Re: mod_auth_radius
On Thu, Jul 19, 2007 at 09:14:28AM -0400, Nick Owen wrote: On 7/19/07, Rascher, Markus [EMAIL PROTECTED] wrote: Hi All, is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated i guess. i get an error when starting the apache server after installing mod_auth_radius: # service httpd start Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf [FAILED] You might try mod_auth_xradius. I have done a couple of apache + radius + WiKID 2FA docs that might help: http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/ http://www.howtoforge.com/apache_radius_two_factor_authentication The latter is more recent. I tried mod_auth_xradius but found it has a major bug where it won't let you configure more than one RADIUS server. When I tried mod_auth_radius-2.0 this built OK with my server but I couldn't figure what to put in httpd.conf to make it work. Has AuthAuthoritative been replaced by AuthBasicAuthoritative? If so, does anyone know how what the httpd config for apache2 should look like? -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]
On Thu, Oct 26, 2006 at 12:22:48AM +0100, Phil Mayers wrote: B Thompson wrote: On Wed, Oct 25, 2006 at 10:57:55AM +0100, Phil Mayers wrote: B Thompson wrote: I cannot continue to use 1.1.3 as we are regularly using HUP to re-read the configs and there appears to be a problem with this in versions 1.0.1. Yes, there does. I haven't had time to gather the relevant debugging info (we just restart instead of HUP the server as a workaround) but we have several processes running on the same box. Some crash on hup, some don't. Those that do are the ones with the eap/peap modules enabled, so I am thinking it might be SSL related. What platform are you running on? We're on RHEL4, OpenSSL 0.9.7a, FreeRadius 1.1.3 Yes, Same here. Found it. Double-free at line 460 of src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c - see the email I just sent. There must be two separate issues with HUP as this has not fixed the problems we are seeing. Here is my original email about it :- http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-March/051856.html -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radiusd service hang
On Thu, Oct 26, 2006 at 12:03:37PM -0500, Karthik R wrote: Am running freeradius on a RHEL v3 box, to authenticate 802.11users against AD. All of sudden the 802.11 users cant get authenticated against AD, unless i reboot the radius service on linux box. It looks like radius service get hangs atleast weekly once for no reason, i couldnt find anything in the log file /var/log/messages. Is anyone facing this issue ? everytime when the user complain that wireless i not working, have to restart the service manually. any help would be appreciated. Which version of FreeRADIUS are you running? -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Error: ERROR: Tunnel-Password attribute in request: Cannot decrypt it.
On Tue, Oct 24, 2006 at 07:58:17PM -0400, Alan DeKok wrote: B Thompson [EMAIL PROTECTED] wrote: Looking at the timestamps it would seem that this is the packet which caused the error even though tcpdump shows no Tunnel-Password attribute was present. So, something is definitely odd here. Is there any way to verify this is the offending packet other than matching timestamps? Run the server in debugging mode? Run tcpdump for a long time, and search it's output for Tunnel-Password? The server will get many packets in the same second. Timestamps are useless... OK. I have done all these things and I still get the same result: the packet causing the error does not contain the Tunnel-Password attribute. I have upgraded to 1.1.3 and the error message has gone away so that seems to suggest that there is a problem or at least something different going on with 1.0.1? I cannot continue to use 1.1.3 as we are regularly using HUP to re-read the configs and there appears to be a problem with this in versions 1.0.1. -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HUP causes crashes [was: Error: ERROR: Tunnel-Password attribute in request]
On Wed, Oct 25, 2006 at 10:57:55AM +0100, Phil Mayers wrote: B Thompson wrote: I cannot continue to use 1.1.3 as we are regularly using HUP to re-read the configs and there appears to be a problem with this in versions 1.0.1. Yes, there does. I haven't had time to gather the relevant debugging info (we just restart instead of HUP the server as a workaround) but we have several processes running on the same box. Some crash on hup, some don't. Those that do are the ones with the eap/peap modules enabled, so I am thinking it might be SSL related. What platform are you running on? We're on RHEL4, OpenSSL 0.9.7a, FreeRadius 1.1.3 Yes, Same here. -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Error: ERROR: Tunnel-Password attribute in request: Cannot decrypt it.
Hi
We are seeing a problem with RADIUS accounting from some of our Colubris AP's.
We are getting the following errors in /var/log/radius/radius.log :-
Tue Oct 24 14:02:59 2006 : Error: ERROR: Tunnel-Password attribute in request:
Cannot decrypt it.
Could someone explain a bit more about what this means and whether it is likely
to be a problem with the NAS?
We are running FreeRADIUS 1.0.1.
Here is the tcpdump print out of the packet which caused the above message :-
14:02:59.913634 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17,
length: 323) nasphysap0.york.ac.uk.32770 nasaaa2.york.ac.uk.radius-acct: [udp
sum ok] RADIUS, length: 295
Accounting Request (4), id: 0xa7, Authenticator:
7f79db43885d7e9745205662885af3bc
Accounting Session ID Attribute (44), length: 19, Value:
94c34058-0007
0x: 3934 6333 3430 3538 2d30 3030 3030 3030
0x0010: 37
NAS Port Attribute (5), length: 6, Value: 10
0x: 000a
NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
0x: 0013
NAS ID Attribute (32), length: 12, Value: nasphysap0
0x: 6e61 7370 6879 7361 7030
NAS IP Address Attribute (4), length: 6, Value: nasphysap0.york.ac.uk
0x: 9020 c4b8
Framed MTU Attribute (12), length: 6, Value: 1496
0x: 05d8
Username Attribute (1), length: 18, Value: [EMAIL PROTECTED]
0x: 7879 3530 3640 796f 726b 2e61 632e 756b
Calling Station Attribute (31), length: 19, Value: 00:0c:f1:1b:47:7b
0x: 3030 3a30 633a 6631 3a31 623a 3437 3a37
0x0010: 62
Called Station Attribute (30), length: 19, Value: 00:03:52:dc:e5:31
0x: 3030 3a30 333a 3532 3a64 633a 6535 3a33
0x0010: 31
Accounting Status Attribute (40), length: 6, Value: Stop
0x: 0002
Accounting Session Time Attribute (46), length: 6, Value: 18 secs
0x: 0012
Accounting Input Packets Attribute (47), length: 6, Value: 30
0x: 001e
Accounting Output Packets Attribute (48), length: 6, Value: 34
0x: 0022
Accounting Input Octets Attribute (42), length: 6, Value: 2181
0x: 0885
Accounting Output Octets Attribute (43), length: 6, Value: 7541
0x: 1d75
Accounting Termination Cause Attribute (49), length: 6, Value: Lost
Carrier
0x: 0002
Accounting Delay Attribute (41), length: 6, Value: 289:15:29 hours
0x: 000f e3b1
Vendor Specific Attribute (26), length: 58, Value: Vendor: Microsoft
(311)
Vendor Attribute: 17, Length: 52, Value:
.]..D?...D7.?}v.X.xS.)/..7.).Z. .SiG...:
0x: 0137 1134 945d bea2 85ee bfde 443f
0x0010: e6c6 d544 37a6 3f7d 7608 58f1 78cb cca7
0x0020: fd53 0429 2fd8 0437 c529 845a ae20 c653
0x0030: 077f 6947 e27f e8c1
Vendor Specific Attribute (26), length: 58, Value: Vendor: Microsoft
(311)
0x: 0137 1034 9f5b 63ae ecb4 7e23 af47
0x0010: 7be9 c08b 5cbd b35f 7f8d 9b11 1a08 a52f
0x0020: b52c 09c5 f5ca 5e2c 8d53 8390 0d8f 24fb
0x0030: 3e39 1668 6858 af32
0x: 0030 4883 9880 0003 5204 635a 0800 4500 .0H.R.cZ..E.
0x0010: 0143 4000 4011 8fb5 9020 c4b8 9020 [EMAIL
PROTECTED]@.
0x0020: c4fb 8002 0715 012f 922a 04a7 0127 7f79 .../.*...'.y
0x0030: db43 885d 7e97 4520 5662 885a f3bc 2c13 .C.]~.E.Vb.Z..,.
0x0040: 3934 6333 3430 3538 2d30 3030 3030 3030 94c34058-000
0x0050: 3705 0600 0a3d 0600 1320 0c6e 7..=...n
0x0060: 6173 7068 7973 6170 3004 0690 20c4 b80c asphysap0...
0x0070: 0600 0005 d801 1278 7935 3036 4079 6f72 [EMAIL PROTECTED]
0x0080: 6b2e 6163 2e75 6b1f 1330 303a 3063 3a66 k.ac.uk..00:0c:f
0x0090: 313a 3162 3a34 373a 3762 1e13 3030 3a30 1:1b:47:7b..00:0
0x00a0: 333a 3532 3a64 633a 6535 3a33 3128 0600 3:52:dc:e5:31(..
0x00b0: 022e 0600 122f 0600 1e30 ./.0
0x00c0: 0600 222a 0600 0008 852b 0600 001d *.+
0x00d0: 7531 0600 0229 0600 0fe3 b11a 3a00 u1.)..:.
0x00e0: 0001 3711 3494 5dbe a285 eebf de44 3fe6 ..7.4.]..D?.
0x00f0: c6d5 4437 a63f 7d76 0858 f178 cbcc a7fd ..D7.?}v.X.x
0x0100: 5304 292f d804 37c5 2984 5aae 20c6 5307 S.)/..7.).Z...S.
0x0110: 7f69 47e2 7fe8 c11a 3a00 0001 3710 349f .iG.:...7.4.
0x0120: 5b63 aeec b47e 23af 477b e9c0 8b5c bdb3 [c...~#.G{...\..
0x0130: 5f7f 8d9b 111a 08a5 2fb5 2c09 c5f5 ca5e _.../.,^
0x0140: 2c8d
Re: Error: ERROR: Tunnel-Password attribute in request: Cannot decrypt it.
On Tue, Oct 24, 2006 at 01:19:29PM -0400, Alan DeKok wrote: B Thompson [EMAIL PROTECTED] wrote: Tue Oct 24 14:02:59 2006 : Error: ERROR: Tunnel-Password attribute in request: Cannot decrypt it. Could someone explain a bit more about what this means and whether it is likely to be a problem with the NAS? The NAS is sending an attribute it's not supposed to send. Yes, it would appear to be a problem. Here is the tcpdump print out of the packet which caused the above message :- Nope. Look at what you posted: there's no Tunnel-Password in it. Looking at the timestamps it would seem that this is the packet which caused the error even though tcpdump shows no Tunnel-Password attribute was present. So, something is definitely odd here. Is there any way to verify this is the offending packet other than matching timestamps? Thanks -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Building Freeradius RPM on Redhat ES 4.0
On Wed, Aug 30, 2006 at 06:48:41PM -0400, King, Michael wrote: I seem to be having the same problem. Editing Line 102 allowed the package to build. Where did you remove /usr/local/bin from your path? It may be that you don't have to remove it at all, and just changing the order so that /usr/bin appears before /usr/local/bin might do the trick. To view your path : # echo $PATH /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin To change your path : # export PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:/usr/local/bin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Building Freeradius RPM on Redhat ES 4.0
On Tue, Aug 29, 2006 at 07:32:23PM -0400, King, Michael wrote: cp: will not overwrite just-created `/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with `README' error: Bad exit status from /var/tmp/rpm-tmp.49148 (%doc) I get this error too. It looks like line 102 in the spec file is causing it :- %doc doc/* LICENSE COPYRIGHT CREDITS README Should this line simply be : %doc doc/* This change allows the package to build on my system but when I try to install the rpm I get the following message :- error: Failed dependencies: /usr/local/bin/perl is needed by freeradius-1.1.3-0.i386 -- Ben Thompson University of York - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Building Freeradius RPM on Redhat ES 4.0
On Wed, Aug 30, 2006 at 08:47:13AM +0100, B Thompson wrote: On Tue, Aug 29, 2006 at 07:32:23PM -0400, King, Michael wrote: cp: will not overwrite just-created `/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with `README' error: Bad exit status from /var/tmp/rpm-tmp.49148 (%doc) I get this error too. It looks like line 102 in the spec file is causing it :- %doc doc/* LICENSE COPYRIGHT CREDITS README Should this line simply be : %doc doc/* This change allows the package to build on my system but when I try to install the rpm I get the following message :- error: Failed dependencies: /usr/local/bin/perl is needed by freeradius-1.1.3-0.i386 Having googled about for this I removed /usr/local/bin from my path and ran rpmbuild again. This time everything worked OK. -- Ben Thompson University of York - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_passwd usage
Hi
We used to list all our fifty thousand usernames individually in the
users file, but this made it quite large so following advice on this
mailing list I decided to use rlm_passwd instead. This seems to work
very well and the file size is much smaller. I have configured my
passwd style users file as follows :-
passwd york_passwd {
filename = /etc/raddb/yorkpasswd
format = *Stripped-User-Name:NT-Password:Crypt-Password
hashsize = 10
ignorenislike = yes
}
However, I would now like to restrict access to a particular NAS
device to a particular set of users and I am not sure how best to go
about this. If these users were still listed in the users file I could
do something like this for users allowed access :-
user1 NT-Password := blah, Crypt-Password := blah
...and this for disallowed users :-
user2 NT-Password := blah, Crypt-Password := blah, NAS-Identifier !=
restrictednas
Could anybody suggest a solution using my rlm_passwd setup?
Thanks
--
Ben Thompson
University of York
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Simultaneous-Use does not match on Huntgroup-Name
On Tue, Jun 27, 2006 at 01:21:57PM +0100, B Thompson wrote: I have just been testing out Simultaneaous-Use and I cannot get it to match on a Huntgroup-Name (where the the huntgroup is a list of NAS-IP-Address entries). If I specify Simultaneous-Use against each NAS-IP-Address individually in the users file it works fine. This was caused by bug #233. -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Simultaneous-Use does not match on Huntgroup-Name
Hi I have just been testing out Simultaneaous-Use and I cannot get it to match on a Huntgroup-Name (where the the huntgroup is a list of NAS-IP-Address entries). If I specify Simultaneous-Use against each NAS-IP-Address individually in the users file it works fine. This works :- DEFAULT NAS-IP-Address == x.x.x.x, Simultaneous-Use := 1 Fall-Through = Yes This does not work :- DEFAULT Huntgroup-Name == blah, Simultaneous-Use := 1 Fall-Through = Yes This is with the stock RedHat FreeRADIUS 1.0.1 Am I doing something wrong or is this a bug? Thanks Ben -- Ben Thompson University of York - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: error: Installed (but unpackaged) files(s) found: on REDHAT Enterprise 4.0 (RHEL4) and FreeRadius 1.1.2
On Fri, Jun 23, 2006 at 09:30:24AM +0100, [EMAIL PROTECTED] wrote:
%files
%defattr(-,root,root)
# start of modification Tadej Bregar
sed -i s at doc/freeradius at doc/freeradius-%{version}@
doc/Makefile doc/examples/Makefile doc/rfc/Makefile
%doc doc/ChangeLog doc/README* todo/ COPYRIGHT INSTALL
I think the sed command does not want to go in the %files
section. Someone else suggested puting it just before the %build
line, near the beginning of the file.
--
Ben Thompson
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: error: Installed (but unpackaged) files(s) found: on REDHAT Enterprise 4.0 (RHEL4) and FreeRadius 1.1.2
On Thu, Jun 22, 2006 at 12:32:32AM +0200, Tadej Bregar wrote: Hello, I'm struggling to build a RPM package on RHEL 4 also (based on freeradius.spec file), I have tried adding sed line as suggested in on of the previous posts and also suggested %doc lines, but with no success. How do i have to modify freeradius.spec file to build it successfully? Can you post your modified freeradius.spec file? -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxy - EAP problems
On Thu, Jun 22, 2006 at 10:06:05AM +0200, Wladyslaw Pietraszek wrote: Thanks for the hint. BTW do you have any links to info about how to implement magic Microsoft OID's - Google search did not give much :-( There is a link to this article on the front page of the FreeRADIUS web site :- http://www.linuxjournal.com/article/8095 See the xpextensions section. -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Debian TLS support
On Thu, Jun 22, 2006 at 03:36:52PM -0500, Scott Hughes wrote: Is there a HOWTO for example on how a person can do what I am trying to do? Have you tried downloading the source and running dpkg-buildpackage? -- Ben Thompson - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RPM build problems on RedHat AS4
Hi
Following previous posts on this mailing list I patched my freeradius.spec as
shown at the end of this email. I ran rpmbuild -bb and got the lib_eap
packaging problems and during the build many messages like this :-
(cd /usr/src/redhat/BUILD/freeradius-1.1.2/src/modules/rlm_eap; /bin/sh
/usr/src/redhat/BUILD/freeradius-1.1.2/libtool --mode=relink gcc -release 1.1.2
-modul\e -export-dynamic -o rlm_eap.la -rpath /usr/lib rlm_eap.lo eap.lo mem.lo
state.lo rlm_eap.c eap.c mem.c state.c
/usr/src/redhat/BUILD/freeradius-1.1.2/src/lib\/libradius.la libeap/libeap.la
-lltdl -lnsl -lresolv -lpthread)
gcc -shared rlm_eap.lo eap.lo mem.lo state.lo
-L/usr/src/redhat/BUILD/freeradius-1.1.2/src/lib/.libs -L/usr/lib -lradius
-leap -lltdl -lnsl -lresolv -lpthre\ad-Wl,-soname -Wl,rlm_eap-1.1.2.so -o
.libs/rlm_eap-1.1.2.so
/usr/bin/ld: cannot find -leap
collect2: ld returned 1 exit status
libtool: install: error: relink `rlm_eap.la' with the above command before
installing it
libtool: install: warning: remember to run `libtool --finish /usr/lib'
gmake[6]: Leaving directory
`/usr/src/redhat/BUILD/freeradius-1.1.2/src/modules/rlm_eap'
I then ran rpmbuild again and although I don't remember changing anything it
worked fine
and built me an rpm. However when I came to install, I still have the following
dependency problem :-
error: Failed dependencies:
/usr/local/bin/perl is needed by freeradius-1.1.2-0.i386
The output of whereis perl :-
perl: /usr/bin/perl /usr/local/bin/perl /usr/share/man/man1/perl.1.gz
# ls -l /usr/local/bin/perl
lrwxrwxrwx 1 root root 13 Jun 21 2004 /usr/local/bin/perl - /usr/bin/perl
Could anyone suggest why I am gettting the failed dependendcy?
Thanks
Ben Thompson
Here is the patch :-
--- freeradius.spec.orig2006-05-21 18:32:53.0 +0100
+++ freeradius.spec 2006-06-20 11:40:59.0 +0100
@@ -38,6 +38,9 @@
--with-rlm-krb5-lib-dir=/usr/kerberos/lib
make
+sed -i [EMAIL PROTECTED]/[EMAIL PROTECTED]/freeradius-%{version}@
doc/Makefile doc/examples/Makefile doc/rfc/Makefile
+
+
%install
[ $RPM_BUILD_ROOT != / ] rm -rf $RPM_BUILD_ROOT
@@ -111,6 +114,18 @@
%attr(0700,radiusd,radiusd) %dir /var/log/radius/radacct
%attr(0700,radiusd,radiusd) %dir /var/run/radiusd
+
+%doc doc/Acct-Type doc/Autz-Type doc/CYGWIN doc/ChangeLog doc/DIFFS doc/MACOSX
+%doc doc/OS2 doc/Post-Auth-Type doc/RADIUS-LDAP-eDirectory
doc/RADIUS-SQL.schema
+%doc doc/README doc/Session-Type doc/Simultaneous-Use doc/aaa.txt doc/ascend
+%doc doc/bay doc/bugs doc/cisco doc/coding-methods.txt
doc/configurable_failover
+%doc doc/duplicate-users doc/ldap_howto.txt doc/load-balance.txt doc/misc-nas
+%doc doc/module_interface doc/mssql doc/performance-testing
doc/processing_users_file
+%doc doc/proxy doc/radrelay doc/release-method.txt doc/rfc/
+%doc doc/rlm* doc/supervise-radiusd.txt
+%doc doc/tuning_guide doc/variables.txt todo/ COPYRIGHT INSTALL
+
+
%changelog
* Thu Dec 15 2004 Alan DeKok
- update for 1.1.0
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
