Trying other authentication methods when the first is invalid
Sorry for the wall of text, I'd rather give too much info than not enough.

Our FreeRADIUS server (version 2.1.8 running on Ubuntu 10.04 LTS x64, installed from packages) currently does mac-based authentication of hosts onto edge switches using perl scripts (rlm_perl) talking to the API for our network access control system. I would like to extend this to also be able to support 802.1x based authentication, but only for certain specific networks (ones with access to more important servers or similar. For example the finance network should need 802.1x to auth, but our student residence network shouldn't, as then no games consoles and the like would work).

The initial method I had set up was to look for the presence of an EAP-Message in the request in the authorize section, and call the eap module if EAP-Message was present to set Auth-Type to EAP and then do authentication using eap (tls or peap) (and then expect to hand off to perl in post_auth just for the VLAN assignment), or to call the perl module to set Auth-Type as Perl if there was no EAP-Message, and handle it in authenticate as a simple MAC auth using perl. (The reason for not just calling eap then perl all the time is that the rlm_perl module, despite my authorize subroutine containing simply "$RAD_CHECK{'Auth-Type'} = 'Perl'; return RLM_MODULE_OK;", seems to alter the value of User-Name such that calling eap in authenticate *always* fails with the error "Identity does not match User-Name, setting from EAP Identity." and rejects the user if perl has been called in authorize, even if it is called after eap and the eap stanza reads "eap { ok = return }".) This worked fine on our HP Procurve switches.

Anyway, we have got some Juniper EX2200 switches. The problem with these is that they do mac-auth as a 'fake' 802.1x auth. The request has the User-Name attribute set to the MAC address correctly, but also has an EAP-Message present; it just doesn't contain anything we want to have to care about (it actually contains, once the eap header has been decoded, the md5 of the mac-address). This causes the eap module, if called in authorize, to think the request should be handled by itself and set Auth-Type to EAP and expect to do eap-md5 (even if the default-auth-type in eap.conf is set to something else, like peap). However, as we do not actually want to do an eap-md5 auth we have no Cleartext-Password anywhere for the tens of thousands of MAC addresses (with new ones every day, which we auth onto a special 'unregistered' network with limited access instead of rejecting) on our network. The eap module in this case returns 'invalid' in authentication, rather than 'reject'.

I was hoping I could detect this and tell it to move on to perl if this happened. I can't seem to make that work. As soon as eap returns invalid, all further processing is halted for that request and FreeRADIUS jumps straight to the Post-Auth REJECT section. Can anyone suggest a way around this? I was originally thinking that I could use the perl module after eap in authorize to check if the decoded eap data was simply an md5 hash of the MAC, and set Auth-Type to Perl even though there was an EAP-Message in that case, but of course if I ever then do that check on a valid 802.1x auth EAP breaks (as I mentioned above).

Thanks for any help anyone can offer

--
Dan Meyers
Lancaster University

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
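The check the post above wants to make in authorize (is the EAP-Message just an EAP-MD5 response carrying MD5 of the MAC, or a real 802.1X conversation?) is easy to state once the EAP-Message is decoded. The following is an added example and is not the poster's rlm_perl code or anything shipped with FreeRADIUS. It assumes (hypothetically) that the EAP-Message fragments have already been reassembled into one byte string, and that the switch hashes one of a few plausible string forms of the MAC address, since the post does not say which form it uses; the sample packets are constructed in the block.

```python
"""
Tell a Juniper-style "fake 802.1X" MAC-auth request apart from a real EAP
conversation by decoding the EAP-Message.

Added example, not the poster's rlm_perl code and not part of FreeRADIUS.
Assumptions (hypothetical): the EAP-Message fragments have already been
reassembled into one byte string, and the switch's MD5 value is MD5 over one
of a few plausible string forms of the MAC (the post does not say which form).
"""
import hashlib
import struct
from typing import Optional

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4


def eap_from_debug_hex(text: str) -> bytes:
    """Convert the 0x... form that radiusd -X prints for EAP-Message into bytes."""
    text = text.strip()
    if text.startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def parse_eap(pkt: bytes) -> dict:
    """Decode the RFC 3748 header; for MD5-Challenge also split Value-Size/Value/Name."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    body = pkt[4:length]
    info = {"code": code, "id": ident, "type": None, "data": body}
    if code in (1, 2) and body:          # Request/Response carry a Type octet
        info["type"] = body[0]
        info["data"] = body[1:]
    if info["type"] == EAP_TYPE_MD5_CHALLENGE:
        data = info["data"]
        if not data or 1 + data[0] > len(data):
            raise ValueError("MD5-Challenge Value-Size inconsistent with data")
        info["md5_value"] = data[1:1 + data[0]]
        info["md5_name"] = data[1 + data[0]:]
    return info


def mac_md5_candidates(mac: str) -> set:
    """MD5 digests of the string forms of the MAC the switch might have hashed (assumption)."""
    raw = mac.replace("-", "").replace(":", "").replace(".", "")
    forms = {mac, mac.lower(), mac.upper(), raw, raw.lower(), raw.upper()}
    return {hashlib.md5(f.encode("ascii")).digest() for f in forms}


def classify(user_name: str, eap_message: Optional[bytes]) -> str:
    """'mac' = hand to the MAC-auth (perl) path, 'eap' = let the eap module run."""
    if eap_message is None:
        return "mac"                      # HP-style: no EAP-Message at all
    eap = parse_eap(eap_message)
    if (eap["code"] == EAP_RESPONSE
            and eap["type"] == EAP_TYPE_MD5_CHALLENGE
            and eap["md5_value"] in mac_md5_candidates(user_name)):
        return "mac"                      # Juniper-style: MD5 of the MAC, no real password
    return "eap"                          # Identity, PEAP, TLS, or a genuine MD5 response


def build_md5_response(ident: int, value: bytes, name: bytes = b"") -> bytes:
    """Build an EAP-Response/MD5-Challenge packet (for constructing sample input)."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def fake_mac_auth_message(mac: str, ident: int = 1) -> bytes:
    """Constructed sample of what the post says the EX2200 sends: MD5 of the MAC."""
    digest = hashlib.md5(mac.encode("ascii")).digest()
    return build_md5_response(ident, digest, mac.encode("ascii"))
```

The decision is made on the decoded packet alone, so it can run before the eap module touches the request. The MD5 comparison is against User-Name, which the post says carries the MAC on these switches; a genuine EAP-MD5 response, whose value depends on the challenge and password, will not match any of the candidate digests and falls through to the eap path.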
RE: Error: ASSERT FAILED threads.c[406]
Will do :) Just to check I've understood properly - Do you expect the new version to just fix the ASSERT FAILED error, and what's happening in the perl is still something I need to investigate (and is probably thread related), or should the fix also stop me getting unresponsive children in the perl accounting method?

Thanks

Dan

> Meyers, Dan wrote:
> > Ran fine for a week or so, but in the last few days we've had it crash twice, both times with the same message. The logs initially fill with messages of the sort:
> >
> > "Sat Jul 24 01:05:08 2010 : Error: WARNING: Unresponsive child for request 128145, in module perl component accounting"
>
> Oops.
>
> > "Sat Jul 24 01:05:27 2010 : Error: ASSERT FAILED threads.c[406]: (*request)->magic == REQUEST_MAGIC"
>
> That looks like a bug which will be fixed in 2.1.10. See http://git.freeradius.org, branch v2.1.x. Download that and install it. It should fix the problem.
>
> If so, please say so.
>
> It's a corner case that wasn't being handled properly.
Error: ASSERT FAILED threads.c[406]
Quick bit of background. We're using FreeRADIUS in combination with rlm_perl for network access control at our site. Everything was running fine on FreeBSD 8.0 with FreeRADIUS 2.1.8 compiled from ports and Perl 5.8 compiled to be non-threaded and not support multiplicity. We got new higher spec servers from Dell, and sadly the only *nix OS that currently supports the RAID card in them seems to be Ubuntu Server 10.4, so we're now on that. Perl is compiled (as it is by default on Ubuntu) with threads and multiplicity, but some testing by hammering the server from multiple different machines using radclient and some test packets from a file seemed to show that (unlike the last time we tried, which I believe was on FreeRADIUS 2.1.3) using threaded perl was stable and worked fine with rlm_perl in FreeRADIUS (it used to lock up eventually).

Ran fine for a week or so, but in the last few days we've had it crash twice, both times with the same message. The logs initially fill with messages of the sort:

"Sat Jul 24 01:05:08 2010 : Error: WARNING: Unresponsive child for request 128145, in module perl component accounting"

and

"Sat Jul 24 01:05:08 2010 : Info: WARNING: Child is hung for request 128145."

We'll end up with 32 of the former type of error message (we're currently running with 32 threads configured in the thread_pool in radius.conf), interspersed with the latter, then a stack of the latter type of error (always for the same set of requests, i.e. one of the ones we got an initial error for, but we'll get the second error multiple times for a given request). Then eventually we get

"Sat Jul 24 01:05:27 2010 : Error: ASSERT FAILED threads.c[406]: (*request)->magic == REQUEST_MAGIC"

All our accounting module does in perl is convert the incoming radius hash to yaml and then attempt to write it to a database with a timestamp.

I am strongly suspecting that the initial problem is to do with threading in combination with the DBD::MySQL module in perl or the MySQL client rather than FreeRADIUS, despite our testing seeming to show it was OK. But I do not think that final ASSERT FAILED error should be being generated as a result of the former issue. I am trying to understand what is going on. Is FreeRADIUS attempting to kill the deadlocked threads and being unable to do so?

Thanks

Dan
RE: Logins against AD failing in *most* cases. Can see why, but don't*understand* why.
> Given *my* background: I tend to blame everything *other* than FreeRADIUS. If there's a bug, it gets fixed pretty quickly. That's more than you can say for Microsoft.

Finally got it sorted, and it was indeed nothing to do with FreeRADIUS but was a combination of several factors all related to Samba (posted here in case anyone else has similar issues in future and thinks it's FreeRADIUS):

1) We needed to upgrade to a newer version of Samba to be able to talk to Windows Server 2008 R2 (R2 made some significant changes over straight 2008, according to our Windows admins, so R1 or straight 2008 might be more lenient) using ntlm_auth (something we did quite early in the attempt to get it working). We're now on 3.4.3 compiled from source (3.4.0 in packages for Debian 5.0 didn't seem to work).

2) We needed to change our smb.conf. The config that worked with Server 2003 seems to not work with 2008 R2.

3) (And this was the one that really got me towards the end and caused me much confusion for the last few days when it sometimes worked and sometimes didn't): You *must* start Samba (i.e. nmbd and smbd) before winbind. If you start winbind first, then ntlm_auth gives every indication of working correctly. An ntlm_auth --username=whatever and then giving a password returns NT_STATUS_OK: Success (0x0). An incorrect password returns NT_STATUS_WRONG_PASSWORD, so it's evidently talking to the DC OK. Likewise taking a username, challenge and nt response from a radius request in debug mode and testing on the command line does return an NT key like it should. *However* that NT key, which is the same every time the command is run for a given username, challenge and response, is *not* the same as the NT key returned for the same username, challenge and response if you start Samba before winbind. If you start winbind first, the client will reject the NT key returned. If you start Samba first, it works fine.

Bit of a noddy error on my part, that one. But if ntlm_auth had actually given any indication of not being able to talk to the domain I would have spotted it much sooner. Because all indications were that it was communicating fine it never occurred to me that the NT key being returned might be invalid.

Thanks all.
RE: Logins against AD failing in *most* cases. Can see why, but don't*understand* why.
> > It was also my (possibly erroneous) understanding that FreeRADIUS would never get to the point of being able to get the MSCHAPv2 password from the client if the CA cert was incorrect, as it would never complete the setup of the EAP session inside which the MSCHAPv2 data is contained.
>
> Yes. That's what you're seeing. The *client* is deciding it doesn't like the certificate, and is stopping.

But even in the failed example I am getting far enough for the server to receive a username and MSCHAPv2 password from the client, and auth them using ntlm_auth. Surely by the time the server gets an MSCHAPv2 password from the client the EAP session should have been set up, server certs validated etc etc on the client side, otherwise what's the point of the validation as you've already handed details to a potentially untrusted server. Or am I misunderstanding something major here?

> And FreeRADIUS always gets the blame. It explains why I come across as cranky much of the time.

Apologies, I didn't actually mean to blame FreeRADIUS. I was reasonably certain that my issue was with either Samba or the AD (though it now seems the wireless controllers are a possibility as well) or a misconfiguration on my part within FreeRADIUS specifically when dealing with Windows Server 2008 R2. Or that it would simply be a known case of "This doesn't work yet for reasons X, Y and Z. Use this workaround" where the workaround was using some clever data fettling or similar via rlm_perl and FreeRADIUS. Initially I thought the latter to be most likely, hence my posting on this list rather than, say, the Samba one.
RE: Logins against AD failing in *most* cases. Can see why, butdon't*understand* why.
> > I am perfectly willing to accept that you may be right and this may be my issue, I just don't understand how it has suddenly become a problem.
>
> Are you using a Cisco Wireless LAN Controller (WLC)? We had a similar issue with our Cisco 2112 WLC (EAP conversation stops on the NAS/supplicant side). For what it's worth, our WLC was working fine for a while and then suddenly stopped. A reboot fixed it one time, but then it eventually failed again and a reboot didn't fix it. It was resolved by changing a setting in the WLC (I'll get you the details if it's applicable).

We are indeed. Cisco Wireless Control System with 4 Cisco 4400 series WLAN controllers, with about 300 connected Cisco APs spread across the 4 of them.

I thought I'd got it just now, as I got it working reliably from several different machines in our office with freeradius in debug mode (but without changing anything, which I found very odd). Just to check, I restarted samba, winbind and freeradius. Now all of a sudden it's not working again. ntlm_auth is working and returning an nt key but the Access-Challenge is not being responded to where 2 minutes ago it was just fine.

It never occurred to me that the Cisco controllers could be our issue... Though I have just checked with a colleague and he did try restarting them after hours yesterday, and it didn't help matters. If you can find out what setting you changed that would be ideal, but probably best to email me directly as this is getting somewhat off-topic for the list.

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk
RE: Logins against AD failing in *most* cases. Can see why, but don't*understand* why.
> > Secondly, my colleague's machine actually responds to the Access-Challenge sent at the end of the packet where the ntlm_auth is done, whereas my machine does not. This is the crucial point I think. Without this final response the Access-Accept is never sent back. My colleague is using Windows XP with the Intel Pro/Set Wireless drivers and supplicant. If he changes to using the XP inbuilt supplicant, everything stops working. I am on Windows 7 using the inbuilt supplicant. As best we can tell, this is the problematic difference. The Intel supplicant is presumably getting and responding to the Access-Challenge where the windows inbuilt supplicant is not, but I don't know why or what could be causing it. My machine also doesn't respond to the Access-Challenge under Ubuntu 9.10, using the Gnome inbuilt supplicant.
>
> This is most likely a CA cert problem. The comments in the default "eap.conf" give a very specific warning about this (access-challenge which is never replied to) and explain the issue.

This being the case, why does my machine successfully respond to all the other Access-Challenges before the MSCHAPv2 password is dealt with? The trace I gave was for an Access-Challenge id 107. Ids 100 (my initial request) to 106 (the other parts of the EAP setup) all finish with an Access-Challenge with an EAP-Message being sent to my client, and all of those Challenges are successfully responded to. It was also my (possibly erroneous) understanding that FreeRADIUS would never get to the point of being able to get the MSCHAPv2 password from the client if the CA cert was incorrect, as it would never complete the setup of the EAP session inside which the MSCHAPv2 data is contained.

Additionally I am using exactly the same certificates, file ownership and permissions and eap.conf settings that worked fine before the AD upgrade, and the certificates are not used in talking to the domain to auth credentials so I can't think that the issue lies there. I am perfectly willing to accept that you may be right and this may be my issue, I just don't understand how it has suddenly become a problem.

Dan
Logins against AD failing in *most* cases. Can see why, but don't *understand* why.
Still trying to get our FreeRADIUS system working nicely after the AD upgrade to server 2008. Compiling Samba to version 3.4.3 from source fixed our ntlm_auth issue, but most users were still unable to connect. I have 2 examples here, one of a user who failed to connect, one of a user who succeeded (you may wish to skip to the end of the mail for some things I've noted, and only then look back at all the debug output ;) ).

Firstly, the last packet of my auth attempt after the EAP negotiation has been done, where my MSCHAPv2 password gets authenticated against the domain (sorry for the wall of text):

rad_recv: Access-Request packet from host 148.88.249.136 port 32770, id=107, length=325
        User-Name = "us...@lancaster.ac.uk"
        Calling-Station-Id = "00-19-D2-7A-32-37"
        Called-Station-Id = "00-22-55-EF-12-70:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 148.88.249.136
        NAS-Identifier = "open-lwapp03"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "431"
        EAP-Message = 0x0209007b19001703010070617a586349258a547c06634d0fddf4595a1335caed798858583e7abb666d98687d584b69e92570c58f855442a0e4cfbee722a8e408ec1c952f97b3ef286ed3b611ff5799f587048f82e762c79a90e9b20c01e5a1ed175726e2db392b9e7b5a4abf57e82a3fd0caf93f164fc3d14b547f
        State = 0x358f4053338659fabf419b83279b13d2
        Message-Authenticator = 0x57a488c36caaca604135f6e50b03a561
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm "lancaster.ac.uk" for User-Name = "us...@lancaster.ac.uk"
[suffix] Found realm "lancaster.ac.uk"
[suffix] Adding Stripped-User-Name = "user1"
[suffix] Adding Realm = "lancaster.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++? if ("%{User-Name}" =~ /^(.*)(.*)$/)
        expand: %{User-Name} -> us...@lancaster.ac.uk
? Evaluating ("%{User-Name}" =~ /^(.*)(.*)$/) -> FALSE
++? if ("%{User-Name}" =~ /^(.*)(.*)$/) -> FALSE
[eap] EAP packet type response id 9 length 123
[eap] Continuing tunnel setup.
++[eap] returns ok
  Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020900521a0209004d31edbf49d61deaee3bc54da173c7fa87f388ad0f8484b8ba14e9d5a5f87ebbd0dc0995dcfacd4c8947006d657965727364406c616e6361737465722e61632e756b
server  {
  PEAP: Setting User-Name to us...@lancaster.ac.uk
Sending tunneled request
        EAP-Message = 0x020900521a0209004d31edbf49d61deaee3bc54da173c7fa87f388ad0f8484b8ba14e9d5a5f87ebbd0dc0995dcfacd4c8947006d657965727364406c616e6361737465722e61632e756b
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "us...@lancaster.ac.uk"
        State = 0x87479817874e82241c779ef3ac5e3935
        Calling-Station-Id = "00-19-D2-7A-32-37"
        Called-Station-Id = "00-22-55-EF-12-70:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 148.88.249.136
        NAS-Identifier = "open-lwapp03"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "431"
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
++? if ("%{User-Name}" =~ /^(.*)(.*)$/)
        expand: %{User-Name} -> us...@lancaster.ac.uk
? Evaluating ("%{User-Name}" =~ /^(.*)(.*)$/) -> FALSE
++? if ("%{User-Name}" =~ /^(.*)(.*)$/) -> FALSE
++? if ("%{User-Name}" =~ /^(.*)\@(.*)$/)
        expand: %{User-Name} -> us...@lancaster.ac.uk
? Evaluating ("%{User-Name}" =~ /^(.*)\@(.*)$/) -> TRUE
++? if ("%{User-Name}" =~ /^(.*)\@(.*)$/) -> TRUE
++- entering if ("%{User-Name}" =~ /^(.*)\@(.*)$/) {...}
        expand: %{1} -> user1
        expand: %{2} -> lancaster.ac.uk
+++[request] returns noop
++- if ("%{User-Name}" =~ /^(.*)\@(.*)$/) returns noop
[eap] EAP packet type response id 9 length 82
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{Stripped-User-Name} -> user1
[sql]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> user1
[sql] sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'user1' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql]   expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='user1'
rlm_sql_postgresql:
ntlm_auth and Server 2008 R2 (or, how to select a group for a proxied request)
Info (for the short version of what I need, skip to the last paragraph):

For a while now we've been running a stable solution for our wireless system 802.1x auth involving FreeRADIUS. Specifically, when a client tries to do a PEAP/MSCHAPv2 auth the eap module of FreeRADIUS successfully negotiates and terminates the EAP tunnel, and the MSCHAPv2 data is extracted and then shelled out to ntlm_auth which talks to our domain controllers (Windows Server 2003) to verify whether the MSCHAPv2 encoded password is correct for the given username.

This worked fine, right up until we upgraded our domain controllers to Windows Server 2008 R2. Suddenly, ntlm_auth stopped talking to the DC. The message we were getting back when we tried to auth (either via radius or on the command line with a simple ntlm_auth --username= and then specifying the password at the prompt) was NT_STATUS_PIPE_DISCONNECTED: Named pipe disconnected (0xc0b0). wbinfo -u successfully gets a list of every user the DCs know about, so we can still talk to them (this is on Samba 3.4.0, the latest on Ubuntu Server 9.10).

As we couldn't seem to talk to the DC directly, we instead proxied to a Windows Server 2003 RADIUS server which was on the domain, which then terminated the EAP tunnel and queried the DC for the info we needed. We'd rather not need this step, but it got around the ntlm_auth issues we were having.

The problem now is that our authorize section in our inner-tunnel (used when there is a PEAP connection) used the sql module to extract group information from the user group table of the radius postgres database. Thus we could return a radius key:value pair that would dump a user into a group based on the returned result of the group_membership_query. As we are now proxying the request instead of doing authorize ourselves, this query is not getting run and every single user is ending up in the default group. 'sql' as a module can't go into post-proxy, so I'm unsure how to get this query to be run once the Windows server has returned OK for a request. The Windows RADIUS server does not seem to have enough functionality to get the group information we require.

So, I either need to work out what to do to ntlm_auth to make it play nicely with Server 2008 R2 domain controllers for user verification, or I need to work out how to get FreeRADIUS to do the group sql query and add the relevant pairs before returning the result to the client after it has got an Access-Accept from the Windows RADIUS server for the request it proxied there. Has anyone got any experience of either of these things?

Thanks in advance

Dan
RE: Re[4]: rlm_python - Unresponsive child
> As I told - all working file in freeradius debug mode (with -X), I have problems with productional threads pool mode.

I see the same issue with rlm_perl and my perl code. Works fine in radiusd -X, or if perl is compiled to not use threads, but as soon as I compile perl for threading and start trying to use CLONE I get all sorts of issues with unresponsive children. When I used radclient to hammer the hell out of my server the messages appeared for 10-15 seconds or so, then went away. I theorised that radius was trying to hand off work to radius/perl threads that hadn't been fully instantiated yet. On the current live system (using an older version of FreeRadius - 2.0.3 - until we have another stable development version to move to) it sometimes shows up and just never goes away until radiusd is restarted. I never managed to nail down what the issue was. I did wonder if DBI or DBD::Mysql was doing something funky in a threaded environment and hanging on database access. You may be having similar issues?

Dan
rlm_perl/radius issues with db connections
I'm having a few issues with FreeRadius 2.1.4 (2.1.6 isn't in ports yet) and MySQL 5.1 on FreeBSD 6.2. Specifically, I am using the CLONE method in my perl script to create my database handles every time a new thread is spawned. If I start radius and then do 'show processlist' on the MySQL server I see no connections from the radius server. If I then send a single update from radclient I get a connection in show processlist, and a timely response to my request.

However in our live environment the radius server is fairly heavily used by a large number of NASes, so as soon as it is turned on it gets a large influx of requests, and the logs fill with 'Error: WARNING: Unresponsive child for request X' messages. This goes on for a good 10-20 seconds or so, during which the processlist on the MySQL server still shows no connections. Then, suddenly, the error messages stop and all my connections appear in the processlist. I *think* this delay is in instantiating perl for each radius thread, as the error messages still get spammed into the log for 10-20 seconds even if my authenticate and accounting perl functions simply contain 'return RLM_MODULE_OK;'. I am guessing that once perl has been instantiated for the radius thread the creation of db connections and such occurs quite quickly, but if radius suddenly tries to start a large number of perl processes at once the server gets bogged down.

This behaviour can be replicated in our test environment using radclient. No matter how long I wait after starting the radius server, I always get these error messages as soon as I start bombarding the server with requests. And of course until I start bombarding it it doesn't need to start any extra threads.

The initial issue was that we were getting these error messages in the live environment after some time of the server running, and they weren't ever going away. You had to restart radius to get rid of them, and there was a reasonable chance that they'd reappear as soon as you restarted it. I *believe* the issue there was actually to do with mysql requests hanging as well as perl starting, although I am still unsure as to why, as our client was compiled with the thread safe options and the server doesn't appear to have resource issues. That was, however, with 2.0.3. The issue of the threads never becoming responsive again doesn't *appear* to exist in 2.1.4, from my testing.

An issue we are still seeing, however, is that sometimes no results are returned from the db. DBD doesn't throw an exception or error, we just get an empty result set back occasionally. I'm investigating that at the mo.

I was just wondering if anyone else had come across any similar problems, and how you got around them. Ideally, I'd like for the perl process to be instantiated before radius starts trying to use the thread for requests. That way the radius server would simply not respond to a request if no threads were ready and free, and my NASes could retry/fail over/whatever, whereas at the moment it seems to be sending back rejects while perl is still instantiating in the thread. I could also then tell radius to start with a reasonable number of threads to handle 'normal' load, and it wouldn't actually say it was ready to process requests, and start sending anything back, until all my normal required threads and their respective perl processes had been started.

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk
RE: FreeRADIUS Server Version 2.1.6 has been released
Can I just check, as I can't see anything about it in the changelog and the wiki page for it appears to be the same as before - What is the rlm_perl behaviour with the new version of FreeRADIUS? As I recall rlm_perl no longer handles its own threading. One of the issues for several people introduced with the previous version of FreeRADIUS was there only ever being a single perl thread, which was a bottleneck, where the desired functionality was 1 perl thread (or process, if compiled with multiplicity instead of threading) per radius thread.

I'm also assuming multiplicity takes preference, as our system installed with 2.1.4 had perl installed with both, and our radius process starts up at 200M but doesn't grow in the way you'd expect if we had a memory leak in our perl. I can't think what's taking up all that memory if it's not multiple perl processes. The same code on a system with perl compiled without threading or multiplicity only takes 16M.

Thanks for the update, the radwatch script in particular will be very useful for us :)

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk
RE: PEAP - Intermediate CA
I was having this exact same problem for a significant period of time when I bought a new Verisign cert for our servers which was chained (the old one being directly root signed, which Verisign no longer do). It would appear to be a bug/security patch in XP sometime after SP2 that causes this.

Odds are, assuming you have set it up right (I used this exact same list with some setup issues I was having) that FreeRadius *is* sending your Intermediate CA to the client, but the client is ignoring it. Using Wireshark or similar to packet dump should show you how many certs you are being passed. I am reliably informed by networking staff at another University who had the same issue that if you try with a vanilla install of SP2 with no additional security patches or similar then it will work correctly. At some point after SP2 (they were not sure exactly which patch causes it) certificate chaining for PEAP stops working. Windows Vista follows the chain fine, as do various non-Microsoft OSes I tried. I didn't have a vanilla XP SP2 to test and wasn't sufficiently bothered to make one, as we weren't going to advise our users to remove security patches.

The setup I have is, in eap.conf under the tls section, certificate_file points to a file which actually contains both the server cert and the intermediate cert. The server cert is at the top of the file, with the intermediate cert below. Very simple to do this, just cat the contents of the intermediate cert file to be appended to the server cert file (make sure both are the same file type. I had an issue initially where one was DOS and one was Unix, so I got a lot of metacharacter rubbish when I cat-ed one into the other). Wireshark shows FreeRadius is passing both certs, and anything that isn't XP SP2 works fine. For XP SP2 we had to supply the intermediate cert on our website and ask our users to install it from the wired network in the connect instructions for using wireless (which is where we were using PEAP).

Dan

> I am having an issue where FreeRadius is not handing the intermediate CA to a windows WPA2 client. We are in the process of deploying WPA2/AES with PEAP. So we purchased a certificate from a company that has a Trusted Root CA in Windows, Mac OSX, and Linux. However, it was signed with their intermediate CA, so the OS will not validate the certificate during authentication.
>
> The only solution seems to be installing the intermediate CA certificate on all my clients (2,000-3,000). Is it possible to chain the certificates together like you can in Apache?
RE: failover and load balancing
> I use a PostgreSQL DB for my three AAA server and the DB is enough quick for several request per second.

Aah. We were wanting to handle 100 or so requests a second. Postgres might well have done this, but we wanted room for expansion and our tests with 10'000 requests at ~100 a second showed Postgres being noticeably slower than MySQL. As long as it's good enough for your purposes there's no reason to switch though.

> However, I am looking for a (free) master-master DB, and the replication in postgres crashes. And the problem in MySQL it was told before.
>
> I admit suggestions for a BETTER free DB.

We had a good look and were unfortunately unable to find anything for free. If you can deal with master-slave, MySQL seems to be the best bet. If you must have master-master, you're out of luck until Postgres gets it working or someone else implements it. It seems that to get something like this you'll have to end up paying Oracle or someone similar a fat pile of money. I could be wrong, there might be one we've missed. If so, I'd love to know as well, as master-master replication would make our lives easier too :)

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk
RE: failover and load balancing
> -Original Message-
> From: freeradius-users-bounces+d.meyers=lancaster.ac...@lists.freeradius.org
> [mailto:freeradius-users-bounces+d.meyers=lancaster.ac...@lists.freeradius.org] On Behalf Of Kanwar Ranbir Sandhu
> Sent: 17 April 2009 21:52
> To: freeradius-users@lists.freeradius.org
> Subject: RE: failover and load balancing
>
> I also believe you're saying that I could load balance, too. In this
> case, auth and accounting could be done on both machines, and I would
> still have one freeradius server in use (primary), from the NAS' point
> of view.

There are probably many better ways of doing it, but the simplest way to load balance across multiple FreeRADIUS servers is just to set each server as 'primary' on an equal number of NASes, i.e. 2 servers = half your NASes with server A as primary, half with server B as primary. A NAS will always talk to its primary server if it can possibly manage it. If all NASes have the same IP for their primary server then you'll have to start doing funky things external to both the NAS and FreeRADIUS to load balance nicely. I guess you could proxy from one server to the other for some requests using unlang rules or similar, but by that point you might as well just handle it on the server it's already hit.

> In this scenario, don't the mysql databases on each machine have to be
> kept in sync? I've assumed that I would have to present one logical
> database to the freeradius server, even if the database itself is
> running on multiple mysql servers. That's why I mentioned "database
> cluster". I don't know if my assumption is correct.

MySQL has replication inbuilt. You can run one server as the master and as many others as you want as slaves. Slaves can't be written to, but can be read from.

We're actually using this setup for redundancy in a system we're currently developing. 2 databases within a single MySQL process per server (each of which also runs FreeRADIUS). 1 database is replicated across all the servers, with one server acting as the master. The other database is unique to each server, not replicated. We have a script that runs on the master server every 5 seconds, pulls data from all the 'writable' (i.e. non-replicated) dbs on all the slaves, and writes it to the master replicated db. All systems read data from their local copy of the replicated DB, and write to their local non-replicated DB. It means we can have data that is up to 5 seconds out of date, but at any one point all FreeRADIUS servers have exactly the same view as they read, so it isn't too much of a problem (for us). Please note that we're doing this using rlm_perl and having 2 database handles per perl thread, one for reads and one for writes. I'm not sure if you can separate out the read and write databases like this if you're just using rlm_sql or similar.

If you do far more reads than writes (we're writing a lot of logging data back, but if we weren't reads would far outnumber writes) then you might want to consider the simpler system of reading from the local database and just always writing back to the master. You do then run into the issue of the master being a single point of failure for writes, whereas with our system no data is lost, it's just buffered until the master comes back online and the script runs again.

Postgres does supposedly have a version in beta for full master-master replication, but every time we've tried to get it running it's crashed on us as soon as we tried to actually write any data. Postgres in general seemed much slower than MySQL for reading the data we needed as well.

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk
RE: rlm_perl behavior
> >> It should be running one Perl thread per system thread. The server
> >> core already manages min/max spare threads, idle threads, etc.
> > I hope this implementation will satisfy Borislav too. Will he be
> > able to instantiate different perl scripts for different needs?
> >
> > So, when do I start testing :)

Just to say, we're currently using FreeRadius 2.1.3 with rlm_perl in a project currently in active development, and having read this I'm holding off upgrading to 2.1.4 as we also use the multiple perl threads functionality of the module to parallel process and increase throughput. We have a specific development server/environment, and would be more than happy to test any patches designed to fix this 2.1.4 issue on it.

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk
RE: FreeRADIUS EAP-TLS and SSL certificate chains
> Dan,
>
> It's unclear to me exactly:
>
> a. what you're expecting to happen
> b. what is happening
>
> We have exactly the same setup - verisign root->intermediate->our cert.
> What happens with an XP client on our WPA EAP-PEAP network is exactly
> the same as documented here:
>
> http://www.albany.edu/its/windows_detailed_document.pdf
>
> ...that is, after clicking all the tedious boxes in XP, once connecting
> a dialog box pops up as per page 6 of the PDF above. Once clicked, the
> user is never prompted again.

Yes, this is the behaviour we are seeing too. The issue is that, with said popup and a directly root-signed cert, you can click on the 'View Server Certificate' button and see that it is trusted to a known root, and Windows says something along the lines of 'This is a trusted certificate'. The reason we shifted to using a Verisign cert instead of a self-signed one with the right bits set was that we were getting a surprisingly large number of users refusing to accept a cert that windows flashed up as 'Untrusted. Warning, this certificate cannot be traced to a known trusted root etc etc' (or whatever the actual text is, I can't recall offhand), and then complaining that they couldn't get on the wireless network. It was easier to get a 'proper' cert from Verisign than it was to try and get all our users to install our local CA on their personal machines. Now that Verisign are using an Intermediate CA the cert we have paid for is no better than a self signed one in this case.

The chain does get picked up correctly in Vista, which backs up your point of it being an XP specific issue and nothing to do with FreeRADIUS. I was unfortunately testing on XP only as that is the only Windows I had readily available. If it used to work then God knows why MS decided to break it in a security update, but bring the functionality back in Vista. Unfortunately the majority of our users are still on XP.

Thanks all for your help.

Dan
RE: FreeRADIUS EAP-TLS and SSL certificate chains
> >Googling suggested that simply catting the 2 certs (server and
> >intermediate) into a single file (server at top, intermediate at bottom)
> >and listing that in the config as the certificate_file should work
>
> No, that's not going to work. Client machine will still look for the
> intermediate CA in its store and not in that bundle.

So there is no way at all to get the client to pick up the cert chain without directly installing the intermediate cert on it? Is this actually a client issue of it refusing to use chains for this then, rather than a FreeRADIUS issue of it not passing the chain?

Thanks very much for all your help. This only came up because Verisign have stopped issuing directly root-signed certs, as have the other major cert authorities, it would seem. Our previous cert was directly root signed, and thus worked fine. I (possibly foolishly) assumed that if all the major CAs were shifting to chained certs for everything that the majority of clients using ssl supported them as well.

Dan
RE: FreeRADIUS EAP-TLS and SSL certificate chains
> >I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
> >not require a client certificate. My understanding however is that for
> >passing of the server certificate to validate our server to the clients
> >the options with the tls subsection of the eap.conf file are still used.
>
> For that you need to export just the intermediate certificate used to
> sign the server certificate onto the clients. They should have the root
> one already.
>
> Import intermediate certificate (.der or .crt version) onto a client.
> Copy server.crt onto the client desktop and see if Windows recognized
> the chain.

Yes, if I import just the intermediate certificate to the client, install it, and then try and auth, the chain is picked up correctly (or if I just copy across the server cert and check it). But of course the reason for this is because the intermediate cert is then directly trusted by the client, and the server cert is signed by it. This was my reasoning for thinking that FreeRADIUS was not passing the intermediate cert when the auth attempt was being made. I did originally think it should work without the root cert, because the client already had that, and only installed it as well as the intermediate cert when I failed to get the output I expected just using the intermediate one.

Googling suggested that simply catting the 2 certs (server and intermediate) into a single file (server at top, intermediate at bottom) and listing that in the config as the certificate_file should work, but it didn't seem to for me (and I've checked the file formats this time). The client got the server cert, but still didn't pick up the chain.

Dan
RE: FreeRADIUS EAP-TLS and SSL certificate chains
> >My client is still giving the same behaviour of not getting the
> >certificate chain, however.
>
> OK. So which certificate signed the client certificate?

Sorry, I'm still getting to grips with this system after the previous admin of it left. I've adminned FreeRADIUS before, but never done any of the EAP/PEAP/MSCHAP etc user auth with it. On my other system we are using it for client MAC auth via perl modules.

I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does not require a client certificate. My understanding however is that for passing of the server certificate to validate our server to the clients the options with the tls subsection of the eap.conf file are still used.

Apologies for any wasted time and/or confusion I caused :(

Dan
RE: FreeRADIUS EAP-TLS and SSL certificate chains
> >I've actually dropped the -crl_check from this test, as I'm not doing
> >crl checking within FreeRADIUS until I've got it working without it.
> >Also, this command didn't seem to work when my verisign.pem contained > 1 cert, even after a c_rehash, it only worked if all the certs were in
> >individual files:
> >
> >jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath . jrs-radius02.pem
> >jrs-radius02.pem: OK
>
> What?
>
> openssl verify -CAfile verisign.pem jrs-radius02.pem
>
> isn't working? Then something is wrong with your chain file. Check that
> you are using the correct root certificate and cat certificates again in
> a new bundle.

OK, got this bit sorted, which was me being a tool. I was using vim, and hadn't noticed one file was being opened in dos mode and the other in unix. As soon as I catted them together instead of copy-pasting between terminals I saw that the root block was ending lines with ^M. Converted that to unix format, re-catted the two into my ca pem file, and openssl is now happy with a file containing multiple certs and validates the chain.

My client is still giving the same behaviour of not getting the certificate chain, however. I did wonder if Windows was being daft, and resaved the ca file so all certs within it were in dos format instead of unix. After another rehash openssl still verified the chain fine, but my client is still not playing ball.

Dan
RE: FreeRADIUS EAP-TLS and SSL certificate chains
> Remember when you put your Root CA file (and perhaps the CRL for that
> CA) into your certificate directory, and ran 'c_rehash <directory>'?

If you mean when I installed ssl certs for Apache, I never did this. I simply put the server cert and the chain file on the server, then configured mod_ssl with 2 required parameters - CertificateFile and CertificateChainFile. No (re)hashing was required.

> Well - it's just like that. You might have had RootCA.pem with the
> Verisign CA certificate. Personally - I like to have a separate file
> for each intermediate CA certificate in the chain.

What I've got currently can be up to 3 files. Firstly, the server certificate itself, which has been signed by Verisign's Intermediate CA, then the cert for said Intermediate CA, and finally the root cert used to sign the Intermediate CA. My current setup is with the server cert in a file on its own (jrs-radius02.pem is the cert, jrs-radius02.key is the keyfile), and the intermediate and root certs in the same file (verisign.pem. Intermediate cert at the top, root cert at the bottom). I then have the following config lines in the tls section of eap.conf for FreeRADIUS to reference these files:

    private_key_file = ${certdir}/jrs-radius02/jrs-radius02.key
    certificate_file = ${certdir}/jrs-radius02/jrs-radius02.pem
    CA_file = ${certdir}/jrs-radius02/verisign.pem

> When you think you are done - you can test the validity of your new
> certificate like this:
>
> openssl verify -crl_check -CApath
> /path/to/certificate-file/server.pem.cert

I've actually dropped the -crl_check from this test, as I'm not doing crl checking within FreeRADIUS until I've got it working without it. Also, this command didn't seem to work when my verisign.pem contained > 1 cert, even after a c_rehash, it only worked if all the certs were in individual files:

    jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath . jrs-radius02.pem
    jrs-radius02.pem: OK

As such, I also tried commenting out CA_file in eap.conf and instead having:

    CA_path = ${certdir}/jrs-radius02/

With all my certs in individual files, but that gave the same behaviour, i.e. that on my client it shows me the certificate it got passed, for the jrs-radius02 server, but it doesn't have a certificate chain back to a known trusted root.

> Hope this helps. Give it a go and let us know if you have any problems.

This still appears to be failing to pass the certificate chain. The root cert *definitely* exists on my test client (I extracted it from there and diffed it with the one on the server). If I install the intermediate cert on the client, then everything works fine (but I don't want to have to try and get my users to understand the process of installing a cert before getting online). However when Windows XP prompts me to accept the certificate FreeRADIUS is handing out it doesn't have any chain listed at all, so I assume is still not being handed that Intermediate cert.

Thanks very much for the help so far. Any more would be greatly appreciated. I can attach full config files if you think that would be helpful.

Dan

> On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan wrote:
> > I'm sure I must just be being thick with our FreeRADIUS config, but I've
> > completely failed to find anything online or in the docs explaining
> > *what* I'm doing wrong, so I'm posting here.
> >
> > We've had a FreeRADIUS server set up for some time now, with an SSL
> > certificate directly signed by one of Verisign's root CAs, for the
> > purposes of doing EAP-TLS domain auth. This worked fine on both
> > FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a
> > month, and it would appear no one issues root signed certs any more,
> > they're all cert chains. Obviously with things like apache this is fine,
> > as you install the chain bundle file at the same time as your actual
> > cert, and the chain gets passed to the client, who follows it to a root
> > CA they do already trust. I'm having trouble working out how to do this
> > with FreeRADIUS however. All the info I can find suggests that if I edit
> > my certificate file so that it contains multiple certs, from least
> > trusted at the top (my server cert) down the chain and file to the one
> > which has been signed by a root CA the user's machine will already
> > trust, then machines will follow the chain as expected and accept the
> > certificate. However if I do this, and have a chain file of the same
> > format as I use successfully on the web server (i.e. multiple BEGIN and
> > END blocks with a single cert between each pair), then my client
> > machines still fail to pick up the chain, and thus can't validate the
> > certificate.
> >
> > Am I missing something blindingly obvious with regards to how to do
> > certificate chains in FreeRADIUS? If so, please tell me what.
> >
> > Thanks
FreeRADIUS EAP-TLS and SSL certificate chains
I'm sure I must just be being thick with our FreeRADIUS config, but I've completely failed to find anything online or in the docs explaining *what* I'm doing wrong, so I'm posting here.

We've had a FreeRADIUS server set up for some time now, with an SSL certificate directly signed by one of Verisign's root CAs, for the purposes of doing EAP-TLS domain auth. This worked fine on both FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a month, and it would appear no one issues root signed certs any more, they're all cert chains. Obviously with things like apache this is fine, as you install the chain bundle file at the same time as your actual cert, and the chain gets passed to the client, who follows it to a root CA they do already trust. I'm having trouble working out how to do this with FreeRADIUS however. All the info I can find suggests that if I edit my certificate file so that it contains multiple certs, from least trusted at the top (my server cert) down the chain and file to the one which has been signed by a root CA the user's machine will already trust, then machines will follow the chain as expected and accept the certificate. However if I do this, and have a chain file of the same format as I use successfully on the web server (i.e. multiple BEGIN and END blocks with a single cert between each pair), then my client machines still fail to pick up the chain, and thus can't validate the certificate.

Am I missing something blindingly obvious with regards to how to do certificate chains in FreeRADIUS? If so, please tell me what.

Thanks

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk