Re: Eduroam FreeRadius not working so well

2012-12-10 Thread Mike Diggins


On Sun, 9 Dec 2012, Alan Buxey wrote:


Hi,


This looks like something I should be doing but I have no idea where
to insert this section. Is it in proxy.conf or somewhere else? And


in the authorize section of your virtual server, straight after the 
preprocess/suffix/realm
module calls (ie before any real authorization action)


With this configuration, I guess I don't need realms LOCAL or NULL?


correct - you will deal with your LOCAL realm by handling your defined realm,
with eduroam you don't want to EVER authenticate a user who hasn't provided
a realm - because, for your own users, they may work fine when they are at
your site...they then think/believe their configuration works...and then find it
doesn't work when they go to another eduroam site...and then they'll blame
that site, your site or eduroam.   best policy for eduroam is ALWAYS ensure
a realm is defined on the client



ok, both the default and inner-tunnel, I assume?

I added the section to authorize, but the DEBUG output indicates the 
regular expression is rejecting a valid user. Is there someone who could 
confirm the RE?


if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
...

[suffix] Looking up realm domain.ca for User-Name = mdigg...@domain.ca
[suffix] Found realm DEFAULT
[suffix] Adding Realm = DEFAULT
[suffix] Proxying request from user mdiggins to realm DEFAULT
[suffix] Preparing to proxy authentication request to realm DEFAULT
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
++? if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/)
? Evaluating (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) - FALSE

++? if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) - FALSE
++- entering else else {...}
+++[reply] returns noop
+++[reject] returns reject
++- else else returns reject

-Mike

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Eduroam FreeRadius not working so well

2012-12-09 Thread Mike Diggins


On Thu, 6 Dec 2012, Phil Mayers wrote:


On 12/06/2012 10:16 AM, Alan Buxey wrote:

Hi,


home_server_pool EDUROAM-FTLR {
  type = fail-over
  home_server = proxy1
  home_server = proxy2
}


I would use:

type = client-port-balance


to balance between the 2. (that method ensures the EAP goes to one remote 
server)



realm DEFAULT {
 pool = EDUROAM-FTLR
 nostrip
}


hmm, this isn't best practice if that's all you have for throwing stuff 
upstream. would strongly recommend using unlang to validate that the user 
has a valid realm etc and then update the request to use a realm identifier 
(eg eduroam) and use that in proxy.conf instead - thus you are only sending 
valid users upstream (and not all the random typos and junk) as the upstream 
servers will like you more for that - and won't be dropping requests and 
messing you up.



To expand on Alan's statement a bit here - it's possible that users are 
associating with your eduroam SSID and sending all kinds of nonsense (I think 
the best I've seen is:


<space>user@domain<newline><space>user@domain/<newline> repeat 3 times

...and that the upstream RADIUS servers are not replying, which is causing 
you to get these dropouts.


You probably want something like this:

authorize {
  if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
    # user has a valid-looking realm
    update request {
      Stripped-User-Name := "%{1}"
      Realm = "%{toupper:%{2}}"
    }
  }
  else {
    # malformed NAI
    update reply {
      Reply-Message := "malformed username"
    }
    reject
  }

  if (Realm == "MY.REALM") {
    ...
  }
  else {
    update control {
      Proxy-To-Realm := "DEFAULT"
    }
  }
}



This looks like something I should be doing but I have no idea where to 
insert this section. Is it in proxy.conf or somewhere else? And that last 
section for my own realm, would it look like this (you're converting the 
Realm to upper case, right?)


  if (Realm == "MY.REALM") {
    update control {
      Proxy-To-Realm := "MY.REALM"
    }
  }
  else {
    update control {
      Proxy-To-Realm := "DEFAULT"
    }
  }

With this configuration, I guess I don't need realms LOCAL or NULL?

-Mike

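An added check of the posted pattern (example code, not from the thread or from FreeRADIUS): it applies the same regular expression in Python with the semantics of the unlang block above, so you can see which User-Names it accepts, what Stripped-User-Name and Realm it would set, and why a lower-case realm like the one in the debug output quoted earlier in this thread evaluates FALSE when the character class contains only A-Z. MY_REALM stands in for the thread's "MY.REALM" placeholder, and ignore_case is an assumed switch that shows what a case-insensitive match would accept instead.

```python
import re

# The regular expression from the unlang block above. In the raddb file the dot
# is written "\\." because the config parser unescapes it once; the regex engine
# sees "\.", which is what this Python raw string contains.
NAI_PATTERN = r"^([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$"

# Placeholder for the site's own realm, as in the thread's "MY.REALM".
MY_REALM = "MY.REALM"


def classify_nai(user_name, ignore_case=False):
    """Mirror the authorize {} logic for one User-Name.

    Returns a dict with the decision the unlang block would take:
      action              "reject" (malformed NAI), "local" (our realm) or "proxy"
      stripped_user_name  what "Stripped-User-Name := %{1}" would set
      realm               what "Realm = %{toupper:%{2}}" would set
      proxy_to_realm      what the update control {} block would set
    ignore_case is an assumed switch (not in the thread) so the difference
    between a case-sensitive and a case-insensitive match can be seen.
    """
    flags = re.IGNORECASE if ignore_case else 0
    # fullmatch gives POSIX-like anchoring: a trailing newline does not satisfy "$".
    m = re.fullmatch(NAI_PATTERN, user_name, flags)
    if m is None:
        return {"action": "reject", "reply_message": "malformed username"}
    stripped = m.group(1)        # %{1}
    realm = m.group(2).upper()   # %{toupper:%{2}}
    if realm == MY_REALM:
        return {"action": "local", "stripped_user_name": stripped,
                "realm": realm, "proxy_to_realm": MY_REALM}
    return {"action": "proxy", "stripped_user_name": stripped,
            "realm": realm, "proxy_to_realm": "DEFAULT"}


# Constructed sample User-Names: the (redacted) name from the debug output,
# taken as mdiggins@domain.ca; its upper-case form; a user in our own realm;
# a user with no realm; a realm without a dot; and the kind of multi-line junk
# described in the thread.
SAMPLES = [
    "mdiggins@domain.ca",
    "MDIGGINS@DOMAIN.CA",
    "someone@my.realm",
    "mdiggins",
    "user@domain",
    " user@domain\n user@domain/\n user@domain\n",
]


def run_samples(ignore_case=False):
    """Return {user_name: action} for every sample under the chosen matching mode."""
    return {name: classify_nai(name, ignore_case)["action"] for name in SAMPLES}


if __name__ == "__main__":
    for mode in (False, True):
        print("ignore_case =", mode)
        for name, action in run_samples(mode).items():
            print("  %-45r -> %s" % (name, action))
```

With the pattern exactly as posted, only the upper-case sample reaches the proxy branch; with a case-insensitive match the lower-case realm is accepted and normalised to DOMAIN.CA, while the realm-less, dot-less and multi-line samples are still rejected.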


Re: Eduroam FreeRadius not working so well

2012-12-05 Thread Mike Diggins



On Wed, 5 Dec 2012, Alan Buxey wrote:


In the first instance, upgrade. There is a major security problem with 2.1.x 
release. Get 2.2.x onto your system asap.


This is the RedHat RPM, which I believe is maintained by RedHat. Hopefully 
they've backported any major security issues!




What are your NAS (cisco controllers) timeouts? Is this box a pure proxy or 
does it do authentication too? Have you enabled ciscos status-check system so 
it knows the RADIUS server isn't dead but just hasn't had a remote response yet?


It does both authentication and proxy and I do have status-check enabled. 
On the controller I increased the default timeout from 2 seconds up to 8 
seconds. At the same time I lowered the response_window for the two Home 
Servers from 20 seconds to 5 seconds, thinking the proxy would give up 
trying and respond to the controller before it timed out. That hasn't 
helped though. Perhaps I need to increase the controller timeout further.




Around 67% of eduroam sites in the UK use freeradius


I assumed it should work better than it is.

-Mike


Re: Eduroam FreeRadius not working so well

2012-12-05 Thread Mike Diggins


On Wed, 5 Dec 2012, John Dennis wrote:


On 12/05/2012 12:02 PM, Mike Diggins wrote:

On Wed, 5 Dec 2012, Alan Buxey wrote:


In the first instance, upgrade. There is a major security problem
with 2.1.x release. Get 2.2.x onto your system asap.


This is the RedHat RPM, which I believe is maintained by RedHat.
Hopefully they've backported any major security issues!


Red Hat takes security issues very seriously and we immediately addressed 
this issue, as we do all security issues.


However, simply stating it's a Red Hat RPM does not answer the question as to 
whether you've been updated. For RHEL customers security fixes are one of the 
benefits of having a valid current subscription.


I have a valid current subscription and yum reports no updates for my 
freeradius install, so I'm assuming it's okay. I didn't want to dwell on 
the version though as I just upgraded from a much older release which 
didn't help with my problem.


-Mike


Re: Eduroam FreeRadius not working so well

2012-12-05 Thread Mike Diggins


This is my proxy.conf. The only value I've adjusted so far is response 
window (from 20 down to 5). Otherwise, I believe it's configured correctly 
to failover between the two home servers. I'll have to work on the debugs.



proxy server {
  default_fallback = yes
}

home_server proxy1 {
  type                 = auth+acct
  ipaddr               = x.x.x.x
  port                 = 1812
  secret               = xx
  response_window      = 5
  zombie_period        = 40
  revive_interval      = 60
  status_check         = status-server
  check_interval       = 30
  num_answers_to_alive = 3
}

home_server proxy2 {
  type                 = auth+acct
  ipaddr               = x.x.x.x
  port                 = 1812
  secret               = 
  response_window      = 5
  zombie_period        = 40
  revive_interval      = 60
  status_check         = status-server
  check_interval       = 30
  num_answers_to_alive = 3
}

home_server_pool EDUROAM-FTLR {
  type        = fail-over
  home_server = proxy1
  home_server = proxy2
}

realm mydomain.ca {
  strip
}

realm LOCAL {
  nostrip
}

realm NULL {
  nostrip
}

realm DEFAULT {
  pool = EDUROAM-FTLR
  nostrip
}

-Mike



On Wed, 5 Dec 2012, Alan Buxey wrote:


Hi,


This is the RedHat RPM, which I believe is maintained by RedHat.
Hopefully they've backported any major security issues!


got the changelog for the 2.1.12 RPM release you are running?


It does both authentication and proxy and I do have status-check
enabled. On the controller I increased the default timeout from 2
seconds up to 8 seconds. At the same time I lowered the


2 seconds is very low for international RADIUS proxying...the traffic
needs to get to the end site...and then be dealt with by the end site
(which may take 1 - many seconds to actually authenticate the user
once the tunnel is created). somewhere around 10 seconds is the maximum
I would expect for global roaming authentication via multiple proxy peers

the RADIUS server is at the mercy of the controller and the remote sites...
who might not be answering at all...they could just reject.

I haven't seen a sanity error message like that since the troublesome 2.1.7 - 2.1.9
days when the proxy code got some rewrites in places.

I wonder if your proxy.conf for the home server stuff is correct and not
flipping requests between remote proxies?

what does the server show/say in full debug mode with a test remote account?

alan





Eduroam FreeRadius not working so well

2012-12-04 Thread Mike Diggins


I'm running FreeRadius 2.1.12 on RedHat 6 as an Eduroam proxy server and 
having problems. My cisco wireless controllers are constantly failing back 
and forth between the primary and secondary systems. My logs show these 
errors when it happens:


Dec  4 19:12:18 server radiusd[32588]: Internal sanity check failed for 
child state
Dec  4 19:12:18 server radiusd[32588]: Reply from home server x.x.x.x port 
1812  - ID: 210 arrived too late for request 76479. Try increasing 
'retry_delay' or 'max_request_time'
Dec  4 19:13:18 server radiusd[32588]: Discarding duplicate request from 
client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:26 server radiusd[32588]: Discarding duplicate request from 
client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:34 server radiusd[32588]: Discarding duplicate request from 
client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:41 server radiusd[32588]: Internal sanity check failed for 
child state
Dec  4 19:13:41 server radiusd[32588]: Reply from home server x.x.x.x port 
1812  - ID: 102 arrived too late for request 76495. Try increasing 
'retry_delay' or 'max_request_time'
Dec  4 19:13:42 server radiusd[32588]: Discarding duplicate request from 
client ct5508 port 32770 - ID: 148 due to unfinished request 76495


I'm look for some advice as to what timeouts to adjust that might help 
with the errors. I didn't want to start changing retry_delay or 
max_request_time without some advice first. Any suggestions? I have no 
control over the Home Servers or how long a request takes to complete and 
I don't know what's causing the sanity check failure!?


-Mike


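As an added diagnostic that is not part of the original post, the script below parses the radiusd lines quoted above, groups each "Discarding duplicate request" line by client and RADIUS ID, and measures both the gap between retransmits (which is the NAS's own timeout) and how long after the first retransmit the "arrived too late" reply from the home server showed up. The sample log is the post's own lines re-joined; the year is assumed to be 2012 because syslog timestamps carry none.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: the syslog lines quoted in the post above, re-joined onto
# single lines (the list archive wrapped them). Syslog timestamps have no year;
# 2012 is assumed from the thread date.
SAMPLE_LOG = """\
Dec  4 19:12:18 server radiusd[32588]: Internal sanity check failed for child state
Dec  4 19:12:18 server radiusd[32588]: Reply from home server x.x.x.x port 1812  - ID: 210 arrived too late for request 76479. Try increasing 'retry_delay' or 'max_request_time'
Dec  4 19:13:18 server radiusd[32588]: Discarding duplicate request from client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:26 server radiusd[32588]: Discarding duplicate request from client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:34 server radiusd[32588]: Discarding duplicate request from client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:41 server radiusd[32588]: Internal sanity check failed for child state
Dec  4 19:13:41 server radiusd[32588]: Reply from home server x.x.x.x port 1812  - ID: 102 arrived too late for request 76495. Try increasing 'retry_delay' or 'max_request_time'
Dec  4 19:13:42 server radiusd[32588]: Discarding duplicate request from client ct5508 port 32770 - ID: 148 due to unfinished request 76495
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ radiusd\[\d+\]: (?P<msg>.*)$")
DUP_RE = re.compile(
    r"Discarding duplicate request from client (?P<client>\S+) port (?P<port>\d+)"
    r" - ID: (?P<id>\d+) due to unfinished request (?P<req>\d+)")
LATE_RE = re.compile(
    r"Reply from home server (?P<hs>\S+) port (?P<hsport>\d+)\s+- ID: (?P<id>\d+)"
    r" arrived too late for request (?P<req>\d+)")


def parse_line(line, year=2012):
    """Split one radiusd syslog line into (datetime, message), or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("msg")


def analyse(log_text, year=2012):
    """Correlate NAS retransmits with late home-server replies.

    Returns a dict with:
      nas_retry_interval_s   per client, the median gap between retransmits of
                             the same (port, ID, request): the NAS's own timeout
      late_replies           per 'arrived too late' line, how many retransmits
                             the proxy had already discarded and how long after
                             the first retransmit the home server answered
      sanity_check_failures  count of 'Internal sanity check failed' lines
    """
    dups = defaultdict(list)   # (client, port, id, req) -> [timestamps]
    late = []                  # (timestamp, home_server, req)
    sanity = 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw, year)
        if parsed is None:
            continue
        ts, msg = parsed
        m = DUP_RE.search(msg)
        if m:
            dups[(m["client"], m["port"], m["id"], m["req"])].append(ts)
            continue
        m = LATE_RE.search(msg)
        if m:
            late.append((ts, m["hs"], m["req"]))
        elif "Internal sanity check failed" in msg:
            sanity += 1

    # Gap between consecutive retransmits of the same request, per client.
    intervals = defaultdict(list)
    for (client, _port, _id, _req), stamps in dups.items():
        stamps.sort()
        intervals[client].extend(
            (b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
    nas_retry = {c: statistics.median(v) for c, v in intervals.items() if v}

    late_replies = []
    for ts, hs, req in late:
        stamps = sorted(t for key, v in dups.items() if key[3] == req for t in v)
        late_replies.append({
            "request": req,
            "home_server": hs,
            "retransmits_before_reply": sum(1 for t in stamps if t < ts),
            "seconds_after_first_retransmit":
                (ts - stamps[0]).total_seconds() if stamps else None,
        })
    return {"nas_retry_interval_s": nas_retry,
            "late_replies": late_replies,
            "sanity_check_failures": sanity}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the post's own lines the controller's retry interval comes out at 8 s, and the home server's answer for request 76495 landed 23 s after the first retransmit (three retransmits had already been discarded), which is far beyond both that timeout and the 5 s response_window mentioned later in the thread.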


Re: FreedRadius mysql Redhat 6.3 missing?

2012-10-13 Thread Mike Diggins

On 13/10/2012 3:50 AM, Eero Volotinen wrote:
 2012/10/12 Francois Gaudreault fgaudrea...@inverse.ca:
 On 2012-10-12 1:22 PM, Mike Diggins wrote:
 Unable to read consumer identity
 Because your RHN stuff appears to be broken.
 note that some of freeradius stuff are located in rhn-optional
 channel, that you must specify in management portal for that machine.

That was it! Enabled the rhn-optional channel and now I see the other
FreeRadius rpms.

(Fixed my RHN stuff too. Didn't work but thanks for the suggestion)

-Mike


FreedRadius mysql Redhat 6.3 missing?

2012-10-12 Thread Mike Diggins
I installed the RedHat 6.3 freeradius-2.1.12-4.el6_3.x86_64 rpm earlier,
not realizing it didn't include mysql. However, I don't see a mysql
version available. Is there one that is updated by RedHat?

-Mike



Re: FreedRadius mysql Redhat 6.3 missing?

2012-10-12 Thread Mike Diggins
That's odd, why am I only seeing freeradius?

# yum info freeradius\* | grep Name
Unable to read consumer identity
Name: freeradius

-Mike

On 12/10/2012 12:22 PM, John Dennis wrote:
 On 10/12/2012 11:37 AM, Mike Diggins wrote:
 I installed the RedHat 6.3 freeradius-2.1.12-4.el6_3.x86_64 rpm earlier,
 not realizing it didn't include mysql. However, I don't see a mysql
 version available. Is there one that is updated by RedHat?

 $ yum info freeradius\* | grep Name
 Name: freeradius
 Name: freeradius-debuginfo
 Name: freeradius-krb5
 Name: freeradius-ldap
 Name: freeradius-mysql
 Name: freeradius-perl
 Name: freeradius-postgresql
 Name: freeradius-python
 Name: freeradius-unixODBC
 Name: freeradius-utils




RedHat FreeRadius reload or restart?

2012-10-05 Thread Mike Diggins
I've been running the RedHat version of FreeRADIUS Version 2.1.3 for a
few years. Each morning I update the users authorization file and run
service radius reload for the changes to take effect. I recently
patched the system, which updated FreeRADIUS to version 2.1.12. I find
now that after reloading, using the same script, it appears to reload
successfully but my authentications (through ntlm_auth to an MS AD)
begin failing. If I instead use service radiusd restart, it's fine.
Did anything change between versions that would explain this?

Oct  5 07:30:02 radserv radiusd[3825]: Login OK: [] (from client
wlc-7 port 0 via TLS tunnel)
Oct  5 07:30:02 radserv radiusd[3825]: Login OK: [x] (from client
wlc-7 port 13 cli 6c-c2-6b-98-06-52)
Oct  5 07:30:02 radserv radiusd[15741]: Loaded virtual server default
Oct  5 07:30:02 radserv radiusd[15741]: Loaded virtual server inner-tunnel
Oct  5 07:30:02 radserv radiusd[15741]:  ... adding new socket proxy
address * port 0
Oct  5 07:30:02 radserv radiusd[3825]: Received HUP signal.
Oct  5 07:30:02 radserv radiusd[3825]: HUP - Re-reading configuration files
Oct  5 07:30:02 radserv radiusd[3825]: HUP - loading modules
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module radutmp
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module suffix
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module
attr_filter.access_reject
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module
attr_filter.accounting_response
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module detail
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module mschap
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module pap
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module files
Oct  5 07:30:02 radserv radiusd[3825]: Loaded virtual server default
Oct  5 07:30:02 radserv radiusd[3825]: Loaded virtual server inner-tunnel
Oct  5 07:30:04 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [x] (from client wlc-6 port 0 via TLS tunnel)
Oct  5 07:30:04 radserv radiusd[3825]: Login incorrect: [x] (from
client wlc-6 port 13 cli 00-26-08-e6-13-90)
Oct  5 07:30:04 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [x] (from client wlc-7 port 0 via TLS tunnel)
Oct  5 07:30:04 radserv radiusd[3825]: Login incorrect: [] (from
client wlc-7 port 13 cli 7c-11-be-c3-20-72)
Oct  5 07:30:05 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [x] (from client wlc-6 port 0 via TLS tunnel)
Oct  5 07:30:05 radserv radiusd[3825]: Login incorrect: [x] (from
client wlc-6 port 13 cli 48-60-bc-f4-1d-31)
Oct  5 07:30:07 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [x] (from client wlc-7 port 0 via TLS tunnel)
Oct  5 07:30:07 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [xx] (from client wlc-6 port 0 via TLS tunnel)
Oct  5 07:30:07 radserv radiusd[3825]: Login incorrect: [] (from
client wlc-6 port 13 cli 48-60-bc-f4-1d-31)

-Mike



WPA Enterprise Certificate renewal for FreeRadius

2012-01-09 Thread Mike Diggins


I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius 
authentication certificate currently. My eap.conf 'certificate file' 
contains the certificate only, not the root and/or intermediates. That 
seems to be ok, since most clients already have the Thawte Root 
certificate installed.


I renewed the new certificate just recently and discovered that Thawte is 
no longer issuing certificates under the old root so my clients will 
likely be asked to trust the new certificate when I install it. All my 
documentation changes as well but that's another story.


My question is, what is the value of adding the roots/intermediates to the 
certificate file, i.e. certificate_file = ${certdir}/certificate.crt? Does 
it really allow a client without the Root already installed to verify this 
certificate?


-Mike


Re: WPA Enterprise Certificate renewal for FreeRadius

2012-01-09 Thread Mike Diggins


On Mon, 9 Jan 2012, Phil Mayers wrote:


On 09/01/12 17:42, Mike Diggins wrote:


I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius
authentication certificate currently. My eap.conf 'certificate file'
contains the certificate only, not the root and/or intermediates. That
seems to be ok, since most clients already have the Thawte Root
certificate installed.

I renewed the new certificate just recently and discovered that Thawte
is no longer issuing certificates under the old root so my clients will
likely be asked to trust the new certificate when I install it. All my
documentation changes as well but that's another story.

My question is, what is the value of adding the roots/intermediates to
the certificate file, i.e. certificate_file = ${certdir}/certificate.crt?
Does it really allow a client without the Root already installed to
verify this certificate?


Most clients:

1. Have all the common top-level CAs installed
2. May or may not have the intermediate CAs

We put the server and intermediate certs (NOT the top-level) into the cert 
file, and in our experience this lets all clients (Windows, MacOS, iOS, 
Android) connect without errors.


I believe that, if the client really does lack the top-level CA, you're 
screwed. You will have to manually install at least the top-level cert, 
except on MacOS (and possibly iOS, but not sure).



Do the certificates need to be listed in any particular order in the 
certificate_file?


-Mike


Re: FreeRadius with Eduroam - Accounting

2011-10-14 Thread Mike Diggins


On Fri, 14 Oct 2011, Alan DeKok wrote:


Mike Diggins wrote:

Accounting feature on the WLAN controllers (for now), I noticed that a
similar failure is happening on the Authentication side. Some
authentication requests proxied to other radius servers (via Eduroam)
are either failing or taking a long time to respond, which also causes
my FreeRadius to mark the Home Server as DOWN. That also seems to cause
a chain reaction of backed up requests, causing my WLAN controllers to
failover the radius server.


 There's really very little you can do about that in RADIUS.
FreeRADIUS figures out that a home server is down because it stops
responding to requests.

 So if it stops responding... it looks like it's dead.


Does FreeRadius work synchronously only, so a slow response from one remote 
server stops any other pending authentications from completing until that 
first one is finished?





So, similar to my Accounting problem, is there anyway to prevent a
single Authentication failure from backing up the works!? Does FR answer
queries in sequence only? I don't really understand why this sort of
failure has such a nasty consequence.


 What, exactly, is the server supposed to do when the next hop isn't
responding to packets?  Is the next hop up?  Is it down?  How can you tell?


I'm not sure. If my assumption above is correct, then I don't see a good 
solution. I'm thinking of a method like Squid proxy server, where a number 
of authenticators are used, so one that's slow or fails doesn't affect 
the others.


The only suggestion I can think of right now is to send the server-status 
message to the next hop first before marking it dead. I think that would 
be a safer assumption when proxying anyway.





 It's this kind of thing that makes me think keep-alives should become
standard for eduroam.  The extra few packets every couple of seconds are
a small cost to pay for ensuring that authentication works.

 Alan DeKok.



-Mike


Re: FreeRadius with Eduroam - Accounting

2011-10-13 Thread Mike Diggins


On Wed, 5 Oct 2011, Arran Cudbard-Bell wrote:



Thanks for your suggestion. Do I drop this into my existing 
..sites-available/default file? Does this add to what's there already, or do I 
replace what's there with this (and does the order matter)? Sorry, I have a 
very basic configuration and haven't had to delve into this.


Add it to sites-available/default in the existing sections (put replicate in 
the accounting {} section, put the other stuff in the preacct section...


Tried this today but got an error. I'm running 2.1.3.

 Module: Checking accounting {...} for more modules to load
/usr/local/freeradius/etc/raddb/sites-enabled/default[339]: Failed to find 
module replicate.
/usr/local/freeradius/etc/raddb/sites-enabled/default[336]: Errors parsing 
accounting section.


-Mike


Re: FreeRadius with Eduroam - Accounting

2011-10-13 Thread Mike Diggins


On Tue, 4 Oct 2011, Mike Diggins wrote:



I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly 
failing over the Accounting Servers, due to lack of response from the Home 
Servers, or so says the log. However, I believe the issue is that some remote 
institutions' Radius Servers are ignoring the Accounting packets, and timing 
out my end, making it believe the Home Servers have failed to respond. 
FreeRadius responds by marking the Home server dead. It then sends a 
status-server query, to which it gets a reply, and enables the Dead Home 
server. I believe that's the sequence of events anyway. I captured some of 
that in debug mode:


Rejecting request 288 due to lack of any response from home server x.x.x.x 
port 1813


Finished request 288.

Cleaning up request 288 ID 205 with timestamp +1161

PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is 
dead).


Sending Status-Server of id 55 to x.x.x.x port 1813
   Message-Authenticator := 0x
   NAS-Identifier := Status Check. Are you alive?
Waking up in 3.9 seconds.

rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806

I don't have any control over Accounting Packets being accepted, or not, by 
other Eduroam members. Some do, some don't I imagine. Is there a 
configuration for FreeRadius that handles this situation cleanly? Seems to me 
that FR should check the Home server first, before marking it dead (at 
least).


Accounting feature on the WLAN controllers (for now), I noticed that a 
similar failure is happening on the Authentication side. Some 
authentication requests proxied to other radius servers (via Eduroam) are 
either failing or taking a long time to respond, which also causes my 
FreeRadius to mark the Home Server as DOWN. That also seems to cause a 
chain reaction of backed up requests, causing my WLAN controllers to 
failover the radius server.


So, similar to my Accounting problem, is there anyway to prevent a single 
Authentication failure from backing up the works!? Does FR answer queries 
in sequence only? I don't really understand why this sort of failure has 
such a nasty consequence.


-Mike



Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Mike Diggins



On Wed, 5 Oct 2011, Arran Cudbard-Bell wrote:



On 5 Oct 2011, at 02:20, Mike Diggins wrote:



I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly 
failing over the Accounting Servers, due to lack of response from the Home 
Servers, or so says the log. However, I believe the issue is that some remote 
institutions' Radius Servers are ignoring the Accounting packets, and timing out 
my end, making it believe the Home Servers have failed to respond. FreeRadius 
responds by marking the Home server dead. It then sends a status-server query, 
to which it gets a reply, and enables the Dead Home server. I believe that's 
the sequence of events anyway. I captured some of that in debug mode:

Rejecting request 288 due to lack of any response from home server x.x.x.x port 
1813

Finished request 288.

Cleaning up request 288 ID 205 with timestamp +1161

PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is 
dead).

Sending Status-Server of id 55 to x.x.x.x port 1813
   Message-Authenticator := 0x
   NAS-Identifier := Status Check. Are you alive?
Waking up in 3.9 seconds.

rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806

I don't have any control over Accounting Packets being accepted, or not, by 
other Eduroam members. Some do, some don't I imagine. Is there a configuration 
for FreeRadius that handles this situation cleanly? Seems to me that FR should 
check the Home server first, before marking it dead (at least).



No, I've talked about this with Alan. The proposed solution is an enhancement to 
the detail writer/reader functionality where the server automagically spawns 
new reader instances to listen on per domain detail files.

For now I'd recommend using rlm_replicate, this allows you to send an entirely 
new request to the homeserver, whilst sending an Accounting-Response to the 
NAS. FR does not track the new request and so won't be able to retransmit.

Just use something like:

preacct {
    if (Realm && Realm != 'local') {
        update control {
            Proxy-To-Realm := 'local'
            Replicate-To-Realm = 'eduroam'
        }
    }
}

accounting {
    replicate
}


Thanks for your suggestion. Do I drop this into my existing 
..sites-available/default file? Does this add to what's there already, or 
do I replace what's there with this (and does the order matter)? Sorry, I 
have a very basic configuration and haven't had to delve into this.


-Mike



FreeRadius with Eduroam - Accounting

2011-10-04 Thread Mike Diggins


I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are 
constantly failing over the Accounting Servers, due to lack of response 
from the Home Servers, or so says the log. However, I believe the issue is 
that some remote institutions' Radius Servers are ignoring the Accounting 
packets, and timing out my end, making it believe the Home Servers have 
failed to respond. FreeRadius responds by marking the Home server dead. It 
then sends a status-server query, to which it gets a reply, and enables 
the Dead Home server. I believe that's the sequence of events anyway. I 
captured some of that in debug mode:


Rejecting request 288 due to lack of any response from home server x.x.x.x 
port 1813


Finished request 288.

Cleaning up request 288 ID 205 with timestamp +1161

PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it 
is dead).


Sending Status-Server of id 55 to x.x.x.x port 1813
Message-Authenticator := 0x
NAS-Identifier := Status Check. Are you alive?
Waking up in 3.9 seconds.

rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, 
length=806


I don't have any control over Accounting Packets being accepted, or not, 
by other Eduroam members. Some do, some don't I imagine. Is there a 
configuration for FreeRadius that handles this situation cleanly? Seems to 
me that FR should check the Home server first, before marking it dead (at 
least).


-Mike



Re: Error: Discarding duplicate request...

2010-09-16 Thread Mike Diggins


I am running NTLM_AUTH for mschap authentication with an MS AD at the back 
end. I suppose that could be the culprit. If so, is upgrading FreeRadius 
likely to resolve that (not knowing exactly what the problem is). Anything 
I could configure at the FreeRadius end to make that work a bit better?


-Mike


On Wed, 15 Sep 2010, Alan Buxey wrote:

2.1.3 is very old now , 2.1.9 is current and has many fixes over that - 
check its changelog .. this error message suggests that you've got a 
slow backend somewhere - be that ldap, sql or even a bit of perl


- Reply message -
From: Mike Diggins mike.digg...@mcmaster.ca
Date: Wed, Sep 15, 2010 16:22
Subject: Error: Discarding duplicate request...
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Our students have returned this week, and I've noticed a couple new
messages logged to my FreeRadius 2.1.3 server. When it happens, my
controllers fail over to the secondary Radius server. This has happened
a few times. My Radius servers are only lightly loaded, and only
configured to do authentication. No databases. Any idea what might be
causing this?

Sep 15 10:06:44 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 218 due to unfinished request 35236
Sep 15 10:07:01 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 219 due to unfinished request 35237
Sep 15 10:07:24 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:41 prad02 radiusd[10632]: WARNING: Unresponsive child for
request 35239, in module  component
Sep 15 10:07:52 prad02 radiusd[10632]: WARNING: Unresponsive child for
request 35240, in module  component
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client FHSWLC-1 port 32768 - ID: 205 due to unfinished request 35245

-Mike






Error: Discarding duplicate request...

2010-09-15 Thread Mike Diggins
Our students have returned this week, and I've noticed a couple new
messages logged to my FreeRadius 2.1.3 server. When it happens, my
controllers fail over to the secondary Radius server. This has happened
a few times. My Radius servers are only lightly loaded, and only
configured to do authentication. No databases. Any idea what might be
causing this?

Sep 15 10:06:44 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 218 due to unfinished request 35236
Sep 15 10:07:01 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 219 due to unfinished request 35237
Sep 15 10:07:24 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:41 prad02 radiusd[10632]: WARNING: Unresponsive child for
request 35239, in module  component
Sep 15 10:07:52 prad02 radiusd[10632]: WARNING: Unresponsive child for
request 35240, in module  component
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client FHSWLC-1 port 32768 - ID: 205 due to unfinished request 35245

-Mike

TLS/SSL Error?

2010-03-18 Thread Mike Diggins
I just recently enabled a WPA SSID on our wireless network. PEAP with
MSCHAP V2 is the EAP method. As far as I know it's working correctly
(from all my test clients anyway), but I have seen a number of these
messages logged (FreeRadius 2.1.3) and I don't know where they're coming
from. My Free radius server has a Thawte Certificate installed. I'm not
sure what the message means?

Mar 18 15:01:01 rad01 radiusd[8452]: TLS Alert read:fatal:unknown CA

Mar 18 15:01:01 rad01 radiusd[8452]: TLS_accept:failed in SSLv3 read
client certificate A

Mar 18 15:01:01 rad01 radiusd[8452]: rlm_eap: SSL error
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

-Mike

Rejecting users without a realm

2010-02-26 Thread Mike Diggins
I couldn't find an answer to this question in the Archives. I have a
FreeRadius Server (2.1.3) and would like it to reject *any* user that
attempts login with a realm (u...@realm.com for example). I thought I
could do something like this in the user file:

DEFAULT Realm == NULL, Auth-Type := Reject

But it doesn't work. What's the best way to do this?

-Mike
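An added example, not from the thread, of enforcing this in unlang in FreeRADIUS 2.x rather than in the users file. The suffix module only adds a Realm attribute when the realm it looks up is defined in proxy.conf (the debug output further down this page shows `No such realm NULL` for a bare user name), so a users-file check on Realm sees nothing for a name without a realm; testing User-Name for the '@' directly avoids that dependency. The rule goes in the authorize section of sites-enabled/default, after the realm-splitting modules, so it runs before any lookup. The Reply-Message text is a placeholder.

```unlang
#  Added example, not from the thread: reject any login whose User-Name
#  carries a realm ("user@realm.com").  Stock module order is kept.
authorize {
	preprocess
	chap
	mschap
	suffix

	#  suffix has already split "user@realm" and looked the realm up;
	#  we do not depend on it having found one, we test the name itself.
	#  Use "!~" instead of "=~" for the opposite policy, i.e. reject
	#  names WITHOUT a realm.
	if (User-Name =~ /@/) {
		update control {
			Auth-Type := Reject
		}
		update reply {
			Reply-Message := "Realm logins are not accepted by this server"
		}
	}

	#  Rest of the stock section, unchanged.  eap leaves an Auth-Type
	#  that is already set alone, so the reject stands.
	eap
	files
	expiration
	logintime
	pap
}
```

The users file accepts the same test on a check item (`DEFAULT User-Name =~ "@", Auth-Type := Reject`), but the unlang form makes it obvious in the debug output which rule fired.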

FreeRadius 2.1.3 SQL error

2010-02-26 Thread Mike Diggins
First question, is the only way to get Accounting data from FreeRadius
by using one of the supported databases (like msql)? Is there no way to
just cut records to a text file or, ideally, syslog?

Second question: I inserted the following sql configuration (supplied to
me) into sql.conf but when I start FR, it errors out with this message.
Can someone tell me what is wrong?

including configuration file /usr/local/freeradius/etc/raddb/sql.conf
/usr/local/freeradius/etc/raddb/sql.conf[13]: Invalid expansion:
'%{User-Name}',\
Errors reading /usr/local/freeradius/etc/raddb/radiusd.conf




# MySQL settings for accounting

sql {
driver = rlm_sql_mysql
server = localhost
login = user_for_mysql
password = password_for_mysql
radius_db = radius

accounting_start_query = INSERT into ACCOUNTING SET\
`User-Name` = '%{User-Name}',\
`Calling-Station-Id` = '%{Calling-Station-Id}',\
`Called-Station-Id` = '%{Called-Station-Id}',\
`NAS-IP-Address` = '%{NAS-IP-Address}',\
`NAS-Port` = %{NAS-Port},\
`Timestamp Start` = NOW(),\
`Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'


accounting_update_query = UPDATE ACCOUNTING SET\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{Acct-Input-Octets}',\
`Acct-Output-Octets` = '%{Acct-Output-Octets}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1


accounting_stop_query = UPDATE ACCOUNTING SET\
`Timestamp Stop` = NOW(),\
`Acct-Session-Time` = '%{Acct-Session-Time}',\
`Acct-Input-Octets` = '%{Acct-Input-Octets}',\
`Acct-Output-Octets` = '%{Acct-Output-Octets}',\
`Acct-Input-Packets` = '%{Acct-Input-Packets}',\
`Acct-Output-Packets` = '%{Acct-Output-Packets}',\
`Acct-Terminate-Cause` = '%{Acct-Terminate-Cause}'\
WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'\
LIMIT 1

}

-Mike
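An added example, not the poster's sql.conf, with the same table and columns but every query written as one double-quoted string, which is how the stock 2.x sql.conf and sql/mysql/dialup.conf write theirs; the trailing backslash then continues that string on the next line instead of starting a new configuration item. Two further changes: `NAS-Port` is quoted, so a request without that attribute expands to `''` rather than leaving a bare syntax error, and the user name comes from SQL-User-Name, which rlm_sql sets from `sql_user_name` before every query. All `%{...}` expansions inside these queries are passed through the driver's escape function before substitution. Credentials are placeholders.

```unlang
#  Added example, not the poster's file: raddb/sql.conf for FreeRADIUS 2.x
#  with the three accounting queries correctly quoted.
sql {
	driver = "rlm_sql_mysql"
	server = "localhost"
	login = "user_for_mysql"
	password = "password_for_mysql"
	radius_db = "radius"

	#  Evaluated once per query and stored as SQL-User-Name; change it
	#  to "%{Stripped-User-Name:-%{User-Name}}" if you strip realms.
	sql_user_name = "%{User-Name}"

	accounting_start_query = "INSERT INTO ACCOUNTING SET \
		`User-Name` = '%{SQL-User-Name}', \
		`Calling-Station-Id` = '%{Calling-Station-Id}', \
		`Called-Station-Id` = '%{Called-Station-Id}', \
		`NAS-IP-Address` = '%{NAS-IP-Address}', \
		`NAS-Port` = '%{NAS-Port}', \
		`Timestamp Start` = NOW(), \
		`Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'"

	accounting_update_query = "UPDATE ACCOUNTING SET \
		`Acct-Session-Time` = '%{Acct-Session-Time}', \
		`Acct-Input-Octets` = '%{Acct-Input-Octets}', \
		`Acct-Output-Octets` = '%{Acct-Output-Octets}', \
		`Acct-Input-Packets` = '%{Acct-Input-Packets}', \
		`Acct-Output-Packets` = '%{Acct-Output-Packets}' \
		WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}' \
		LIMIT 1"

	accounting_stop_query = "UPDATE ACCOUNTING SET \
		`Timestamp Stop` = NOW(), \
		`Acct-Session-Time` = '%{Acct-Session-Time}', \
		`Acct-Input-Octets` = '%{Acct-Input-Octets}', \
		`Acct-Output-Octets` = '%{Acct-Output-Octets}', \
		`Acct-Input-Packets` = '%{Acct-Input-Packets}', \
		`Acct-Output-Packets` = '%{Acct-Output-Packets}', \
		`Acct-Terminate-Cause` = '%{Acct-Terminate-Cause}' \
		WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}' \
		LIMIT 1"
}
```

On the first question: no database is needed to keep accounting records. The accounting section of the stock default site calls the detail module, whose `detailfile` in modules/detail defaults to `${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d`, a flat text file with one block per packet.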

Parse error

2010-02-23 Thread Mike Diggins


Could someone tell me what the syntax error on the Proxy-To-Realm line is 
please?


preacct {
  detail
  suffix
  if ((Proxy-To-Realm = DEFAULT) && (User-Name =~ /@.*.domain.tld$/))
update control {
  Proxy-To-Realm := NULL
   }
}

/usr/local/freeradius/sbin/radiusd -X:

/usr/local/freeradius/etc/raddb/sites-enabled/eduroam[23]: Parse error in 
condition at: (Proxy-To-Realm = DEFAULT) && (User-Name =~ /@.*.domain.tld$/))

Errors reading /usr/local/freeradius/etc/raddb/radiusd.conf
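An added example, not the poster's file: the same preacct rule with the condition fixed. Comparisons in unlang use `==` (a bare `=` is an assignment operator, not a comparison, hence the parse error), the two tests are joined with `&&`, and Proxy-To-Realm is read with a `control:` prefix because the suffix module puts it in the control list, not in the request. The realm regex uses `[.]` for a literal dot, so no backslash escaping is involved, and an anchored optional sub-domain so that `xdomain.tld` or `domain.tld.example` do not match. `domain.tld` is the poster's placeholder; the match is case-sensitive as written.

```unlang
#  Added example, not the poster's file: sites-enabled/eduroam preacct
#  section, keeping accounting for our own realm local.
preacct {
	detail
	suffix

	#  suffix set Proxy-To-Realm := DEFAULT because it did not recognise
	#  the realm.  If the realm is really ours, delete the attribute so
	#  the request is accounted locally instead of being proxied.
	if ((control:Proxy-To-Realm == "DEFAULT") && (User-Name =~ /@([^@]+[.])?domain[.]tld$/)) {
		update control {
			Proxy-To-Realm !* ANY
		}
	}
}
```

Defining the realm in proxy.conf as an empty `realm domain.tld { }` block (no home servers) makes suffix treat it as local from the start, which removes the need for this rule; the rule is still useful for sub-domains that are not listed individually.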


Re: WPA Certificate Question

2010-02-02 Thread Mike Diggins


On Sun, 31 Jan 2010, Alan Buxey wrote:


Hi,


to these servers client field, just enter the 'common name' entered on
the certificate? I wonder if a wildcard cert would work for this. As in
*.myorg.ca, then entering *.myorg.ca for client servers field. Just asking
because I have one of those.


depends on supplicant - some understand wildcards...some just need the
domain name to be specified


In the README file there is this warning:

You will have to ensure that the certificate contains the XP
extensions needed by Microsoft clients.

But I can't find any further information about it. How do I ensure my
certificate has these extensions? Would a CA signed cert have this?


check the FreeRADIUS certificate makefile - you can see the xpextensions
file and the required attributes. You can use the openssl tool to view
the certificate in text mode - whether the CA will sign it - you
may have to request this functionality




I generated a server certificate using the provided documentation in the 
certs/README file. I took the generated server.csr and got it signed by 
Thawte (just a 20 day trial cert for now). They provided my certificate 
and I replaced the contents of server.crt with it. Now when I start up 
FreeRadius in debug, I get:


rlm_eap: SSL error error:0B080074:x509 certificate 
routines:X509_check_private_key:key values mismatch
rlm_eap_tls: Error reading private key file 
/usr/local/freeradius/etc/raddb/certs/server.key

rlm_eap: Failed to initialize type tls
/usr/local/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for 
module eap
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to 
find module eap.
/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors 
parsing authenticate section.

 }

I did update the private key password in eap.conf, to match the one I used 
in the original signing request. So what did I do wrong?


-Mike



Re: WPA Certificate Question

2010-02-02 Thread Mike Diggins

On Tue, 2 Feb 2010, Alan Buxey wrote:


Hi,


I did update the private key password in eap.conf, to match the one I used
in the original signing request. So what did I do wrong?


did you also update/put the right .key file into place?


It would be the same server.key file that was generated with the make 
scripts, no?


-Mike
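An added example, not the poster's eap.conf, covering the two certificate problems on this page: the "TLS Alert read:fatal:unknown CA" message in the TLS/SSL Error thread above and the "key values mismatch" failure in this one. It is a 2.x eap.conf for PEAP/MSCHAPv2 with a server certificate bought from a public CA; paths, the password and the file names are assumptions. "unknown CA" is an alert the server read, i.e. one sent by a supplicant that could not build a trust path to the certificate it was shown. That is the supplicant doing its job against a rogue access point, so the cure is to send the full chain and to configure clients with the right root, never to switch validation off. "key values mismatch" means the certificate in certificate_file was not issued for the key in private_key_file, which is what a CSR generated from a different or regenerated key produces.

```unlang
#  Added example, not the poster's file: raddb/eap.conf for FreeRADIUS 2.x
#  with a public-CA server certificate and a private CA for clients.
eap {
	default_eap_type = peap
	timer_expire = 60
	ignore_unknown_eap_types = no

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs

		#  The password given when server.key was generated; a wrong
		#  one also surfaces as a private key read error at start-up.
		private_key_password = "password-set-when-server.key-was-made"
		private_key_file = ${certdir}/server.key

		#  The certificate issued for THAT key, followed by the CA's
		#  intermediate certificate(s).  Everything in this file is
		#  sent as the chain, so a supplicant that only knows the
		#  public root can build the path.  A certificate issued for a
		#  different key fails with "key values mismatch".
		certificate_file = ${certdir}/server.crt

		#  Deliberately NOT the public CA.  Every CA listed here is
		#  trusted to issue client certificates for EAP-TLS, so a
		#  public root here would let anyone holding a certificate
		#  from that CA authenticate.  Keep only your own CA here.
		CA_file = ${cadir}/ca.pem

		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		fragment_size = 1024
		include_length = yes
		cipher_list = "DEFAULT"
	}

	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}
```

Two checks before restarting: `openssl x509 -noout -modulus -in server.crt | openssl md5` and `openssl rsa -noout -modulus -in server.key | openssl md5` must print the same digest, otherwise the certificate and key do not belong together; and `openssl x509 -noout -text -in server.crt` must list `TLS Web Server Authentication` under X509v3 Extended Key Usage, which is the `extendedKeyUsage = 1.3.6.1.5.5.7.3.1` that the `xpserver_ext` section of certs/xpextensions adds and that Windows supplicants require. A CA-issued web server certificate normally carries it.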


Re: WPA Certificate Question

2010-01-31 Thread Mike Diggins


On Sun, 31 Jan 2010, Fajar A. Nugraha wrote:


On Sun, Jan 31, 2010 at 12:09 PM, Mike Diggins mike.digg...@mcmaster.ca wrote:

Why self signed versus CA signed? Ideally I would like my clients to not
be questioned about the certificate at all. Is that even possible with WPA?
If I purchase a CA signed cert, would that eliminate the requirement on the
client to acknowledge the certificate or import it?




It would also mean that anyone could go to the same CA, get a client
certificate and would be able to login to your wireless network. Not really
ideal IMHO ;)



But I don't plan on distributing client certificates for authentication. I
intend for them to login with a username and password checked against my
Radius server, so I'm not sure what role the certificate plays in that
process?


I think the recommendation made perfect sense when you require client
certificate, like when deploying EAP/TLS. If you intend to use EAP as
a secure tunnel only, and login with user/password (like with
PEAPv1/EAP-GTC), using a CA-signed cert might make more sense.



In the Windows WPA setup screen, Protected EAP Properties, there are 
options to Validate server certificate, and Connect to these servers. 
Do I specify my two Radius servers there? My clients don't have direct 
access to my Radius servers, so what actually happens when I enter them 
here? Does it just compare the FQDN to the one on the certificate that is 
presented during the login?


-Mike



Re: WPA Certificate Question

2010-01-31 Thread Mike Diggins


On Sun, 31 Jan 2010, Alan Buxey wrote:


Hi,


In the Windows WPA setup screen, Protected EAP Properties, there are
options to Validate server certificate, and Connect to these servers.
Do I specify my two Radius servers there? My clients don't have direct
access to my Radius servers, so what actually happens when I enter them
here? Does it just compare the FQDN to the one on the certificate that is
presented during the login?


your 2 radius servers can have the same cert, there is no issue
there (e.g. radius.my.org) - don't forget, this is all pre-network stuff
so no DNS is involved.

and yes, the value entered in that part is a string match to the
name in the certificate sent via the RADIUS server.

some supplicants easily let you enter more than one RADIUS server name,
use multiple certs etc


Ok, so I could just establish a certificate for a single host name, apply 
that same certificate to all my FreeRadius servers, and in that Connect 
to these servers client field, just enter the 'common name' entered on 
the certificate? I wonder if a wildcard cert would work for this. As in 
*.myorg.ca, then entering *.myorg.ca for client servers field. Just asking 
because I have one of those.


In the README file there is this warning:

You will have to ensure that the certificate contains the XP
extensions needed by Microsoft clients.

But I can't find any further information about it. How do I ensure my 
certificate has these extensions? Would a CA signed cert have this?



-Mike


WPA Certificate Question

2010-01-30 Thread Mike Diggins


I was able to get freeradius 2.1.3 and wireless WPA working, likely due to 
the fact that FreeRadius was mostly configured for me (thanks ;) ). I’m a 
little confused about the certificate that is required in the process, and 
what the relationship is with the client, the Wireless Controller and the 
FreeRadius server.  The README file states:


“ In general, you should use self-signed certificates for 802.1x (EAP) 
authentication.”


Why self signed versus CA signed? Ideally I would like my clients to not 
be questioned about the certificate at all. Is that even possible with 
WPA? If I purchase a CA signed cert, would that eliminate the requirement 
on the client to acknowledge the certificate or import it?


-Mike

Re: WPA Certificate Question

2010-01-30 Thread Mike Diggins


On Sun, 31 Jan 2010, Peter Lambrechtsen wrote:

On 31/01/2010, at 11:59 AM, Mike Diggins mike.digg...@mcmaster.ca 
wrote:




I was able to get freeradius 2.1.3 and wireless WPA working, likely
due to the fact that FreeRadius was mostly configured for me
(thanks ;) ). I’m a little confused about the certificate that is
required in the process, and what the relationship is with the client,
the Wireless Controller and the FreeRadius server.  The README file
states:

“ In general, you should use self-signed certificates for 802.1x (EAP)
authentication.”


Why self signed versus CA signed? Ideally I would like my clients to 
not be questioned about the certificate at all. Is that even 
possible with WPA? If I purchase a CA signed cert, would that 
eliminate the requirement on the client to acknowledge the 
certificate or import it?


It would also mean that anyone could go to the same CA, get a client 
certificate and would be able to login to your wireless network. Not 
really ideal IMHO ;)


Hence why controlling your own CA, and managing the CRL or OCSP is the 
only way to go if you want to properly maintain control over your 
wireless or 802.1x wired network.


Minting certificates is pretty trivial depending on the CA software you 
are using and importing a CA into every workstation is also easy using 
the numerous tools available.


My preference is to use the rootsupd package and extract that out 
and update the p7b with your own ca. Then get everyone to run that, or 
use software distribution to get it out enterprise wide.




But I don't plan on distributing client certificates for authentication. I 
intend for them to login with a username and password checked against my 
Radius server, so I'm not sure what role the certificate plays in that 
process?


-Mike

Re: Trouble with PPTP FreeRadius

2009-03-30 Thread Mike Diggins


On Sun, 29 Mar 2009, t...@kalik.net wrote:


I used wireshark to capture the working and non-working PPTP
authentication. There is a difference, but I don't know how to interpret
what's missing on the failed reply. Anyone want to have a look? Files are
attached (I hope).



That's the conversation between NAS and the client, not NAS and radius
server.


So I have attached the correct captures this time, and can see that my 
CiscoSecure Radius server is supplying some PPTP MPPE Encryption policy 
and keys in the reply. I didn't know it was doing that! Is this something 
I can duplicate with FreeRadius?


-Mike


mon-pptp-NOT-working.pcap
Description: Binary data


mon-pptp-working.pcap
Description: Binary data


Re: Trouble with PPTP FreeRadius

2009-03-30 Thread Mike Diggins


On Mon, 30 Mar 2009, t...@kalik.net wrote:


I used wireshark to capture the working and non-working PPTP
authentication. There is a difference, but I don't know how to interpret
what's missing on the failed reply. Anyone want to have a look? Files are
attached (I hope).



That's the conversation between NAS and the client, not NAS and radius
server.


So I have attached the correct captures this time, and can see that my
CiscoSecure Radius server is supplying some PPTP MPPE Encryption policy
and keys in the reply. I didn't know it was doing that! Is this something
I can duplicate with FreeRadius?


It works in freeradius by default. You have disabled mppe in mschap
module (raddb/modules/mschap).


Doh! That was it. Thanks once again.

-Mike


Re: Trouble with PPTP FreeRadius

2009-03-29 Thread Mike Diggins


On Sat, 28 Mar 2009, Alan DeKok wrote:


Mike Diggins wrote:

I have a cisco vpn3030 concentrator with both IPSec and PPTP clients.
IPSec clients can successfully connect using my FreeRadius 2.1.3 server.
They use PAP, I believe. My PPTP clients are failing to connect. Every
indication on the Radius server is they have authenticated successfully,
although the client says no (both Macintosh and Windows XP clients).
When I point my cisco vpn3030 back to the CiscoSecure Radius server they
use now (what I'm migrating from), the clients work again. There must be
something different about the reply from each server. Any idea what
might be happening?


 The replies are different, and the VPN3030 doesn't like the replies.

 So... run tcpdump, or radsniff on the packets from your old
server.  See what is in the packets, and then make FreeRADIUS respond
with the same content.  That's it.



I used wireshark to capture the working and non-working PPTP 
authentication. There is a difference, but I don't know how to interpret 
what's missing on the failed reply. Anyone want to have a look? Files are 
attached (I hope).


-Mike

pptp.working.pcap
Description: Binary data


pptp.notworking.pcap
Description: Binary data

Re: Trouble with PPTP FreeRadius

2009-03-29 Thread Mike Diggins


On Sun, 29 Mar 2009, t...@kalik.net wrote:


I used wireshark to capture the working and non-working PPTP
authentication. There is a difference, but I don't know how to interpret
what's missing on the failed reply. Anyone want to have a look? Files are
attached (I hope).



That's the conversation between NAS and the client, not NAS and radius
server.


Right. I guess I captured the wrong end of the conversation. I'll have to 
capture that tomorrow, and hope that wireshark can provide the full radius 
response as Alan mentioned.


Thanks.

-Mike



Trouble with PPTP FreeRadius

2009-03-27 Thread Mike Diggins


I have a cisco vpn3030 concentrator with both IPSec and PPTP clients. 
IPSec clients can successfully connect using my FreeRadius 2.1.3 server. 
They use PAP, I believe. My PPTP clients are failing to connect. Every 
indication on the Radius server is they have authenticated successfully, 
although the client says no (both Macintosh and Windows XP clients). When 
I point my cisco vpn3030 back to the CiscoSecure Radius server they use 
now (what I'm migrating from), the clients work again. There must be 
something different about the reply from each server. Any idea what might 
be happening?


VPN logs from my failing PPTP connection:

Mar 27 15:03:30 macvpn-inside 13885796 03/27/2009 15:03:30.520 SEV=4 
PPTP/47 RPT=37605 76.64.100.68  Tunnel to peer 76.64.100.68 established
Mar 27 15:03:30 macvpn-inside 13885797 03/27/2009 15:03:30.590 SEV=4 
PPTP/42 RPT=37421 76.64.100.68  Session started on tunnel 76.64.100.68
Mar 27 15:03:33 macvpn-inside 13885798 03/27/2009 15:03:33.800 SEV=5 PPP/8 
RPT=33514 76.64.100.68  User [test26] Authenticated successfully with 
MSCHAP-V1
Mar 27 15:03:33 macvpn-inside 13885799 03/27/2009 15:03:33.890 SEV=4 
PPTP/35 RPT=37406 76.64.100.68  Session closed on tunnel 76.64.100.68 
(peer 0, local 61694, serial 44796), reason: User request (No additional 
info)



FreeRadius debug log of failed connection:

Ready to process requests.
rad_recv: Access-Request packet from host 172.26.69.8 port 1479, id=77, 
length=146

User-Name = test26
NAS-Port = 8057
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = 76.64.100.68
MS-CHAP-Response = 
0x02012f97e1c84fea6fedbd12aa551c2d84282f6d2089f5e9d345

MS-CHAP-Challenge = 0x5e0b3b68c24784e0
NAS-IP-Address = 172.26.69.8
NAS-Port-Type = Virtual
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = test26, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. 
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]	expand: --username=%{mschap:User-Name:-None} -> --username=test26
[mschap] No NT-Domain was found in the User-Name.
[mschap]	expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
[mschap]  mschap1: 5e
[mschap]	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=5e0b3b68c24784e0
[mschap]	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2f97e1c84fea6fedbd12aa551c2d84282f6d2089f5e9d345

Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program: returned: 0
++[mschap] returns ok
Login OK: [test26] (from client macvpn port 8057)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 77 to 172.26.69.8 port 1479
Finished request 5.
Going to the next request


And my VPN logs from a working connection (ciscosecure radius):

Mar 27 15:08:11 macvpn-inside 13886204 03/27/2009 15:08:11.640 SEV=4 
PPTP/47 RPT=37606 76.64.100.68  Tunnel to peer 76.64.100.68 established
Mar 27 15:08:11 macvpn-inside 13886205 03/27/2009 15:08:11.710 SEV=4 
PPTP/42 RPT=37422 76.64.100.68  Session started on tunnel 76.64.100.68
Mar 27 15:08:14 macvpn-inside 13886215 03/27/2009 15:08:14.920 SEV=5 PPP/8 
RPT=33515 76.64.100.68  User [test26] Authenticated successfully with 
MSCHAP-V1
Mar 27 15:08:17 macvpn-inside 13886216 03/27/2009 15:08:17.790 SEV=5 
PPP/49 RPT=33002 76.64.100.68  User [test26] IPCP assigned IP Address 
172.26.94.7
Mar 27 15:08:17 macvpn-inside 13886217 03/27/2009 15:08:17.790 SEV=4 
AUTH/22 RPT=354231 76.64.100.68  User [test26] Group [Base Group] 
connected, Session Type: PPTP



-Mike



Re: MS-CHAP2 Failure

2009-03-18 Thread Mike Diggins


On Wed, 18 Mar 2009, Alan DeKok wrote:


Mike Diggins wrote:

I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
tried tar'ing up the entire /etc/raddb directory and copied it to the
other machine, but it still fails. I also rejoined the Windows domain,
but nothing is working. Does MSCHAP have any other dependency on the
system, that PAP doesn't?


 No.

 The mschap module configuration is pretty simple.  The debug output
you showed leads me to conclude that the ntlm_auth configuration is
commented out in the mschap module configuration.

 Or, the module configuration is in a different file than the one
you're looking at.

 Run the server in debugging mode, and look for the mschap module
startup.  It will print out its configuration.  If this doesn't match
what you expect, see which file it's reading.  It will print that out, too.


Bingo! Sure enough the mschap section was different. I normally make 
backup copies of any file I change, and append it with a .ORIG. I left 
those backup files in the original directories, not realizing the program 
was reading both files. For some reason the working server was picking up 
the right configuration, whereas the failing one wasn't, possibly due to 
the order it was reading them!? Anyway, I will move out all my backup 
files from both servers.


Thanks everyone for your help!

-Mike
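An added example, not the poster's file, covering both mschap-module points on this page: the PPTP failure that turned out to be MPPE disabled ("You have disabled mppe in mschap module", above) and the two-server MS-CHAPv2 failure resolved in this post, where a stale copy of the file in raddb/modules was being read. radiusd.conf pulls in every file under that directory with `$INCLUDE ${confdir}/modules/`, so a mschap.ORIG next to mschap is a second definition of the module; keep backups outside that directory and confirm with `radiusd -X`, which prints an "including configuration file ..." line for every file it reads. The ntlm_auth path and the MYDOMAIN default are assumptions; the `%{mschap:...}` expansions are the ones the page's debug output shows the 2.1.3 module using.

```unlang
#  Added example, not the poster's file: raddb/modules/mschap for a
#  FreeRADIUS 2.1.x server checking MS-CHAP against a Windows domain
#  through Samba's ntlm_auth.
mschap {
	#  Return the MS-MPPE-* keys in the Access-Accept.  PPTP needs them
	#  to bring up MPPE; with use_mppe = no the NAS gets an Accept
	#  without keys and the client tears the session down, which is the
	#  "Authenticated successfully ... Session closed" pattern above.
	use_mppe = yes

	#  Refuse clients that will not encrypt, and only offer 128-bit MPPE.
	require_encryption = yes
	require_strong = yes

	#  Strip a "DOMAIN\" prefix from User-Name before the lookup.
	with_ntdomain_hack = yes

	#  Hand the challenge/response to winbind.  The NT_KEY it prints is
	#  what the module derives the MPPE keys from.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

One caveat for the PPTP case: MS-CHAP v1 and v2 outside a TLS tunnel are weak by design; a captured challenge/response pair lets an attacker recover the user's NT hash offline, so treat PPTP/MS-CHAP as legacy and prefer PEAP or IPsec, where the same exchange is protected by the tunnel.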


Re: MS-CHAP2 Failure

2009-03-17 Thread Mike Diggins


I've made no progress in finding a solution to my MSCHAP problem. To 
summarize, Winbind and FreeRadius authenticate via PAP fine on both 
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I 
tried tar'ing up the entire /etc/raddb directory and copied it to the 
other machine, but it still fails. I also rejoined the Windows domain, but 
nothing is working. Does MSCHAP have any other dependency on the system, 
that PAP doesn't? I don't know where else to look.


-Mike

On Mon, 16 Mar 2009, Mike Diggins wrote:



I configured what I thought were two identical FreeRadius 2.1.3 servers. I'm 
attempting to do MS-CHAP2 authentication on both, one is working, the other 
is not. For the life of me I can't find any difference in their 
configuration.


On my client, I switch the host name between the two servers, everything else 
stays the same. One works, one fails, and I don't know why. Below is the 
debug output for both the failure and success. PAP authentication works fine 
on both with the same id. What the heck have I missed?


This is the one that fails:

rad_recv: Access-Request packet from host 192.168.2.15 port 2357, id=26, 
length=127

NAS-Identifier = test-cam1
NAS-IP-Address = 192.168.2.15
MS-CHAP-Challenge = 0xbd4261d677c0d793ee781d7a032218df
MS-CHAP2-Response = 
0xa300ac9567587df3e83b3799dc49a53f43307e0e6320a093349fbd0afc94436ed32e1258e26c5463147b

User-Name = test26
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = test26, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication 
may fail because of this.

++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test26] (from client 192.168.2.15 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]	expand: %{User-Name} -> test26
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 26 to 192.168.2.15 port 2357
Waking up in 4.9 seconds.
Cleaning up request 7 ID 26 with timestamp +1885
Ready to process requests.


This one works:

rad_recv: Access-Request packet from host 192.168.2.15 port 2358, id=115, 
length=127

NAS-Identifier = test-cam1
NAS-IP-Address = 192.168.2.15
MS-CHAP-Challenge = 0xfdd0ccd7059225f80093cea2929eb415
MS-CHAP2-Response = 
0x780017ff811e7761fc6bd332fb45f4f6b3f5b6834efb6626804caf2aa055c5a157851e9bc927698cf23f

User-Name = test26
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = test26, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication 
may fail because of this.

++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap]	expand: --username=%{mschap:User-Name:-None} -> --username=test26
[mschap] No NT-Domain was found in the User-Name.
[mschap]	expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
[mschap]  mschap2: fd
[mschap]	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc26ba941d6d9678
[mschap]	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b6834efb6626804caf2aa055c5a157851e9bc927698cf23f

Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program: returned: 0
++[mschap] returns ok
Login OK

Re: MS-CHAP2 Failure

2009-03-17 Thread Mike Diggins


On Tue, 17 Mar 2009, t...@kalik.net wrote:


I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
tried tar'ing up the entire /etc/raddb directory and copied it to the
other machine, but it still fails. I also rejoined the Windows domain, but
nothing is working. Does MSCHAP have any other dependency on the system,
that PAP doesn't? I don't know where else to look.



In raddb/modules/mschap on the first system. ntlm_auth line is still
commented out there. It's enabled on the second server.


No, it's there and uncommented on both. In fact I blew away the entire 
/etc/raddb directory on the failing server, and replaced it with the 
contents of /etc/raddb from the working one, so the configs have to be 
identical, right?


-Mike


Re: MS-CHAP2 Failure

2009-03-17 Thread Mike Diggins


On Tue, 17 Mar 2009, a.l.m.bu...@lboro.ac.uk wrote:


Hi,


I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
tried tar'ing up the entire /etc/raddb directory and copied it to the
other machine, but it still fails. I also rejoined the Windows domain,
but nothing is working. Does MSCHAP have any other dependency on the
system, that PAP doesn't? I don't know where else to look.


/etc/krb5.conf ?


I didn't change the configuration on this file on either system, and both 
are identical.


-Mike




MS-CHAP2 Failure

2009-03-16 Thread Mike Diggins


I configured what I thought were two identical FreeRadius 2.1.3 servers. 
I'm attempting to do MS-CHAP2 authentication on both, one is working, the 
other is not. For the life of me I can't find any difference in their 
configuration.


On my client, I switch the host name between the two servers, everything 
else stays the same. One works, one fails, and I don't know why. Below is 
the debug output for both the failure and success. PAP authentication 
works fine on both with the same id. What the heck have I missed?


This is the one that fails:

rad_recv: Access-Request packet from host 192.168.2.15 port 2357, id=26, length=127
	NAS-Identifier = "test-cam1"
	NAS-IP-Address = 192.168.2.15
	MS-CHAP-Challenge = 0xbd4261d677c0d793ee781d7a032218df
	MS-CHAP2-Response = 0xa300ac9567587df3e83b3799dc49a53f43307e0e6320a093349fbd0afc94436ed32e1258e26c5463147b
	User-Name = "test26"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = test26, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test26] (from client 192.168.2.15 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> test26
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 26 to 192.168.2.15 port 2357
Waking up in 4.9 seconds.
Cleaning up request 7 ID 26 with timestamp +1885
Ready to process requests.


This one works:

rad_recv: Access-Request packet from host 192.168.2.15 port 2358, id=115, length=127
	NAS-Identifier = "test-cam1"
	NAS-IP-Address = 192.168.2.15
	MS-CHAP-Challenge = 0xfdd0ccd7059225f80093cea2929eb415
	MS-CHAP2-Response = 0x780017ff811e7761fc6bd332fb45f4f6b3f5b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
	User-Name = "test26"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = test26, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap] 	expand: --username=%{mschap:User-Name:-None} -> --username=test26
[mschap] No NT-Domain was found in the User-Name.
[mschap] 	expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
[mschap]  mschap2: fd
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc26ba941d6d9678
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program: returned: 0
++[mschap] returns ok
Login OK: [test26] (from client 192.168.2.15 port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 115 to 192.168.2.15 port 2358
	MS-CHAP2-Success = 0x78533d4145363132463539313034453537313236413341423437433946383541453538384142453943
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 115 with timestamp +1773
Ready to process requests.

-Mike



Winbind errors

2009-03-12 Thread Mike Diggins


Freeradius 2.1.3
winbindd version 3.0.33-3.7.el5
RedHat Linux 5, release 2 fully patched

I know this isn't a FreeRadius issue, but is related. Has anyone running 
FreeRadius with Winbindd for windows authentication, found a solution to 
these error messages in the samba.log?


[r...@prad01 log]# tail samba.log
[2009/03/12 09:28:33, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2009/03/12 09:33:33, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2009/03/12 09:33:33, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2009/03/12 09:38:35, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.

I get several a minute. I've found many posts with the same complaint, but 
no solution. Is upgrading (or downgrading) likely to stop it? It seems to 
be a purely cosmetic issue, but I'd still like to find a solution.


-Mike


Removing Reply-Message on failed authentication, was Re: NLTM_AUTH (PAP) and MS-CHAP2 together?

2009-03-10 Thread Mike Diggins


On Sun, 4 Jan 2009, Alan DeKok wrote:


Mike Diggins wrote:

How do I stop it from sending the same Reply message when the user
enters an incorrect password. Right now the Reject responds like this:

Sending Access-Reject of id 22 to 192.168.2.2 port 1025
	Reply-Message = "Group=NetWorkers"


 Use attr_filter to delete it.

 Or, update the rules to add the Reply-Message in the post-auth section.


I'm just getting back to this problem. I'm lost as to how to implement 
either of these solutions. To summarise, I want to either remove, or just 
not send, any Reply-Message when the user fails authentication. Where 
would I put this attr_filter to delete it, and what does the attr_filter 
look like? I imagine this is documented, but I can't find the relevant 
bits.


-Mike





Re: Removing Reply-Message on failed authentication, was Re: NLTM_AUTH(PAP) and MS-CHAP2 together?

2009-03-10 Thread Mike Diggins


On Tue, 10 Mar 2009, t...@kalik.net wrote:


I'm just getting back to this problem. I'm lost as to how to implement
either of these solutions. To summarise, I want to either remove, or just
not send, any Reply-Message when the user fails authentication. Where
would I put this attr_filter to delete it, and what does the attr_filter
look like? I imagine this is documented, but I can't find the relevant
bits.


 Use attr_filter to delete it.



You don't have to put it - it's already there in Post-Auth-Type REJECT.
Just remove Reply-Message from attrs.access_reject file.


 Or, update the rules to add the Reply-Message in the post-auth section.


Use unlang in Post-Auth-Type REJECT.

update reply {
	Reply-Message := "whatever"
}


That was easy ;)

Thanks,

-Mike


What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Mike Diggins


According to the documentation, radiusd -C is supposed to Check 
configuration and exit. I was assuming that would catch errors in the 
configuration that might prevent it from restarting. However, if I 
intentionally mangle the configuration to the point it won't start, the -C 
check still returns nothing. What am I missing?


-Mike


Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Mike Diggins


Just as a quick example, I added this line to radius.conf:

$INCLUDE dsdfsdf/   # bogus line

radiusd -C doesn't complain:

[r...@rad01 raddb]# /usr/local/freeradius/sbin/radiusd -C
[r...@rad01 raddb]#

But:

Radius -XC does:

including files in directory /usr/local/freeradius/etc/raddb/dsdfsdf/
/usr/local/freeradius/etc/raddb/radiusd.conf[96]: Error reading directory /usr/local/freeradius/etc/raddb/dsdfsdf/: No such file or directory
Errors reading /usr/local/freeradius/etc/raddb/radiusd.conf
[r...@prad01 raddb]#

Basically I just wanted to do a quick syntax check to ensure radius will 
start, in case I mangle something in the config.


-Mike



On Mon, 9 Mar 2009, Alan DeKok wrote:


a.l.m.bu...@lboro.ac.uk wrote:

much as thought. is it also the case that it only checks
stuff that can be 'HUP'd' ?


 Yes.

 Alan DeKok.





Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Mike Diggins


On Mon, 9 Mar 2009, Alan DeKok wrote:


Mike Diggins wrote:


Just as a quick example, I added this line to radius.conf:

$INCLUDE dsdfsdf/   # bogus line

radiusd -C doesn't complain:

[r...@rad01 raddb]# /usr/local/freeradius/sbin/radiusd -C
[r...@rad01 raddb]#


 Err..  try echo $? after that.  It doesn't print out log messages to
stdout unless you also do -X.


But:

Radius -XC does:

including files in directory /usr/local/freeradius/etc/raddb/dsdfsdf/
/usr/local/freeradius/etc/raddb/radiusd.conf[96]: Error reading directory /usr/local/freeradius/etc/raddb/dsdfsdf/: No such file or directory
Errors reading /usr/local/freeradius/etc/raddb/radiusd.conf
[r...@prad01 raddb]#

Basically I just wanted to do a quick syntax check to ensure radius will
start, in case I mangle something in the config.


radiusd -C
if [ $? -eq 0 ]; then
    echo OK
else
    echo FAILED something
fi

 Alan DeKok.


Ah, ok. So it just returns an error level. That will do. Thanks.

-Mike




Re: NLTM_AUTH (PAP) and MS-CHAP2 together?

2009-01-03 Thread Mike Diggins


On Sat, 3 Jan 2009, Alan DeKok wrote:


Mike Diggins wrote:

After getting NTLM_AUTH working using PAP, I decided to try the MS-CHAP2
as well and that appears to work, but I had to remove the line DEFAULT
Auth-Type := ntlm_auth from my users file.


 Use =, not :=. I updated the howto on my web site a few weeks
ago to reflect this.


When I do that MS-CHAP2
works, but PAP doesn't. I will have various radius clients, some of
which support MS-CHAP2, but some do not. How can I use both together? My
users will be connecting to both services, so defining a specific
AUTH-TYPE for each user won't work.


 The above change should work.


Thanks, that worked. I was following your web page too, not sure how I 
missed that. If my user file looks like this:


diggins	Auth-Type = ntlm_auth
	Reply-Message = "Group=NetWorkers",

DEFAULT	Auth-Type = ntlm_auth

How do I stop it from sending the same Reply message when the user enters 
an incorrect password. Right now the Reject responds like this:


Sending Access-Reject of id 22 to 192.168.2.2 port 1025
	Reply-Message = "Group=NetWorkers"


Also, my client (a cisco ASA5500 VPN Server) has an authorization check 
box. When I check it, it sends a Radius request with the username and 
password both filled in with the username. FreeRadius seems to treat it as 
another authentication request. What is its purpose?


-Mike


NLTM_AUTH (PAP) and MS-CHAP2 together?

2009-01-02 Thread Mike Diggins


After getting NTLM_AUTH working using PAP, I decided to try the MS-CHAP2 
as well and that appears to work, but I had to remove the line DEFAULT 
Auth-Type := ntlm_auth from my users file. When I do that MS-CHAP2 works, 
but PAP doesn't. I will have various radius clients, some of which support 
MS-CHAP2, but some do not. How can I use both together? My users will be 
connecting to both services, so defining a specific AUTH-TYPE for each 
user won't work.


-Mike





Re: Group Authorization Question

2009-01-02 Thread Mike Diggins


On Fri, 2 Jan 2009, Alok Vimawala wrote:



Hi Mike,

Are you trying to have the radius server send an access-reject when the user 
is not in the group?

Or are you trying to send a list of groups to the VPN device?


I couldn't figure out how to have the client (in this case a cisco ASA5500 
VPN) send the group profile id or name along with the request, so I ended 
up doing it the other way, where the Radius server sends back a list of 
authorized groups, and my appliance makes the decision on authorization. I 
don't know if that's the best way or not.


-Mike



On Jan 1, 2009, at 3:21 PM, Alan DeKok wrote:


Mike Diggins wrote:

On a related note, should the rlm_dbm_parse program be able to convert
the users file (assuming it is the correct syntax) directly? It
complains about the ntlm_auth type.


I wouldn't suggest using rlm_dbm.  It's not really maintained, and
it's not necessary.

As of 2.x, the server puts the users file entries into a hash when
it loads the file.  I've tested 100K users being loaded in a second or
two on a reasonable machine.  On top of that, 2.x supports HUP better
than 1.x.

So... rlm_dbm is almost never necessary any more.

If you have less than 10K entries in the users file, I would suggest
that rlm_dbm is not for you.  If you have more than 10K users, I would
suggest using an SQL database.

Alan DeKok.







-Mike


Re: Group Authorization Question

2009-01-01 Thread Mike Diggins


On Thu, 1 Jan 2009, t...@kalik.net wrote:


I made a little progress since my last email. I discovered how to return a
group name in the Reply-Message attribute, and then parse that on my
appliance. I'm wondering though, if I have users with multiple group
membership, should I create a string of group names such as
group1,group2, group3 for each user, and return that as the
Reply-Message? Is that a sensible way to do it, or is there a better way?



You can also return multiple attributes (with different values) using +=
operator.


Thanks. I'll try that as well.

On a related note, should the rlm_dbm_parse program be able to convert the 
users file (assuming it is the correct syntax) directly? It complains 
about the ntlm_auth type.


[r...@dradius1 rlm_dbm]# ./rlm_dbm_parser -c -i users -o userdb
/usr/local/src/freeradius-server-2.1.1/src/modules/rlm_dbm/.libs/lt-rlm_dbm_parser: users[50]: syntax error

Error: Unknown value ntlm_auth for attribute Auth-Type

Record loaded: 0
Lines parsed: 50
Record skiped: 0
Warnings: 0
Errors: 1

My users file contains:

[r...@dradius1 rlm_dbm]# cat users | grep -v ^#


diggins	Auth-Type := ntlm_auth
	Reply-Message = "Group=Staff",
	Reply-Message += "Group=Network"

DEFAULT	Auth-Type := ntlm_auth


DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP


-Mike
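Alan's advice in the NLTM_AUTH thread above ("Use =, not :=") and Ivan's += tip in this thread, as an added example that is not code from the thread or from FreeRADIUS: a small Python model of the users-file operators applied in the authorize order the debug output shows (mschap before files). Module order, attribute names and the users entries follow the thread; the request contents and the rule for when the ntlm_auth Auth-Type can succeed are constructed assumptions.

```python
"""Model of FreeRADIUS users-file operators (=, :=, +=) in authorize.

Added example, not code from the thread or from FreeRADIUS. rlm_mschap runs
before rlm_files and sets Auth-Type = mschap; ':=' in the users file then
overwrites it (MS-CHAPv2 breaks), '=' leaves it (PAP and MS-CHAPv2 coexist).
Request contents and the ntlm_auth success rule are constructed assumptions.
"""

def apply_op(pairs, attr, op, value):
    """Apply one users-file operator to an attribute list (dict of lists)."""
    if op == "=":          # add only if the attribute is not already present
        pairs.setdefault(attr, [value])
    elif op == ":=":       # set, replacing any existing value
        pairs[attr] = [value]
    elif op == "+=":       # always append another instance
        pairs.setdefault(attr, []).append(value)
    else:
        raise ValueError("unsupported operator %r" % op)

def mschap_authorize(request, control):
    """rlm_mschap in authorize: claims MS-CHAP requests with Auth-Type = mschap."""
    if "MS-CHAP-Challenge" in request and "MS-CHAP2-Response" in request:
        apply_op(control, "Auth-Type", "=", "mschap")

def files_authorize(request, control, reply, users):
    """rlm_files: first entry whose name matches (or DEFAULT) is applied.
    users = [(name, check_items, reply_items)], items = (attr, op, value)."""
    for name, checks, replies in users:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        for attr, op, value in checks:
            apply_op(control, attr, op, value)
        for attr, op, value in replies:
            apply_op(reply, attr, op, value)
        return  # Fall-Through is not modelled

def authorize(request, users):
    """Run authorize in the order the debug output shows: mschap, then files."""
    control, reply = {}, {}
    mschap_authorize(request, control)
    files_authorize(request, control, reply, users)
    return control.get("Auth-Type", [None])[0], reply

def users_file(op):
    """The users file from the thread, with the chosen operator on Auth-Type."""
    return [
        ("diggins", [("Auth-Type", op, "ntlm_auth")],
         [("Reply-Message", "=", "Group=Staff"),
          ("Reply-Message", "+=", "Group=Network")]),
        ("DEFAULT", [("Auth-Type", op, "ntlm_auth")], []),
    ]

def can_succeed(request, auth_type):
    """Assumed rule: 'Auth-Type ntlm_auth' execs ntlm_auth with
    --password=%{User-Password}, so only PAP can pass; mschap needs no password."""
    if auth_type == "ntlm_auth":
        return "User-Password" in request
    return auth_type == "mschap"

# Constructed sample requests: a PAP login and an MS-CHAPv2 login.
PAP_REQUEST = {"User-Name": "test26", "User-Password": "constructed-secret"}
MSCHAP_REQUEST = {"User-Name": "test26",
                  "MS-CHAP-Challenge": "0x" + "00" * 16,   # placeholder
                  "MS-CHAP2-Response": "0x" + "00" * 50}   # placeholder

if __name__ == "__main__":
    for op in (":=", "="):
        for label, req in (("PAP", PAP_REQUEST), ("MS-CHAPv2", MSCHAP_REQUEST)):
            auth_type, _ = authorize(req, users_file(op))
            print("Auth-Type %-2s %-9s -> %-9s succeeds=%s"
                  % (op, label, auth_type, can_succeed(req, auth_type)))
```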


Group Authorization Question

2008-12-30 Thread Mike Diggins


I have authentication working from my cisco ASA550 VPN appliance to a 
FreeRadius 2.1.1 server, using NTLM_AUTH for backend authentication. That 
all works. Now I need to add authorization into the mix.


1. On the Radius server, I want to add a group X with a list of
   authorized usernames.
2. On the VPN side, the user selects a profile, and logs in, but I
   only want members of group X to be able to connect to that
   profile, even if the authentication is correct.

I have no idea how to make the connection between the group profile I 
select on the VPN side, with the group X on the radius side. I'm not even 
sure how (or where) to create such a group with freeRadius. Can anyone 
point me in the right direction?


-Mike


Group Authorization with FreeRadius

2008-11-26 Thread Mike Diggins


I would like to not only authenticate my users via FreeRadius, but also 
authorize them by creating some local groups, and running a program to do 
the authorization check, then pass that back to radius as an attribute (I 
think). I would have to write the program myself obviously, but is this 
even possible using the latest FreeRadius software? I'm not sure where to 
start looking.


-Mike


Re: Group Authorization with FreeRadius

2008-11-26 Thread Mike Diggins


I'm using the NTLM_AUTH authenticator currently, if that helps.

-Mike

On Wed, 26 Nov 2008, Mike Diggins wrote:



I would like to not only authenticate my users via FreeRadius, but also 
authorize them by creating some local groups, and running a program to do the 
authorization check, then pass that back to radius as an attribute (I think). 
I would have to write the program myself obviously, but is this even possible 
using the latest FreeRadius software? I'm not sure where to start looking.


-Mike




authenticating to an Windows AD

2008-11-18 Thread Mike Diggins


Folks, I have freeradius running on a fedora linux box. I want to use it 
for authentication from an Apache web server using the radius interface. 
That part is working, and I'm able to authenticate web users only if they 
have a local account on the freeradius server.


I want freeradius to authenticate against a Windows Active Directory. I 
installed Samba and am running Winbind, and wbinfo/ntlm_auth both are able 
to authenticate from the command line assuming I give it a valid username 
and password. What module in freeradius do I use to authenticate through 
Winbind? Could someone point me in the right direction please.


-Mike


Re: authenticating to an Windows AD

2008-11-18 Thread Mike Diggins


I should have mentioned it's FreeRadius 2.1.1.

-Mike


On Tue, 18 Nov 2008, Mike Diggins wrote:



Folks, I have freeradius running on a fedora linux box. I want to use it for 
authentication from an Apache web server using the radius interface. That 
part is working, and I'm able to authenticate web users only if they have a 
local account on the freeradius server.


I want freeradius to authenticate against a Windows Active Directory. I 
installed Samba and am running Winbind, and wbinfo/ntlm_auth both are able to 
authenticate from the command line assuming I give it a valid username and 
password. What module in freeradius do I use to authenticate through Winbind? 
Could someone point me in the right direction please.


-Mike





RE: authenticating to an Windows AD

2008-11-18 Thread Mike Diggins


Thanks very much for the pointer. That looks like what I want, however, 
after following those instructions, when I run radiusd -X, I get this 
error:


/usr/local/etc/raddb/users[50]: Parse error (check) for entry user: 
Unknown value ntlm_auth for attribute Auth-Type


Errors reading /usr/local/etc/raddb/users

/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module 
files


/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find 
module files.


/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing 
authorize section.


I added this to the top of the users file:

user	Auth-Type := ntlm_auth

Any idea what is causing that? I think I followed the instructions 
correctly.


-Mike


On Tue, 18 Nov 2008, [EMAIL PROTECTED] wrote:


Updated manual:

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP


On 18/11/2008, Danner, Mearl [EMAIL PROTECTED] wrote:


http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
worked for me.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Mike Diggins
Sent: Tuesday, November 18, 2008 3:43 PM
To: FreeRadius users mailing list
Subject: Re: authenticating to an Windows AD


I should have mentioned it's FreeRadius 2.1.1.

-Mike


On Tue, 18 Nov 2008, Mike Diggins wrote:



Folks, I have freeradius running on a fedora linux box. I want to use
it for authentication from an Apache web server using the radius interface.
That part is working, and I'm able to authenticate web users only if they
have a local account on the freeradius server.

I want freeradius to authenticate against a Windows Active Directory.
I installed Samba and am running Winbind, and wbinfo/ntlm_auth both are
able to authenticate from the command line assuming I give it a valid username
and password. What module in freeradius do I use to authenticate through
Winbind? Could someone point me in the right direction please.

-Mike



