Equivalent of post_proxy_authorize in FR 2.0.5?
Hi,

We are having an issue with inserting dynamic VLAN information into proxied Access-Accept packets with FR V2.0.5. Local authentications do have VLAN info inserted into the accept packet.

In V1.1.7 we use the post_proxy_authorize directive in proxy.conf to re-run authorize to obtain the VLAN information; however, this is deprecated in V2.

Can someone tell me what method I should use to achieve this for proxied requests in FR V2?

Many thanks,
Jezz Palmer.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Equivalent of post_proxy_authorize in FR 2.0.5?
Thanks Alan. :) Was sql.authorize in our case.

Cheers,
Jezz.

> -Original Message-
> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Alan DeKok
> Sent: 29 August 2008 14:07
> To: FreeRadius users mailing list
> Subject: Re: Equivalent of post_proxy_authorize in FR 2.0.5?
>
> Palmer J.D.F. wrote:
> > In V1.1.7 we use the post_proxy_authorize directive in proxy.conf to
> > re-run authorize to obtain the VLAN information, however this is
> > deprecated in V2.
> > Can someone tell me what method I should use to achieve this for
> > proxied requests in FR V2?
>
> If you have "users" in the "authorize" section, edit the "post-auth"
> section, and add an entry "users.authorize".
>
> Alan DeKok.
SoH - FR 2.1.11
Hi,

We've started to look at SoH with the intention to implement it for the new academic session in September, but are having an issue.

The server is set up using the example soh-server, but I find that the condition in the example (below) isn't being satisfied when a client with no AV returns its SoH status (SoH reply below). It appears after some trial that only the first of the "SoH-MS-Windows-Health-Status =" attributes is considered; if I manipulate the condition to check the firewall status, which is returned first, it works. Is this a bug or something I've done wrong?

Example condition...

    if (SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) {

SoH Status Reply...

    SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=0"
    SoH-MS-Windows-Health-Status = "antivirus error not-installed"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "auto-updates ok action=download"
    SoH-MS-Windows-Health-Status = "security-updates ok all-installed"

Separate to this, an observation from the SoH reply after I'd installed Microsoft Security Essentials; the two hashed lines below show that Microsoft Security Essentials is classed as being non-Microsoft. I presume this is the NAP service on the client making this decision, not FreeRADIUS?

    SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1"
    ## SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1" (MSE)
    ## SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1" (MSE)
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=0" (Windows Defender)
    SoH-MS-Windows-Health-Status = "auto-updates ok action=download"
    SoH-MS-Windows-Health-Status = "security-updates warn some-missing"

Thanks,
Jezz.

Jezz Palmer
Information Services and Systems
Swansea University
Singleton Park
Swansea SA2 8PP
j.d.f.pal...@swan.ac.uk
RE: SoH - FR 2.1.11
Thanks Phil & Arran,

I keep starting reply emails and another arrives before I get to send them.

I've tried the array hack; that fails even with 'firewall' as the condition.

    if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /firewall/)

fails, whereas

    if (SoH-MS-Windows-Health-Status =~ /firewall/)

is satisfied.

Cheers,
Jezz.

> -Original Message-
> From: freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org] On Behalf Of Phil Mayers
> Sent: 14 July 2011 15:45
> To: freeradius-users@lists.freeradius.org
> Subject: Re: SoH - FR 2.1.11
>
> On 14/07/11 15:24, Phil Mayers wrote:
>
> > I thought that the =~ regexp operator tried all attributes on the
> > left-hand side; that is, I thought it looped through until it got
> > first-match.
> >
> > If it doesn't, then the idea of squeezing all the SoH data into a
> > multiple instances of a single text attribute is going to need
> > revisiting (or the "foreach" unlang operator will need backporting!)
>
> Damn. You're right. It just looks at the first attribute.
>
> Erm Hmm. That's a problem. It makes checking the attributes really
> painful. Blast. Sorry about that.
>
> Maybe try this, which is a horrible hack:
>
> if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /antivirus (warn|error)/) {
>     ...
> }
FW: SoH - FR 2.1.11
Phil,

It would seem I must have made a typo; Gareth has tried this again and due to his golden touch the array is now being evaluated. Sorry for the confusion.

Cheers,
Jezz.

-Original Message-
From: Ayres G.J.
Sent: 14 July 2011 17:02
To: Palmer J.D.F.
Subject: RE: SoH - FR 2.1.11

I just tried this out of curiosity and it worked :S

    [peap] Processing SoH request
    SoH-Supported = yes
    SoH-MS-Machine-OS-vendor = Microsoft
    SoH-MS-Machine-OS-version = 6
    SoH-MS-Machine-OS-release = 1
    SoH-MS-Machine-OS-build = 7600
    SoH-MS-Machine-SP-version = 0
    SoH-MS-Machine-SP-release = 0
    SoH-MS-Machine-Processor = x86_64
    SoH-MS-Machine-Name = "jezztosh"
    SoH-MS-Correlation-Id = 0xa381264b0c2d4feeb2ebf9bb7c00b94501cc423e63ba7481
    SoH-MS-Machine-Role = client
    SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=0"
    SoH-MS-Windows-Health-Status = "auto-updates ok action=download"
    SoH-MS-Windows-Health-Status = "security-updates warn some-missing"
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "testuser"
    Calling-Station-Id = "4c-ed-de-1c-56-2f"
    Called-Station-Id = "00-0f-34-46-82-50:devroam"
    NAS-Port = 29
    NAS-IP-Address = 10.10.246.238
    NAS-Identifier = "Slot11-Port1"
    Airespace-Wlan-Id = 3
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "654"
    [peap] server soh-server {
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/soh-server
    +- entering group authorize {...}
    ++? if (SoH-Supported == no)
    ? Evaluating (SoH-Supported == no) -> FALSE
    ++? if (SoH-Supported == no) -> FALSE
    ++- entering else else {...}
    +++? if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/)
    expand: %{SoH-MS-Windows-Health-Status[*]} -> firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1 antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1 antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=0 auto-updates ok action=download security-updates warn some-missing
    ? Evaluating ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) -> TRUE
    +++? if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) -> TRUE
    +++- entering if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) {...}
    [config] returns notfound
    [reply] returns notfound
    +++- if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) returns notfound
    +++ ... skipping else for request 7: Preceding "if" was taken
    ++- else else returns notfound
    Found Auth-Type = Reject
    Auth-Type = Reject, rejecting user

So looks like it correctly evaluates it against the whole SoH-MS-Windows-Health-Status array to me:

    ? Evaluating ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) -> TRUE
    +++? if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) -> TRUE
    +++- entering if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) {...}

> -Original Message-
> From: freeradius-users-bounces+g.j.ayres=swansea.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+g.j.ayres=swansea.ac...@lists.freeradius.org] On Behalf Of Palmer J.D.F.
> Sent: 14 July 2011 15:59
> To: FreeRadius users mailing list
> Subject: RE: SoH - FR 2.1.11
>
> Thanks Phil & Arran,
>
> I keep starting reply emails and another arrives before I get to send
> them.
>
> I've tried array hack, that fails even with 'firewall' as the
> condition.
> if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /firewall/), where as if
> (SoH-MS-Windows-Health-Status =~ /firewall/) is satisfied.
>
> Cheers,
> Jezz.
>
> > -Original Message-
> > From: freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org] On Behalf Of Phil Mayers
> > Sent: 14 July 2011 15:45
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: SoH - FR 2.1.11
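The whole thread turns on one point: in 2.1.x unlang, `(Attr =~ /re/)` tests only the first instance of a multi-valued attribute, while `"%{Attr[*]}"` expands every instance. The following added example (not from the thread or from FreeRADIUS) models both behaviours over the SoH status strings quoted above and then evaluates a proper per-component health policy; the policy itself, and the newline used to join instances, are assumptions.

```python
"""Evaluate Microsoft SoH health-status strings across every attribute
instance, the way a NAP policy check should.

Added example, not part of the thread or of FreeRADIUS. The status strings
are constructed from the ones quoted in the thread; the compliance policy
(which components must be 'ok' and enabled) is an assumption, as is the
newline used to join instances when emulating "%{Attr[*]}".
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed: the reply quoted above for a client with no AV installed.
SOH_REPLY_NO_AV = [
    "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=0",
    "antivirus error not-installed",
    "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=1",
    "auto-updates ok action=download",
    "security-updates ok all-installed",
]

# Constructed: the reply quoted above after Security Essentials was installed.
SOH_REPLY_MSE = [
    "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1",
    "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1",
    "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1",
    "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=0",
    "auto-updates ok action=download",
    "security-updates warn some-missing",
]


def parse_status(line: str) -> Dict[str, object]:
    """Split '<component> <state> [flag ...]' into a dict.

    Flags are either key=value pairs (microsoft=0) or bare words
    (not-installed), which are stored as True.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed SoH status: {line!r}")
    flags: Dict[str, object] = {}
    for tok in parts[2:]:
        key, sep, val = tok.partition("=")
        flags[key] = val if sep else True
    return {"component": parts[0], "state": parts[1], "flags": flags}


def first_instance_match(statuses: List[str], pattern: str) -> bool:
    """What 2.1.x unlang does for (Attr =~ /re/): only instance 0 is tested."""
    return re.search(pattern, statuses[0]) is not None


def any_instance_match(statuses: List[str], pattern: str) -> bool:
    """What ("%{Attr[*]}" =~ /re/) does: every instance is in the string.
    The join separator is assumed; it does not affect these patterns."""
    return re.search(pattern, "\n".join(statuses)) is not None


def failing_components(statuses: List[str]) -> List[str]:
    """Components that fail the (assumed) policy.

    A component passes when at least one of its instances reports state
    'ok' and is not explicitly enabled=0, so two instances of the same
    component (two antispyware products) are handled correctly.
    """
    by_component: Dict[str, list] = defaultdict(list)
    for line in statuses:
        entry = parse_status(line)
        by_component[entry["component"]].append(entry)
    failing = []
    for component, entries in by_component.items():
        healthy = any(
            e["state"] == "ok" and e["flags"].get("enabled") != "0"
            for e in entries
        )
        if not healthy:
            failing.append(component)
    return failing


def non_microsoft_components(statuses: List[str]) -> List[str]:
    """Components the client's NAP agent flagged as third-party (microsoft=0)."""
    found = set()
    for line in statuses:
        entry = parse_status(line)
        if entry["flags"].get("microsoft") == "0":
            found.add(entry["component"])
    return sorted(found)


if __name__ == "__main__":
    cond = r"antivirus (warn|error)"
    print("first instance only:", first_instance_match(SOH_REPLY_NO_AV, cond))
    print("all instances      :", any_instance_match(SOH_REPLY_NO_AV, cond))
    print("failing (no AV)    :", failing_components(SOH_REPLY_NO_AV))
    print("failing (MSE)      :", failing_components(SOH_REPLY_MSE))
    print("third-party (MSE)  :", non_microsoft_components(SOH_REPLY_MSE))
```

Against the no-AV reply the first-instance check misses the antivirus error exactly as Jezz observed, while the joined check catches it; the per-component policy also reports the firewall because its only instance is enabled=0.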
Implementing SQL Insert/logging for SoH.
Hi,

Further to my last foray onto the list regarding SoH, I'm looking to commit the returned SoH info to the radius database using FreeRADIUS' sql connection.

I could be well off target here, but please humour me; so far I have...

- Created a table 'radsoh', and declared this inside sql.conf.
- Added a query (soh_query) to dialup.conf; at present this simply just inserts User-Name to the table.
- Declared soh_query in rlm_sql/conf.h
- Declared soh_query in the 'module_config' section of rlm_sql.c
- Declared a function, rlm_sql_soh, which is essentially a copy of rlm_sql_postauth, in rlm_sql.c.
- Added rlm_sql_soh to the export section of rlm_sql.c.

It compiles and runs, but here is where I run out of ideas.

Presuming I'm on the right track, what else is required to enable the query, and how would I make the call to execute the query? Ideally the call should be made from within the SoH virtual server defined in raddb/sites-enabled.

Thanks,
Jezz.

Jezz Palmer
Information Services and Systems
Swansea University
Singleton Park
Swansea SA2 8PP
RE: Implementing SQL Insert/logging for SoH.
> Palmer J.D.F. wrote:
>> Further to my last foray onto the list regarding SoH, I'm looking to
>> commit the returned SoH info to the radius database using FreeRADIUS'
>> sql connection.
>
> It's just attributes.
>
> Read raddb/sites-available/soh. The server runs an "authorize"
> section. This is *exactly* like the normal "authorize" section for a
> RADIUS packet. Just configure the authorize queries, and go.
>
> No source code mods are needed.

Thanks Alan, that's far more straightforward. :)
RE: Implementing SQL Insert/logging for SoH.
> > Palmer J.D.F. wrote:
> >> Further to my last foray onto the list regarding SoH, I'm looking to
> >> commit the returned SoH info to the radius database using FreeRADIUS'
> >> sql connection.
> >
> > It's just attributes.
>
> just use sql xlat...
>
> update request {
>     Tmp-String-1 := "%{sql:INSERT INTO ...}"
> }

Didn't think xlat could do inserts and updates?

Cheers,
Jezz.
RE: Implementing SQL Insert/logging for SoH.
> > Didn't think xlat could do inserts and updates?
>
> I wrote the patch to add the functionality and it's been in the server
> code for about the past three years :)

Good stuff. :)

The source of rlm_sql.c still states only...

    "* sql xlat function. Right now only SELECTs are supported."

We'd already tried

    Tmp-String-5 := "%{sql:INSERT into radsoh (sid,data) VALUES (NULL,'ss');}"

but it wasn't encapsulated in an 'update request {.. ..}' statement so failed; schoolboy error. I did some digging on the interweb which said INSERTs were not possible, then read the above comment in the 2.1.11 source, so gave up on xlat then.

All sorted now though.

Thanks,
Jezz.
RE: Blackberry disabled server certificates query
We have endless amounts of trouble connecting Blackberrys; they are hateful things. Some devices will use the certificate, some won't connect unless cert validation is disabled. Some don't have the option to disable cert checking, and some won't connect at all. For an essentially single-vendor device they have the most varied and random configuration idiosyncrasies between devices, even of the same model.

Due to this variance we no longer try to offer online support for them; users are asked to bring them in to be looked at (and hacked at) to connect them.

But yes, if possible you want to be enforcing cert validation, but in practice it's not always possible.

> -Original Message-
> From: freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org] On Behalf Of Garber, Neal
> Sent: 20 January 2012 11:13
> To: 'FreeRadius users mailing list'
> Subject: RE: Blackberry disabled server certificates query
>
> > if you leave the box unchecked "disable server certificate validation"
> > then the blackberry connects fine if you uncheck connection fails
> > "failed to connect".
>
> You wrote, "...if you leave it unchecked... (it)... connects fine if
> you uncheck (it the) connection fails"???
>
> Did you mean to say "if you leave it *checked* it connects fine"?? If
> so, checking the box is telling your Blackberry NOT to validate the
> RADIUS server's certificate. If you don't validate the certificate,
> there's a risk that you could be passing your credentials to an
> untrusted RADIUS server (if someone impersonates your wireless network
> name).
>
> Best practice, for RADIUS, is to use a cert generated from a private CA
> that you control, or at least trust. In this case, you would need to
> configure your Blackberrys to validate that the certificate is signed
> by the CA you expect (which means they would need the CA's cert
> installed - I assume this is possible with Blackberrys, but I don't
> own one and I don't know how difficult it is to distribute a cert to
> the Blackberrys or how many you have).
>
> You need to decide whether to accept the risk or not.
Setting Reply Attributes Based on Time of Day?
Hello,

Is there a function within FR to schedule certain attributes to be returned in the Access-Accept reply?

Essentially we return a QoS VSA along with VLAN information on a successful auth; however, between certain times of day there is more available bandwidth, so to be kind to our users we'd like to return a different QoS level during these bandwidth-abundant periods.

Does such a mechanism exist?

Many thanks,
Jezz.

Jezz Palmer
Information Services and Systems
Swansea University
Singleton Park
Swansea SA2 8PP
j.d.f.pal...@swan.ac.uk
RE: Setting Reply Attributes Based on Time of Day?
> Hi,
>
> > Is there a function within FR to schedule certain attributes to be
> > returned in the Access-Accept reply?
> >
> > Essentially we return a QoS VSA along with VLAN information on a
> > successful auth, however between certain times of day there is more
> > available bandwidth so to be kind to our users we'd like to return a
> > different QoS level to during these bandwidth abundant periods.
> > Does such a mechanism exist?
>
> bit of unlang with some checks against internal variables...you can check
> the hour of the day, for example...and then change the reply..
>
> ...hmm, are the variables valid there?
>
> if ( %H > 20 ){
>     'give them more bandwidth'
> }

Excellent, thanks for the point in the right direction, Alan.

The %H variable is a string so wouldn't enumerate as above, so I have done this...

    if ( "%H" =~ /(02|03|04|05|06|07|08)/ ){
        update reply {
            Airespace-QOS-Level = "2"
        }
    }

Not particularly elegant, but it is doing the job. Would there be a more efficient way to do that? And finally, is there an internal variable for day of the week?

Cheers,
Jezz.
RE: wiki problems...
FWIW it's forbidden here too. All it says is Forbidden, nothing else; the page source has no HTML, just the word 'Forbidden'.

> -Original Message-
> From: freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
> Sent: 10 May 2012 14:53
> To: FreeRadius users mailing list
> Subject: Re: wiki problems...
>
> On 10 May 2012, at 15:41, Alan DeKok wrote:
>
> > Paolo Barbato wrote:
> >> accessing http://wiki.freeradius.org
> >>
> >> return forbidden
> >
> > It works for me.
>
> Might be an intermediary cache misbehaving? Is it an nginx forbidden
> message or a tiny little non-descript one?
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Unreliable Dynamic VLAN Assignment?
Hi,

We're having a bit of a problem with FreeRADIUS not always including VLAN information in Access-Accept packets. I've not been able as yet to establish what the cause is, so I thought I'd throw it out to the list in case it's something others have come across. Needless to say our testing through the summer had not highlighted this issue, but now we have 3000 students trying to connect it's become apparent.

A bit of info: we're seeing this issue in both FR 2.1.1 and 2.1.7, and our NASes are Cisco WiSM. Users' VLAN info is stored in the SQL usergroup table. I have an sql.authorize statement in the Post-Auth section of both the default (outer) and inner-tunnel conf files.

Initially I thought it was only clients with an anonymised outer identity that were having this issue, which seemed plausible as the sql.authorize in default would see the outer and fail to find it in sql (though that wouldn't explain why it works sometimes); but it appears not to be just these users, as we're now seeing users who are not using anon outers having the same issue.

Another thought was that fast-reauth could be the issue, in that somehow a fast-reauth request was not doing a Post-Auth sql.authorize and therefore not sending back the VLAN info?

I fully expect it's a config issue, but any insight would be gratefully received.

Currently I do not have CCKM enabled on the controllers, but for some time I have been considering enabling this to take some load off RADIUS, and also wondered if it would help this current problem. Is there anything to be wary of with CCKM?

Many thanks,
Jezz Palmer.
Proxy/Realm problem in 2.1.7
Hi,

Since upgrading FR to 2.1.7 from 2.1.3 and 2.1.1 on our 2 servers there's been an issue with our proxy pool. There are three servers in the auth and acct pools, but unless I comment two of them out (as below) I receive a 'Request Denied' message back in response to the first Access-Request packet that is proxied to one of the auth servers.

Is this a bug in 2.1.7, or is there a difference in configuration file format between the versions?

    # POOL Server config...
    pool_config {
        test_username = 'test-u...@remote-realm.com'
        test_password = '***'
        secret0 = '***'
        secret1 = '***'
        secret2 = '***'
    }

    realm pool {
        nostrip
        auth_pool = pool_auth
        acct_pool = pool_acct
    }

    # Server Pools
    server_pool pool_auth {
        type = client-port-balance
        # home_server = pool0
        home_server = pool1
        # home_server = pool2
    }

    server_pool pool_acct {
        type = client-port-balance
        # home_server = pool0
        home_server = pool1
        # home_server = pool2
    }

    home_server pool0 {
        status_check = request
        username = ${pool_config.test_username}
        password = ${pool_config.test_password}
        ipaddr = server0.net
        secret = ${pool_config.secret0}
        port = 1812
        type = auth+acct
    }

    home_server pool1 {
        status_check = request
        username = ${pool_config.test_username}
        password = ${pool_config.test_password}
        ipaddr = server1.net
        secret = ${pool_config.secret1}
        port = 1812
        type = auth+acct
    }

    home_server pool2 {
        status_check = request
        username = ${pool_config.test_username}
        password = ${pool_config.test_password}
        ipaddr = server2.net
        secret = ${pool_config.secret2}
        port = 1812
        type = auth+acct
    }

Thanks,
Jezz Palmer.

Jezz Palmer
Library & Information Services
Swansea University
Singleton Park
Swansea SA2 8PP
RE: Proxy/Realm problem in 2.1.7
> hi,
>
> there does seem to be an issue with 2.1.7 - I've had a couple
> of reports stating that the proxy doesn't seem to 'stick' to one
> remote proxy during EAP (eg with client-balance or client-ip-balance
> methods). not sure what has changed since 2.1.6 - but a rollback to
> 2.1.6 with exactly the same configuration works

Thanks Alan & Alexander. It's good to know, for once, that it's not my fault. :-D

Cheers,
Jezz.
Proxying requests with source port 1815?
Hi,

Just experienced a bit of strange behaviour, or at least it seems strange to me.

One of our FR 2.1.7 boxes has been proxying Access-Requests with a source port of 1815, to which the authenticating server has replied with an Access-Accept on port 1815; only there is no listener for port 1815 running on the box and hence it fails. This was happening to ~50% of requests, but once one failed the FR box was marking the authenticator dead.

It started yesterday following a FR restart for a small config change (added a client to client.conf); I restarted it about an hour ago and it seems to be behaving now.

Is that as odd as it seems, or am I missing something?

Thanks,
Jezz.

Jezz Palmer
Library & Information Services
Swansea University
Singleton Park
Swansea SA2 8PP
RE: Proxying requests with source port 1815?
Ok, thanks Alan. :)

Jezz.

> Palmer J.D.F. wrote:
> > One of our FR 2.1.7 boxes has been proxying access-requests with a
> > source port of 1815, to which the authenticating server has replied to
> > with an access-accept on port 1815, only there is no listener for port
> > 1815 running on the box and hence fails.
> > This was happening to ~50% of requests, but once one failed the FR box
> > was marking the authenticator dead.
> > It started yesterday following a FR restart for a small config change
> > (added a client to client.conf), I restarted it about an hour ago and it
> > seems to be behaving now.
> >
> > Is that as odd as it seems, or am I missing something?
>
> I think it's a bug in 2.1.7. We should be releasing 2.1.8 to address
> this, and to have other minor enhancements.
>
> Alan DeKok.
Dynamic VLANing and anonymous identity on re-auth?
Hi all,

Is it possible to use anonymous outer identities with dynamic VLANing?

We have a problem with reauths when using anonymous outers: the initial login is fine and the VLAN is assigned using sql.authorize, but re-auths only seem to use the outer identity and hence no VLAN information is sent back in the Access-Accept packet.

On a reauth, the only mention I see of the real username is...

    [peap] Adding cached attributes to the reply:
        User-Name = "test-user"
    [eap] Freeing handler
    ++[eap] returns ok
    Login OK: [anonym...@swansea.ac.uk] (from client wism port 29 cli 00-26-69-04-a7-f7)

Is it possible to capture this brief appearance of the real username to run the sql.authorize to get the correct VLAN info?

Fast re-auth is disabled in experimental.conf (FR 2.1.7).

Many thanks,
Jezz Palmer.

Jezz Palmer
Library & Information Services
Swansea University
Singleton Park
Swansea SA2 8PP
RE: Dynamic VLANing and anonymous identity on re-auth?
> if you are doing the authorise in the main virtual server after the
> inner-tunnel has done its business, then you must copy the User-Name
> to an internal attribute that can be used in the post-auth section
> (for example)

Does the inner-tunnel get called on a re-auth? As said, the only time I see the real username on a re-auth is when it appears to be produced from the cache.

> [peap] Adding cached attributes to the reply:
>     User-Name = "test-user"

At what point can I copy it? I have sql.authorize sections in post-auth on both the inner and default sections; I've tried putting them all over the place. :-D

Cheers,
Jezz.
RE: FR 2.1.8 Issue - Unjustified(?) Access-Rejects.
Thanks for the reply Alan.

> This means that the session wasn't cached, and they are trying to
> resume a session that never was started. The change in 2.1.8 is there
> to work around a bug in OpenSSL.

Ok

> The only other alternative is that they *are* resuming a valid
> session, but (a) after the session has timed out, or (b) where no
> User-Name was cached from the inner tunnel session.

b) is possible due to the point below about cache size.

> Try increasing the size of the cache. Try ensuring that there is
> always a User-Name in the inner tunnel. This user name is cached, and
> is checked on session resumption.

I reinstated 2.1.8 this morning after having set the cache size to infinity (was the default 255), but the problem still exists.

Caching is enabled in eap.conf, but does fastreauth need to be enabled in experimental.conf? It is currently disabled.

Whether this has any bearing on it I'm not sure, but this seems to be affecting users that use wpa_supplicant more, though Windows users have also reported the problem.

Thanks,
Jezz.
RE: FR 2.1.8 Issue - Unjustified(?) Access-Rejects.
> > Whether this has any bearing on it I'm not sure, but this seems to be
> > affecting users that use wpa_supplicant more, though Windows users have
> > also reported the problem.
>
> The sessions *also* have a timeout. Read eap.conf.

Do you mean under the cache directive? If so that is set to 48 hours, yet failure occurred within 30 minutes. Our wireless controllers have a 1800 second client session timeout, forcing a reauth every 30 mins.

Below is an excerpt of the radpostauth table for an affected user; it shows the user re-authing every 30 mins through the night. I migrated back to 2.1.8 (from 2.1.7) at 08:41 this morning. The client reauthed successfully once after the reload at 08:48, but then fails at the first 30min session timeout after that.

    3843824  554...@swansea.ac.uk  Access-Accept  2010-01-13 02:17:26
    3845505  554...@swansea.ac.uk  Access-Accept  2010-01-13 02:47:26
    3846902  554...@swansea.ac.uk  Access-Accept  2010-01-13 03:17:26
    3848181  554...@swansea.ac.uk  Access-Accept  2010-01-13 03:47:26
    3849298  554...@swansea.ac.uk  Access-Accept  2010-01-13 04:17:26
    3850365  554...@swansea.ac.uk  Access-Accept  2010-01-13 04:47:26
    3851351  554...@swansea.ac.uk  Access-Accept  2010-01-13 05:17:51
    3852249  554...@swansea.ac.uk  Access-Accept  2010-01-13 05:47:51
    3853197  554...@swansea.ac.uk  Access-Accept  2010-01-13 06:17:51
    3854151  554...@swansea.ac.uk  Access-Accept  2010-01-13 06:47:51
    3855154  554...@swansea.ac.uk  Access-Accept  2010-01-13 07:17:51
    3856266  554...@swansea.ac.uk  Access-Accept  2010-01-13 07:47:51
    3857449  554...@swansea.ac.uk  Access-Accept  2010-01-13 08:18:16
    3858680  554...@swansea.ac.uk  Access-Accept  2010-01-13 08:48:16
    3860025  554...@swansea.ac.uk  Access-Reject  2010-01-13 09:18:16
    3860091  554...@swansea.ac.uk  Access-Reject  2010-01-13 09:19:37
    3860144  554...@swansea.ac.uk  Access-Reject  2010-01-13 09:20:58
    3860165  554...@swansea.ac.uk  Access-Reject  2010-01-13 09:21:23

Thanks,
Jezz.
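The radpostauth pattern above (regular Accepts, then Rejects starting exactly one session timeout after the last Accept following a server change) is easy to detect automatically across all users. The following added example (not from the thread or from FreeRADIUS) parses constructed radpostauth rows modelled on that excerpt and reports users whose periodic re-authentication regressed after a given cutover time; the 30-minute timeout, the 08:41 cutover and the placeholder usernames are assumptions.

```python
"""Flag users whose periodic re-authentications flip from Access-Accept to
Access-Reject after a server change, using radpostauth rows.

Added example, not from the thread or from FreeRADIUS. The rows are
constructed to mirror the excerpt above (30-minute session timeout, server
migrated at 08:41); usernames are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed radpostauth rows: id, username, reply, authdate.
# user1 regresses at the first reauth after the cutover, user2 keeps
# working, user3 never authenticated successfully at all.
RADPOSTAUTH_ROWS = """\
3856266 user1@example.ac.uk Access-Accept 2010-01-13 07:47:51
3857449 user1@example.ac.uk Access-Accept 2010-01-13 08:18:16
3858680 user1@example.ac.uk Access-Accept 2010-01-13 08:48:16
3860025 user1@example.ac.uk Access-Reject 2010-01-13 09:18:16
3860091 user1@example.ac.uk Access-Reject 2010-01-13 09:19:37
3860144 user1@example.ac.uk Access-Reject 2010-01-13 09:20:58
3860165 user1@example.ac.uk Access-Reject 2010-01-13 09:21:23
3858700 user2@example.ac.uk Access-Accept 2010-01-13 08:50:00
3860200 user2@example.ac.uk Access-Accept 2010-01-13 09:20:00
3860250 user3@example.ac.uk Access-Reject 2010-01-13 09:05:00
3860260 user3@example.ac.uk Access-Reject 2010-01-13 09:05:30
"""


class Row(NamedTuple):
    id: int
    username: str
    reply: str
    when: datetime


def parse_rows(text: str) -> List[Row]:
    """Parse whitespace-separated rows; the timestamp is 'date time'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row_id, user, reply, date, time = line.split()
        when = datetime.fromisoformat(f"{date} {time}")
        rows.append(Row(int(row_id), user, reply, when))
    return sorted(rows, key=lambda r: r.when)


def reauth_regressions(
    rows: List[Row],
    cutover: datetime,
    session_timeout: timedelta = timedelta(seconds=1800),
    tolerance: timedelta = timedelta(seconds=60),
    min_rejects: int = 2,
) -> Dict[str, Tuple[datetime, datetime]]:
    """Return {user: (last_accept, first_reject)} for users who were being
    accepted, then were rejected on the reauth one session timeout after
    their last Accept, with the rejects starting at or after the cutover.

    Users with no Accept at all are a different problem and are skipped;
    a user whose Accepts resume after the Rejects is not reported either.
    """
    by_user: Dict[str, List[Row]] = defaultdict(list)
    for r in rows:
        by_user[r.username].append(r)
    hits: Dict[str, Tuple[datetime, datetime]] = {}
    for user, hist in by_user.items():
        accepts = [r for r in hist if r.reply == "Access-Accept"]
        rejects = [r for r in hist
                   if r.reply == "Access-Reject" and r.when >= cutover]
        if not accepts or len(rejects) < min_rejects:
            continue
        last_accept, first_reject = accepts[-1], rejects[0]
        if first_reject.when < last_accept.when:
            continue  # recovered: an Accept came after the rejects
        gap = first_reject.when - last_accept.when
        if abs(gap - session_timeout) <= tolerance:
            hits[user] = (last_accept.when, first_reject.when)
    return hits


def sample_report(cutover: str = "2010-01-13 08:41:00") -> Dict[str, Tuple[str, str]]:
    """Run the check over the constructed rows; timestamps as ISO strings."""
    hits = reauth_regressions(parse_rows(RADPOSTAUTH_ROWS),
                              datetime.fromisoformat(cutover))
    return {u: (a.isoformat(sep=" "), b.isoformat(sep=" "))
            for u, (a, b) in hits.items()}


if __name__ == "__main__":
    for user, (last_ok, first_bad) in sample_report().items():
        print(f"{user}: last Accept {last_ok}, first Reject {first_bad}")
```

On real data, feed it the output of a query over radpostauth for the window around the change and compare the flagged users' count against the total to see whether the regression is general or limited to one supplicant type.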
RE: FR 2.1.8 Issue - Unjustified(?) Access-Rejects.
Hi Alan,

I've just been perusing the release notes for 2.1.9 and I see a bug fix...

    " Set EAP-Session-Resumed = Yes, not "No" when session is resumed. "

Can you confirm if this is relating to the problem I reported in the conversation below?

Many thanks,
Jezz.

> -Original Message-
> From: freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: 12 January 2010 11:33
> To: FreeRadius users mailing list
> Subject: Re: FR 2.1.8 Issue - Unjustified(?) Access-Rejects.
>
> Palmer J.D.F. wrote:
> > We migrated to 2.1.8 (from 2.1.7) last week while things were quiet, as
> > the users have re-appeared after the holiday we've started to receive a
> > few reports from users stating that they have been getting lots of
> > prompts for credentials.
> > The log says:
> > ... WARNING: No information in cached session!
>
> This means that the session wasn't cached, and they are trying to
> resume a session that never was started. The change in 2.1.8 is there
> to work around a bug in OpenSSL.
>
> The only other alternative is that they *are* resuming a valid
> session, but (a) after the session has timed out, or (b) where no
> User-Name was cached from the inner tunnel session.
>
> > Is this likely to be a configuration error (no changes were made to the
> > 2.1.7 config), or a bug?
>
> Try increasing the size of the cache. Try ensuring that there is
> always a User-Name in the inner tunnel. This user name is cached, and
> is checked on session resumption.
>
> Alan DeKok.
RE: FR 2.1.8 Issue - Unjustified(?) Access-Rejects.
> No, it's not.
>
> The fix for that issue will be in 2.1.10. If you need it now, see
> http://git.freeradius.org, and grab the "v2.1.x" branch.

Ok thanks Alan. I'll most likely wait until 2.1.10. Do you have any details on the bug?

Thanks,
Jezz.
RE: FR 2.1.8 Issue - Unjustified(?) Access-Rejects.
> FreeRADIUS requires IDs to uniquely identify each SSL session. At
> some point, OpenSSL changed their code to *not* generate or store IDs.
> So... many of the assumptions of the server broke.

Ah, that's helpful. :-D Thanks for the info Alan.

Cheers,
Jezz.
Cisco AP Vlan assignment when proxying EAP-PEAP?
Hi,

Can anyone tell me if it's possible to proxy EAP-PEAP from a Cisco Aironet to an IAS server via FreeRADIUS (I can do this bit), then set the user's VLAN information within FreeRADIUS in the Access-Accept packet returned to the AP?

Also, is there a way to return an Access-Accept with a 'dirty' VLAN ID, even if the IAS server rejects the user? The idea being that the user would be put into a dead-end VLAN so they could get info on how to register to use the service.

Many thanks,
Jezz Palmer.

Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Swansea SA2 8PP
RE: Cisco AP Vlan assignment when proxying EAP-PEAP?
Cheers Josh. :) That's pretty much the way we do the Roanmode stuff. Just wasn't sure being EAP whether you could mess around with the return packet.

Do you have any cunning solutions to how you might get around the reject issue? I'd imagine it's quite a common scenario, IE wanting to let users know that they are doing something wrong as opposed to just rejecting them. This must be one of the only redeeming features of web redirect. :-D

Thanks,
Jezz.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett
Sent: 08 November 2005 16:30
To: FreeRadius users mailing list
Subject: Re: Cisco AP Vlan assignment when proxying EAP-PEAP?

Hi Jezz,

Palmer J.D.F. wrote:
> Hi,
>
> Can anyone tell me if it's possible to proxy EAP-PEAP from a Cisco Aironet
> to an IAS server via FreeRADIUS (I can do this bit), then, set the user's
> VLAN information within FreeRADIUS in the access-accept packet returned to
> the AP?

Yes - write a script that outputs the relevant attributes to stdout, and specify it in an "exec" clause in radiusd.conf, making sure you set packet_type = access-accept. Invoke the exec clause by placing it in post-proxy section. For example (assuming you've got the proxying working):

assign-vlan.sh:

    #!/bin/bash
    # VLAN to hand back to the AP (no spaces around '=' in shell assignments).
    VLAN="123"
    # We can also grab the RADIUS username attribute from the environment.
    # USER="$USER_NAME"
    # This might be useful if you wanted to drop users
    # into different VLANs.
    # if [ "$USER" = "[EMAIL PROTECTED]" ]; then
    #     VLAN="666"
    # fi
    # Attribute/value pairs written to stdout are merged into the reply.
    echo "Tunnel-Medium-Type = IEEE-802"
    echo "Tunnel-Type = VLAN"
    echo "Tunnel-Private-Group-ID = $VLAN"
    exit 0

radiusd.conf:

    exec assign-vlan {
        program = "/path/to/assign-vlan.sh"
        input_pairs = proxy-reply
        output_pairs = proxy-reply
        wait = yes
        packet_type = Access-Accept
    }

    authorize {
        ...
        # Make sure you put this AFTER the clause that invokes proxying
        assign-vlan
        ...
    }

> Also, is there a way to return an access-accept with a 'dirty' VLAN ID, even
> if the IAS server rejects the user? The idea being that the user would be
> put into a dead end VLAN so they could get info on how to register to use
> the service.

No; only a couple of attributes are permitted in Access-Reject packets. I don't think it would be possible to "catch" Access-Rejects from IAS and cunningly turn them into Access-Accepts, either :-/ (well, it would be possible, but you'd need to hack FR to do this).

josh.

> Many thanks,
> Jezz Palmer.
>
> Jezz Palmer.
> Internet Systems Officer.
> Library and Information Services
> University of Wales, Swansea
> Singleton Park
> Swansea
> SA2 8PP
FreeRADIUS with PEAP(MSCHAPv2), MySQL and LDAP?
Hi,

I am currently trying to create a new auth system for our WPA 802.1x WiFi network.

Thus far I have the server authenticating using PEAP(MSCHAPv2) against a users file containing a simple test user/pass pair.

What I would now like to do is use MySQL to contain user data such as the VLAN to be assigned to that user and which LDAP server their account exists on, then use LDAP to verify the credentials.

The idea being that a PEAP request comes in, tunnel gets built etc, the user gets looked up in the MySQL database, the credentials are then authenticated against the correct LDAP (or RADIUS) server, then on success an access-accept along with the user's VLAN is passed back to the NAS.

The question is, is it possible for PEAP(MSCHAPv2) and LDAP with MySQL to interact in this way?

Many thanks,
Jezz Palmer.
RE: FreeRADIUS with PEAP(MSCHAPv2), MySQL and LDAP?
Hi Phil,

Many thanks for the reply. I'm sorry the detail was lacking, I'll try to explain myself a little better now.

Firstly, what we do already and why I want to use MySQL...

At the moment we run FR as a RADIUS proxy that proxies requests to a number of RADIUS servers based on the username. Presently we use the 'users' file to do this; the users file is built from our mail tables. Amongst other things the users file maps a username to a home RADIUS server and a VLAN; basically I want to use MySQL to replace the users file. I don't want to actually authenticate against details in the MySQL database.

The reason we use the mail tables is that it contains every user and the respective server that their mail goes to; we use the SMTP server name to determine which domain a user's RADIUS requests should be sent to. We use the Proxy_To_Realm directive in the users file to forward a user's request to the correct server.

The reason I now want to use a database is because it will give us the ability to add more user data fields, and a database would be more manageable, as the current users file has 38554 entries and is growing.

Why I want to use LDAP...

All of our user data is held in various MS ADS or Novell NDS directories. Currently we run an IAS machine on each of our AD domains to handle the proxied requests forwarded by the FR server; my thinking was that it seems a little pointless to have these IAS boxes if I could use FR to set up the PEAP tunnels then verify the user's credentials against the appropriate domain's LDAP server.

I ideally want to use PEAP(MSCHAPv2) though, mainly from a support, but also from an encryption strength point of view; however it appears that unless something clever can be done to verify MSCHAPv2 against MS or Novell LDAP it looks like I may be stuck with the nasty IAS boxes.

I hope that makes some sense.

Many thanks,
Jezz Palmer.

> -Original Message-
> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Phil Mayers
> Sent: 17 January 2006 21:03
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS with PEAP(MSCHAPv2), MySQL and LDAP?
>
> Palmer J.D.F. wrote:
> > Hi,
> >
> > I am currently trying to create a new auth system for our WPA 802.1x
> > WiFi network.
> >
> > Thus far I have the server authenticating using PEAP(MSCHAPv2) against a
> > users file containing a simple test user/pass pair.
> >
> > What I would now like to do is use MySQL to contain user data such as
> > the VLAN to be assigned to that user and which LDAP server their account
>
> Assuming you know how to make the VLAN assignment work at all, then this
> is trivial.
>
> Assigning a completely dynamic LDAP server might be a little more tricky.
>
> If you know what set of LDAP server(s) you want to use in advance, then
> you could do this:
>
> modules {
>     ldap ldap1 {
>         # config here
>     }
>     ldap ldap2 {
>         # config here
>     }
> }
>
> authorize {
>     preprocess
>     mysql
>     mschap
>     eap
>
>     Autz-Type Ldap1 {
>         ldap1
>     }
>     Autz-Type Ldap2 {
>         ldap2
>     }
> }
>
> The "mysql" module/tables will need to set Autz-Type on the requests, at
> which point the authorize stanza will be run *again* executing the
> conditional sections.
>
> ...however making this work correctly in the presence of eap/ms-chapv2
> will not be straightforward, and in any event you have the other issue...
>
> > exists on, then use LDAP to verify the credentials.
>
> The only "verification" LDAP can do of credentials is to proxy PAP
> requests to LDAP simple binds. You cannot check MS-CHAP "against" an
> LDAP server.
>
> However using LDAP as a database, as it was intended, then *if* the
> LDAP server contains either plaintext password or the NT/LM hashes, the
> radius server can read them, and the ldap module is configured to get
> them from LDAP, then FreeRadius can perform the MS-CHAP inside itself.
>
> > The idea being that a PEAP request comes in, tunnel gets built etc, the
> > user gets looked up in the MySQL database, the credentials are then
> > authenticated against the correct LDAP (or RADIUS) server, then on
> > success an access-accept along with the user's VLAN is passed back to
> > the NAS.
>
> This seems extremely hard work. Why would you use both MySQL and LDAP?
>
> > The question is, is it possible for PEAP(MSCHAPv2) and LDAP with MySQL
> > to interact in this way?
>
> Your question is not precise enough for me to be sure exactly what you
> want.
IPpool & EAP?
Hello, Just a quick question, is it possible to allocate client IP details using ippools within FreeRADIUS when using EAP(PEAP)? Many thanks, Jezz Palmer.
Proxying on Realm and NAS?
Hi,

Could someone tell me if it's possible to use Freeradius to proxy radius requests to different radius servers depending on a combination of a user's realm and the originating NAS-IP-Address; or any other distinguishable NAS variable for that matter.

I have two types of NAS and what I'm trying to achieve is to send requests from one NAS type to one radius server, and from the other NAS type to another server. The user's realm in both cases is the same.

The setup looks a little bit like this...

                            /[RADIUS LOCAL 1]
    [NAS Type 1]\          /
                 |---[Proxy]--[RADIUS LOCAL 2]
    [NAS Type 2]/          \
                            \[RADIUS PROXY REMOTE]

The different scenarios I have are...

[EMAIL PROTECTED] & NAS Type 1 should be forwarded to RADIUS LOCAL 1
[EMAIL PROTECTED] & NAS Type 2 should be forwarded to RADIUS LOCAL 2
[EMAIL PROTECTED](default) & either NAS type should be forwarded to RADIUS PROXY REMOTE.
[EMAIL PROTECTED] requests can also come in from RADIUS PROXY REMOTE and should be forwarded to RADIUS LOCAL 2.

The bottom line is, can the NASes identity be used to steer the proxy request?

Many thanks,
Jezz Palmer.

Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Swansea
SA2 8PP
RE: Proxying on Realm and NAS?
Hi,

Thanks for that Alan. :)

I have been looking at this today but it doesn't appear that I can 'pass' the user's realm (from the username [EMAIL PROTECTED]) into the users file as an attribute? Is that the case or am I looking in the wrong place?

For example I want to be able to do this but it doesn't work, is there a way that I can achieve this?

foo.com and foobar.com are my two local realms, NULL realms are also used locally. 10.0.0.1 and 10.0.0.2 are both local RADIUS servers, 192.168.0.1 is a remote radius proxy server.

A Request from NAS 10.0.0.1 should get forwarded to rad1, unless the realm is 'unknown' but not NULL, in which case it should be forwarded to rad3.

    DEFAULT NAS-IP-Address==10.0.0.1, Realm==NULL, Proxy-To-Realm := rad1
    DEFAULT NAS-IP-Address==10.0.0.1, Realm==foo.com, Proxy-To-Realm := rad1
    DEFAULT NAS-IP-Address==10.0.0.1, Realm==foobar.com, Proxy-To-Realm := rad1
    DEFAULT NAS-IP-Address==10.0.0.1, Realm==unknown, Proxy-To-Realm := rad3

Similarly, A Request from NAS 10.0.0.2 should get forwarded to rad2, unless the realm is 'unknown' but not NULL, in which case it should be forwarded to rad3.

    DEFAULT NAS-IP-Address==10.0.0.2, Realm==NULL, Proxy-To-Realm := rad2
    DEFAULT NAS-IP-Address==10.0.0.2, Realm==foo.com, Proxy-To-Realm := rad2
    DEFAULT NAS-IP-Address==10.0.0.2, Realm==foobar.com, Proxy-To-Realm := rad2
    DEFAULT NAS-IP-Address==10.0.0.2, Realm==unknown, Proxy-To-Realm := rad3

Finally, all incoming RADIUS requests from the external server (which is actually Rad3) should get forwarded to rad2.

    DEFAULT NAS-IP-Address==192.168.0.1, Realm==foo.com, Proxy-To-Realm := rad2
    DEFAULT NAS-IP-Address==192.168.0.1, Realm==foobar.com, Proxy-To-Realm := rad2

In theory that is what I want to achieve, but unfortunately the Realm attribute doesn't appear to work like that.

Any help would be gratefully received.

Many thanks,
Jezz Palmer.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: 19 May 2005 17:47
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Proxying on Realm and NAS?
>
> "Palmer J.D.F." <[EMAIL PROTECTED]> wrote:
> > Could someone tell me if it's possible to use Freeradius to proxy radius
> > requests to different radius servers depending on a combination of a user's
> > realm and the originating NAS-IP-Address; or any other distinguishable NAS
> > variable for that matter.
>
> DEFAULT Attribute-Foo == Value, Attribute-Bar == value, Proxy-To-Realm := foo.com
>
> Alan DeKok.
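The routing table Jezz lays out above, modelled as an added example (not FreeRADIUS code and not part of the original thread): realm classification as the poster intends it (NULL for no '@', a local realm name, or 'unknown' for anything else), then first-match evaluation of the DEFAULT entries in file order. Realm names, NAS addresses and rad1/rad2/rad3 are the poster's; the lookup is a model of the intended logic, not of rlm_realm's actual behaviour.

```python
"""Model of the NAS + realm -> Proxy-To-Realm users-file routing from the post.

This is a stand-alone illustration of the intended decision logic; it is not
FreeRADIUS code and does not reproduce how rlm_realm sets the Realm attribute.
"""
from __future__ import annotations

from typing import Optional

# Realms the poster describes as local (handled by rad1/rad2).
LOCAL_REALMS = {"foo.com", "foobar.com"}

# (NAS-IP-Address, Realm, Proxy-To-Realm) in users-file order; first match wins.
# None stands for the NULL realm; "unknown" stands for any non-local realm.
RULES = [
    ("10.0.0.1", None, "rad1"),
    ("10.0.0.1", "foo.com", "rad1"),
    ("10.0.0.1", "foobar.com", "rad1"),
    ("10.0.0.1", "unknown", "rad3"),
    ("10.0.0.2", None, "rad2"),
    ("10.0.0.2", "foo.com", "rad2"),
    ("10.0.0.2", "foobar.com", "rad2"),
    ("10.0.0.2", "unknown", "rad3"),
    ("192.168.0.1", "foo.com", "rad2"),
    ("192.168.0.1", "foobar.com", "rad2"),
]


def classify_realm(user_name: str) -> Optional[str]:
    """Return None (NULL realm), a local realm name, or 'unknown'.

    The realm is everything after the last '@', compared case-insensitively,
    which is the convention the poster's 'user@realm' examples assume.
    """
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].lower()
    return realm if realm in LOCAL_REALMS else "unknown"


def proxy_to_realm(nas_ip: str, user_name: str) -> Optional[str]:
    """Walk the DEFAULT entries in order and return the first Proxy-To-Realm.

    Returns None when no entry matches, e.g. a NULL-realm request arriving
    from the remote proxy, which the table deliberately does not forward.
    """
    realm = classify_realm(user_name)
    for rule_nas, rule_realm, target in RULES:
        if rule_nas == nas_ip and rule_realm == realm:
            return target
    return None


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the table.
    for nas, user in [("10.0.0.1", "alice"), ("10.0.0.1", "alice@foo.com"),
                      ("10.0.0.1", "alice@other.example"),
                      ("10.0.0.2", "bob@FOOBAR.COM"),
                      ("192.168.0.1", "carol@foo.com"), ("192.168.0.1", "carol")]:
        print(f"{nas:12} {user:22} -> {proxy_to_realm(nas, user)}")
```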
RE: Proxying on Realm and NAS?
Thanks Alan,

Realms are listed before the files, I'll look into using regular expressions.

Cheers,
Jezz.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 23 May 2005 17:53
To: freeradius-users@lists.freeradius.org
Subject: Re: Proxying on Realm and NAS?

"Palmer J.D.F." <[EMAIL PROTECTED]> wrote:
> I have been looking at this today but it doesn't appear that I can 'pass'
> the user's realm (from the username [EMAIL PROTECTED]) into the users file as an
> attribute?

The realm module sets it. So you have to list "realms" before "files" in "authorize". Or, use regular expressions.

Alan DeKok.
mod_radius, apache2 and the auth cookie.
Hi,

Is it possible to set the timeout for the auth cookie used by the mod_radius authentication module to 0; by Zero I mean no time, not infinite time?

Or, is there a way that I can clear the cookie on a failed login?

At present, if a user login fails the user has to close the browser and open another in order to be able to re-enter their credentials, I want to try to get round this if possible. It doesn't matter that the login will timeout immediately.

Many thanks,
Jezz Palmer.

Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Swansea
SA2 8PP
RE: mod_radius, apache2 and the auth cookie.
Hi Alan, > > "Palmer J.D.F." <[EMAIL PROTECTED]> wrote: > > Is it possible to set the timeout for the auth cookie used by the > mod_radius > > authentication module to 0; by Zero I mean no time, not infinite time? > > You mean re-authenticate for every request? That would require > source code changes. Effectively yes, see the description of what I'm trying to do below. > > Or, is there a way that I can clear the cookie on a failed login? > > The module doesn't set the cookie on a failed login, so there > shouldn't be any problem. If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details, if I close and re-open the browser it does then allow me to enter details. I guess it may not be a cookie if one isn't set, but the credentials are being cached somewhere. > > > At present, if a user login fails the user has to close the browser and > open > > another in order to be able to re-enter their credentials, I want to try > to > > get round this if possible. > > I don't see why that would happen. The module was designed, and > tested to work properly in that situation. > > Can you explain more about what you're doing, how, and what browser > you're using? So far this has only been tested with IE on a patched up but otherwise std XP machine. The reason for the authentication is to log into a web-redirect gateway. An iptables rule redirects any un-authenticated IP/MAC pairs to the login page; on a successful login the page (a php page which resides in a protected folder) adds some iptables rules to allow that particular client (IP/MAC pair) through the gateway. This is why it doesn't matter that there is an instant timeout, as the client will not need to access the page again until his/her connection times out and the 'allowing' iptables rules are removed. 
The removal of stale connections is handled with a cron job script that compares iptables entries to the arp table on the internal interface, if there are iptables rules for an IP/MAC pair, but no arp entry for them then the iptables rules are removed. Quite crude, but it works. In summary, I have index.php that users are redirected to, this page contains a 'Log In' link to a page in a protected folder /gateway/go.php when they click the link they are challenged for credentials, if they are correct then /gateway/go.php loads setting some iptables rules, if it fails then we are currently loading a page called failed.php that explains to the user that they need to shut down the browser and open a new one and try again. An aside to this, is it possible to have a couple of text boxes on the login page where the user/pass are entered which are then sent to mod_radius, as opposed to having a pop up user/pass dialogue box? Thanks, Jezz Palmer. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: mod_radius, apache2 and the auth cookie.
Hi,

> As was pointed out, you'll get authentication dialogs for every gif
> & jpg on the page. This is a BAD idea.

The gifs etc are located in an unprotected directory, surely this prevents from having to re-authenticate for each?

> > If I get a failed login, then try to login again it just uses cached
> > credentials and doesn't prompt for details, if I close and re-open the
> > browser it does then allow me to enter details.
>
> Then your browser is broken.

Firefox and Opera are also broken in that case. :-( A bit of a dig around reveals this from the Apache site, which implies that all browsers cache the credentials.

http://httpd.apache.org/docs/howto/auth.html#basicfaq

Thanks,
Jezz Palmer.