Re: configure freeradius to use UPN instead of samaccountname
Angelica Delgado wrote:
> We have our freeradius setup to authenticate with Active Directory for
> EAP. Currently, it uses the samaccountname but we want to use UPN
> instead. We get "NT_STATUS_NO_SUCH_USER" when testing with ntlm through
> command line.
>
> ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com
>
> Can you please let us know what needs to be configured to support the UPN?

ntlm_auth is from Samba. It's not part of FreeRADIUS. Ask the Samba people how it works.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Case statement error
Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi again,
> Sorry to bang on about this, but I'm struggling still.
> Brand new machine, Ubuntu 13.04 server, never had freeradius installed
> on it. Pulled from git, - (FreeRADIUS Version 3.1.0 (git #209982d),

I didn't see the 3.1.0... At this point, you may want to be running from the 3.0.0 release, or the v3.0.x branch. There are NO new features in "master" (3.1.0) over 3.0.0.

Our plan for 3.1.0 is to finish the conversion to "talloc", which may introduce instabilities. In contrast, 2.2.x and 3.0.x will have minimal changes.

Alan DeKok.
Re: Case statement error
a.l.m.bu...@lboro.ac.uk wrote:
> this error is also present with 3.1.0 when using the provided
> originate-coa virtual-server - so it's reproducible with a minimally
> adjusted configuration (just drop originate-coa from sites-available
> to sites-enabled)

Ah... a fix wasn't pulled over from v3.0.x to master. I've just done that now.

Alan DeKok.
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
Fabrizio Vecchi wrote:
> I guess at the end of the day my question boils down to the following:
> where should I put the MAC check, so that the user gets assigned to the
> right VLAN?

In post-auth.

> If I put it in the authorize part of sites-enabled/default, the VLAN
> update request will get overwritten by the post-auth part of
> sites-enabled/inner-tunnel;

The default configuration for the inner-tunnel does *not* set a VLAN in post-auth. So one configuration you added prevents you from using another configuration you added.

> and if I put it in the post-auth of the file
> sites-enabled/default file (which gets executed after inner-tunnel), the
> authorized_macs function always returns noop.

Delete the "set VLAN" stuff from the post-auth of the inner tunnel. As you've seen, it breaks the other configuration you're trying to use.

When you put "authorized_macs" into the "post-auth", it runs the "post-auth" processing. Which doesn't read the "users" file... as the "users" file is done only in the "authorize" section.

You should be able to put "authorized_macs.authorize" in the post-auth section. That will make it process the "users" file, and do what you want.

Alan DeKok.
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
Fabrizio Vecchi wrote:
> First of all, sorry if my email is very long, I am just trying not to
> leave any important details out. :)

That's good.

> So far, I managed to do the dynamic VLAN assignment, but cannot seem to
> get it to work together with the MAC checking.

The key thing to remember is that they are two independent pieces. Get them working independently. Then, put the pieces together.

> I can get an auth to be refused if the MAC is not listed in the
> authorized_macs file, but can't quite put the two things together.
> Perhaps I am a bit confused with regards to where to put the MAC check.

Put it into "authorize".

> For now, I just managed to get the check to work only on the
> authorization phase in sites-enabled/default, but then the VLAN
> assignment, which is done in the internal-tunnel, seems to overwrite my
> changes.

That can be fixed.

> So I tried to put the MAC check in the post-auth section in the default
> file, but the MAC check doesn't seem to ever work.

Because the "users" file works differently there.

> Here are the relevant config files:

Which seem to use a reasonable approach.

> As you can see, the device wasn't listed in the file, the authentication
> went fine, saying that the tunnel that I should get has ID 40, but that
> wasn't overwritten by the authorized_macs check...

I think part of the problem is you're juggling a lot. You also mentioned MACs and VLANs... and then halfway through the message "Oh, there's an inner-tunnel, too".

Stop with all of your solutions. Instead, write down exactly what you have. Write down what you want to happen in plain English. Write down what should happen, and when. Then, convert it to the configuration.

Your system is using TTLS. OK... I'll ignore the question of *why* you're authenticating unknown MACs. That seems weird.

The debug log shows this:

[ttls] Got tunneled reply code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "40"

Where did that VLAN come from? Why is it there? If you don't know, that's a huge problem.

Generally, the policies should be arranged like this:

authorize:
        allow only known kinds of authentication
        decide which authentication method to use
        grab "known good" passwords

authenticate:
        run authentication methods

post-auth:
        return attributes for a successfully authenticated user

In your case, I'd say return to a default configuration. Then, get the MAC address filtering working in post-auth. Once that's working, add VLAN assignment.

Alan DeKok.
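An added example of the layout Alan describes for this thread and the previous one (it is not the poster's configuration nor a file shipped with FreeRADIUS): the MAC check is a second `files` instance keyed on Calling-Station-Id, called with its `authorize` method from the outer post-auth, and the VLAN for a permitted device comes from the same file. Assumed: a module instance named `authorized_macs`, a device file at `raddb/authorized_macs`, constructed MACs and VLAN IDs, and a NAS that sends the MAC in dash-separated form.

```unlang
#  1. Module instance: raddb/modules/authorized_macs (2.x) or
#     raddb/mods-available/authorized_macs (3.0, symlinked into mods-enabled).
#     A second rlm_files instance that matches on the client MAC instead
#     of on User-Name.  If the NAS sends no Calling-Station-Id the key
#     expands to "", nothing matches, and the device is rejected below
#     (fail closed).
files authorized_macs {
        key = "%{Calling-Station-Id}"
        usersfile = ${confdir}/authorized_macs
}

#  2. Device list: raddb/authorized_macs (constructed entries).
#     The key must match the MAC exactly as the NAS sends it; check the
#     Calling-Station-Id in the debug output.  "00-11-22-33-44-55" is one
#     common form, but other NASes send "00:11:22:33:44:55" or
#     "0011.2233.4455".  The ":=" reply operator replaces any VLAN that an
#     earlier section (a users entry, the inner tunnel) may have added.
00-11-22-33-44-55
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := "40"

00-11-22-33-44-66
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := "41"

#  3. Outer server: raddb/sites-enabled/default, post-auth section.
#     This runs once per session, after TTLS has finished and the
#     inner-tunnel reply has been merged.  The inner-tunnel post-auth is
#     left at its default, i.e. it sets no VLAN.
post-auth {
        #  Call the module's "authorize" method so it really reads the file.
        #  A bare "authorized_macs" here would run the module's post-auth
        #  method, which never consults the file and returns noop for
        #  every MAC (the behaviour reported in this thread).
        authorized_macs.authorize

        #  rlm_files returns noop when no entry matched: unknown device,
        #  so the Access-Accept is turned into an Access-Reject.
        if (noop) {
                update reply {
                        Reply-Message := "Device not authorized"
                }
                reject
        }

        #  ... the rest of the stock post-auth section follows unchanged.
}
```

A matched entry is visible in `radiusd -X` as `[authorized_macs] users: Matched entry 00-11-22-33-44-55 at line ...`, which is the first thing to look for when the device is still being rejected.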
Re: Case statement error
Franks Andy (RLZ) IT Systems Engineer wrote:
> I still get
> # Loading authorize {...}
> /usr/local/etc/raddb/sites-enabled/default[222]: "case" statements may
> only appear within a "switch" section

You need to upgrade your binary. You're not using the latest version.

Alan DeKok.
Re: Eaps TTLS and Plain Text
Gilbert T. Gutierrez, Jr. wrote:
> I have a Free Radius Server (2.1.10-5 packaged with CentOS 6) that is
> configured to handle radius authentication eaps ttls in a tunnel
> (Motorola/Cambium Canopy Product). I want to be able to authenticate
> plain text requests from other devices that do not support eaps. Can
> Free Radius handle both encrypted and unencrypted connections at the
> same time? If it can, can someone lead me down the correct path?

Yes. And there's nothing to do. Just configure a user with a password. *All* authentication types will work.

Alan DeKok.
Re: Error messages in debug on 3.0
Phil Mayers wrote:
> I've just ported our config to 3.0 and I'm seeing a few error messages;
> they don't seem to be critical but are concerning me.
>
> Specifically I'm seeing:
>
> ERROR: Conditional evaluation failed due to internal sanity check.

That should be fixed. Either it can be deleted, or reworded.

> ...whenever I try to compare against absent attributes. What's the
> correct syntax for this now - do I need:
>
> if ((Attr) && (Attr op RHS)) {
>
> ...or can I ignore the message?

Yes.

Alan DeKok.
Re: freeradius 2.2.0 on Fedora and oracle module
Puzzel wrote:
> I've made configure at top level ./configure
> --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
> --with-oracle-include-dir=/usr/include/oracle/11.2/client64

If the build is having issues, you should READ the output of "configure". It tells you what it's building, and what it's not building. Just look for "oracle" in the output. It's not hard.

> Then I made make, but I still can't find rlm_sql_oracle.so file. :/

Again, READ the output of "make". Look for oracle. It's not hard.

You're like someone who's sitting next to a road sign, and claiming he's lost. Well... look up. You're not lost.

Alan DeKok.
Re: Generating timing stats for ntlm_auth
Phil Mayers wrote:
> In order to prove this to the AD team, I need to gather some timing
> stats for ntlm_auth; can anyone think of an easy way to do this within
> FreeRADIUS?

I had patches for this a while ago. But they won't apply to the current code.

The idea was to update the modsingle struct to have an "elapsed" entry/array. Then, call_modsingle() calls gettimeofday() before and after the call to the module. It takes the elapsed time, and updates the modsingle struct.

After a few more hooks, you can get at the stats via radmin.

> Any obvious/easy thing I'm missing?

Nope. Instrumentation is hard.

Alan DeKok.
Re: FR3 Debugging Switches
Phil Mayers wrote:
> Perhaps architecturally, but not inherently; you could, at least in theory:
>
> 1. Receive 4-byte length
> 2. Sanity-check the length
> 3. Allocate buffer
> 4. Read on TCP socket non-blocking in normal select loop until you've
> filled the buffer
> 5. Parse packet from buffer, dispatch packet

That is *exactly* what the server does for TCP.

Alan DeKok.
Re: FR3 Debugging Switches
Arran Cudbard-Bell wrote:
> Isn't it required for doing any RADIUS over TCP?

Nope. Only SSL.

The reason is that sometimes reading from an SSL socket requires SSL writing data to the other end. So you end up with both ends waiting for something. And that knowledge is buried inside of OpenSSL.

Having threads means that each thread can wait without blocking anything else.

It can probably be fixed, but it's hard.

Alan DeKok.
Re: Version 3.0.0 has been released
John Dennis wrote:
> 3.0 is not on the download page http://freeradius.org/download.html nor
> is there a download link on the above announcement page.

The announcement says:

Version 3.0.0 (sig) has been released...

The 3.0.0 is a link. I've added a link on the download page.

Alan DeKok.
Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli
Russell Mike wrote:
>> So if you want to do something when the user's traffic is over the quota,
>> you have to do it in the accounting section.
>
> Could you please kindly indicate what should I do there? I tried to
> perform the check again when user is online by adding counter entry in
> *session* section. But did not work either.

Uh... you do know that "session" is not the same as "accounting", right? Why are you doing something wrong?

> I am not very clear how to update mysql db & perform the check on
> frequent basis. Based on the output from the counter module
> (ok,noop,etc..), I understand how to update the reply from un-lang to
> log off user.

Do you understand what the server does when it receives an accounting packet? Have you tried running the server in debugging mode, and seeing what happens when it receives an accounting packet?

Do that before asking more questions. Watch the server go update SQL.

Now... how do you query SQL (independent of RADIUS) to see if the user's session is over quota?

Then... put that query into the "accounting" section, via "unlang". Check if the user is over quota. If so, send a disconnect message. See raddb/sites-available/originate-coa for examples of originating a disconnect message.

Alan DeKok.
Re: FR3 Debugging Switches
Adam Bishop wrote:
> It appears the debugging switches don't work quite as I'd expect in
> FreeRADIUS 3 when RadSec is configured.

Yes. Because of OpenSSL limitations, the server MUST have multiple threads when using radsec.

> # radiusd -fxx -l stdout
>
> Works as expected (threaded debugging with no timestamps), however:
>
> # radiusd -fXx -l stdout
>
> Wed Oct 9 14:44:18 2013 : Error:
> /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled
> for TLS sockets to function properly.
> Wed Oct 9 14:44:18 2013 : Error:
> /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do
> 'radiusd -fxx -l stdout' for debugging

So... what's wrong with following that documentation?

> '-fXxx -l stdout' reacts in the same way,

Because the "-X" means "-f", which is invalid for radsec.

> but '-fxxx -l stdout' does run and produce timestamps,

Which is what the error message says to use. What's wrong with that?

> so I think this one is just a documentation issue - I can't find anything
> in doc/ that says xxx is a valid combination. radiusd --help also indicates
> that -fXx should still be valid.
>
> Similarly, when doing a config check:
>
> # ./sbin/radiusd -Cfxx -l stdout
>
> /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled
> for TLS sockets to function properly.
> /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do
> 'radiusd -fxx -l stdout' for debugging
>
> The init scripts for debian (possibly RHEL too) trigger the latter one, as it
> runs a config check on restart (which bails out due to the error above).

The "-C" code should be changed to remove its setting of "-f". We'll fix that for 3.0.1.

Alan DeKok.
Re: Case statement error
Franks Andy (RLZ) IT Systems Engineer wrote:
> Trying version #d166290 results in

Which is old. The bug has already been fixed.

Alan DeKok.
Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli
Russell Mike wrote:
> All-In-MB counter works. Please note, when a user has downloaded his
> quota, counter does not force log off.

The counter module DOES NOT DO THAT.

To see why, ask yourself what does FreeRADIUS see when the user has downloaded his quota? The answer is "nothing". The user's traffic doesn't go through FreeRADIUS, because FreeRADIUS isn't a router.

What FreeRADIUS *may* see is an Accounting-Request for the user. Which contains the total traffic for the user. So if you want to do something when the user's traffic is over the quota, you have to do it in the accounting section. You have to update the SQL database, and then check if the user is over quota. If so, send a Disconnect-Message, or exec a program to kick the user offline.

> Which basically means that initially authorization is done by SQL then
> "max_all_mb", checks are only done once when the user makes the logon
> attempt and checks are never done again.

Yes. That's what you've configured. If you want more, you need to tell the server to do more.

> This is where I have failed.
> Since you are more into this, is there a way to perform this check
> on frequent basis and send reply to NAS to logoff user? Then it should
> work.

Read the debug output. You'll see the server receiving Accounting-Request packets, with the user's traffic over quota. THAT is when FreeRADIUS can do something.

Alan DeKok.
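An added example of the approach Alan sketches in this thread and its follow-up above (query SQL from the accounting section, disconnect when over quota); it is not the poster's configuration nor a file from the FreeRADIUS tree. Assumed: the stock `sql` module with the default `radacct` schema, a NAS that sends Interim-Update packets, a CoA/Disconnect home server wired up as described in `raddb/sites-available/originate-coa`, and a constructed 4 GiB quota.

```unlang
#  raddb/sites-enabled/default, accounting section.
#  The comparison is done in SQL (64-bit column arithmetic) rather than in
#  an unlang integer attribute, because a 32-bit attribute cannot hold a
#  total above 4 GiB, which is the ">4GB" problem in the subject line.
accounting {
        detail
        sql             # the radacct row for this session is updated here

        #  Only Interim-Update and Stop packets carry usable octet counters.
        #  A NAS that sends no interim updates is checked only at Stop,
        #  when the session is already gone.
        if ((Acct-Status-Type == Interim-Update) || (Acct-Status-Type == Stop)) {

                #  "1" when this user's total traffic across all sessions
                #  exceeds the quota, otherwise "0".  SQL-User-Name is the
                #  escaped user name that the sql module set above.
                update control {
                        Tmp-String-0 := "%{sql:SELECT CASE WHEN COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) > 4294967296 THEN 1 ELSE 0 END FROM radacct WHERE username = '%{SQL-User-Name}'}"
                }

                #  Over quota and still online: ask the NAS to drop the
                #  session.  The "disconnect" list becomes a
                #  Disconnect-Request to the CoA server configured for this
                #  client (see originate-coa).
                if ((control:Tmp-String-0 == "1") && (Acct-Status-Type == Interim-Update)) {
                        update disconnect {
                                User-Name := "%{User-Name}"
                                Acct-Session-Id := "%{Acct-Session-Id}"
                                NAS-IP-Address := "%{NAS-IP-Address}"
                        }
                }
        }

        #  The Accounting-Request is still acknowledged as usual; the
        #  Disconnect-Request goes out separately after the response.
}
```

In `radiusd -X` the decision shows up as the expanded `%{sql:...}` result followed by the Disconnect-Request being sent, so a missing CoA server or an Access-Request-only NAS is visible in the same output.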
Re: Usage of Session-Timeout
Volker Lieder wrote:
> Within the old version, we used a database config for groups with an
> attribute "Session-Timeout" and the value `%{expr:06:00}`

Which never worked. "06:00" isn't a number. You can't just invent syntax and use it.

> With new version freeradius sends an error while looking in debug mode like:
>
> Tue Oct 1 16:15:23 2013 : Info: [sql] expand: 06:00 -> 06:00
> Tue Oct 1 16:15:23 2013 : Info: [sql] Not a number at ":00"
> Tue Oct 1 16:15:23 2013 : Info: [sql] expand: %{expr:06:00} ->
>
> Can you explain why this value isn't working with new version or what we have
> to change to set the Session-Timeout so that the user gets disconnected e.g. at 06:00
> am?

It didn't work in the old version, either. It just didn't complain.

You should use the "Expiration" attribute:

bob Cleartext-Password := "hello", Expiration := "06:00"

That should work. Or, calculate the Session-Timeout manually.

Alan DeKok.
Re: Version 3.0.0 has been released
Brian Julin wrote:
> You guys are truly obsessed. I get exhausted just reading your commit logs.
> :-)

It's what I do. I spend a fair amount of time on other things, too. But pushing FreeRADIUS ahead is a high priority.

Alan DeKok.
Re: radwho not working
Clint Petty wrote:
> Hi Alan,
>
> Well I discovered a way to display a list of all active users without having
> to implement FreeRadius accounting, which BTW is not as straightforward as
> it should be.
>
> I was able to display all active users through my StrongSwan server, with the
> simple following command:
>
> # strongswan leases
>
> FreeRadius should be so easy!

RADIUS does a LOT more than strongswan. And yes, basic RADIUS really is easy.

A large part of the difficulties are due to bad client implementations. No one wants to blame the client, so everyone blames FreeRADIUS. I've learned to deal with it, but that doesn't mean I have to like it.

Alan DeKok.
Version 3.0.0 has been released
After many years of development, the FreeRADIUS team is happy to announce Version 3 of the world's most popular server.

The release was delayed from June in order to track down and solve a number of last-minute issues. We'd like to thank all of the beta testers for helping with that process.

The release announcement is available on the web site:

http://freeradius.org/press/index.html#3.0.0

In short, it's simpler, easier to use, and better organized.

Upgrading instructions are available here:

https://github.com/FreeRADIUS/freeradius-server/blob/release_branch_3.0.0/raddb/README.rst

As this is a major version, you CANNOT just use your 2.x configuration files. Sorry, but many of the new features require changes which aren't compatible with 2.x. See the LDAP and SQL modules for new connection pools, for example.

The debug output is colorized, with yellow WARNINGS and red ERRORS. This should help people understand which messages are important and need attention.

RADIUS over TLS (RadSec) is supported. This means RADIUS has actual security, instead of the 20-year-old MD5 weirdness.

Many configuration errors are caught at startup, rather than run time. Helpful messages are printed, including a pointer to which character caused the error.

The raddb/ directory has been re-organized. The files should now be easier to find, as they use a consistent layout.

DHCP and VMPS are still supported, but their code has been moved to plug-in modules. We expect to continue this process for the 3.1 release. The goal is to move RADIUS to a plug-in module. The server will then be capable of handling many more protocols. We have a number of new protocols in development, and will be announcing them later this year.

SNMP traps are now supported. You can trigger a trap when a home server goes down, and when it comes back up again!

While supporting many new features, the code is almost 10% smaller than version 2.2. In addition, it has daily builds on multiple platforms, including automatic static source code analysis. This means that the code is smaller, more secure, and easier to maintain.

We'd like to add a special thanks to the Samba project, for the talloc library. Many of the new features were made possible by talloc. We expect more features in the future.

Alan DeKok.
FreeRADIUS Project Leader
Re: What does FR 2.2.2 fix?
a.l.m.bu...@lboro.ac.uk wrote:
> now it's monday AM and the load has gone back to higher levels
> the server is freaking out and freezing with the last message in
> the log being
>
>
> Mon Oct 7 07:50:28 2013 : Error: [event.c:2318] Internal sanity check failed

At least that's clearer. It would be nice to be able to debug the exact state for that, but the fix should be simple. I'll push something to git later today.

Alan DeKok.
Re: What does FR 2.2.2 fix?
a.l.m.bu...@lboro.ac.uk wrote:
> interesting..the culprit may have been found. put HEAD onto server this
> afternoon...
> the logs had plenty of messages but look ...
> no 'bad logs' since that restart logged.

Good. It's the problem I thought it was, but the earlier fixes weren't complete.

The odd thing is that code hadn't changed from 2.2.0. So it looks like there were two bugs. One which hid the second one. When I fixed the first one, the second one caused this issue.

> clarification/agreement from Stefan or others?

If everyone's in favor, I'll release 2.2.2 on Monday.

Alan DeKok.
Re: Cache for machine authentication
Garber, Neal wrote:
> Can someone tell me if it is possible in FR to cache in memory (for a
> short amount of time) Calling-Station-Id from successful machine
> authentications so that subsequent user authentications can test whether
> the user is connecting from an authorized device? This is a feature
> that is available with Cisco ACS version 5 (using attribute
> Was-Machine-Authenticated) that I am trying to emulate in FR.

My suggestion would be to use the "redis" module.

Cisco ACS seems to do it internally, because it's a monolithic application. FreeRADIUS is built out of pieces. We're not a database, so we recommend using one where necessary.

Alan DeKok.
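An added example of the redis-backed approach Alan suggests (not the poster's configuration nor part of the FreeRADIUS tree): a successful machine authentication stores the device's MAC with a TTL, and a later user authentication from a MAC that is not in the cache is rejected. Assumed: the `redis` module is enabled with an instance named `redis` (so `%{redis:...}` runs a Redis command), PEAP with Windows supplicants whose machine identity is `host/<fqdn>`, and a constructed validity window of 8 hours (28800 s).

```unlang
#  raddb/sites-enabled/inner-tunnel, post-auth section.
#  This runs after the inner (e.g. MSCHAPv2) authentication succeeded, so
#  User-Name is the real inner identity.  Calling-Station-Id is taken from
#  the outer request, which is where the NAS put it.
post-auth {
        #  Windows machine authentication presents the identity host/<fqdn>.
        if (User-Name =~ /^host\//i) {
                #  Machine auth succeeded: remember the device's MAC.  SETEX
                #  attaches a TTL, so the entry expires by itself; the
                #  command's reply ("OK") is just parked in Tmp-String-0.
                update control {
                        Tmp-String-0 := "%{redis:SETEX machauth:%{outer.request:Calling-Station-Id} 28800 1}"
                }
        }
        else {
                #  User authentication: accept it only from a MAC that
                #  completed machine authentication inside the window.
                #  GET on a missing or expired key expands to "", which is
                #  not "1", so the session is rejected.
                if ("%{redis:GET machauth:%{outer.request:Calling-Station-Id}}" != "1") {
                        update reply {
                                Reply-Message := "Device has not completed machine authentication"
                        }
                        reject
                }
        }
}
```

The binding is only as strong as the Calling-Station-Id the NAS reports, so the check complements, rather than replaces, the user's own credential.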
Re: What does FR 2.2.2 fix?
More debug output would help.

The last patch came from output sent by Stefan. The patch seems to help. But there's an underlying issue which is harder to debug. It looks like a Linux specific IPv6 problem. I don't see any issue with v4.

Alan DeKok.

On 2013-10-04, at 9:41 AM, a.l.m.bu...@lboro.ac.uk wrote:

> Hi
>
> early report :(
>
>
> 2.2.2 HEAD still showing:
>
> Fri Oct 4 13:20:43 2013 : Info: WARNING: Child is hung for request 3767589
> in component module .
> Fri Oct 4 13:20:45 2013 : Info: WARNING: Child is hung for request 3767589
> in component module .
> Fri Oct 4 13:20:47 2013 : Info: WARNING: Child is hung for request 3767589
> in component module .
> Fri Oct 4 13:20:51 2013 : Info: WARNING: Child is hung for request 3767589
> in component module .
> Fri Oct 4 13:20:52 2013 : Info: WARNING: Child is hung for request 3766906
> in component module .
> Fri Oct 4 13:20:56 2013 : Info: WARNING: Child is hung for request 3767589
> in component module .
> Fri Oct 4 13:21:03 2013 : Info: WARNING: Child is hung for request 3767589
> in component module .
> Fri Oct 4 13:21:15 2013 : Info: WARNING: Child is hung for request 3767589
> in component module .
> Fri Oct 4 13:21:17 2013 : Info: WARNING: Child is hung for request 3766906
> in component module .
> Fri Oct 4 13:21:32 2013 : Info: WARNING: Child is hung for request 3767589
> in component module .
> Fri Oct 4 13:21:57 2013 : Info: WARNING: Child is hung for request 3767589
> in component module .
> Fri Oct 4 13:27:32 2013 : Info: WARNING: Child is hung for request 3797280
> in component module .
> Fri Oct 4 13:27:40 2013 : Info: WARNING: Child is hung for request 3797280
> in component module .
> Fri Oct 4 13:27:51 2013 : Info: WARNING: Child is hung for request 3797280
> in component module .
>
> alan
Re: assign vlan per group or per user
Jean Carlos Coelho wrote:
> I need to configure one radius server with ldap integration and dynamic
> vlan assign per user or group, didn't find any documentation about this
> procedures, someone knows any url about this?

See the NAS documentation for which attributes it expects in an Access-Accept. Then, put those attributes into the reply.

In the "users" file, you can do:

bob Cleartext-Password := "password"
    vlan attributes = ...

Alan DeKok.
Re: radwho not working
Clint Petty wrote:
> I am not blaming, I am just wanting to get the radwho command to work.

That is *entirely* the wrong attitude. There is no "just get it to work". There *are* multiple pieces involved, each of which has to be verified.

I'm trying to convince you to use a methodical approach. If you read "man radwho", you'll see it uses accounting packets. That should indicate that you'll need to enable accounting. But you didn't do that.

You were told to run the server in debugging mode, and you did once... but not the next time.

The less you do yourself, and the more difficult you make it to help you, the less we're inclined to help. *THAT* is the goal of many of my responses.

> I have now turned on accounting info to be sent from the StrongSwan server
> to the FreeRadius server. For I can see the accounting info in
> /var/log/radius/radacct//detail-20131003 file.

Which isn't the radutmp file, is it? Again, "man radwho" says it reads the radutmp file.

Again, your process should be something like this:

- "man radwho" says it needs the radutmp file.
- is the radutmp module enabled?
- if enabled, is it doing anything?
- where is the file?
- is it being modified?

> However I am still getting the same results with the radwho command, showing
> just the titles, with no connections?

Your other message indicates that the module is being used, and is returning "ok". Does the "radwho" command print anything after the "radutmp" module returns "ok"? It should.

Alan DeKok.
Version 2.2.2
I've pushed a fix for the proxy issue into the v2.x.x branch. If people can test it, that would be appreciated.

We'll then release 2.2.2 and 3.0.0 on Monday.

Alan DeKok.
Re: radwho not working
Clint Petty wrote:
> Below is the results from radiusd -X (debug mode), while logging in:
>
> rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79,
> length=138

The radwho file logs *accounting* packets. That is an *authentication* packet.

You're blaming FreeRADIUS because the NAS never sends an Accounting-Request. Go fix the NAS.

Alan DeKok.
Re: How to deny access to Switch Cisco by Group
Usuário do Sistema wrote:
> how to deny access by group? if user is member of the group it's able to
> login, otherwise the user is denied

See the FAQ. Put this at the top of the "users" file:

DEFAULT LDAP-Group != "allowed", Auth-Type := Reject

Alan DeKok.
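An added "users" file that combines the group gate from this reply with the VLAN reply attributes from the "assign vlan per group or per user" reply above; it is not either poster's configuration nor a file shipped with FreeRADIUS. Assumed: the `ldap` module is instantiated and listed before `files` in `authorize` (so the `LDAP-Group` check works against the user's DN), a NAS that takes the three RFC 2868 tunnel attributes, and constructed group names and VLAN IDs.

```text
#  raddb/users (2.x) or raddb/mods-config/files/authorize (3.0).
#  Entries are tried in order; after the first match, processing stops
#  unless that entry sets Fall-Through = Yes, so the ordering below is
#  the policy.

#  1. Gate: anyone who is not in the LDAP group "allowed" matches this
#     entry, and Auth-Type := Reject short-circuits authentication.
#     Members of "allowed" fall past it to the entries below.
DEFAULT LDAP-Group != "allowed", Auth-Type := Reject
        Reply-Message = "Not authorized for this network"

#  2. Per-user VLAN: a named entry matches on User-Name and wins over
#     the group entries that follow it.
bob     LDAP-Group == "allowed"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"

#  3. Per-group VLANs for everyone else.  A user in both groups gets the
#     first matching entry, so put the more privileged group first.
DEFAULT LDAP-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

DEFAULT LDAP-Group == "guests"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"
```

A user in "allowed" but in neither VLAN group matches no reply entry and gets an Access-Accept without a VLAN, so decide whether the switch's default VLAN is acceptable for that case or add a final catch-all DEFAULT entry.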
Re: control flow in FreeRADIUS authorize section
Bruce Bauman wrote:
> We want to stop executing the in the first two
> cases ("infected" and "tempsus"), effectively doing something like a return.

There is a "return" code. See doc/configurable_failover.rst:

ok {
        ok = return
}

That may work. The issue is that there's really no multi-level "stop" or "break". i.e. "stop doing ANYTHING, no matter how deeply nested you are in the conditions." The unlang code isn't really meant to do that, sorry.

> I've read the documentation a hundred times and can't figure out how to
> do what I want - everything I've tried doesn't work.
>
> If someone could give me a simple hint to point me in the right
> direction it would be greatly appreciated.

A simple thing:

update control {
        Tmp-String-0 := "stop"
}

...

if (Tmp-String-0 != "stop") {
}

That should work. Ugly, but functional.

Alan DeKok.
Re: lifetime of dynamic clients
st...@comitcon.be wrote:
> It is fairly clear that the experts claim they have the knowledge, but
> are guarding it.

Ah, yes. That's why I've written tons of documentation for the server, and have answered questions daily for 15 years. I'm trying to hide RADIUS knowledge.

> I am secondly not lecturing you on how to use Radius,

Nonsense. You lectured me on the use-case for rlm_raw.

> but you are "expert"
> are neither teaching me, by referring me to files I have read multiple
> times.

Well, you didn't say that. If you don't say what you're doing, it's a form of lying.

> For the record
> The IP address of a client is added using dynamic. I have set the lifetime
> to 60 (and the file states seconds), but it is not removed after 1 minute
> or even more. show client list in radmin also keeps showing it.

Well, it works for me. Did you try sending another packet after 60 seconds? What happened?

> So you admit you are frustrated? With all best respect, I love people
> being helpful, willing to test and try out. But if the immediate response
> is "not recommended", well don't bother responding because people might
> have proper reasons for using it this way.

I see. You're not a RADIUS expert, so you ask a question. When a RADIUS expert answers you, you disagree, and think they're wrong. And you say *I* am unhelpful?

> Learn to adjust to the needs of the real world. This is not a student pet
> thing here. I am merely walking the boundaries of what the system is
> doing. You know, I could make the system check in using perl/php and
> update the IP address as I am using SQL as a backend. Same deal. But no, I
> don't see a purpose on a security level on doing it with rlm_raw / dynamic
> clients etc...

That's why you're not a RADIUS expert, and I am.

> You know, I just needed to find out if the lifetime 60 will work because I
> don't see it. The changelog of FR actually states at a certain revision it
> was defaulted to 1 hour in case of lacking. Maybe there is a minimum?

I just checked. There isn't.

> an expert who refuses to set up a system

Where the HELL did you get that idea from? And what kind of entitlement do you have? I'm supposed to do things for free to check that you've likely misconfigured things? Are you paying me? Do you even know how open source works?

> (might not even be in real life,
> but a matter as experimenting?) Sorry from an expert I expect at least the
> full reasons (or links) to the security issues which are claimed. Secondly
> an expert would give me the response to the simple question.

I expect that I can have technical discussions without people getting upset when I tell them they're wrong. That's what makes me an expert, and makes you banned from the list.

I'm willing to learn from others. You're not.

> Now this you can call rude. I was being polite in the previous mails.

Refusing to follow instructions is rude. Complaining when I tell you you're wrong is rude. Refusing to learn is rude.

Goodbye.

Alan DeKok.
Re: how to change the radius default "testing123" password
Clint Petty wrote:
> Hi Alan,
>
> Thanks for your reply. However, I have already changed the instances of the
> password "testing123" in the following files:
>
> StrongSwan:/etc/strongswan/strongswan.conf

That's good.

> Radius:/etc/raddb/proxy.conf

That's not good. The secret there is for home servers, not clients. I suggest changing it back.

> Radius:/etc/raddb/sites-available/dynamic-clients
> Radius:/etc/raddb/sites-available/originate-coa
> Radius:/etc/raddb/sites-available/robust-proxy-accounting

That's not good. Those files are NOT used by the running server. I suggest changing it back.

> Radius:/etc/raddb/clients.conf

That's good.

> After restarting the strongswan and radiusd service, I was not able to
> authenticate to my LDAP server, and had to change the entries back to
> "testing123"? What am I missing here?

Well, it should work. What does the debug output say? That should tell you *exactly* what's going on.

Alan DeKok.
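An added example tying together this thread and the "radwho not working" threads above (it is not the poster's files): the only two places where the shared secret between strongSwan and FreeRADIUS has to agree, plus the strongSwan setting that makes it send the Accounting-Request packets radwho depends on. Assumed: constructed addresses, a placeholder secret, and strongSwan's `eap-radius` plugin with its single-server keys.

```text
#  /etc/raddb/clients.conf on the FreeRADIUS host (constructed values).
#  This is the ONLY FreeRADIUS file whose secret has to match the VPN
#  gateway.  proxy.conf secrets are for home servers, and files under
#  sites-available are not read unless linked into sites-enabled.
client strongswan-gw {
        ipaddr    = 192.0.2.10        # address the gateway sends from
        secret    = REPLACE-WITH-LONG-RANDOM-SECRET   # e.g. openssl rand -base64 24
        shortname = vpn-gw
}

#  /etc/strongswan/strongswan.conf on the gateway.  The secret must be
#  byte-for-byte identical to the one above.  accounting = yes makes
#  charon send Accounting-Request packets; without them the radutmp
#  module never writes a session and radwho shows only its headings.
charon {
        plugins {
                eap-radius {
                        server     = 192.0.2.20          # the FreeRADIUS host
                        secret     = REPLACE-WITH-LONG-RANDOM-SECRET
                        accounting = yes
                }
        }
}
```

A mismatched secret shows up in `radiusd -X` as a Message-Authenticator or "Received packet ... with invalid Message-Authenticator" failure rather than as an LDAP problem, which is the first thing to check when the change "breaks LDAP".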
Re: Digest Authentication with a Cisco device
Philip Walenta wrote: > I'm trying to do what might be an odd configuration. > > I'm attempting to digest auth users without caring about their > "User-name" attribute. That should work. > So in other words I want to auth on the "Digest-User-Name = "testuser"" > that comes in as part of the Digest-Attributes and a password. You should be able to do that. > So in the users file I have "DEFAULT Cleartext-password := > "password"" That will allow ANY user to authenticate using ANY authentication method, and with that password. > I created a partial digest file but it appears to be ignored on every test: > Digest-User-Name = "testuser" > Digest-Algorithm = "MD5" > Digest-QOP = "auth" I don't know what that means. What file is this? Why did you create it? What's reading it? > In the debug I see: > [digest] A1 = testuser:sp.eng:passwod > > I can change to username to anything I want and as long as the password > is correct the user will auth. That seems to be doing what you want. > Am I attempting something impossible or doing it incorrectly? I'm not entirely sure what you're doing, so I can't really answer that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
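What the `[digest] A1 = testuser:sp.eng:passwod` debug line means, and why the RADIUS User-Name can be anything: rlm_digest recomputes the RFC 2617 response from the Digest-* attributes and the known cleartext password, and only Digest-User-Name enters that calculation. The following is an added example, not code from the thread or from FreeRADIUS. Attribute names follow the poster's dictionary (Digest-User-Name, Digest-Realm, ...), the first request is constructed to match the poster's debug line, and the second is the published test vector from RFC 2617 section 3.5.

```python
import hashlib
import hmac


def md5hex(s: str) -> str:
    # RFC 2617 hashes the ASCII strings and uses lowercase hex
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def digest_a1(attrs: dict, password: str) -> str:
    """A1 exactly as rlm_digest prints it: Digest-User-Name:realm:password
    (algorithm MD5), or the MD5-sess form that also binds nonce and cnonce."""
    a1 = f"{attrs['Digest-User-Name']}:{attrs['Digest-Realm']}:{password}"
    if attrs.get("Digest-Algorithm", "MD5").upper() == "MD5-SESS":
        a1 = f"{md5hex(a1)}:{attrs['Digest-Nonce']}:{attrs['Digest-CNonce']}"
    return a1


def digest_response(attrs: dict, password: str) -> str:
    """Client-side calculation (RFC 2617 3.2.2.1). A server that knows the
    cleartext password repeats it and compares with Digest-Response."""
    a1 = digest_a1(attrs, password)
    a2 = f"{attrs['Digest-Method']}:{attrs['Digest-URI']}"
    qop = attrs.get("Digest-QOP")
    if qop:
        unhashed = ":".join([md5hex(a1), attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                             attrs["Digest-CNonce"], qop, md5hex(a2)])
    else:  # RFC 2069 compatibility form: no qop, nc or cnonce
        unhashed = ":".join([md5hex(a1), attrs["Digest-Nonce"], md5hex(a2)])
    return md5hex(unhashed)


def verify_digest(attrs: dict, password: str) -> bool:
    """Server check. Note what is NOT an input: the RADIUS User-Name.
    Only Digest-User-Name (carried inside Digest-Attributes) enters A1,
    which is why the poster could rename the user freely."""
    expected = digest_response(attrs, password)
    return hmac.compare_digest(expected, attrs["Digest-Response"].lower())


# Constructed request modelled on the poster's debug output (realm sp.eng,
# Digest-User-Name testuser). Digest-Response is produced by the same
# client-side function a real device would use.
POSTED_REQUEST = {
    "User-Name": "anything-goes",          # ignored by rlm_digest
    "Digest-User-Name": "testuser",
    "Digest-Realm": "sp.eng",
    "Digest-Nonce": "1a2b3c4d5e6f",
    "Digest-Method": "INVITE",
    "Digest-URI": "sip:sp.eng",
    "Digest-QOP": "auth",
    "Digest-Nonce-Count": "00000001",
    "Digest-CNonce": "0123456789abcdef",
    "Digest-Algorithm": "MD5",
}
POSTED_REQUEST["Digest-Response"] = digest_response(POSTED_REQUEST, "passwod")

# RFC 2617 section 3.5 example, used to show the arithmetic is right.
RFC2617_EXAMPLE = {
    "Digest-User-Name": "Mufasa",
    "Digest-Realm": "testrealm@host.com",
    "Digest-Nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "Digest-Method": "GET",
    "Digest-URI": "/dir/index.html",
    "Digest-QOP": "auth",
    "Digest-Nonce-Count": "00000001",
    "Digest-CNonce": "0a4f113b",
    "Digest-Response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print("A1 =", digest_a1(POSTED_REQUEST, "passwod"))
    print("posted request verifies:", verify_digest(POSTED_REQUEST, "passwod"))
    print("RFC 2617 vector verifies:", verify_digest(RFC2617_EXAMPLE, "Circle Of Life"))
```

The practical consequence for the poster's `DEFAULT Cleartext-Password := "password"` entry is visible in `verify_digest`: the check passes for any Digest-User-Name as long as the device used that one password, so the users file entry should key on `Digest-User-Name` rather than `DEFAULT` if individual accounts are wanted.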
Re: lifetime of dynamic clients
st...@comitcon.be wrote:
> first of all thank you for replying although I must sense quite some hostility in your replies. On the other hand, I have read previous emails coming from your end and this appears to be the way you respond.

Perhaps you could read the *content* of my messages, instead of inventing some emotional projection.

> Secondly I have read the documentation, but RTFM still appears to be the common way of responding (even after using Linux for over 15 years).

So you read the documentation saying that clients are defined by IP addresses, and then asked whether or not clients are defined by NAS or by user. Did you (a) NOT read the documentation, or (b) read it and not understand it, or (c) read it, understand it, and ask a misleading question?

> Thirdly, the case below is a true real life situation, which does not only occur for me, but also for others. Even though the module is not officially supported (maybe for the reasons there are) it is in today's world. You can decide, be a Bernstein (like qmail) or adapt to a real life situation. (Btw, if this was such uncommon, how come I find as many questions on it as there are. If YFI is actually supporting this, there must be a need. Even if it is not meant like that.)

People do all kinds of crazy things. That doesn't mean those things are a good idea. It's fairly conceited for you, a non-expert, to lecture me about RADIUS.

> Fourthly, the issue I have has nothing to do with the whole running of rlm_raw or any alike. Authentication works fine and as expected.

I'm not really clear on the issue you're having, because your statements are contradictory. Am I allowed to get frustrated at that?

> And yes I have read the statements on caching, what is used and even the disclaimer that only the src ip is supported. So don't become patronising that I didn't.

Learn how to deal with people telling you you're wrong. It's a skill many adults have.
> I also scrobbled google for quite some time and I have read the debug more than you can think. But guess what? If the only output after authentication is
>   adding client xxx.xxx.xxx.xxx with shared secret
> it does not state
> a) lifetime
> b) anything else useful.

It shows the IP of the client. It does NOT say "adding client keyed by Called-Station-Id". See? The debug output says what it means, and means what it says. Because you're unwilling to take it at face value, you think it's useless. That says more about you than anything else.

> Now I am running radmin show client list and see the IP appear. I am now testing when it disappears.
>
> Please refrain from responding if it will only be a load of 'you did not do this or that', while you have no clue on what I read or already have done.

You have no business making that demand. See the last paragraph of this message for my response. You asked a question and you got told an answer. When you made mistakes, they were pointed out. We CANNOT help you if your questions are unclear, or if your statements are contradictory. You have NO BUSINESS getting offended when people try to help you.

> If the response is coming to the basic question "how can I check the lifetime of a dynamic client" feel free.
>
> Elsewise, let's keep this clean for people willing to find the proper solution.

Read the documentation. Follow instructions. Don't argue with the experts. It's not hard. If you fail to follow instructions, or if you keep arguing about the instructions, or if you keep complaining when I answer your questions, you will be unsubscribed and permanently banned from this list. Such behavior is anti-social, rude, and will NOT be tolerated.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: lifetime of dynamic clients
st...@comitcon.be wrote: > For those interested: > > Information gotten from > > http://sourceforge.net/apps/trac/hotcakes/wiki/YfiTechDynamicClients > > In regards to the usage of Called_Station_Id, rlm_raw and SQL checks. Which notes that rlm_raw doesn't come with the server. The reason is simple. It's not necessary, and a security risk. There have been a number of requests to include rlm_raw, and the answer has been (and will always be) "no". There are alternatives which are more secure, and generally better. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to change the radius default "testing123" password
Clint Petty wrote: > How can I change the radius default "testing123" password? Is there a > command I need to run to do this? Edit raddb/clients.conf. Look for "testing123". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
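Why the secret in clients.conf matters more than the copies in proxy.conf or the unused sites-available files (the point of both "testing123" replies on this page): in RFC 2865 the client secret is the only thing that hides User-Password on the wire and the only thing that authenticates the server's reply. The following is an added example, not code from the thread or from FreeRADIUS; it implements the RFC 2865 packet layout, the User-Password hiding of section 5.2 and the Response Authenticator check, with a toy server and an eavesdropper. The secret, user names and passwords are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def encode_attr(atype: int, value: bytes) -> bytes:
    # RFC 2865 section 5: Type, Length (counting these two octets), Value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), the first block using the
    Request Authenticator. Anyone holding the secret reverses it."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_user_password(blob: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: bytes,
                         password: bytes, request_auth: bytes = None) -> bytes:
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not match the shared
    secret is a forgery (or a secret mismatch) and must be dropped."""
    header, attrs = response[:4], response[HEADER_LEN:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server: uses the client's secret (what clients.conf holds) to
    recover User-Password and answers Accept or Reject."""
    if request[0] != ACCESS_REQUEST:
        raise ValueError("unexpected packet code %d on an auth port" % request[0])
    attrs = dict(parse_attrs(request[HEADER_LEN:]))
    password = reveal_user_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    username = attrs[ATTR_USER_NAME]
    ok = username in users and hmac.compare_digest(users[username], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def eavesdrop(request: bytes, guessed_secret: bytes) -> bytes:
    """What someone who captured the packet and guessed the secret gets."""
    attrs = dict(parse_attrs(request[HEADER_LEN:]))
    return reveal_user_password(attrs[ATTR_USER_PASSWORD], guessed_secret, request[4:20])
```

`eavesdrop` is the whole argument for changing the default: with the secret still `testing123`, one captured Access-Request yields the user's password, and `build_response` with the same secret yields an Access-Accept the NAS will trust. The secret for a proxied home server in proxy.conf protects a different hop and has to match the *other* server, which is why changing it there broke nothing and fixed nothing.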
Re: lifetime of dynamic clients
> 1. FreeRadius lacks the ability to actually run Nas's behind a link with a > dynamic IP. Although not recommended, this software does not support a > proper way of dealing with this. Nonsense. This is a fundamental limitation of the RADIUS protocol. If you want to use dynamic IPs, use a VPN, or TLS (RFC 6614) > This is indeed a fake. I have added this in mysql in the nas table under > the field community (described in ify /yfi setup). The connection actually > works. I can (ab)use this field as much as desired Because RADIUS depends on source IP. >> Of course. RADIUS depends on IP addresses, not on Called-Station-Id. >> This is documented in the "dynamic_clients" configuration. Right at >> the top of the virtual server. > > Yes, I have read the documentation (multiple sources, google etc...) I was > just wondering what happens when you use the raw module. It's not distributed with the server. So it's not a supported module. And no, I don't use it. And no, you haven't read the documentation. The files I mentioned *clearly* states that the dynamic clients use and cache the source IP. They say NOTHING about checking the Called-Station-Id for each packet. > Is a client defined by a NAS or a user? RADIUS clients are defined by source IP. The documentation you allegedly read makes this clear. So there's no need to ask the above question... because the documentation already answers it. > The output shows indeed when it goes through the the dynamic server > section and once it is authenticated it only runs through the default > (which is understandable) So... *nothing* else in the debug output is useful to you. I guess you've read it as carefully as you've read the documentation. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: lifetime of dynamic clients
st...@comitcon.be wrote:
> I have rebuilt freeradius on debian 7.0. I have added rlm_raw and have a working dynamic client configuration where I use Called_Station_ID to authenticate / validate that a NAS is allowed to use this radius server.

That's not a recommended configuration.

> I wait for a couple of minutes and I executed the following command of client A:
> echo "NAS-IP-Address=10.1.2.236, Called-Station-Id=00:40:96:aa:bb:cc,User-Name='testradius',User-Password='test'," | radclient -c '1' -n '3' -r '3' -t '3' -x '46.18.36.232:1812' 'auth' 'mysecret'
>
> This has a faulty Called-Station-Id in it. I would assume that it would not allow me to connect. But this appears to still work.

Of course. RADIUS depends on IP addresses, not on Called-Station-Id. This is documented in the "dynamic_clients" configuration. Right at the top of the virtual server.

> I am wondering
> - The first time the IP address of client A is added to the list of known clients
> - So the second time, it will check first in the list if the IP is known, if so it won't go checking using the process defined in dynamic clients?

That's what the documentation says.

> But no matter how long I wait, it appears that the cache is not cleared.
>
> I have added a lifetime of 60 in the dynamic client conf, so I would assume that if I wait for a minute, the IP of client A would not be known, and it would go through checking again.

That's how it works.

> Am I wrong in this? If not can I read the cache to find out why it is keeping that record?

You can use "radmin" to query the server about a client. It won't show you the lifetime of that client. But it will show you if the client still exists.

And as always, run the server in debugging mode. READ the output. It tells you exactly what's going on, and why.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
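The behaviour described in this thread, as an added model that is not FreeRADIUS code: dynamic clients are keyed by the packet's source IP and cached for the configured lifetime, so a packet from an already-known IP is accepted without the dynamic-client policy (here, a Called-Station-Id lookup) being run again, whatever attributes it carries. The NAS table, the addresses and the 60-second lifetime are constructed from the poster's description; the clock is injected so the expiry can be replayed without waiting.

```python
import time


class DynamicClientCache:
    """Clients keyed by source IP, each entry valid for `lifetime` seconds.
    `define_client(src_ip, attrs)` stands in for the dynamic-client virtual
    server and returns the shared secret, or None to refuse the client."""

    def __init__(self, define_client, lifetime, clock=time.monotonic):
        self.define_client = define_client
        self.lifetime = lifetime
        self.clock = clock
        self.clients = {}  # src_ip -> (secret, expires_at)

    def lookup(self, src_ip, attrs):
        now = self.clock()
        entry = self.clients.get(src_ip)
        if entry is not None and now < entry[1]:
            # Known IP inside the lifetime: attrs are NOT re-examined.
            return entry[0], "cached"
        if entry is not None:
            del self.clients[src_ip]          # lifetime elapsed
        secret = self.define_client(src_ip, attrs)
        if secret is None:
            return None, "rejected"
        self.clients[src_ip] = (secret, now + self.lifetime)
        return secret, "added"               # "adding client <ip> with shared secret"

    def known_clients(self):
        """Roughly what 'radmin show client list' exposes: IPs, no lifetime."""
        now = self.clock()
        return sorted(ip for ip, (_, exp) in self.clients.items() if now < exp)


# Constructed NAS table standing in for the poster's SQL lookup.
KNOWN_NAS = {"00:40:96:11:22:33": "mysecret"}


def by_called_station_id(src_ip, attrs):
    return KNOWN_NAS.get(attrs.get("Called-Station-Id"))


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def replay_poster_test():
    """Good Called-Station-Id, then a bogus one from the same IP inside the
    lifetime, then the bogus one after expiry, then a good one again."""
    clock = FakeClock()
    cache = DynamicClientCache(by_called_station_id, lifetime=60, clock=clock)
    src, good, bogus = "10.1.2.236", "00:40:96:11:22:33", "00:40:96:aa:bb:cc"
    results = []
    results.append(cache.lookup(src, {"Called-Station-Id": good})[1])
    clock.t = 10
    results.append(cache.lookup(src, {"Called-Station-Id": bogus})[1])
    clock.t = 70
    results.append(cache.lookup(src, {"Called-Station-Id": bogus})[1])
    results.append(cache.lookup(src, {"Called-Station-Id": good})[1])
    known_at_70 = cache.known_clients()
    clock.t = 140
    known_at_140 = cache.known_clients()
    return results, known_at_70, known_at_140


if __name__ == "__main__":
    print(replay_poster_test())
```

The second step is exactly the poster's "faulty Called-Station-Id still works" observation, and the fourth shows why the cache looked as if it never cleared: the next valid packet re-adds the IP before anyone looks. The security point is the one made elsewhere in this thread: over plain UDP the source IP is the only identity the protocol has, and anything sharing it (a NAT, or a spoofed packet) inherits the cached client for the whole lifetime, so a per-packet check of an attribute inside the packet buys nothing that a VPN or RADIUS over TLS (RFC 6614) does not do properly.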
Re: HTTP; JMS Access
George Innocent wrote:
> I seek your support and advice to resolve this incident relating to the Radius server used for authentication.
>
> There is a user created on the Radius that is used by Netcool for the synch with the SAM server.
>
> The user authenticates successfully but there is failure of connection on the JMS and http with the error message below when RADIUS is used.

That error has nothing to do with FreeRADIUS. See the documentation for the other software. It should tell you how to use it with RADIUS.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Active Directory Group Membership filtering query
Simon Grierson wrote:
> Authentication via Active Directory, but with access granted depending on AD Group membership.

That should be possible.

> EG: User A is allowed Wifi access, as they are in Wifi-Users group
>
> User B is not as they do not have membership of this group.

That's easy.

> So we have the Freeradius server up and running, and it can authenticate against AD fine, but I can't figure out the group filtering portion of the setup.

The FAQ has examples. The configuration files have many references to "ldap", with comments describing what it does.

> The documentation points to configuring the modules/ldap file to point to our LDAP server (I.E. our AD server), and to configure the /users file with the following line
>
> DEFAULT Ldap-Group == "CN=sec-eduroam-users,OU=Access,OU=SecurityGroups,OU=Groups,DC=testres,DC=org"
>
> DEFAULT Auth-Type = Reject

The default *is* to reject the user, but that may work.

> When I run freeradius in debug mode, we get all the usual output but no ldap modules mentioned

Is it a secret? The FAQ, "man" page, web pages, and daily messages on this list say to post the debug output. It's the ONLY way to solve the problem.

> It does include modules/ldap but little else.

Which is probably fine.

> FYI I have built this 3 times,

Well, then you did it wrong 3 times.

> What I can't get is LDAP to work through free radius.
>
> Am I doing something wrong, is there a better way to do this?

Post the debug output as suggested in the FAQ, "man" page, web pages, and daily on this list.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
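The two pieces this exchange points at, written out as an added example (this is neither the poster's configuration nor the stock FreeRADIUS files): the ldap module has to be listed in the authorize section, otherwise it is never instantiated and "[ldap]" never appears in the -X output, and the users file has to admit members and reject everyone else. The group DN is the one from the post; the file paths, the Reply-Message text and the note about the inner tunnel are assumptions.

```conf
# raddb/sites-available/default, and raddb/sites-available/inner-tunnel
# as well for PEAP/TTLS, since the inner identity is what gets group-checked
authorize {
        preprocess
        ...
        ldap          # uncommented: listed here, or "[ldap]" never shows
                      # up in the debug output
        ...
        files
        ...
}

# raddb/users -- first matching entry wins and there is no Fall-Through,
# so group members stop at the first DEFAULT and never reach the reject.
DEFAULT Ldap-Group == "CN=sec-eduroam-users,OU=Access,OU=SecurityGroups,OU=Groups,DC=testres,DC=org"

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of the WiFi users group"
```

The operator on the second entry matters: with `Auth-Type = Reject` (as in the post) the check item only takes effect when no Auth-Type has been set yet, and eap or mschap normally set one earlier in authorize; `:=` overrides it. The Ldap-Group comparison performs its own group search, so it does not depend on the ldap module having already run before files.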
Re: No EAP session matching the State variable (and other various messages)
John Douglass wrote: > Any one have any similar battle scars that I can learn from (server > performance tweaks, optimizations, etc?). I've optimized as best I can > the SQL component. This all seems related to the samba/winbind/ntlm_auth. FreeRADIUS is dependent on other systems. So if Samba or AD block for 30 seconds, so does FreeRADIUS. In many cases, these errors are the result of something *else* going wrong. FreeRADIUS is complaining, because it noticed the problem, and told you. But there's nothing wrong with FreeRADIUS. You've got to fix the *other* problem to correct the issue. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-PEAP GTC vs MSCHAPv2
Don wrote: > Nothing secret, as I said I tried both configuration (one at a time) > inside "gtc" sub-section of eap.conf. That's a problem. NOTHING in the documentation or examples says to do that. LOTS of documentation and examples give the CORRECT way to use ntlm_auth. > I did that, but that didn't work. See the FAQ for "it doesn't work" > Perhaps I didn't configure the > ntlm_auth module though there is modules/ntlm_auth created when I > configured EAP-MSCHAPv2 with ntlm_auth. Perhaps you could try following the examples on deployingradius.com, or the examples distributed with the server. > My understanding about RADIUS is that client sends AccessRequest and > wait for either: AccessReject, AccessAccept, or AccessChallenge. If it > gets AccessChallenge and later gets another AccessChallenge again, it > will response, until it gets AccessAccept or AccessReject. The client > that I am using is NetMotion Mobility XE. Which is all useless and irrelevant. I asked about the EAP-GTC spec, not RADIUS. > Thank you once again for your response. Apologize if I am wasting your > time, not my intention. If you ask questions on this list, you need to follow the instructions we give. Doing anything else is rude. You've been very careful to say as little as possible about what you're doing. You've also been careful to NOT follow the documentation or examples. That explains why you're having issues making it work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-PEAP GTC vs MSCHAPv2
Don wrote:
> I tried one of these inside "gtc" sub-section of eap.conf, that don't seem to work:
> auth_type = ntlm_auth

Setting that *should* be one step of a working configuration.

> or
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"

Set where? You have been *very* vague about what you're doing. Is it a secret?

> Though I haven't tried replacing User-Password with Cleartext-Password.

Don't do that. Trying random things is *always* a bad idea.

> Do I have to place this under "gtc" sub-section inside inner-eap?

No. You have to configure the ntlm_auth module, and the ntlm_auth sub-section of the "authenticate" section. All of that is documented in the deployingradius.com page.

> See my comment earlier. Did I place the configuration at the right sub-section?

I have no idea. You've been careful to say as little as possible, in a manner which is as confusing as possible.

> Yes, I saw the ntlm_auth configuration under modules/mschap and modules/ntlm_auth. As stated in my first email, I am able to configure freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will work as well.

It WILL work. Just set "auth_type = ntlm_auth" in the gtc configuration. As I said.

> As I mentioned earlier, I tried both auth_type = ntlm_auth and ntlm_auth = "/usr/bin/ntlm_auth ..." command execution, but that don't work.

So... rather than following instructions, you're trying random things. How about running it in debugging mode, as suggested in the FAQ, "man" page, web pages, and daily on this list? The reason we recommend it is that IT WORKS. If you're trying random nonsense, you're wasting your time, and ours.

> The reason I am asking the question of multiple challenges because I am currently evaluating another vendor solution for multi-factor authentication thru EAP-PEAP/TLS with EAP-GTC and the solution prompts 2 additional inputs during authentication. Here is the link: https://www.duosecurity.com/docs/netmotion. I thought if they can do it, freeRadius can do it as well.

The issue is the EAP-GTC specification, and the clients. Last I recall, it didn't support multiple challenge-responses. If it does, then it's possible to upgrade FreeRADIUS to do it.

As always,
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-PEAP GTC vs MSCHAPv2
Don wrote: > That said, if EAP-GTC can be used along with ntlm_auth how do I > configure it to make that work? Read the "gtc" sub-section of eap.conf. It tells you how to make EAP-GTC use a particular authentication method. > I tried to execute ntlm_auth passing > --password=%{User-Password}, but that didn't work as User-Password is > empty. You tried *where*? That matters. > It says in eap.conf that GTC challenges the user with text and > the response from the user is taken to be the User-Password. Perhaps I > am executing ntlm_auth too early before GTC Password challenge is sent > out and received the response. > > My questions are: > 1. How can I configure freeRadius so GTC will work with ntlm_auth? a) configure ntlm_auth as per the deployingradius.com docs, and the examples in the config files b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc configuration. > 2. Is it possible to send subsequent GTC challenge in addition to > default Password challenge? If possible, how do I configure the > subsequent GTC challenge? No. EAP-GTC is only challenge-response. It doesn't do multiple challenges. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
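The three pieces the replies in this thread describe, as an added example (not the poster's files and not the stock FreeRADIUS configuration; the ntlm_auth path, the domain name and the inner-tunnel placement are assumptions). The chain is: eap.conf tells the EAP-GTC method which Auth-Type receives the tunnelled password, the authenticate section maps that Auth-Type to an exec module instance, and that instance runs Samba's ntlm_auth against the domain.

```conf
# raddb/modules/ntlm_auth -- an "exec" module instance named ntlm_auth.
# %{mschap:User-Name} strips DOMAIN\ or @realm decoration. User-Password
# is available in cleartext only because EAP-GTC delivers it inside the
# PEAP tunnel; that is what makes GTC (unlike MSCHAPv2) usable this way.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-available/inner-tunnel -- the inner EAP method runs in this
# virtual server, so this is the authenticate section that has to know the
# Auth-Type. Listing the bare module name defines "Auth-Type ntlm_auth".
authenticate {
        ...
        ntlm_auth
        ...
        eap
}

# raddb/eap.conf -- nothing about ntlm_auth goes here except its name.
eap {
        default_eap_type = peap
        ...
        gtc {
                # "PAP" is the default; hand the password to the Auth-Type above
                auth_type = ntlm_auth
        }
        peap {
                default_eap_type = gtc
                ...
        }
}
```

Nothing in the gtc sub-section takes a command line: a `ntlm_auth = "..."` line there is simply not a recognised option. The test is the same as for the PAP case on deployingradius.com: run `radiusd -X`, and the debug output shows the exec module being called with the expanded user name and the exit status of ntlm_auth.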
Re: pap always returns noop for windows dialup authentication [solved]
paul trader wrote:
> hi alan - well, i did both. at first the $INCLUDE was put at the bottom of the users file, and there was 1 entry in the included file, at line 1.

Why do you have a $INCLUDE? You did NOT mention it in your other posts. The help here presumes that you accurately describe what you're doing. If you're not doing that, the help will be unhelpful.

> i removed the $INCLUDE statement and put the username/password entry directly in the users file, but it was at the bottom where the $INCLUDE was removed from.

So when you were told to put the entry on line 1, you instead put it on the bottom of the file?

> either way the linux clients could authenticate but not the windows ones. only after i tried moving the entry directly under the 'steve' example did it start working, so i moved the $INCLUDE statement there too.

That makes absolutely no sense. Given your other mis-statements, I think you're wrong here, too. When you follow the documentation and instructions here, it WILL WORK. Doing random other things will make it NOT WORK. I have no idea what you're doing, or what you changed to make it work. And likely neither do you.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: message freeradius
María Teresa Mondragón Reyes wrote:
> I followed the instructions to configure freeradius plus remote mysql server and when put in debug mode freeradius -f -X i get this message.

You don't need "-f -X". Just "-X" is good enough.

> rad_recv: Accounting-Request packet from host 192.168.4.224 port 32769, id=157, length=285
> Invalid packet code 4 sent to a proxy port from home server 192.168.4.224 port 32769 - ID 157 : IGNORED
> Ready to process requests.

Home servers are supposed to send Accounting-Response, not Accounting-Request. You may have configured the client to send packets to the wrong port.

> I'm getting the connection, there is no problem, my user is reaching a ip from the private network 192.168.6.xxx and can access to internet.

That is completely different, and not useful here.

> My freeradius server is in the same machine that shorewall, DNS and gateway... my shorewall rules

That isn't useful here. What information did you put into the client? Server IP, port, secret, etc.? You likely entered the wrong information.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Active Directory authentication question
Roberto Carna wrote:
> Dear, I'm advancing in the Freeradius + AD authentication... just a short question: when I want to make the eapol_test tool, I get this error:
>
> # make eapol_test
> /usr/bin/ld: cannot find -lnl
> collect2: error: ld returned 1 exit status
> make: *** [eapol_test] Error 1
>
> I've followed all the steps to use this tool, but I can't make it.
>
> What can be the problem ???

You do realize that eapol_test isn't part of FreeRADIUS, right? Please ask the eapol_test authors how to fix it.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pap always returns noop for windows dialup authentication [solved]
paul trader wrote: > hi phil - thanks for the advice, i figured out that placement of the > $INCLUDE statement (and user info in general) in the users file is > important for windows authentication. strangely enough, it doesn't seem > to matter for a linux dialup, though. That is a *terrible* explanation. It's wrong and misleading. It also contradicts your previous messages. You claimed you put the "users" file entry at line one of the file. But now you talk about a $INCLUDE statement. So... which is it? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pap always returns noop for windows dialup authentication
paul trader wrote: > i used a default v2 install and only changed the users and clients.conf > files. everything else was left alone. Well, there's no magic. If the "users" file entry doesn't match, it's because the User-Name isn't "test". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports
Daniel Baker wrote: > [ldap] performing search in dc=citlao,dc=local, with filter (uid=root) > [ldap] object not found > [ldap] search failed What part of that is unclear? > What can I try to fix the authentication issues so that all ports are being > successfully authenticated ? Ensure that the people logging in have accounts in ldap. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Facing Problem in Asterisk peer Authentication with Freeradius.
Husnain Taseer wrote:
> In tcpdump asterisk is not sending requests to the freeradius. Can you tell, after configuring freeradius, what configurations need to be done in asterisk?

You were told to ask this question on the asterisk mailing list. We are not asterisk, and we know nothing about it. If you're not going to follow instructions, you will have a VERY hard time solving the problem.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Expiration and EAP verification question
WorkingMan wrote: > Can you give me an example on how to always accept connection on EAP-* > authentication (it will be password based from xauth-eap from strongswan) No. EAP doesn't (and can't) work that way. > but at the same time still honour Expiration logic? I am not sure what to > do it (or what to look for). I have been trying different settings for a > week now without success. Because EAP is designed to make this impossible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PPTP and IPSEC/IKE1/2
WorkingMan wrote: > So from what I gather I can make my VPN servers pointing to different ports > (in strongswan.conf) and have freeradius's listen{} pointing to matching > ports but I can keep the same IP for the virtual servers. Yes. > Does this look correct (or at least conceptually)? My test indicates > VPN/RADIUS are talking to each other. If it works, it works. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Expiration and EAP verification question
WorkingMan wrote:
> My design is that I don't actually care about secondary authentication with RADIUS since it's already doing certificate validation from strongswan side before doing secondary authentication. All would be good if I only needed secondary authentication since I can bypass with verify_eap from strongswan side but I want to make use of the Expiration module on freeradius side (works great).

Bypassing authentication is generally a bad idea.

> I have few questions so it can help me determine next course of action:
>
> 1) is there a way to configure freeradius for Accounting only and also does the user expiration check?

No. User expiration checks are done on authentication.

> 2) is it possible for me in any way to reject expired user but accept eap based authentication (from configuration or code modification)?

Yes.

> 3) when connection is rejected does the strongswan side (xauth-eap plugin in particular) receive information that can differentiate this logic (send attribute that it can handle maybe? I have no idea how that work)?

A reject is a reject. The client usually doesn't get told *why* it was rejected.

Rather than asking vague questions, it would help to read the config files. They're documented in exhaustive detail.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PPTP and IPSEC/IKE1/2
WorkingMan wrote: > I am wondering is it possible to configure one server using a single IP to > handle PPTP/IPSEC <---> freeradius? Yes. > Does it make sense (or possible) to create > a virtual servers against PPTP and IPSEC separately? If you want. Read raddb/sites-available/README. It contains a lot of documentation on virtual servers, clients, and how they work together. > I am just wondering > what's the best practice. I don't want to increase number of hardware so > things can be segregated either. Uh... virtual servers don't require additional hardware. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: The Operation of SQL module
Mehdi Ravanbakhsh wrote: > *i can not find any detailed document on this.* doc/rlm_sql. It's on the Wiki, and distributed with the server "tar" file. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ubuntu postgresql unknown client
rich carroll wrote:
> I am having problems getting freeradius with ubuntu and postgres to work. I have set up this setup on freebsd several times successfully. I believe that it is not checking the database at all. Below is my radtest command and my debug command.

It's not using Postgresql because you haven't told it to use SQL. Notice that there's no "sql" in the debug output.

> My configs are identical to my configs on a working freebsd server.

No, they're not.

> I would be happy to share what ever ones would be helpful.

The debug output is all that's needed.

> I can uncomment the client.conf file out of the radiusd.conf and set my nas in it and get a password error. Which you would expect if it wasn't reading from accounts from the db also.

Because you didn't tell it to read user information from SQL.

> I installed freeradius-postgresql normally I would have just installed freeradius and configured it to use postgres.

Really? If you configure sql.conf, then that *isn't* enough. Read raddb/sites-available/default, and look for "sql".

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Looking for help with DHCP
Not many people know that FreeRADIUS implements DHCP. I'd like to change that. I'm therefore offering to pay for some work on the feature.

As background, the current version does DHCP, and DHCP relaying. It allocates IPs from an SQL pool. The git "master" branch has a script to import an ISC lease file into the SQL database.

We need more. I'm looking for the following:

- detailed documentation on how to get it working. Ideally a step-by-step guide, in the style of the EAP docs on http://deployingradius.com/
- the documentation should include examples of an ISC configuration, and how it maps to a FreeRADIUS configuration
- the documentation should include simple tests, and common problems to check
- it should include any new scripts, etc. necessary to get it working.
- any code / configuration will become part of the main FreeRADIUS releases
- the documentation and worked examples will get hosted on the FreeRADIUS web site, and prominently linked from the main page
- your name will go on everything
- since my company is paying for it, all copyright will belong to Network RADIUS SARL.

This is a request for *paid* work. I'm prepared to pay reasonable rates for this. And not the "$100 bounty for 6 days work" kind of nonsense, either.

Please send email to me with your proposal, background, and price. I'll pick someone in the next week, and work behind the scenes to get this done.

The hope is to crush that pesky ISC server. It's been frustrating people world-wide for years. :)

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: DHCP relaying
Nikolaos Milas wrote: > Thanks. I guess it is supported in 3.0.0 as well ? Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: DHCP relaying
Nikolaos Milas wrote:
> I would like to ask how we can direct FR dhcp server (using an ldap backend) to relay to another dhcp server.

...
update control {
        DHCP-Relay-To-IP-Address := 192.2.3.4
}
...

> The idea is that we have a db of known MAC addresses which have an associated VLAN (assigned during MAC Auth) and a static IP address (assigned through FR dhcp server). If a MAC address is unknown, we would like to be able to relay to another dhcp server which will be responsible for dynamic IP address allocation (because, as I understand, FR does not support dynamic IP address allocation) on a private IP address range, with limited access.

In 2.2.1, it can handle dynamic IP allocation. See raddb/sites-available/dhcp. Look for "pool".

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ipad ssl error in free radius
val john wrote: > Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify This means that the *other* end shut down the TLS connection. To be polite, it sent a notification that it was doing so. > Do you guys any idea what cause this issue Maybe there's something in the CA / server cert which the iPad doesn't like. Much of SSL is magic... Try it with the test certificates created by the server. If the problem doesn't happen, then the problem really is the certificates. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Active Directory authentication question
Roberto Carna wrote:
> Sorry, so I'm a bit confused...

Because you're unfamiliar with the correct terminology, and with how things really work.

To recap:

EAP-TLS uses certificates to identify users. And nothing else. No passwords, etc.

AD is a database. MySQL is a database. They store user information. They don't authenticate users.

FreeRADIUS is an authentication server. Where necessary, it pulls user information from a database. It also returns user profiles to a WiFi AP. e.g. VLAN, etc.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Active Directory authentication question
Roberto Carna wrote: > Dear, I have several Windows 7 clients over WiFi authenticating through > EAP-TLS to a Freeradius 2.1 service against a local MySQL database, it > works OK. EAP-TLS doesn't use MySQL for storing credentials. Everything is in the certificate. > Now I have to change the authentication from MySQL to a remote Active > Directory on a Windows 2012 server. FreeRADIUS is an authentication server. MySQL is not. It's a database. Using the correct terminology means it's easier to come up with a solution. Using the wrong terminology means you're lost, and you can't find a solution. > Because I don't know so much about Windows world, I need to know if I > have to use NTLM, LDAP or Kerberos in order to authenticate against > the remote AD. For MS-CHAP and PEAP, you use ntlm. You don't have any other choice. For EAP-TLS, you don't use AD or MySQL. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Version 2.2.1 has been released.
After a long wait, we have released the 2.2.1 version of FreeRADIUS. The focus of this release is stability. Minor features may be added, but the goal is to increase system stability at the cost of missing features. People interested in major new features should look at the v3 release branch. Our focus now is fixing the last few issues in v3, before making a new release. Once v3 has been released, there will be no further new development on Version 2. Bug fixes and security issues will be addressed for three (3) years after v3 has been released. The change log for v2.2.1 is as follows:

Alan DeKok
FreeRADIUS Project Leader

Feature improvements
* Updated dictionaries for alcatel, broadsoft, bskyb, dlink, meru, telkom, trapeze, proxim, zeus, rfc6677, 6911, and rfc6930.
* Added %{randstr:..} support. Creates random strings in a controllable format.
* Added operator support to rlm_python
* Added %{hex:...} for hex version of raw attribute data
* Added %{sha1:...} for SHA1 hashing of data
* Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr), and %{tobase64:...} for the printable string form (e.g. 1.2.3.4), and %{base64tohex:...} to convert a base64 string to a hex string.
* rlm_expr is now responsible for registering many of the xlat expansions. This is cleaner than bundling them all in the server core. You should ensure 'expr' is listed in instantiate to ensure correct operation of xlat expansions.
* Use correct terminology when printing errors regarding request/response/message authenticators.
* Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
* radsqlrelay does multiple INSERTs in one transaction. Patch from Uwe Meyer-Gruhl.
* Run Post-Proxy-Type Reject {} if the upstream server rejected the request.
* On startup, the server checks if it was linked with the correct OpenSSL libraries. If not, it errors out. This prevents later crashes in OpenSSL, due to library incompatibilities.
* Added radmin command "hup main.log", to re-open the log files, without HUPing any other part of the server.
* Added support for EAP-Key-Name. See raddb/sites-available/default, and look for comments mentioning EAP-Key-Name. MacSec now works.
* Added support for hex numbers (0x...) to %{expr: ...}
* Backported TLS client certificate validation from 3.0.0.
* Run Post-Auth for EAP inner-tunnel methods.
* Added more RFCs
* Added "show config" to radmin. You can now examine any configuration item in a running server.
* Added TLS-Client-Cert-X509v3-Extended-Key-Usage for TLS-based EAP methods. It is set automatically from the fields in the certificate.
* Add CRLCP attribute in certificate creation script. Windows phones require it. Patch from Alan Buxey.

Bug fixes
* Skip OCSP if there's no host / port / url, with soft_fail
* Properly decode AT_IDENTITY in EAP-SIM. Patch from Iliya Peregoudov
* Thread max_queue_size has better bounds checking.
* Use correct variable for warning message if the user misconfigures the server.
* radtest is more generous about parsing ppphint
* radeapclient now accepts -4 and -6, just like radclient. Patch from John Dennis.
* Ignore ".rpmnew" and a bunch of other files when loading config files from a directory.
* Wait for child threads before exiting. This prevents errors on exit, but may increase exit time if databases are blocked! Patch from Iliya Peregoudov.
* Wrap rbtree calls in mutexes in rlm_cache to prevent memory corruption. Patch from Phil Mayers.
* Port fix for %{3GPP-*} expansion from master branch.
* Fix sample certificate scripts when multiple client certs are made
* Track return code priorities across if/else/elsif in unlang. Closes #107
* In debug mode, print out DHCP options when sending a DHCP packet.
* Fixes to the redis modules from Brian Candler
* Print better debug message for LDAP "operations error"
* Fix a number of minor issues as found by Coverity
* Frees module config in order to prevent occasional crash on exit
* Update DHCP debugging messages to make it clearer what's going on.
* Print multiple DHCP options the correct number of times in debugging mode
* On debug builds, don't dlclose() modules when '-m' is used. This allows valgrind to show module symbols.
* Don't count Status-Server packets in Access-Request statistics
* Minor cleanups to debug output
* Be more careful handling module configurations to avoid crash on otherwise clean exit.
* For raddebug, correctly set the group of the output file.
* renamed dhclient to dhcpclient. People who install it shouldn't have their systems broken.
* for EAP-TLS methods, random_file is no longer required. OpenSSL already reads /dev/urandom.
* Fix Suse and Redhat scripts. Patches from Fajar Nugraha.
* Minor bug fix for base64 decoding.
* Allow two consecutive WiMAX TLVs of the same number.
* Remove requirement that
Re: Last call for Version 2.2.1
a.l.m.bu...@lboro.ac.uk wrote: > ..so many new features... thought 3.x was where the new features and dev work > was going into ;-) Well, yes. 2.2.1 has a lot of tiny features that are minor code changes. v3 is nearly everything re-written or updated. Those re-writes allow the addition of major new features. Oh, and v3 is *smaller* than v2, even with the new features. Not by a lot, but it's definitely smaller. That means (long term) fewer bugs, and more stability. > PS has anyone tested it with MariaDB? Wondering if it's 100% drop-in > compatible? It's 100% drop-in compatible from what I've seen. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 2.1.12 Second LDAP Server
Beliars Fire wrote: > The next step wbinfo -a user%password works too, but I'm getting > this error message: > > Could not authenticate user Username%Password with plaintext password > challenge/response password authentication succeeded > > Is this normal? How can I fix it? The response seems to work correctly. It's a Samba issue. Ask the Samba people. > In my default ntlm_auth, the option > "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}" is missing. Should I add it? Sure. It's more needed if you use multiple domains. > Actually I'm using my default uncommented ntlm_auth. So, I'm going to > test the MS-CHAP authentication request with this command: > > $ radtest -t mschap bob hello localhost 0 testing123 > > And I'm getting this error message: > > Sending Access-Request of id 251 to 127.0.0.1 port 1812 Run the server in debugging mode as suggested in the FAQ, "man" page, web pages, and daily on this list. Do NOT look at the client output. It's unimportant. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Last call for Version 2.2.1
Unless there are any objections, we'll release 2.2.1 tomorrow. The list of changes is large: https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/ChangeLog Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: static ip allocation
Petre Bandac wrote: > I have a rp-pppoe/freeradius/mysql instance running, with ip addresses > dynamically allocated from defined pools. > > I want for some users to have static ip addresses, the same ip at every > connect. > > this can be achieved by manually entering the Framed-IP-Attribute > in the radreply table ? Yes. The IP Pool module will notice there's already a Framed-IP-Address, and won't add another one. > or any other settings need to be changed ? No. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: configuration parameters for perl module in rlm_perl
Cornelius Kölbel wrote: > I would like to avoid having the perl module read an additional > configuration file. Then edit the source code to rlm_perl, and add those features. > Is there a possibility to add such parameters somewhere in the freeradius > config like in > /etc/freeradius/modules/perl and then have the perl module access these > parameters? No. Why is it a problem to read a configuration file? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 2.1.12 Second LDAP Server
Beliars Fire wrote: > -> I worked through this tutorial step-by-step. On the last two steps, I > configured Freeradius to use ntlm_auth. > This was obviously wrong, because > I want to implement LDAP servers. Please, don't think you're smarter than people with decades more experience than you. It's not polite. Follow the instructions in the web page. Why? Because they work. If you get rid of ntlm_auth, then your users won't be able to authenticate using 802.1X. > DEFAULT Auth-Type = ntlm_auth # > Change it to LDAP, right? No. Follow the web page. If you're not going to follow instructions, then there's no point in asking questions on this list. > ... # Did I need these settings in this version? No. > /etc/freeradius/sites-enabled/inner-tunnel > ... > authenticate { > ntlm_auth # Change it to LDAP, right? No. > ... > > I'm editing this file, after your post: > > /etc/freeradius/users > > DEFAULT Auth-Type = ldap No. > After changing, I'm getting this error: > /etc/freeradius/users[1]: Parse error (check) for entry DEFAULT: > Unknown value ldap for attribute Auth-Type > > So, ldap isn't possible as Auth-Type? Which one must I use? It's possible. But it won't work for you. So don't do it. > Thanks for the help! I've been working with Linux for 4 weeks, so it's hard to be > aware of all functions of Freeradius and Linux. It's dead simple. Follow the web page. It has step by step instructions for how to get it to work. The instructions are correct. Anyone who knows how to use a text editor can follow them. The point of documentation is so non-experts can get things done. If you're going to ignore the documentation, then you're on your own. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: unsubscribe
Romeo Mihalcea wrote: > unsubscribe > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Is it really that difficult? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 2.1.12 Second LDAP Server
Kevin Bigalke wrote: > I'm running a Freeradius Server 2.1.12 on a Ubuntu 13.04 VM. The login > with 802.1 works perfectly. I'm using a Windows LDAP server for the > login and want to add a second LDAP server for fail-over. I'm > following the tutorials to set up my Freeradius Server: Click > <http://deployingradius.com/>. I can't find a suitable tutorial for > adding a second LDAP server for fail-over. Which files are responsible > for the integration of a second LDAP server? raddb/modules/ldap > These are my current settings: That seems reasonable. > /etc/samba/smb.conf: Which largely doesn't matter for FreeRADIUS. > /etc/freeradius/sites-enabled/inner-tunnel: > > authenticate { > ntlm_auth So... you're not using LDAP. Let's start from the beginning. What, exactly are you trying to do? What have you done? Why did you think that would work? Be specific. In short, you *can't* do LDAP fail-over if you're using ntlm_auth. That's because ntlm_auth interacts with Samba. And you have *no* LDAP configuration in the "authorize" section. And Samba takes care of Samba-related fail-overs, so LDAP isn't necessary. It's like you're asking for flying lessons, and showing up with a bicycle. There's a bit of a disconnect somewhere. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Building FreeRadius with custom LDAP libraries
Nikolaos Milas wrote: > ldconfig -v output does not list any *ldap* libraries in /usr/lib64 > although they exist (while it lists *ldap* libs in > /usr/local/openldap/lib64), obviously because: Well... this is a local OS issue. You'll need to consult your OS documentation to figure out what's going on. We're just RADIUS people. We come close, but we don't know *everything*. :) Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius DHCP against LDAP
Nikolaos Milas wrote: > My understanding is that the term "production system" implies the > definition above. It's just a warning. If it works for you, it works. > Does the reference to "code" apply to the configuration file only > (sites-available/dhcp) or to the DHCP FreeRadius module (as I have > probably misunderstood)? "code" means "code", not "configuration files" Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius eap sim authorization to everyone
Maxim Shoustin wrote: > Can I configure to give "OK" to any sim based on provider only, like > "Orange", for example? No. The design of EAP-SIM makes that impossible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: problem with initial setup
Swenson, Chris wrote: > Hi all, I have not used radius in about 15 years and found a need recently. > I have set up the rpm on a red hat 5.6 server and when I run radius -X the > system starts fine with the expected info. You're running a VERY old version. You may need the "freeradius2" package, instead of "freeradius" Check "radiusd -v". If it's not 2.x, then remove the RPM, and install a version 2 RPM. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [ANN] Version 3.0.0-rc1
Stefan Winter wrote: > The idea is that make install is not supposed to touch my production > config in any way. I don't want it to generously add directories without > me knowing. Honestly, the simplest might be to edit Make.inc, at the top where it defines raddbdir and modconfdir:

ifeq "$(raddbdir)" ""
raddbdir = ${sysconfdir}/raddb
modconfdir = ${sysconfdir}/raddb/mods-config
endif

Then, do:

$ ./configure ...
$ make
$ make -Draddbdir=/tmp/garbage install

All of the raddbdir stuff will get installed to the /tmp/garbage directory. The binaries will be built with the correct paths, and installed in the correct locations. > It was easy to tell it to back off earlier (even easier in v2 - just mv > source/raddb/ out of the way), but now for some reason the old v3-style > mechanism doesn't work any more. Well... the build system has changed *completely*. > I guess I could create the mods-config/ dir in my production config dir > and it would make the symptom go away. > > I still found it worth reporting that some messing-around with the > config dir is going on/attempted even when the source dir is told not to > do that. Because the rules for "install to config dir" are scattered through the source, and not all in raddb. So when you nuke raddb, you don't delete all of the rules. > It's not nice if one module makes assumptions about a part of the > directory structure it doesn't control. Nothing stops me from deploying > a raddb with the configs lying in > "raddb/modules-configuration-information/ and it would be very undue if > the stock build process bails out on failure then during a subsequent > installation. Well... if you want to create a non-standard configuration, it's up to you to do the work. The default install process assumes that the installation is... a default one. The customization is done via the paths at the top of the Make.inc file. If you want to change *internal* paths, then all bets are off. My only answer is "Good luck!" Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Arran Cudbard-Bell wrote: > Can't we assume src as UTF8 for NAI (RFC4282)? Ha, ha, ha, ha . 4282 is wrong. And no one implements any of it. The MS-CHAP RFCs are silent on the subject of character encoding. The unofficial word from Microsoft is "MS-CHAP uses the local encoding". Ok... what's that? No one knows. And there's no way to find out. And UTF-8 uses up to 5 octets for a character. MS-CHAP requires no more than 2. There is *no* way to do the right thing. You can get close. Sometimes. Maybe. But doing the right thing always? Impossible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Matthias Nagel wrote: > Hi Phil, >> Probably a fairly trivial patch if you feel like it ;o) > I had a quick glance at the source code and I found two files named > "smbencrypt.c". If you give me a hint, which is the correct file to start > with, I will browse the source code from that point and see what I can do. But > probably not before next month. Please check src/modules/rlm_mschap/smbencrypt.c The main issue is that there is *no* character set information in the MS-CHAP calculations. The character set could be UTF-8, or any non-standard 16-bit encoding. So the calculation of the NT hash will depend on the character set... which is largely secret. This makes it very difficult to create the *correct* NT hash. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Get errors with radtest on ip address
Patricia Julien wrote: > - I made a change to the users file to add the testing > Cleartext-Password := "password". My hosts file indicates both lo and > the ip address for the server. I can ping the server without issues. > - After I added the line to the users file, I started radiusd -X >>debug.txt I then opened another terminal window on the same server > and performed the - radtest testing password 127.0.0.1 0 testing123. > - I received an error indicating failed to find ip address for > linux-mail.amber.net followed by nothing to do. radtest looks up the $HOSTNAME to get an IP address, which it puts into the NAS-IP-Address. If it says "failed to find IP address for host", it's because the host name doesn't have a corresponding IP address. > - I looked at clients.conf and changed the ip address from 127.0.0.1 to > my ip address and added hostname. The results remained the same so I've > reverted to original config for this. You're changing the server configuration. You need to fix your DNS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: differentiate authorization/ authentication in separate ldap modules
Hachmer, Tobias wrote: > - Rewrite DN? You can rewrite the DN. That's why it's editable, as the LDAP-UserDn attribute. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fwd: radiusclient-ng in Debian
Daniel Pocock wrote: > The FTP masters just accepted the new freeradius-client package, it > should be available to install now using "apt-get" > > I've opened a bug request for removal of the radiusclient-ng package > from the Debian archive Thanks. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: client code for long extended attributes?
Daniel Pocock wrote: > Could you please clarify that - it is possible to build a client library > from the server source tarball? Yes. RedHat already packages libfreeradius-radius as a separate RPM, IIRC. > In Debian, I see "libfreeradius2" built from the server source tarball > but that appears to be server-side library code, or is it also for > client applications? Yes. It's a fully-featured LGPL'd RADIUS library. It handles everything related to RADIUS. Sockets, encoding, decoding, dictionaries, etc. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Rlm_perl in func_authenticate
Mehdi Ravanbakhsh wrote: > I have some problem understanding the capability of rlm_perl > in authenticate ... > > if I use this: > > DEFAULT Auth-Type = Perl > Fall-Through = yes > > then all user authentication will be done with this Auth-Type? Yes. That's what you told it to do. > So what happens to the PAP, CHAP modules? They're not called. > and what is the relation of all modules in the authenticate section? Read the comments before the "authenticate" section. And doc/aaa.rst. This is documented. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_perl hashes
Mehdi Ravanbakhsh wrote: > If I remove the SQL module in default (site enabled) in any section, then > is the "%RAD_CHECK" hash still available in rlm_perl? Yes. The modules are completely independent. > In my plan I need to transfer all policy mechanism to my database > (PostgreSQL) function, but we have some limitation in xlat, so I need to > pass all value pairs from request to the SQL function and get > all reply value pairs in the function return. In this case my function > reads all check value pairs directly from the database, so I think there is no need for the > SQL module any more ... Uh, the SQL module *connects* to the SQL database. Without the SQL module, you can't access your stored procedures. > So can I transfer all SQL module tasks to a SQL function in my database? Programming. Read the Postgres documentation to see how to use its embedded language. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius DHCP against LDAP
Nikolaos Milas wrote: > Sorry, I don't know really what a "pull request" is, but googling info > makes me think it means I can submit a proposal for schema changes? If > so, I might, after I become a bit acquainted with the DHCP FreeRadius > component (and with DHCP in general). A "pull request" means submitting patches via github.com. > In the meantime, I've also found that I should be able to set an IP > Address to a host (connecting through our Cisco 2950/2960 switches) when > doing dot1x/MAB authentication (against FreeRadius), using the > "Framed-IP-Address" attribute in the reply (and I've also set > "radius-server attribute 8 include-in-access-req" as Cisco advises here: > http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html). That's only for PPP. > I tried it but the NAS doesn't seem to try to push to the authorized > host the IP Address (-yet the host had already a static IP address). > Should the host (Win Vista in this test case) specify "Obtain an IP > Address automatically"? Would this functionality work without using the > FreeRadius Server DHCP component? "Obtain an IP Address automatically" means "use DHCP". > Also, assuming that the authorized (using MAB) host has already a > (manually -or otherwise- preconfigured) static IP address, is there a > way FreeRadius can know which that is, so it can reject the host during > reauth if that IP Address is different than the one specified in the > host's LDAP entry? Only if the NAS does Accounting packets which contain the Framed-IP-Address attribute. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-Peap-MSchapv2 proxy from innertunnel
Phil Mayers wrote: > On 29/08/13 18:16, Alan DeKok wrote: > >>i.e. set "proxy_tunneled_request_as_eap = no" > > Although IIRC that *definitely* had issues in 2.1.10, right? I don't recall... that was a long time ago, and I'm trying to get 3.0 out the door. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Different groups to access services.
Luiz Alberto Avelino wrote: > There are two groups in Active Directory: CISCO and WIRELESS. > I'm using freeradius to authenticate my switches and my wireless network > with these groups. > All users in the group CISCO will authenticate on my switches > ALL users in the group WIRELESS will authenticate on my wireless base. > What is happening is that all users of the group CISCO and the group > WIRELESS are accessing both my switches and the wireless base. > How do I configure this restriction? By doing group checks. See the FAQ for examples of how to do group checks with LDAP (e.g. Active Directory). Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-Peap-MSchapv2 proxy from innertunnel
Robert Roll wrote: > If I actually look at the proxy-inner-tunnel I see the following for > post-proxy.. The post-proxy stage has NOTHING to do with the home server. If the home server rejects the request, the issue is WAY before the post-process stage. > I see that eap needs be invoked if using > > proxy_tunneled_request_as_eap = no > > Does it actually need to NOT be there for > > proxy_tunneled_request_as_eap = no No. See my reply to Phil. You need to set: proxy_tunneled_request_as_eap = no in eap.conf, peap{} subsection. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-Peap-MSchapv2 proxy from innertunnel
Phil Mayers wrote: > [peap] Got tunneled request > EAP-Message = 0x02090006031a > > 0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?) That's EAP-MSCHAP-v2. > ...which the proxy server then rejects: > > rad_recv: Access-Reject packet from host 155.97.185.76 port 1812, id=71, > length=49 > Proxy-State = 0x313232 > EAP-Message = 0x04090004 > > So the solution is simple - if you're going to proxy the inner auth, > ensure the client inner auth method and upstream proxy auth method are > mutually compatible. i.e. set "proxy_tunneled_request_as_eap = no" Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP logging
Andrej wrote: > This brings me back to my earlier question: what values are available > where, and when, > via which mechanism? This was asked and answered. I suggest reading responses to your messages. Asking what "values" are available is wrong. There are no magic "values" in the server. There are just attributes in a packet. If you want to know what attributes are available, look at the debug output. That REALLY is it. It's not hard. It's not rocket science. There's no magic. > I think I still don't fully understand how modules hang together, how > I pass information > from e.g. an EAP request into line-log, Read doc/aaa.rst You don't "pass" information into a module. The incoming packet (and associated data) is given to the module. The module then decides what to do. > sites-enabled/eap-inner-tunnel, how > I tell f_ticks (or linelog, or any other modules for that matter) > which values I'd like to work > with. Have you tried reading the debug output? It's *telling you* what it's doing. The f_ticks module is telling you what it's doing. Have you tried reading the default configuration for the "linelog" module? It has LOTS of documentation describing how it works. Ask *specific* questions about what's confusing you. > I would like f_ticks to write out a single line into syslog that > contains the inner and outer > identity of an authentication request, the station ID and MAC address. So... do you see that data in the debug output? If so, read "man unlang" for how to reference attributes. See the default "linelog" configuration for how the module works. Put the two together, and you'll have it. > Can anyone point me at a walk-through or how-to? I've now spent days > flicking from one wiki-page to > the next, and reading mailing list archives w/o finding anything that > helps me understand. There are NO examples which document exactly what you're trying to do. Most deployments are unique. Creating documentation for every possible deployment is impossible.
It sounds like you're not understanding basic concepts, and reading random web pages, looking for a magic solution. This isn't the best approach. Read doc/aaa.rst. Read "man unlang". Read the debug output. Read the default "linelog" configuration. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CISCO ASA VPN3000 dictionary
Arran Cudbard-Bell wrote: > In that list they have type 'boolean', but RADIUS can't encode attributes > smaller than a byte. > > For boolean does anyone know if they really mean a standard 32bit integer > with the values 0/1, or > if they're wanting a single byte with the values 0/1, or whether it's some > other cisco craziness? My guess is that it's a single byte. In v2.2.x, that's "byte" type. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to limit the repeating ldap lookups
Martin Kraus wrote: > I'm using TTLS+TLS. Then what are you looking up in ldap? > I can see that the eap { ok = return } automagically skips to the > authentication section but the first two access-requests in the session cause > it to return updated status so the ldap lookups are executed. > I assume there isn't much I can do about that, right? Sure. You can look at the debug output, see what's different between packets N and N+1, and use those differences to selectively run ldap. > I then have a separate problem with the inner-tunnel where the inner-eap never > returns ok in the authorization section so it keeps on doing the ldap lookups. > in the session I have it did 9 separate passes which together with the outer > tunnel is 11 ldap passes which in my case is more than 30 ldap lookups for a > single user login. Again, look at the debug output. > There are also these warnings in inner-tunnel > > WARNING: > !! > WARNING: !! EAP session for state 0xfa098d01f80a8033 did not finish! > WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility > WARNING: > !! > > but the inner tls session seems to be still progressing fine since the last > warning is right before the last access-request which results in the > access-accept for the user. Read it again. The ONLY time that message is produced is when the EAP session doesn't finish. There are likely 2-3 failed attempts before one success. If you only look at the success... > Is there something I can do about the 9 lookups in the inner-tunnel server? > I'll have a look at the rlm_cache as well but I'm just curious as to why is it > happening. Because that's what you told it to do. The server is pretty dumb that way. Again, look at the debug log to see what's happening. *WHY* are you doing LDAP lookups at all? Can you not delay them? And rlm_cache should help a lot, too. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP logging
Andrej wrote: > Cool - I'll give that a go. Is there a comprehensive list anywhere of > which kind of values > is permissible in which context? See the debug output. If it's in the debug output, you can use it. If it's not in the debug output, it doesn't exist. And you can't use it. You can always reference the outer tunnel from the inner one. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Groups in active directory and checks in MySQL
Atomikramp wrote: > I'm in a situation now where I can successfully retrieve group > membership of users in the active directory LDAP tree using rlm_ldap, > and check them against files. OK. > so if I have a user with "memberOf" attribute set to groupA > and I set in the raddb/users the following entry: > > DEFAULT Ldap-Group == "groupA", Auth-Type := Reject > Reply-Message = "Not Allowed." > > I successfully deny access to that user. That should map directly to the SQL tables. > Since I'm already using MySQL for storing accounting information I was > really interested in being able to use the same backend (mysql) also for > performing checks against groups. > > If I perform checks against usernames using the table radcheck they work > properly (users retrieved from the LDAP backend), I've tried setting a > radcheck like the following: > userA Max-Daily-Session := 7200 > > and after 2 hours the user is unable to authenticate to the NAS because > the time allowed has expired. > > > But I can't seem to be able to do the same thing with the groups. Post the debug output. And what do you have in SQL? > I've configured sites-enabled/default like this: Note that the FAQ, README, "man" pages, and web pages ALL say to post the debug output. We really don't care about the configuration. It doesn't show what happens when the server receives a request. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: User get after few minute
Sokphak TOUCH wrote:
> I have an issue with configuring radius. I have one Juniper MX80 acting as
> LNS in my lab and FreeRADIUS Version 2.1.12 installed. I can see there
> is a successful connection log in radius but after around 1 min it connects
> again and again. I have checked in MX80 but there is no significant log.
> Below is the full log in debug mode of radius during connect. Please advise.

Read your NAS documentation. The NAS is hanging up the connection, not FreeRADIUS.

You may need to add a Session-Timeout attribute to the reply. Again, read your NAS documentation to see which attributes it needs in the Access-Accept.

Alan DeKok.
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
Phil Mayers wrote:
> PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
> "bare" MSCHAP variant, because there's no spec for how to derive the
> MSCHAP challenge from the TLS master secret.

FWIW: PEAP is TLS + inner EAP. That's why there's no PAP / CHAP / MS-CHAP inside the tunnel. It *has* to be EAP.

> Microsoft could solve a lot of problems right now by providing an API to
> execute EAP-PWD with the NT-hash variant of the secret against an AD
> controller. Instead, we're all flailing around with the very best of
> early 90s crypto protecting our wireless :o(

Pretty much.

Alan DeKok.
Re: NEW NAS Password Doesn't Authenticate
mr. s wrote:
> Understood, however I am not the one who set this up or created the
> non-default configuration. Any other guidance is greatly appreciated.

Ask the people who created this configuration. We didn't create it, and we don't have access to your system to debug it.

The data is in SQL. Look at it. The password "**-User-Not-Allowed-To-Use-This-NAS-**" should explain itself. Does it suggest anything to you?

Perhaps you should look at your SQL queries and your SQL database to see what's going on.

Alan DeKok.
