Fwd: Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Sorry, my mail program tricked me and used the wrong destination address.

-- Forwarded message --
Subject: Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Date: Saturday 07 September 2013, 19:13:17
From: Matthias Nagel matthias.h.na...@gmail.com
To: Alan DeKok al...@deployingradius.com

Hello everybody,

as it was me who came up with the issue: the password must be encoded as UTF-16 in little endian and then the MD4 is calculated. For example, assume one uses smbencrypt from the command line interface in order to calculate the hash, and the Linux console is set up to use en-US.utf8. Then, at first a character encoding into UTF-16 little endian is necessary, and in a second step the MD4 hash can be calculated.

Matthias

On Saturday 07 September 2013, 12:10:38 you wrote:
> Arran Cudbard-Bell wrote:
> > Can't we assume src as UTF8 for NAI (RFC4282)?
>
> Ha, ha, ha, ha cough. 4282 is wrong. And no one implements any of it.
>
> The MS-CHAP RFCs are silent on the subject of character encoding. The unofficial word from Microsoft is MS-CHAP uses the local encoding. Ok... what's that? hysterical laughter No one knows. And there's no way to find out.
>
> And UTF-8 uses up to 5 octets for a character. MS-CHAP requires no more than 2. There is *no* way to do the right thing. You can get close. Sometimes. Maybe. But doing the right thing always? Impossible.
>
> Alan DeKok.

--
Matthias Nagel
Parkstraße 27
76131 Karlsruhe
Mobil: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Hello,

if I do a "smbencrypt ä" then the output for the NT hash is B5CF5E386433C7CB69E43ED774717792, but the correct hash would be 3104EAB484D59EFABCEA2C44B07F41D3. (If you do not see the letter: it is a small a with two dots, Unicode code point 00E4.) Similar results hold for other umlauts, too.

My FreeRADIUS version is 2.2.0 running on Linux 3.8.13 with the system locale set to en_US.utf8.

I wrote my own utility to calculate NT hashes to fill the RADIUS database. While I compared the results of my own utility with those from smbencrypt, I found these discrepancies. In order to check which result was the correct one, I took a Windows computer, added a dummy user to it and set the passwords in question. Then I extracted the NT hashes from the SAM database.

One note of caution: if you use a web site like http://www.onlinehashcrack.com/hash-calculator.php, do not trust it. When it comes to non-ASCII letters the output is false, too.

Matthias
Re: smbencrypt calculates false hash for German umlauts and other non-ASCII letters
Hi Phil,

> Probably a fairly trivial patch if you feel like it ;o)

I had a quick glance at the source code and I found two files named smbencrypt.c. If you give me a hint which is the correct file to start with, I will browse the source code from that point and see what I can do. But probably not before next month.

Matthias

On Sunday 18 August 2013, 17:44:46 Phil Mayers wrote:
> Matthias Nagel matthias.h.na...@gmail.com wrote:
> > [...]
>
> Almost certainly. NT hashes are the 16-bit encoding, and smbencrypt likely treats each byte in the UTF-8 encoding as an ASCII char and pads it to 16 bits.
>
> I made some effort to handle this in the mschap password change code, but really the server should probably pull in libiconv for the few places this is needed (such as calculating correct NT hashes).
>
> Probably a fairly trivial patch if you feel like it ;o)
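The two encodings discussed in this thread side by side: the correct NT hash (UTF-16LE, then MD4, as Matthias describes) and the byte-wise padding Phil suspects smbencrypt of doing. This is an added example, not FreeRADIUS code; the MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds, and the "reported" values are simply the ones quoted in the report above.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data (pure Python)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    rounds = (
        # (boolean function, round constant, shift amounts, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (aa + func(bb, cc, dd) + x[k] + const) & MASK32
                # rotate the register roles: (A,B,C,D) -> (D,A',B,C)
                aa, bb, cc, dd = dd, _rotl(t, shifts[i % 4]), bb, cc
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Correct NT hash: encode the password as UTF-16LE, then MD4."""
    return md4(password.encode("utf-16-le")).hex().upper()


def nt_hash_bytewise_utf8(password: str) -> str:
    """What Phil suspects smbencrypt does on a UTF-8 console: each byte of the
    UTF-8 string is taken as one character and zero-padded to 16 bits."""
    widened = b"".join(bytes([byte, 0]) for byte in password.encode("utf-8"))
    return md4(widened).hex().upper()


def compare_with_report() -> dict:
    """Compare both computations with the values quoted in the bug report."""
    reported_correct = "3104EAB484D59EFABCEA2C44B07F41D3"   # from the Windows SAM
    reported_smbencrypt = "B5CF5E386433C7CB69E43ED774717792"  # smbencrypt 2.2.0 output
    return {
        "utf16le_matches_windows": nt_hash("ä") == reported_correct,
        "bytewise_matches_smbencrypt": nt_hash_bytewise_utf8("ä") == reported_smbencrypt,
        "ascii_agrees": nt_hash("password") == nt_hash_bytewise_utf8("password"),
    }


if __name__ == "__main__":
    print("NT('ä')  UTF-16LE :", nt_hash("ä"))
    print("NT('ä')  bytewise :", nt_hash_bytewise_utf8("ä"))
    print(compare_with_report())
```

For pure-ASCII passwords the two agree, which is why the defect only shows up with umlauts and other non-ASCII characters.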
Re: Help with chap
Hello,

actually this behaviour is totally correct. The switch tries to authenticate a client when the switch learns the client's MAC address. As the MAC address is extracted from the Ethernet header, there must be some packets sent from the client in order to do so. If the client is quiet, the switch cannot do anything about it.

Matthias

Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe
Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
ICQ: 499797758
Skype: nagmat84

Franks Andy (RLZ) IT Systems Engineer andy.fra...@sath.nhs.uk wrote:
> ..Just an update.. might be interesting for people - rebooted the switch and not all clients were authenticated, but it seems all those that weren't have 0 bytes for all statistics, tx, rx etc. So I guess they are switched off and the switch seems to need some packets to flow for it to detect that the client needs authenticating. Otherwise it looks like it will sit with the port in an up state unauthenticated all day long. I guess this sort of makes sense, but in my simple view of how things this isn't intuitive. Also HP manuals don't seem to mention it..
>
> Thanks
> Andy
>
> -----Original Message-----
> From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
> Sent: 21 May 2013 22:27
> To: FreeRadius users mailing list
> Subject: RE: Help with chap
>
> Thanks Phil. I'll keep that up my sleeve for future use. We tend to separate admin / wireless / mac-based auth off on to different radius boxes. Keeps things a bit easier. Not sure what Cisco do, but a lot of their stuff tends to be PAP or EAP. HP doing CHAP here seems to limit quite a lot of backend options. It's still also the only protocol, or so it seems, chosen for iSCSI authentication, which is an interesting choice considering its vulnerabilities. Guess IPsec gets used instead where it needs to be secure.
>
> Now to work out the useraccountcontrol setting. Seems to be different in Users and Computers than in an LDAP viewer, but the LDAP one is probably a decimal conversion or something.
>
> Thanks again
> Andy
>
> -----Original Message-----
> From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Phil Mayers
> Sent: 21 May 2013 08:06
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Help with chap
>
> On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote:
> > Can I just use the authorize section to set the password to be the same as the username, i.e. the MAC address, after checking some basics like whether the user exists in LDAP and perhaps the useraccountcontrol value, then in the authorize section just let the CHAP bit work on the assigned password?
>
> Yes. In fact that's the best approach. Something like:
>
>   authorize {
>     ...
>     if (some condition) {
>       update control {
>         Cleartext-Password := "%{User-Name}"
>       }
>     }
>     ...
>   }
>
> "some condition" would normally be some sort of check to ensure it was a macauth-via-CHAP request - obviously you wouldn't want to force password==username for a PPP/EAP/other real user request. On the other hand, if your server / virtual server only receives this traffic, you can omit the condition.
>
> I really dislike vendors who do macauth as CHAP. It seems to completely lack value, and adds complexity. Le sigh..
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
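What Phil's snippet amounts to on the server side, written out as an added example (not FreeRADIUS code): if the request looks like MAC-auth-via-CHAP, the control Cleartext-Password is set to the User-Name and the CHAP response is checked against it; the MAC-address test is the assumed form of "some condition", and the requests are constructed, not captured.

```python
import hashlib
import hmac
import os
import re

# Assumed "some condition": the User-Name is a MAC address (with or without
# separators) and the request carries a CHAP-Password.
MAC_RE = re.compile(r"^[0-9a-f]{2}([-:]?[0-9a-f]{2}){5}$", re.IGNORECASE)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side (RFC 1994 / RFC 2865 s5.3):
    CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server side: recompute the digest from the known cleartext and compare."""
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def is_mac_auth_via_chap(request: dict) -> bool:
    return "CHAP-Password" in request and bool(MAC_RE.match(request.get("User-Name", "")))


def authorize_and_authenticate(request: dict) -> str:
    """The unlang policy plus the chap module, in one function."""
    if not is_mac_auth_via_chap(request):
        return "noop"  # a real user: leave the password to LDAP / other modules
    control = {"Cleartext-Password": request["User-Name"]}  # update control { ... }
    # RFC 2865 s5.40: if CHAP-Challenge is absent, the Request Authenticator
    # is the challenge. FreeRADIUS does the same.
    challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
    ok = chap_verify(request["CHAP-Password"], challenge,
                     control["Cleartext-Password"].encode())
    return "Access-Accept" if ok else "Access-Reject"


def build_request(user_name: str, password: str, chap_challenge: bytes = None) -> dict:
    """Constructed Access-Request (not captured traffic). With chap_challenge=None
    the NAS omits CHAP-Challenge and uses the Request Authenticator instead."""
    req_auth = os.urandom(16)
    challenge = chap_challenge if chap_challenge is not None else req_auth
    request = {"User-Name": user_name, "Request-Authenticator": req_auth,
               "CHAP-Password": chap_response(0x01, password.encode(), challenge)}
    if chap_challenge is not None:
        request["CHAP-Challenge"] = chap_challenge
    return request


if __name__ == "__main__":
    mac = "00-1a-2b-3c-4d-5e"  # constructed MAC, not a real device
    print(authorize_and_authenticate(build_request(mac, mac)))          # Access-Accept
    print(authorize_and_authenticate(build_request(mac, "other")))      # Access-Reject
    print(authorize_and_authenticate(build_request("alice", "alice")))  # noop
```

Without the condition, a PPP or EAP user whose real password differs from their username would be rejected by this policy, which is exactly the concern Phil raises.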
Re: Help with chap
Hello,

> I've recently got into mac based auth on a procurve 5406.
> [...]
> [...] when i reboot the switch or clear the authentication on the ports it can take up to ten minutes for 10-15 clients to authenticate, simply because the nas (i guess) gets overwhelmed and consequently I see loads of eap did not complete messages.

We have a setup of one HP 5412zl, one HP 5406 and one HP 2910. Together, all but two module slots are equipped with 24-port line interface cards, hence we have about 400 Ethernet ports. We either use 802.1X authentication or MAC-based authentication with MSCHAP-PEAP on every port but a dozen. Our FreeRADIUS server is running on a virtual machine with only 512 MB RAM and is connected with 1GB/s to the 5412zl.

Anyway, after a power cycle of all three switches at once, with all clients running, it only takes seconds until all clients (approx. 380) are authenticated again. Neither the HP switches nor the RADIUS server gets overwhelmed. So there must be some misconfiguration in your setup.

Matthias
Re: Radius Squid authentication REJECT
Hello,

did you do what the warning says and double-check the shared secret? As far as I see, squid_rad_auth.conf does not use quotation marks ("") to delimit the shared secret. Hence, perhaps you have trailing white space or something like that at the end of the line. Delete the "secret" line in squid_rad_auth.conf and type it again. I really mean delete it, in order to get rid of unprintable characters you might not see.

Matthias

On Thursday 11 April 2013, 15:47:33 Iftakhul Anwar wrote:
> Hi All,
>
> I have successfully configured freeradius with mysql. i can radtest using command:
>
>   sudo radtest alice password 192.168.2.3 1812 testing123
>   Sending Access-Request of id 187 to 192.168.2.3 port 1812
>     User-Name = alice
>     User-Password = password
>     NAS-IP-Address = 127.0.1.1
>     NAS-Port = 1812
>     Message-Authenticator = 0x
>   rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20
>
> Now i try squid using radius authentication. i followed step by step from: http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
>
> But i got error message log on cache.log:
>
>   Warning: Received invalid reply digest from server
>   Warning: Received invalid reply digest from server
>   Warning: Received invalid reply digest from server
>   squid_rad_auth: No response from RADIUS server
>
> On radius -X debug there is an error message like below:
>
>   Sending duplicate reply to client localprivate port 42003 – ID: 2
>   Sending Access-Reject of id 2 to 192.168.2.3 port 42003
>   Waking up in 2.9 seconds.
>   rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63
>   Sending duplicate reply to client localprivate port 42003 – ID: 2
>   Sending Access-Reject of id 2 to 192.168.2.3 port 42003
>   Waking up in 0.9 seconds.
>   Found Auth-Type = PAP
>   # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>   +- entering group PAP {...}
>   [pap] login attempt with password "b9?I? +�(�Ч�Y�?"
>   [pap] Using clear text password "password"
>   [pap] Passwords don't match
>   ++[pap] returns reject
>   Failed to authenticate the user.
>   WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>   Using Post-Auth-Type REJECT
>
> What is that error? How i can solve this
>
> Thanks
Re: Radius Squid authentication REJECT
Hello,

On Thursday 11 April 2013, 16:07:08 Iftakhul Anwar wrote:
> Hi Matthias,
>
> I don't use "" on my squid_rad_auth.conf

I know, that is the reason why I asked you to check for non-printable characters AFTER your shared secret.

> No space on my secret.

And what is between the last printable character of your secret and the new line?

Matthias

> This is my squid_rad_auth.conf
>
>   server 192.168.2.3
>   secret testing123
>
> On my radcheck, i also using Cleartext-Password on my radcheck table
>
> Any another clue?
>
> Thanks
>
> On Thu, Apr 11, 2013 at 3:59 PM, Matthias Nagel matthias.h.na...@gmail.com wrote:
> > [...]
Re: Radius Squid authentication REJECT
Hello,

perhaps it is an encoding problem between the browser and squid. You should check what kind of encoding squid expects the browser to use and what encoding the browser actually uses. But this is not a RADIUS problem, hence I cannot help you with that problem. Anyway, somewhere on the link browser - squid - radius the password gets screwed up. If the problem was between the browser and squid, the user name likely would be screwed up, too. Hence, I still believe the problem is between squid and radius. But if a wrong secret isn't the solution, I am out. Sorry.

Regards, Matthias

On Thursday 11 April 2013, 16:35:33 Iftakhul Anwar wrote:
> I just use enter after my shared secret.
>
> Any suggestions?
>
> On Thu, Apr 11, 2013 at 4:17 PM, Matthias Nagel matthias.h.na...@gmail.com wrote:
> > [...]
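Why a shared-secret mismatch shows up exactly as in this thread (an unprintable "password" in the server's PAP debug, "invalid reply digest" at the client) is visible from the RFC 2865 User-Password hiding and the Response Authenticator. This is an added example, not FreeRADIUS or squid_rad_auth code; the Request Authenticator is a constructed constant and the NAS-side secret "testing123 " (with a trailing space) is the mistake Matthias suspects.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """NAS side (RFC 2865 s5.2): NUL-pad to a multiple of 16 bytes and XOR each
    block with MD5(secret || previous block), the first block keyed by the
    Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: the same key stream, chained on the received blocks.
    With the wrong secret the key stream is wrong and the output is noise."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def is_printable(data: bytes) -> bool:
    """The check behind 'WARNING: Unprintable characters in the password'."""
    return all(0x20 <= b <= 0x7E for b in data)


def response_authenticator(code: int, ident: int, req_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    The client recomputes this with its own secret; a mismatch is squid's
    'Received invalid reply digest from server'."""
    length = 20 + len(attrs)
    return hashlib.md5(bytes([code, ident]) + length.to_bytes(2, "big")
                       + req_auth + attrs + secret).digest()


def simulate(nas_secret: bytes, server_secret: bytes) -> dict:
    """One PAP exchange: NAS hides 'password', server reveals it and answers
    with an Access-Reject (code 3, id 2, no attributes) as in the debug log."""
    req_auth = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
    hidden = hide_password(b"password", nas_secret, req_auth)
    seen = reveal_password(hidden, server_secret, req_auth)
    reply_auth = response_authenticator(3, 2, req_auth, b"", server_secret)
    expected_by_nas = response_authenticator(3, 2, req_auth, b"", nas_secret)
    return {
        "password_seen_by_server": seen,
        "server_sees_printable": is_printable(seen),
        "nas_accepts_reply_digest": reply_auth == expected_by_nas,
    }


if __name__ == "__main__":
    print("matching secrets :", simulate(b"testing123", b"testing123"))
    print("trailing space   :", simulate(b"testing123 ", b"testing123"))
```

The User-Name attribute is never hidden, which is why Matthias argues that a browser-to-squid encoding problem would garble the user name as well, not only the password.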
Re: MAC Address Auth
Hello Eric,

two remarks. The first one replies to your question, the second is a comment on your user entry.

1) At the moment I believe that you either have a very old FreeRADIUS installation or that you broke your configuration with regard to the dictionary files. Attr-2352-145 is a Redback attribute (Vendor ID 2352) and means Mac-Addr (Attribute ID 145). In my installation (Debian Squeeze, FreeRADIUS 2.1.10) this attribute is already contained in the dictionary files out of the box. Hence, FreeRADIUS should replace all occurrences of Attr-2352-145 by the more friendly name Mac-Addr, and one should use that in the users file, too. But if your debug output and your accounting logs show Attr-2352-145 instead of Mac-Addr, then FreeRADIUS does not seem to know this attribute, which means something is broken.

2) For a moment ignore the problem about the unknown attribute Attr-2352-145. Anyway, you must use this attribute (or Mac-Addr) as a check item, not as a reply item, and the correct operator is "==", not "=". (See my last mail and http://freeradius.org/radiusd/man/users.html). So it must be on the first line. I also doubt that you want "Password = 006060", but "Cleartext-Password := 006060" instead. Read http://freeradius.org/radiusd/man/users.html.

Matthias

PS @ Alan DeKok: I believe I found the problem why so many people use "=" instead of the correct operator. The doc (http://freeradius.org/radiusd/man/users.html) says: "Each item in the check or reply item list is an attribute of the form name = value" (2nd paragraph). Perhaps it would be better to write: "Each item in the check or reply item list is an attribute of the form 'name op value'." This would make clear that op is not always "=".

On Thursday 04 April 2013, 23:07:02 Mulindwa wrote:
> Thanks Mattias,
>
> I get an error saying;
>
>   Unknown attribute Attr-2352-145
>
> This is how i have it setup
>
>   user20001@ut3  Password = 006060, Simultaneous-Use = 1
>       Attr-2352-145 = 5c-7d-5e-3f-d0-f7,
>       Service-Type = Framed-User,
>       Qos_Policy_Policing = broadband_128_policing,
>       Qos_Policy_Metering = broadband_128_metering,
>       Framed-Protocol = PPP,
>       Ip_Address_Pool_Name = pool_128,
>       Framed-Address = 255.255.255.254,
>       Framed-Netmask = 255.255.255.255,
>       Fall-Through = 0
>
> Eric M
>
> From: Matthias Nagel matthias.h.na...@gmail.com
> To: freeradius-users@lists.freeradius.org
> Sent: Thursday, April 4, 2013 5:41 PM
> Subject: Re: MAC Address Auth
>
> > [...]
Re: MAC Address Auth
Hello,

add the correct check item to your user database. In the case below (User-Name = user2000@ut3) you should have the check item

  Attr-2352-145 == 5c-7d-5e-3f-d0-f7

for this specific user in your user database. Then you repeat this for every user/MAC-address pair you want.

Best regards, Matthias

On Thursday 04 April 2013, 07:25:55 Mulindwa wrote:
> Great, i have run the debug and i did get the attribute required. If i want to fulfil the two conditions, i.e. username/passwd and Mac Address = Attr-2352-145, how would i need to tweak my radiusd.conf file to achieve this?
>
>   User-Name = user2000@ut3
>   CHAP-Password = cccddd'
>   CHAP-Challenge =
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>   NAS-Identifier = UT-BRAS-EDGE
>   NAS-IP-Address = x.x.x.x
>   NAS-Port = 855649483
>   NAS_Real_Port = 855638816
>   NAS-Port-Type = Virtual
>   Attr-87 = 3/3 vlan-id 800 pppoe 11467
>   Medium_Type = 11
>   Attr-2352-145 = 5c-7d-5e-3f-d0-f7      MAC Address
>   Attr-2352-98 = 3
>   Attr-2352-112 = 6.2.1.9
>   Acct-Session-Id = 020268008FC9-515D8419
>
> Eric M
>
> From: Mulindwa meri...@yahoo.com
> To: Alan DeKok al...@deployingradius.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Thursday, April 4, 2013 4:58 PM
> Subject: Re: MAC Address Auth
>
> Thanks Alan, Let me do so.
>
> Eric M
>
> From: Alan DeKok al...@deployingradius.com
> To: Mulindwa meri...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Thursday, April 4, 2013 4:47 PM
> Subject: Re: MAC Address Auth
>
> Mulindwa wrote:
> > Hi All,
> > Have been trying to authenticate my ADSL users using Mac Address Auth, however i have failed even after going through the documentation. I want to authenticate with the highlighted, anyone done this and can help?
>
> It's been done.
>
> > This is how the accounting file looks;
>
> If you're trying to debug authentication, it helps to look at *authentication* traffic, and not *accounting* data.
>
> And run the server in debugging mode as suggested in the FAQ, man page, web pages, and daily on this list. Honestly, there is NO excuse for refusing to do this.
>
> Alan DeKok.
Re: [SOLVED] Return Access-Accept/-Reject depending on other active sessions during post-authentication
Hello,

problem solved. I post this message for the sake of completeness and in case anyone will ever need to solve a similar problem. Of course, any comments on how my solution can be improved are welcome.

1) At the SQL side I created a view (active_users) with three columns (nasipaddress, nasport and vlan) that always shows the active sessions. Basically it selects all entries from the accounting table (radacct) where the stop time is NULL, and then the result is joined with the user attribute table (radreply) in order to append the VLAN to each record. Of course, the join is done by the user name.

2) In the RADIUS config the following expression is added to the post-auth section of the default server.

  # Prevent multiple untagged VLANs on the same port at the same time.
  # Otherwise there would be a short-circuit fault between the affected VLANs
  if ( "%{sql:SELECT COUNT(*) FROM active_users WHERE nasipaddress = '%{NAS-IP-Address}' AND nasport = %{NAS-Port} AND vlan <> '%{reply:Tunnel-Private-Group-ID}'}" != 0 ) {
      reject
  }

The SQL statement counts all (active) sessions on the same NAS on the same NAS port with a different VLAN assignment than the VLAN the current user is going to be assigned to. If the number does not equal zero, there is at least one session on the same port with a different VLAN. In that case the user is rejected.

3) Prevent stalled sessions. Accounting-Stop messages can be lost. In that case a session will falsely remain active and thus likely block out any other user. I use an interim update interval of five minutes. If three updates were missed, i.e. the last update time is less than the current system time minus 15 minutes, the session is considered to be stalled and the stop time is set to the last update time. This way a stalled session is closed 15 minutes after the last update.

Yours, Matthias

On Sunday 16 December 2012, 17:07:53 Alan DeKok wrote:
> Matthias Nagel wrote:
> > Now, I would like to write some kind of RADIUS policy to prevent this behaviour.
>
> (a) store information in a database
> (b) use unlang to query the database
>
> > This policy is supposed to do the following during the post-authentication phase:
> > 1) If there is no active session on the NAS port, just return Access-Accept
>
> You may need to create a new table which stores active sessions. INSERT data into it on authentication / accounting start. DELETE data on accounting stop.
>
> > 2) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session equals the 'Tunnel-Private-Group-ID' of the new request, return Access-Accept.
>
> Store the Tunnel-Private-Group-ID of a session on INSERT. Query it on the next session authentication.
>
> > 3) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session DOES NOT equal the 'Tunnel-Private-Group-ID' of the new request, return Access-Reject.
>
> Query the DB. If it doesn't match, reject.
>
> > Is this possible to do? I have the accounting information in a SQL database, hence I know, if there are active sessions on some port. But I do not know, which would be the correct RADIUS configuration section and I do not know if unlang or some other configuration directive can perform such a check.
>
> unlang is just a way to write policies. It does NOT store data. SQL databases store data. The two together can solve this problem.
>
> Alan DeKok.
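The three steps above rebuilt on sqlite3 so they can be run stand-alone: the active_users view (step 1), the conflict count behind the %{sql:...} expansion (step 2) and the stalled-session sweep (step 3). This is an added example, not the author's MySQL view or config; the radacct/radreply tables are reduced to the columns the post names (acctupdatetime standing in for the last interim update), and the session rows are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    radacctid      INTEGER PRIMARY KEY,
    username       TEXT NOT NULL,
    nasipaddress   TEXT NOT NULL,
    nasport        INTEGER NOT NULL,
    acctstarttime  INTEGER NOT NULL,   -- unix time (simplified)
    acctupdatetime INTEGER NOT NULL,   -- last Interim-Update, or start
    acctstoptime   INTEGER             -- NULL while the session is open
);
CREATE TABLE radreply (
    id INTEGER PRIMARY KEY, username TEXT NOT NULL,
    attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL
);
-- step 1: open sessions, each joined with the user's VLAN reply item
CREATE VIEW active_users AS
    SELECT a.nasipaddress, a.nasport, r.value AS vlan
    FROM radacct a JOIN radreply r ON r.username = a.username
    WHERE a.acctstoptime IS NULL AND r.attribute = 'Tunnel-Private-Group-ID';
"""

INTERIM = 300  # five-minute interim update interval, as in the post
MISSED = 3     # three missed updates => session is considered stalled


def open_demo_db(now: int) -> sqlite3.Connection:
    """Constructed data: alice (VLAN 10) is alive on port 5; bob (VLAN 20) on
    the same port stopped updating 20 minutes ago (lost Accounting-Stop)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radreply(username, attribute, op, value) VALUES (?,?,?,?)",
        [("alice", "Tunnel-Private-Group-ID", ":=", "10"),
         ("bob", "Tunnel-Private-Group-ID", ":=", "20")])
    db.executemany(
        "INSERT INTO radacct(username, nasipaddress, nasport, acctstarttime,"
        " acctupdatetime, acctstoptime) VALUES (?,?,?,?,?,NULL)",
        [("alice", "192.0.2.1", 5, now - 3600, now - 60),
         ("bob", "192.0.2.1", 5, now - 7200, now - 1200)])
    db.commit()
    return db


def conflicting_sessions(db, nas_ip: str, nas_port: int, vlan: str) -> int:
    """Step 2: the COUNT(*) from the unlang block, parameterised instead of
    string-expanded."""
    row = db.execute(
        "SELECT COUNT(*) FROM active_users"
        " WHERE nasipaddress = ? AND nasport = ? AND vlan <> ?",
        (nas_ip, nas_port, vlan)).fetchone()
    return row[0]


def post_auth(db, nas_ip: str, nas_port: int, vlan: str) -> str:
    """The post-auth decision: reject if any open session on the same NAS port
    carries a different VLAN."""
    return "reject" if conflicting_sessions(db, nas_ip, nas_port, vlan) != 0 else "accept"


def close_stalled_sessions(db, now: int) -> int:
    """Step 3: sessions with no update for MISSED*INTERIM seconds are closed,
    with the last update time as stop time. Returns the number of rows closed."""
    cur = db.execute(
        "UPDATE radacct SET acctstoptime = acctupdatetime"
        " WHERE acctstoptime IS NULL AND acctupdatetime < ?",
        (now - MISSED * INTERIM,))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    now = 1700000000
    db = open_demo_db(now)
    print("carol/VLAN 10 on port 5 before sweep:", post_auth(db, "192.0.2.1", 5, "10"))
    print("stalled sessions closed:", close_stalled_sessions(db, now))
    print("carol/VLAN 10 on port 5 after sweep :", post_auth(db, "192.0.2.1", 5, "10"))
    print("dave/VLAN 20 on port 5              :", post_auth(db, "192.0.2.1", 5, "20"))
```

Run the sweep before the post-auth query (a cron job or the same policy), otherwise a lost Accounting-Stop keeps blocking the port for the full 15 minutes.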
Return Access-Accept/-Reject depending on other active sessions during post-authentication
Hello all,

my NAS supports user-based authentication, this means it is possible to have multiple sessions on the same ethernet port (same user multiple times and/or different users). Each attached supplicant must authenticate itself. The switch prohibits a supplicant from piggy-backing on top of some other already authenticated supplicant. Moreover I use RADIUS-assigned VLANs. If the same user or different users that are assigned to the same VLAN are authenticated on the same port, everything is fine.

The trouble starts if an additional user with a different VLAN than the VLAN that is already assigned to the port is successfully authenticated. In the past an additional user was denied access by the switch if such a VLAN mismatch occurred. This means it was impossible to have several different untagged VLANs on the same port. But my current NAS also grants access to the additional user and assigns this user's VLAN to the port, too. This means there is more than one untagged VLAN on the same port at the same time and the result is some kind of short-circuit fault between the affected VLANs.

Now, I would like to write some kind of RADIUS policy to prevent this behaviour. This policy is supposed to do the following during the post-authentication phase:

1) If there is no active session on the NAS port, just return Access-Accept
2) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session equals the 'Tunnel-Private-Group-ID' of the new request, return Access-Accept.
3) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session DOES NOT equal the 'Tunnel-Private-Group-ID' of the new request, return Access-Reject.

Is this possible to do? I have the accounting information in a SQL database, hence I know if there are active sessions on some port. But I do not know which would be the correct RADIUS configuration section, and I do not know if unlang or some other configuration directive can perform such a check.

Best regards, Matthias
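An added, constructed example (not code from this thread and not FreeRADIUS code or unlang) of the active-session table Alan suggests together with the three post-auth rules above, written in Python against an in-memory sqlite3 database; the table and column names, the NAS address 192.0.2.1, the port ids and the VLAN ids are assumptions.

```python
"""Post-auth VLAN-consistency check over an active-session table.

Constructed stand-in for what the sql module would run from post-auth {}
and accounting {}: INSERT on accept, DELETE on Accounting-Stop, and a
lookup of the Tunnel-Private-Group-ID already live on the NAS port."""
import sqlite3

SCHEMA = """
CREATE TABLE active_session (
    username      TEXT NOT NULL,
    nasipaddress  TEXT NOT NULL,
    nasportid     TEXT NOT NULL,
    vlan          TEXT NOT NULL   -- Tunnel-Private-Group-ID that was granted
);
CREATE INDEX active_session_port ON active_session (nasipaddress, nasportid);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def post_auth(conn, username, nas_ip, nas_port, vlan) -> str:
    """Rules 1-3 from the thread. `vlan` is the Tunnel-Private-Group-ID the
    reply would carry; the return value is the RADIUS code to send."""
    conflict = conn.execute(
        "SELECT username, vlan FROM active_session "
        "WHERE nasipaddress = ? AND nasportid = ? AND vlan <> ? LIMIT 1",
        (nas_ip, nas_port, vlan)).fetchone()
    if conflict is not None:
        # Rule 3: a different VLAN is already live on this port.
        return "Access-Reject"
    # Rule 1 (no session) and rule 2 (only sessions in the same VLAN):
    # record the new session so later requests on the port see it.
    conn.execute("INSERT INTO active_session (username, nasipaddress, "
                 "nasportid, vlan) VALUES (?, ?, ?, ?)",
                 (username, nas_ip, nas_port, vlan))
    conn.commit()
    return "Access-Accept"


def acct_stop(conn, username, nas_ip, nas_port) -> int:
    """DELETE on Accounting-Stop; returns the number of rows removed."""
    cur = conn.execute(
        "DELETE FROM active_session WHERE username = ? AND nasipaddress = ? "
        "AND nasportid = ?", (username, nas_ip, nas_port))
    conn.commit()
    return cur.rowcount


def scenario() -> list:
    """Constructed walk-through: three supplicants on one switch port."""
    conn = open_db()
    nas, port = "192.0.2.1", "1/1"
    results = [
        post_auth(conn, "alice", nas, port, "10"),  # rule 1: port is free
        post_auth(conn, "alice", nas, port, "10"),  # rule 2: same user again
        post_auth(conn, "bob", nas, port, "10"),    # rule 2: same VLAN
        post_auth(conn, "carol", nas, port, "20"),  # rule 3: VLAN mismatch
    ]
    acct_stop(conn, "alice", nas, port)
    acct_stop(conn, "bob", nas, port)
    results.append(post_auth(conn, "carol", nas, port, "20"))  # port free again
    return results


if __name__ == "__main__":
    print(scenario())
```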
Re: Freeradius + LDAP
Hello,

what exactly is your problem?

a) Do you want to know how to configure a web administration GUI (phpldapadmin) for your LDAP server? Then your problem is purely related to the LDAP server, PHP and a web server. Hence, this is the wrong mailing list to ask for advice.

b) Or do you want to know how to use an LDAP directory as a password backend? But then this question has nothing to do with phpldapadmin. You said that RADIUS is already configured and running. Where are the user credentials stored at the moment?

Matthias

Brekler Custodio brekle...@hotmail.com wrote:
> Hello guys, I was wondering, does anyone know how to configure an LDAP (phpldapadmin) to work with freeradius? I searched all over the web and couldn't find a tutorial that teaches how to configure a simple DB to work with FR. The FR is configured already, it's very simple, but the LDAP I can't handle.
Re: Radius Code set to 2??
Hello,

some APs have the option to work as a RADIUS proxy. Perhaps the AP is not actually broken, but only wrongly configured.

Matthias

Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 4 Dec 2012, at 10:14, ashok kumar vijayashok@gmail.com wrote:
> > Hey folks, I have an AP from which I get a RADIUS message with the code field set to 2. It was received on port 1812. Can anybody tell me the significance of this problem, because when I change the APs everything works fine. I need to ascertain whether any configuration change is required on the AP / Radius server.
>
> Your AP is broken. It shouldn't be sending Access-Accepts to the RADIUS server...
>
> -Arran
Re: store encrypted passwords
On Tuesday 09 October 2012, 09:10:15, you wrote:
> I was mixed up on what table I am talking about, it's the radcheck table. I was using navicat to set the attribute to Crypt-Password and refreshing the database. The password stayed in plain text.

I do not use MySQL a lot and I have never used Navicat before, but what I can see from the homepage is that this only is a GUI to administrate MySQL by wrapping SQL statements into a user-friendly interface. Hence, I assume all that you essentially did is to perform a statement like:

    UPDATE radcheck set attribute = 'Crypt-Password' WHERE attribute = 'Cleartext-Password';

Of course this does not change the value in the column 'value'. Why should it be otherwise? MySQL (and Navicat) does not know anything about FreeRadius. If you only update the column 'attribute', nothing else will be modified. This is normal SQL behaviour. You are also responsible for modifying the column accordingly. This means you have to fill in the encrypted version of the password. No one else will do this for you. As I said before, you must use something like

    UPDATE radcheck set attribute = 'Crypt-Password', value = SOME_FANCY_CONVERT_FUNCTION( value ) WHERE some_senseful_condition_here;

where SOME_FANCY_CONVERT_FUNCTION takes the cleartext and converts it into the encrypted version. I have never used FreeRadius with MySQL, so I cannot be more specific on SOME_FANCY_CONVERT_FUNCTION.

But I am astonished by some other fact. If you changed 'Cleartext-Password' to 'Crypt-Password' but did not change the value attribute, authentication must fail, because FreeRadius now treats the value as the encrypted version, which it is not. How can it be that you wrote nothing changed?

To be absolutely clear, the possible values for the 'attribute' column to specify a password are:

    Cleartext-Password
    Crypt-Password
    MD5-Password
    SMD5-Password
    SHA-Password
    SSHA-Password
    NT-Password
    LM-Password

The value of the 'value' column must be the correctly encrypted password with reference to what kind of password you use. That is what I meant by "change accordingly". And secondly, everything must support the authentication protocol.

> On Mon, Oct 8, 2012 at 4:29 PM, Matthias Nagel matthias.h.na...@gmail.com wrote:
> > Hello,
> >
> > first, please use the correct way of quoting for a mailing list. This is to say, write your comments below the original text that they refer to. That way readers who pick up a thread later can follow more easily. But now back to topic.
> >
> > On Monday 08 October 2012, 16:17:52, jon jon wrote:
> > > On Mon, Oct 8, 2012 at 4:02 PM, Matthias Nagel matthias.h.na...@gmail.com wrote:
> > > > Hello,
> > > >
> > > > > I have set up FreeRADIUS Version 2.1.10 on an Ubuntu server 12.04, Mysql Server version: 5.5.24. Everything is up and running but the users' passwords are stored in plain text in raddacct. I tried changing the attribute to Crypt-Password but it doesn't change anything.
> > > >
> > > > What do you mean by "doesn't change anything"? If you have changed the attribute name to Crypt-Password and you also modified the attribute's value accordingly, what do you expect? If it still works, then be happy.
> > >
> > > doesn't change anything = password is still showing as plain text. What do you mean by "modified the attribute's value accordingly"?
> >
> > You wrote that you changed clear text passwords to crypt-passwords. This means to me you updated your database, hence your database does not show clear text passwords anymore. What exactly did you do when you changed from clear text to crypt-passwords? I assumed you did something like this:
> >
> >     UPDATE radcheck set attribute = 'Crypt-Password', value = SOME_FANCY_CONVERT_FUNCTION( value ) WHERE some_senseful_condition_here;
> >
> > Anyway, I now notice that you were speaking of radacct. This table is not to show any password at all.
> >
> > > > > Do I need to make a change to a config file also? Not sure what type of encryption would be best, one that works MD5?
> > > >
> > > > For a compatibility of password encryption schemes and protocols, see here: http://deployingradius.com/documents/protocols/compatibility.html
> > > >
> > > > Thanks, Matthias
Re: store encrypted passwords
Hello,

> I have set up FreeRADIUS Version 2.1.10 on an Ubuntu server 12.04, Mysql Server version: 5.5.24. Everything is up and running but the users' passwords are stored in plain text in raddacct. I tried changing the attribute to Crypt-Password but it doesn't change anything.

What do you mean by "doesn't change anything"? If you have changed the attribute name to Crypt-Password and you also modified the attribute's value accordingly, what do you expect? If it still works, then be happy.

> Do I need to make a change to a config file also? Not sure what type of encryption would be best, one that works MD5?

For a compatibility of password encryption schemes and protocols, see here: http://deployingradius.com/documents/protocols/compatibility.html

Thanks, Matthias
Re: store encrypted passwords
Hello,

first, please use the correct way of quoting for a mailing list. This is to say, write your comments below the original text that they refer to. That way readers who pick up a thread later can follow more easily. But now back to topic.

On Monday 08 October 2012, 16:17:52, jon jon wrote:
> On Mon, Oct 8, 2012 at 4:02 PM, Matthias Nagel matthias.h.na...@gmail.com wrote:
> > Hello,
> >
> > > I have set up FreeRADIUS Version 2.1.10 on an Ubuntu server 12.04, Mysql Server version: 5.5.24. Everything is up and running but the users' passwords are stored in plain text in raddacct. I tried changing the attribute to Crypt-Password but it doesn't change anything.
> >
> > What do you mean by "doesn't change anything"? If you have changed the attribute name to Crypt-Password and you also modified the attribute's value accordingly, what do you expect? If it still works, then be happy.
>
> doesn't change anything = password is still showing as plain text. What do you mean by "modified the attribute's value accordingly"?

You wrote that you changed clear text passwords to crypt-passwords. This means to me you updated your database, hence your database does not show clear text passwords anymore. What exactly did you do when you changed from clear text to crypt-passwords? I assumed you did something like this:

    UPDATE radcheck set attribute = 'Crypt-Password', value = SOME_FANCY_CONVERT_FUNCTION( value ) WHERE some_senseful_condition_here;

Anyway, I now notice that you were speaking of radacct. This table is not to show any password at all.

> > > Do I need to make a change to a config file also? Not sure what type of encryption would be best, one that works MD5?
> >
> > For a compatibility of password encryption schemes and protocols, see here: http://deployingradius.com/documents/protocols/compatibility.html
> >
> > Thanks, Matthias
Indeterministic EAP error
Hello,

sometimes I get the error

    WARNING: !! EAP session for state 0xABCDEFGHIJKLMNOP did not finish!

in my log files / debug output. Before anybody says "have a look at http://deployingradius.com/documents/configuration/eap-problems.html, that will help", please read on, because I already have done that and I believe the problem is a little bit more tricky.

I support PEAP+MsCHAPv2 only and 90% of the time it just works. I am pretty sure that the certificate is all right. If anybody wants to check it, one can find it here: https://freeradius:eaper...@www.stud.uni-karlsruhe.de/~uzbii/hekauth-certs.pem The certificate file includes all intermediate issuers and the trusted CA. The CA is Germany's biggest telco, so most OSes ship with that by default. The certificate also includes the X509v3 Extended Key Usage "TLS Web Client Authentication" and "TLS Web Server Authentication" in order to satisfy Windows clients.

My radius config looks like that:

    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_file = ${certdir}/hekauth-key.pem
    certificate_file = ${certdir}/hekauth-certs.pem
    # CA_file =
    CA_path = ${certdir}/empty-by-purpose/

If a new client connects for the very first time, most OSes automatically detect the correct authentication scheme, ask for username and password, present the certificate for confirmation and it works out of the box. (No errors on either the client or the server side.)

Randomly, I get this error message although the respective client normally works. In that case the client just restarts the authentication and then succeeds on the second trial. Hence the only difference the user might notice is an authentication that might take some milliseconds longer. During the last four days there have been 1278 such errors, 2519 sessions, 9651 successful authentication attempts, i.e. each session triggered approximately 3.8 re-authentications, 93 different clients and at least 6 different OSes.

I cannot find any pattern, so I do not believe it to be a client side issue. Of course, one can argue to ignore the warning as it works most of the time, but I do not like indeterministically behaving IT systems, hence it preys on my mind. Does anybody have an idea what the reason might be? If anybody wants to see a full debug output or a tcpdump, I can provide you with plenty of that. But I could not find anything.

Yours, Matthias
Re: Indeterministic EAP error
Hello,

On Thursday 04 October 2012, 17:09:35, Phil Mayers wrote:
> On 04/10/12 16:45, Matthias Nagel wrote:
> > I cannot find any pattern, so I do not believe it to be a client side issue. Does anybody have an idea what the reason might be? If anybody wants to see a full debug output or a tcpdump, I can provide you with plenty of that. But I could not find anything.
>
> One thing: that logging only happens in debug mode. Most people don't run in debug mode all the time, so as far as I know, it could be normal - maybe everyone sees failure rates of that order?

That would be nice, indeed. But if the reason is the signal strength of a WiFi, then the numbers heavily depend on your WiFi coverage. So it is difficult to compare.

> Anyway, first things - check your eap {} module config, specifically ensure that max_sessions is high enough to support your load, that timer_expire isn't too low, and if applicable, that your TLS session caching is ok (size, particularly).

I did not find max_sessions anywhere in the config files. Where is it supposed to be set and what is the default if not set? timer_expire is 60 seconds. The cache size for session resumption is set to 0. I read somewhere that this means infinite. I see a lot of session resumptions that work.

I found the entry

    # fragment_size = 1024

to be commented out. Does anybody have experience with HP E-MSM 430 APs? Probably this is a dummy question: I always believed that the smallest MTU that must be supported by an ethernet device is 1500. Are there really APs that support less? I did not find anything on that in the specifications of my AP. And a second question: Does a wrong value for fragment_size always fail? Or to state it conversely: If a default fragment size of 1024 works most of the time (as it does with me), can this still be a reason for the failure, if it is too high?

> Otherwise - I assume you are authenticating wireless clients?

Half-half. It is an HP 5412 chassis solution with an integrated MSM 765zl WiFi controller. Most clients are wired (desktop PCs) and some clients (smartphones, tablets, laptops) are wireless. But yes, if I (hopefully correctly) link the error message to the corresponding access challenge, most errors are from wireless sessions.

> Are you able to determine where the EAP sessions have got to before they hang up? Are they still in TLS setup, or inner-tunnel? Does it hang up after e.g. the EAP-MSCHAP challenge?

I am not sure if I do the linking between error message and access challenge correctly. But if I do so, there is no particular point.

> Regrettably the "session did not finish" logging isn't great, so determining this is hard - I keep meaning to see if it can be improved e.g. log some attributes from the original packet, log the state of the EAP session, etc.

At the moment I do the following: I pick the hex number from the error message and look for an access challenge that has the same number in its State AVP. If this is the wrong way to do it, then all I said before is nonsense.

Matthias
Re:
Hello,

> > Hi, I'm a newbie in Freeradius. I am facing a problem: when I run radiusd with the 'radiusd -X' command it is generating a log in the log file, but when I run radiusd with the 'radiusd' command it is not generating its log in the log file.. anyone please help me with this :(
>
> Um when you run radiusd -X it prints everything to stdout... you can use -x[xx] to add additional debugging in daemon mode...
>
> -Arran

I believe the question was how to get a log file in non-debug mode. Have a look at the main configuration file. It depends on your distro where it is installed. (For example in Debian it is /etc/freeradius/radiusd.conf). In that file you find a variable logdir at global scope and normally you find a section log { } where all the logging related parameters are defined. But normally the distro has sane defaults there. Perhaps you are looking for the log file in the wrong place? Or freeradius logs to the syslog daemon? Then you have to find out what the syslog daemon does with the logging messages.

Matthias
Bug/Enhancement request: Race condition with short-term accounting (FreeRadius 2.1.10)
Hello everybody,

if two accounting messages for the same session are sent by the authenticator very quickly, the messages may be processed by the radius server in the wrong order. This results in two sessions being accounted instead of one. The second phantom session stays open forever, because it never receives any update and/or stop message.

Example: If a supplicant authenticates and immediately disconnects again, the following steps are executed:

1) The authenticator sends an accounting start message
2) The authenticator sends an accounting stop message immediately
3) The RADIUS server receives the start message and assigns it to thread #1
4) The RADIUS server receives the stop message and assigns it to thread #2
5) Thread #2 terminates first and the accounting stop message is written to the PostgreSQL database. The SQL UPDATE statement fails, because there is no entry for this session that could be updated, as the start message has not been processed yet. Hence, an INSERT INTO statement is executed as a fail-over measure.
6) Thread #1 terminates and an SQL INSERT statement is performed in order to log the start message.

The result is that the same session is accounted with two entries in the database. The first entry is complete, this is to say it has a start and stop time. This is the result of step 5. The second entry is incomplete, i.e. it only has a start time. The latter will never be completed, because the stop message has already been processed and acknowledged to the authenticator.

At the moment my work-around is to run FreeRADIUS in debug mode to keep it single threaded. But I would like to propose the following solution. Instead of assigning incoming requests to the thread pool randomly, first preprocess the request and assign requests that have identical user names (or some other senseful attribute) to the same thread. This way requests that might belong to the same session are processed by the same thread and cannot outperform each other. Requests that never can belong to the same session are still processed concurrently.

Best regards, Matthias Nagel
Re: Bug/Enhancement request: Race condition with short-term accounting (FreeRadius 2.1.10)
Hello,

On Tuesday 28 August 2012, 23:11:57, Alan DeKok wrote:
> Matthias Nagel wrote:
> > if two accounting messages for the same session are sent by the authenticator very quickly, the messages may be processed by the radius server in the wrong order. This results in two sessions being accounted instead of one. The second phantom session stays open forever, because it never receives any update and/or stop message.
>
> This is a well-known issue with RADIUS. Packets may appear in any order.
>
> > Example: If a supplicant authenticates and immediately disconnects again, the following steps are executed:
> > 1) The authenticator sends an accounting start message
> > 2) The authenticator sends an accounting stop message immediately
> > 3) The RADIUS server receives the start message and assigns it to thread #1
> > 4) The RADIUS server receives the stop message and assigns it to thread #2
> > 5) Thread #2 terminates first and the accounting stop message is written to the PostgreSQL database. The SQL UPDATE statement fails, because there is no entry for this session that could be updated, as the start message has not been processed yet. Hence, an INSERT INTO statement is executed as a fail-over measure.
> > 6) Thread #1 terminates and an SQL INSERT statement is performed in order to log the start message.
>
> That doesn't make sense. If the table indexes are set up correctly, the SQL insert will fail at step (6). The module will then try the update query, which should succeed.

This is correct if one has some kind of key to identify a session that could be used as a database index. But unfortunately there are a lot of authenticators out there that do not correctly generate radius accounting session ids. Basically I see three different types (apart from the correct one):

1) Authenticators that do not send a session id at all (Acct-Session-Id is empty)
2) Those that always return the same session id (even if the user name differs)
3) Those that always return a new session id even if the requests (start/update/stop) belong to the same session

Of course one can try to use other attributes to construct an own artificial identifier, which is actually done by the unique module. But the question is what attributes should be used. If one uses user-name, nas-ip-address, calling-station-id and friends, then the same session id might be used for different sessions. For example, one session by the same user from the same supplicant in the morning and a new session in the afternoon. So the result is the same as in case 2). If one includes some timestamp related information, the session identifier is always changing. This means we are faced with case 3).

Hence, at the moment my SQL query does not rely on identifiers at all, but does the following:

1) If a start request comes in, just create a new row in the database
2a) If an update/stop message comes in, select all rows that have the same user name, nas ip address and some other identical columns and that do not have a stop time. This is to say, select all possibly matching and running sessions. Then order these sessions by update time and take the most recent one. This row is then updated with the new information
2b) If 2a) fails, because there is no row in the selection, create a new row as in 1)

Of course this procedure relies on the correct order of the radius messages.

> > The result is that the same session is accounted with two entries in the database. The first entry is complete, this is to say it has a start and stop time. This is the result of step 5. The second entry is incomplete, i.e. it only has a start time. The latter will never be completed, because the stop message has already been processed and acknowledged to the authenticator.
>
> That is a database consistency issue. You can't have two rows using the same keys.
>
> > But I would like to propose the following solution. Instead of assigning incoming requests to the thread pool randomly, first preprocess the request and assign requests that have identical user names (or some other senseful attribute) to the same thread. This way requests that might belong to the same session are processed by the same thread and cannot outperform each other. Requests that never can belong to the same session are still processed concurrently.
>
> That is not going to happen. It's a bad fix. The correct fix is to use the SQL indexes.

I can see your point. Do you have any other suggestions to solve the issue? (Changing the hardware is not going to happen.) Any ideas for a more sophisticated SQL query that does not rely on identifiers (see above)?

> Alan DeKok.

Best regards, Matthias Nagel
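An added example (not FreeRADIUS code and not its SQL schema) that replays the Start/Stop race from steps 1-6 against a minimal radacct table in sqlite3, once without and once with the unique session index Alan refers to; the packets, the session id and the column names are constructed, and the query-plus-fallback-query pattern is a simplified stand-in for the module's own queries.

```python
"""Replay an out-of-order Accounting-Start / Accounting-Stop pair.

Without a unique key the Stop inserts a closed row and the late Start
inserts a second, never-closed row (the phantom session). With a unique
key on the session the Start's INSERT fails and the fallback UPDATE only
fills in the start time, leaving one closed row. Constructed example."""
import sqlite3

# Constructed packets modelled on the attributes the thread discusses.
START = {"Acct-Status-Type": "Start", "Acct-Session-Id": "0A1B2C3D",
         "User-Name": "alice", "NAS-IP-Address": "192.0.2.10",
         "Event-Timestamp": 1000, "Acct-Session-Time": 0}
STOP = dict(START, **{"Acct-Status-Type": "Stop",
                      "Event-Timestamp": 1001, "Acct-Session-Time": 1})


def open_radacct(unique_session_key: bool) -> sqlite3.Connection:
    """Minimal radacct; optionally with the unique index Alan recommends."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        radacctid       INTEGER PRIMARY KEY AUTOINCREMENT,
        acctsessionid   TEXT NOT NULL,
        username        TEXT NOT NULL,
        nasipaddress    TEXT NOT NULL,
        acctstarttime   INTEGER,
        acctstoptime    INTEGER,
        acctsessiontime INTEGER)""")
    if unique_session_key:
        conn.execute("CREATE UNIQUE INDEX radacct_session "
                     "ON radacct (acctsessionid, nasipaddress)")
    return conn


def handle_accounting(conn, pkt) -> None:
    """Primary query, then the fallback query if the primary did nothing."""
    key = (pkt["Acct-Session-Id"], pkt["NAS-IP-Address"])
    if pkt["Acct-Status-Type"] == "Start":
        try:
            conn.execute("INSERT INTO radacct (acctsessionid, nasipaddress, "
                         "username, acctstarttime) VALUES (?, ?, ?, ?)",
                         key + (pkt["User-Name"], pkt["Event-Timestamp"]))
        except sqlite3.IntegrityError:
            # A Stop already created the row: only fill in the start time.
            conn.execute("UPDATE radacct SET acctstarttime = ? "
                         "WHERE acctsessionid = ? AND nasipaddress = ?",
                         (pkt["Event-Timestamp"],) + key)
    else:  # Stop
        cur = conn.execute(
            "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? "
            "WHERE acctsessionid = ? AND nasipaddress = ? "
            "AND acctstoptime IS NULL",
            (pkt["Event-Timestamp"], pkt["Acct-Session-Time"]) + key)
        if cur.rowcount == 0:
            # No open row yet (the Stop overtook the Start): insert a closed
            # row, deriving the start time from the session time.
            conn.execute("INSERT INTO radacct (acctsessionid, nasipaddress, "
                         "username, acctstarttime, acctstoptime, "
                         "acctsessiontime) VALUES (?, ?, ?, ?, ?, ?)",
                         key + (pkt["User-Name"],
                                pkt["Event-Timestamp"] - pkt["Acct-Session-Time"],
                                pkt["Event-Timestamp"], pkt["Acct-Session-Time"]))
    conn.commit()


def replay(packets, unique_session_key: bool) -> tuple:
    """Return (rows in radacct, rows still open) after processing `packets`."""
    conn = open_radacct(unique_session_key)
    for pkt in packets:
        handle_accounting(conn, pkt)
    return conn.execute(
        "SELECT COUNT(*), SUM(acctstoptime IS NULL) FROM radacct").fetchone()


if __name__ == "__main__":
    print("in order, no index:        ", replay([START, STOP], False))
    print("out of order, no index:    ", replay([STOP, START], False))
    print("out of order, unique index:", replay([STOP, START], True))
```

The unique index only helps when the NAS sends a usable Acct-Session-Id; for the three broken NAS behaviours listed above (empty, constant, or ever-changing ids) the key would reject or never match, which is exactly the objection raised in this reply.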