: %{User-Name} -> alexus7
sql_set_user escaped user --> 'alexus7'
	expand: SELECT mac FROM `lrc_banlist` WHERE
Re: Rejecting User By their Calling-Station-Id (Mac Address)
As suggested I just tried to replace the operator = with := and even with == but the reply message is not getting outputted :( Maybe I'm missing something?

if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
    reject
    update reply {
        Reply-Message := "Hello Hello Hello"
    }
}

On Sat, Dec 26, 2009 at 12:08 PM, Alex M freerad...@lrcommunications.net wrote:

> lol true! I always use that one for reply messages... i guess i was too sleepy last night :( Thank you!
>
> On Sat, Dec 26, 2009 at 11:19 AM, Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
>
> > On 26/12/2009 08:05, Alex M wrote:
> > > Ok I still having trouble with this. Here is my code:
> > >
> > > if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
> > >     reject
> > >     update reply {
> > >         Reply-Message = "Hello Hello Hello"
> > >     }
> > > }
> >
> > Wrong operator. You want := to overwrite the attribute value that already exists...
> >
> > update reply {
> >     Reply-Message := "Hello Hello Hello"
> > }
Re: Rejecting User By their Calling-Station-Id (Mac Address)
That worked well! Thank you. I guess once reject is sent there is no further processing of the code.

On Sat, Dec 26, 2009 at 1:16 PM, Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:

> On 26/12/2009 10:11, Alex M wrote:
> > As suggested I just tried to replace operator = with := and even with == but reply message is not getting outputted :( Maybe I'm missing something?
>
> Try moving the reject to after the update stanza. I think a return code of reject stops the server processing the current section.
>
> -Arran
Re: Rejecting User By their Calling-Station-Id (Mac Address)
I need to ask again for help. So I added this code to the Authorize section of the Default config file; it blocks banned users well! But I need to tell them why they got banned, so I tried different ways to add Reply-Message in the logic. Nothing helped me so far... So maybe some one can tell me how to add reply-message to this logic? Thank you a lot and Merry Xmas

if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") {
    reject
    #reply := "Your account has been disabled."
}

On Wed, Dec 16, 2009 at 4:07 PM, Alex M freerad...@lrcommunications.net wrote:

> ok fair enough =) will go dig config file... How can I send the reason for rejection? Just add reply command somewhere along the lines? Can I link reply message to the reply message associated with reply in groups? Tnx again!
>
> On Wed, Dec 16, 2009 at 3:25 AM, Alan DeKok al...@deployingradius.com wrote:
>
> > Alex M wrote:
> > > Well i guess i'm back to my problem :( I tried group thing and i'm getting som strange un-constant results :( Can some one tell me how the logic works for groupcheck?
> >
> > Why? You were given a simple solution. I suggest trying that.
> >
> > Trying to figure out how to get groups to do what you want is a waste of time when you *already* have a solution.
> >
> > Alan DeKok.
Re: Rejecting User By their Calling-Station-Id (Mac Address)
Oh, no wonder all my tries didn't work =) Thanks a lot!

On Fri, Dec 25, 2009 at 7:10 PM, t...@kalik.net wrote:

> > I need to ask again for help. So I added this code to Autorize section of Default config file it blocks banned users well! But I need to tell them why they got banned so I tried diferent ways to add Reply-Message in the logic Nothing helped me so far... So maybe some one can tell me how to add reply-message to this logic? Thank you a lot and Marry Xmas
> >
> > if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") {
> >     reject
>
> update reply {
>     Reply-Message = "Your account has been disabled."
> }
>
> >     #reply := "Your account has been disabled."
> > }
>
> Ivan Kalik
Re: Rejecting User By their Calling-Station-Id (Mac Address)
Ok fair enough =) Will go dig the config file... How can I send the reason for rejection? Just add a reply command somewhere along the lines? Can I link the reply message to the reply message associated with reply in groups? Tnx again!

On Wed, Dec 16, 2009 at 3:25 AM, Alan DeKok al...@deployingradius.com wrote:

> Alex M wrote:
> > Well i guess i'm back to my problem :( I tried group thing and i'm getting som strange un-constant results :( Can some one tell me how the logic works for groupcheck?
>
> Why? You were given a simple solution. I suggest trying that.
>
> Trying to figure out how to get groups to do what you want is a waste of time when you *already* have a solution.
>
> Alan DeKok.
Re: Rejecting User By their Calling-Station-Id (Mac Address)
Wow... I managed to make it work w/ groups but I like your way better =) Thank you!

On Tue, Dec 15, 2009 at 2:36 AM, Alan DeKok al...@deployingradius.com wrote:

> Alex M wrote:
> > Hey all, i'm coming back here w/ my old question of how to reject users based on their MAC address... but now im running FR 2.x.x
> > So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well thats not fun for us so we trying to figure out what we can do to reject reqyest from their machines no matter what name they put in. So maybe some one can help me out here.
>
> Create a table called blocked MACs, and put the MAC addresses in there.
>
> Then, in the authorize section, do:
>
> if (Calling-Station-Id == "%{sql: SELECT ...}") {
>     reject
> }
>
> Fix the SQL statement to SELECT the row containing the Calling-Station-Id.
>
> Alan DeKok.
Re: Rejecting User By their Calling-Station-Id (Mac Address)
Well I guess I'm back to my problem :( I tried the group thing and I'm getting some strange inconsistent results :( Can some one tell me how the logic works for groupcheck?

If I have Calling-Station-Id and reply reject specified for the same user, what should happen? What if I have 100 MAC addresses entered, how do we check for that? I had 1 MAC address entered and was getting rejected well. If 1 MAC is entered but not my MAC then I'm not getting rejected, yet when 2 MAC addresses are entered I'm getting rejected regardless of my MAC address. (My ban group has priority of 1.)

I would love to solve my problem w/ groups so I don't have to edit radius config files... but if I'm getting these strange results or if it's not possible I'm more or less ok w/ adding more settings to configs...

Thanks for helping me out!

On Tue, Dec 15, 2009 at 2:41 PM, Alex M freerad...@lrcommunications.net wrote:

> wow... i managed to make it work w/ groups but i like your way better =) Thank you!
>
> On Tue, Dec 15, 2009 at 2:36 AM, Alan DeKok al...@deployingradius.com wrote:
>
> > Alex M wrote:
> > > Hey all, i'm coming back here w/ my old question of how to reject users based on their MAC address... but now im running FR 2.x.x
> > > So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well thats not fun for us so we trying to figure out what we can do to reject reqyest from their machines no matter what name they put in. So maybe some one can help me out here.
> >
> > Create a table called blocked MACs, and put the MAC addresses in there.
> >
> > Then, in the authorize section, do:
> >
> > if (Calling-Station-Id == "%{sql: SELECT ...}") {
> >     reject
> > }
> >
> > Fix the SQL statement to SELECT the row containing the Calling-Station-Id.
> >
> > Alan DeKok.
Rejecting User By their Calling-Station-Id (Mac Address)
Hey all, I'm coming back here w/ my old question of how to reject users based on their MAC address... but now I'm running FR 2.x.x

So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well that's not fun for us, so we're trying to figure out what we can do to reject requests from their machines no matter what name they put in. So maybe some one can help me out here.

Here is what I tried:

*radusergroup* (username, groupname, priority)
    all user-names registered    Ban
    Test_User                    Home    1

*radgroupcheck* (groupname, attribute, op, value)
    Ban    Calling-Station-Id    ==    00:0b:6a:xx:xx:xx
    Ban    Reply-Message         ==    You have been banned
    Ban    Auth-Type             :=    Reject

*radcheck* (username, attribute, op, value)
    Test_User    password    ==    letmein

So far that didn't work at all... I tried changing priority but no matter what I do the user is still authorized to enter the network. I'm sure I did something wrong but I'm not sure what? So maybe some one can help me out?

Thanks a lot!
RE: Testing radius server
Alan,

Radius -X is always on, and I went through the clients.conf file. -X gives a lot of information; since you asked, here is my understanding. I'm not a programmer, so some of them are cryptic to me. I put in comments on what I think they are, but they are only guesses. I would be very thankful if you could shed light on them. Also, there is a file experimental.conf stated in eap.conf, but it does not exist. It may have some useful information.

[r...@crest raddb]# radtest cisco cisco 127.0.0.1 200 testing123
Sending Access-Request of id 187 to 127.0.0.1 port 1812
	User-Name = cisco
	User-Password = cisco
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 200
rad_recv: Access-Request packet from host 127.0.0.1 port 43663, id=187, length=57
	User-Name = cisco
	User-Password = cisco
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 200
+- entering group authorize {...}
++[preprocess] returns ok          ;what is preprocess and what does it do?
++[chap] returns noop              ;I can tell that CHAP was not selected as a protocol, right?
++[mschap] returns noop            ;as above
[suffix] No '@' in User-Name = cisco, looking up realm NULL   ;why is @ expected in a name or password?
[suffix] No such realm NULL        ;what does this mean?
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP   ;EAP is not the auth protocol.
++[eap] returns noop
++[unix] returns notfound          ;what is this?
++[files] returns noop             ;?
++[expiration] returns noop        ;?
++[logintime] returns noop         ;?
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.   ;I do have a password (cisco).
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user   ;this looks like an authentication protocol is a must before the process can work; however, the eap.conf file is there and eap is uncommented with its arguments. ?
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> cisco
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 187 to 127.0.0.1 port 43663
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=187, length=20
[r...@crest raddb]#
Cleaning up request 5 ID 187 with timestamp +411
Ready to process requests.

Rgrds,
Alex

-----Original Message-----
From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Thursday, December 10, 2009 2:07 AM
To: FreeRadius users mailing list
Subject: Re: Testing radius server

Hi,

Now I know it's a config issue in clients.conf, as radtest is failing. I set the user name and password, but radius is sending a reject. This is the first time I'm using radius, so please bear with me. Can someone mail me an example of the minimum required configuration needed for radius to work, no EAP or MSCHAP etc.?

Hey, guess what: 'radiusd -X'. This will be far more useful than throwing random recommendations at you. Have you followed the basic guidance regarding how to use clients.conf? e.g.

testuser Cleartext-Password := testpassword

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
Gera,

From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of gera
Sent: Thursday, December 10, 2009 11:07 AM
To: FreeRadius users mailing list
Subject: Re: Testing radius server

Where did you create the user and password cisco?

In /etc/raddb/clients.conf.

A copy of your users configuration file would be great.

Which config files do you need, radiusd.conf or clients.conf? There is also /etc/raddb/users, which I have not even touched, because I did not see it readily on the wiki and did not know about it till now. I'm not clear on the purpose of the attachment you mailed? This file is not accessible: http://wiki.freeradius.org/FAQ

Alex

On Thu, Dec 10, 2009 at 12:05 PM, g gerard...@gmail.com wrote:

Where did you create the user and password cisco? A copy of your users configuration file would be great.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Testing radius server
Ivan,

Please try to be less arrogant when you answer me. I have not touched Linux or Solaris for 9 years. And I'm not a developer, but an RF engineer. I know many of you are software developers. We should not delve into the Silicon Valley notion of RTFM; instead we should adhere to RFC1855 http://www.faqs.org/rfcs/rfc1855.html. The reason I'm having very basic questions is because the wiki is counter-intuitive and way too cryptic to me; it's written with the idea in mind that users have used the product and are familiar with it. I have used Steel Belted Radius for a long time and never had a problem with it, because it's written for *non*-developers. I'm at a loss with this product, even though I have about 28 years of networking, RF and wireless experience in testing and installation, and am close to CCIE certified. I'd like to continue using the product, with all the help I can get from you guys, but with dignity. If this won't work with this group, maybe I should just bite the bullet and buy Steel Belted and get it over with. Now let's go to answer your questions. Please see inline.

-----Original Message-----
From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of t...@kalik.net
Sent: Thursday, December 10, 2009 10:58 AM
To: FreeRadius users mailing list
Subject: RE: Testing radius server

[pap] WARNING! No known good password found for the user. Authentication may fail because of this.   ;I do have a password (cisco).

No, you don't. Or should I say - where did you store that password?

I edited /etc/raddb/clients.conf. Below is the only thing I edited in this file. And I take it it's wrong, so please point me to the right lines.

#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
client 1.2.3.100/24 {
	secret = cisco
	shortname = cisco
}
#

Ivan Kalik

Rgrds,
Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html