Re: Proxy configuration question

2013-02-27 Thread Phil Mayers

On 27/02/13 17:23, bpa...@ovi.com wrote:

Thanks Phil.
Just a quick add-on question.

In radiusd.conf there is :

#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf

Would switching off proxy, be sufficient? Or will I end up with other
issues?


TBH I can't remember the various effects. Try it and see.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy configuration question

2013-02-27 Thread Phil Mayers

On 27/02/13 14:46, bpa...@ovi.com wrote:



The RADIUS server gets the Access request and then tries to proxy it
to example.com. I don't want the request or authentication to be proxied
elsewhere. The authentication needs to happen on the local RADIUS server
itself. What am I missing in the config?


If you don't want to proxy the request, don't configure the server to proxy.

In your case, you should remove the "suffix" module from "authorize" 
and/or remove the "example.com" realm from the "proxy.conf"



Re: read value of host-ip in perl-module (freeRADIUS 2.2.0)

2013-02-27 Thread Phil Mayers

On 27/02/13 12:02, Wolfgang Burger wrote:

Dear people,

as you can see in this Access-Request:

rad_recv: Access-Request packet from host 10.1.4.82 port 65201, id=37,
length=79
    User-Name = "test"
    User-Password = "testpass"
    NAS-IP-Address = 10.0.2.15
    NAS-Port-Type = Virtual
    NAS-Port = 1228
    Calling-Station-Id = "10.0.2.15"
    Service-Type = Login-User


the client is entering incorrect data into the field "Calling-Station-Id".
In the setup used, it should not differ from the host.
But "10.0.2.15" != "10.1.4.82"

Authentication is handled by a perl-module.
The outcome of the module depends on the host sending the packet.

How (if at all) can I access the value of "host" (10.1.4.82 in the
example above) from within the perl-module?


There is a "virtual" attribute Client-IP-Address, that you can copy to a 
temporary attribute before calling the perl module e.g.


authorize {
  ...
  update request {
    Tmp-IP-Address-0 := "%{Client-IP-Address}"
  }
  myperl
  ...
}


Re: returning error code of script to module

2013-02-26 Thread Phil Mayers

On 26/02/13 10:18, Chitrang Srivastava wrote:

Thanks this may solve the issue but one doubt ,
 > if (Module-Failure-Message =~ /.*logon fail.*/i) {
How is Module-failure-Message is handled , I guess its a string ?


Yes. It is set by some/most modules, but in particular "mschap" sets it 
to the error output of ntlm_auth



What kind of comparison are you doing ?


The example above is a case-insensitive regexp. See "man unlang"


Re: eap-fast on freeradius 2

2013-02-26 Thread Phil Mayers

On 02/26/2013 06:23 AM, John wrote:

Hi,

I found freeRADIUS supports eap-fast. Can I use eap-fast in eap2,


Not easily, AIUI.

Bear in mind that "eap2" is experimental and unmaintained.


meanwhile use other eap types in eap?  Is the EAP fragmentation issue
fixed in eap2?


What issue is that?


Re: returning error code of script to module

2013-02-26 Thread Phil Mayers

On 02/26/2013 08:54 AM, Chitrang Srivastava wrote:

Hi,

Is there a way to return the status code of an external script to the module.

Let me explain the problem:
PEAP-MSCHAPv2 with ldap and fallback is also there i.e. if ldap  server
is not reachable do local auth.
Now mschapv2 authentication with ldap is to be done using ntlm_auth  ,
So basically I want to know what ntlm_auth has returned ?
it actually returns "*Reading winbind reply failed! (0xc001) *" when
ldap is not reachable (net join has failed winbindd hasn't started)
ldap is reachable but userid/password incorrect *Logon failure
(0xc06d) *
For both cases Exec returns reject=1 as the module return code; radius
should only do local authentication when ldap is not reachable and not when
ldap rejects, but because the exec output is always reject I can't
distinguish the real cause of failure.


That's not actually the "exec" module; that's the mschap module 
generating the return code.



Only way I can know what actually *ntlm_auth returns* ? if I know that I
can take decision in radiusd.conf.


You can't get the return code from an ntlm_auth exec, but you can get 
the output - like this:


  mschap
  if (ok) {
    ...
  }
  else {
    if (Module-Failure-Message =~ /.*logon fail.*/i) {
      reject
    }
    else {
      something_else
    }
  }








Re: Problem with quoting (Version 2.2.0)

2013-02-25 Thread Phil Mayers

On 02/25/2013 03:46 PM, Sven Anders wrote:


If we remove the single quotes (and we tested double quotes too) and we have a 
path with
spaces in it, the call fails, because now we get 3 parameters.

What should we do?
Is this a bug in FreeRadius itself?


It's not a bug, in that it is "designed" to work that way, but it's 
certainly a deficiency that was discussed on the -devel list recently.


The only thing you can do at the moment is not use a CA path with spaces 
in it - sorry!



Re: 277 realms to maintain

2013-02-25 Thread Phil Mayers

On 02/25/2013 11:32 AM, Bertalan Voros wrote:

Hello All,

In order to be able to use the home server pools and fail-over I had to
create a list of 277 realms.

There are now 277 entries similar to this:

realm domain.com  {
 auth_pool = my_auth_failover
 nostrip
}


Do all the realms point to the same or a few servers/pools?



Could I use an $INCLUDE statement here to maintain the list of realms in
a separate file?
That way it would be easier to automate the creation of the realms list.

Is there a better way of doing this?


If they all point to the same (or a small number of) server pool(s), 
then yes - don't use the suffix/realm module, and instead set Realm / 
Proxy-To-Realm manually, like so:


authorize {
  if (User-Name =~ /some regexp/) {
    update request {
      Realm := "BLAH.BLAH"
    }
    update control {
      Proxy-To-Realm := "UPSTREAM"
    }
  }
  ...
}

Only realms from "Proxy-To-Realm" need to be defined in proxy.conf - in 
this case, UPSTREAM.


If they all point to different home server/pool(s) then you just 
continue what you're doing, using $INCLUDE.



Re: Server exits without warning on radtest‏

2013-02-22 Thread Phil Mayers

On 22/02/13 15:10, Adrien Morvan wrote:

Thanks

So i ran it with gdb.
There is a seg fault but i don't understand what is happening.
I just noticed the 0xdeadbeef value.

Program received signal SIGSEGV, Segmentation fault.
rad_mangle (request=0x82ba520, data=) at rlm_preprocess.c:217
217	request_pairs = request->packet->vps;
(gdb) p request
$6 = (REQUEST *) 0x82ba520
(gdb) p request->packet
$7 = (RADIUS_PACKET *) 0xdeadbeef
(gdb) p request->packet->vps
Cannot access memory at address 0xdeadbf4f
(gdb) p request_pairs
$8 = 

My system is a Ubuntu 12.04 LTS and the version is FreeRADIUS Version
2.1.10.


Upgrade. There were a few bugs in 2.1.10, including a security-related 
issue. You should be running 2.2.0



Re: eap over lan simulation

2013-02-22 Thread Phil Mayers

On 02/22/2013 02:56 AM, tabibel sami wrote:


between supplicant and nas, i can't find a way to simulate a NAS (Point
ACCESS) with 802.1x supplicant that can control ethernet and not
wireless access from supplicant, because i use linux bridge to connect
my virtual machines to each other (so no wireless or can we simulate
wireless connection too ?)


hostapd, from the same people that make wpa_supplicant.

Never used it, but I'm pretty sure it can be made to do this.


Re: WARNING! for check item

2013-02-22 Thread Phil Mayers

On 02/21/2013 09:56 PM, a.l.m.bu...@lboro.ac.uk wrote:


what exactly is wrong here that is triggering this WARNING ?


Presumably that, since it's an internal attribute (>255) it'll never be 
sent on the wire anyway, so filtering it makes no sense.



Re: Radius server failed to respond

2013-02-20 Thread Phil Mayers

On 20/02/13 13:08, ahmed.sa...@stfc.ac.uk wrote:

Hi Phil,

That could be the problem.

I am using LDAP to get user information. getent passwd works okay
every time I have the system use LDAP for accounting. Do I have to
set it up in FreeRadius as well? Or shall I do either or?



I don't understand any of that, I'm afraid.

The log you posted shows pam_radius failing because getservbyname() 
failed. getservbyname() uses NSS. Fix NSS to be reliable and this error 
will go away. This is not a RADIUS problem.


You should just remove "ldap" from "services" in /etc/nsswitch.conf - 
it's pointless and unhelpful. But it's not a RADIUS problem, and thus OT 
for this list.



Re: freeradius-proxy with Rlm_cache

2013-02-20 Thread Phil Mayers

On 20/02/13 13:31, Dominique Frise wrote:

Hi Phil,

Here below a debug output :

==
rad_recv: Access-Request packet from host 127.0.0.1 port 11148, id=74,
length=94
 User-Name = "dfrise"
 User-Password = "276988"


Ok, so the PIN is appended to the password. In which case your "key" is 
just "User-Name" and "User-Password".


Anyway - the recipe in my other email should cover what you need. What 
you're doing now - single calls to "cache" - probably won't cover it. 
You will need more logic, as per my example.



Re: Radius server failed to respond

2013-02-20 Thread Phil Mayers

On 20/02/13 11:53, ahmed.sa...@stfc.ac.uk wrote:

Hi,

I can authenticate using Kerberos, by running radius in debugging mode.
I can see that I get Access-Accept packet but SSH doesn’t gets logged in.

I get following in /var/log/messages

pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -562132672.


You have underlying problems with NSS, which means get*() libc calls are 
sporadically failing.


This is not a RADIUS problem; ensure your system can reliably make 
name/service resolution calls. If you are using nss_ldap, perhaps ensure 
it's not enabled for "services"; there's no value in doing these over 
the network.



Re: freeradius-proxy with Rlm_cache

2013-02-20 Thread Phil Mayers

On 20/02/13 12:47, Phil Mayers wrote:


...and then:

authorize {


Damn, sorry this is not right. The 2nd "update" will squash the return 
values.


You'll need:

authorize {
  # first, just check the cache, don't
  # create entries or set reply attrs
  update control {
    Cache-Status-Only = yes
  }
  otpcache

  if (ok) {
    # entry found in cache; set auth type to accept
    # and call cache again to get reply attrs
    update control {
      Auth-Type := Accept
      Cache-Status-Only !* ANY
    }
    otpcache
    ok
  }
  else {
    # future cache lookups here, and in post-auth,
    # should be normal ones
    update control {
      Cache-Status-Only !* ANY
    }
  }

  ...
}


Re: freeradius-proxy with Rlm_cache

2013-02-20 Thread Phil Mayers

On 20/02/13 08:38, Dominique Frise wrote:

Hi,

We would like to configure a freeradius proxy-server v. 2.2.0 under
RHEL6 with users caching.

The scenario we would like to achieve is the following:

1. client sends username/OTP to freeradius-proxy that relays to central
radius server.
Central radius server accepts and replies to freeradius-proxy that
relays to client.

2. client sends same username/OTP within TTL to freeradius-proxy that
accepts and replies to client.

This should be possible using Rlm_cache module but we did not find a
proper how-to for configuring this.


Can you show a debug ("radiusd -X") of an auth request? This will make 
it more obvious what attributes you need to have as key/value.


Also, this will probably only work if your OTP is simple PAP-like i.e. 
request/accept. It probably won't work if Access-Challenge or any 
challenge/response is involved.


But, for example, if your request looked like this:

User-Name = foo
User-Password = bar
OTP-Password = 123456

...then you'd want an rlm_cache config like this:

cache otpcache {
  # note - we need to escape the key values
  # otherwise the client can perform injection/overlap
  # attacks by modifying their username
  key = "%{urlquote:%{User-Name}}/%{urlquote:%{User-Password}}/%{urlquote:%{OTP-Password}}"

  ttl = 60
}

...and then:

authorize {
  # first, just check the cache, don't
  # create entries or set reply attrs
  update control {
    Cache-Status-Only = yes
  }
  otpcache

  # future cache lookups here, and in post-auth,
  # should be normal ones
  update control {
    Cache-Status-Only !* ANY
  }

  if (ok) {
    # entry found in cache; set auth type to accept
    # and call cache again to get reply attrs
    update control {
      Auth-Type := Accept
    }
    otpcache
    ok
  }

  ...
}
post-auth {
  # first, delete any existing cache entries
  update control {
    Cache-TTL = 0
  }
  otpcache

  # clear that variable
  update control {
    Cache-TTL !* ANY
  }

  # now cache the reply
  otpcache
}

It's a bit awkward TBH; I kind of wish modules could have "named 
methods" e.g. "cache.{check,get,set,expire}" but you can wrap it all in 
a policy.conf if you want readability.

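The comment in the cache config above, about escaping the key values so a client cannot craft a User-Name that overlaps another entry, is the kind of thing that is easier to believe with a demonstration. The following is an added example, not code from the thread or from FreeRADIUS: it builds the same "name/password/otp" key in Python, once by plain concatenation and once with every part percent-encoded (Python's urllib quote with safe="" is used here as an analogue of the urlquote xlat; the exact character set the two encoders escape is not assumed to be identical, only that both encode the "/" separator). The sample attribute values are constructed.

```python
"""Cache-key composition: naive join vs. escaped join (added example)."""
from urllib.parse import quote, unquote

SEP = "/"


def naive_key(*parts: str) -> str:
    """Join attribute values with '/', exactly as an unescaped xlat would."""
    return SEP.join(parts)


def escaped_key(*parts: str) -> str:
    """Percent-encode each value before joining, so the separator can only
    come from the join itself, never from inside a client-supplied value."""
    return SEP.join(quote(p, safe="") for p in parts)


def decode_key(key: str) -> tuple:
    """Inverse of escaped_key(): split on the separator, then un-encode."""
    return tuple(unquote(p) for p in key.split(SEP))


def keys_are_distinct(key_fn, records) -> bool:
    """True when key_fn maps every distinct attribute tuple to a distinct key,
    i.e. no two different requests could hit the same cache entry."""
    return len({key_fn(*r) for r in records}) == len(set(records))


# Constructed sample requests (User-Name, User-Password, OTP-Password).
# The first is a legitimate user whose password happens to contain '/';
# the second is a different request that, unescaped, produces the same key.
RECORDS = [
    ("alice", "hun/ter2", "123456"),
    ("alice/hun", "ter2", "123456"),
    ("bob", "s3cret", "654321"),
]


def demo() -> dict:
    legit, crafted = RECORDS[0], RECORDS[1]
    return {
        "naive_collides": naive_key(*legit) == naive_key(*crafted),
        "escaped_collides": escaped_key(*legit) == escaped_key(*crafted),
        "round_trip_ok": decode_key(escaped_key(*legit)) == legit,
    }


if __name__ == "__main__":
    for name, fn in (("naive", naive_key), ("escaped", escaped_key)):
        print(name, "distinct keys:", keys_are_distinct(fn, RECORDS))
    for r in RECORDS:
        print(f"{r!r:40} naive={naive_key(*r)!r:28} escaped={escaped_key(*r)!r}")
```

The naive key is not injective: two different (name, password, otp) tuples map to "alice/hun/ter2/123456", so a cache hit no longer proves the request matched the entry that was stored. The escaped key is injective and can be decoded back to the original parts, which is the property the rlm_cache key needs whenever any component is client-controlled.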


Re: User disconnects but stays online in radius

2013-02-19 Thread Phil Mayers

On 19/02/13 16:09, Russell Mike wrote:


A.) Enable interim accounting


Yes


B.) Enable
post-auth {
  update reply {
    Acct-Interim-Interval = 900
  }
}


Yes



C.) You Said: You also need to ensure the
"accounting_update_query{,___alt}" are configured in your sql.conf; this
is the default.

C1.) Unclear to this, i have nothing like this in my sql.conf

 $INCLUDE sql/${database}/dialup.conf


See the $INCLUDEd file, in this case raddb/sql/mysql/dialup.conf


D.) You Said: I also found that sometimes removing the last
accounting record for the locked user in the radacct table won't work
and you need to set "/var/log/freeradius/radutmp" to null, to unlock
that user.


No, I didn't say that. Someone else did.



D1.) I use "radutmp" For Simultaneous-Use tracking. Do you mean it
should be disable ?


radutmp is inferior to SQL. There is no point in using both, and radutmp 
has problems.



I am clear with A&B. I need more help to tell us more about "C" what
exactly should be added in "sql.conf"  and "D" how to set null


The default SQL schema and queries that come with the server support 
interim accounting. If you haven't changed them, you don't need to do 
anything for "C". Just tell the NAS to send interim accounting, and then 
check using debug/tcpdump/radsniff/whatever that it's actually doing that.



Re: User disconnects but stays online in radius

2013-02-19 Thread Phil Mayers

On 19/02/13 13:28, Mobin Yazarlou wrote:


  The more I read about this, the more complicated it gets!


It's quite simple in principle.


  Dear Phil, the first and third solutions you provided will work great
but their implementation is not that easy. As you said above, following
the first approach needs packet monitoring as well, which is not easy to
implement unless there be a log file/table in freeradius for this


I don't know what this means, I'm afraid.


packets. And the value for "acctsessiontime" is 0 until the user
disconnects and freeradius sets the correct value for this field and
some other fields in radacct table.


As I said, you need to enable interim accounting. If you do this, the 
NAS should send accounting packets at frequent intervals that update 
acctsessiontime, amongst other things.


If your NAS doesn't support interim accounting, you're stuck.

If it does, you should just need to set the interim interval, either 
statically on the NAS  or dynamically in the Access-Accept, like so:


post-auth {
  ...
  update reply {
    # accounting packets every 15 minutes
    Acct-Interim-Interval = 900
  }
  ...
}

You also need to ensure the "accounting_update_query{,_alt}" are 
configured in your sql.conf; this is the default.




  I also found that sometimes removing the last accounting record for
the locked user in the radacct table won't work and you need to set
"/var/log/freeradius/radutmp" to null, to unlock that user.


Don't use utmp; disable the module if you are using SQL, it's 
unnecessary and bug prone.




  I wish there was a table for online users in NAS and we could compare
online user in NAS and online users in RADIUS and decide what to do.


Some devices do have this. It's vendor-specific, and often accessible 
via SNMP. Consult the docs for your NAS. Since this isn't a RADIUS 
question, it's best to look elsewhere for this.



  I am still looking forward for your helpful comments and suggestion on
this topic.


As above: enable interim accounting. The effects should be obvious if it 
works, and the next steps clear.



Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 14:16, Muhammad Nadeem wrote:


[eap] EAP NAK
[eap] NAK asked for bad type 0


You've mis-configured the client. Go back and look at it again.


Re: User disconnects but stays online in radius

2013-02-19 Thread Phil Mayers

On 19/02/13 11:23, Mobin Yazarlou wrote:


Hi Mike,
  Now it is an hour that I am looking for a built-in solution or a
ready-to-use script. The only thing I found was Idle-Timeout
 attribute. This
problem could be solved if RADIUS was responsible for handling this
attribute but from what I read, it's the NAS's responsibility.


I think you're confused.

Idle-Timeout serves a specific purpose; it tells the NAS to disconnect 
the client if the client is idle for a certain amount of time.


It's nothing to do with stale/dead accounting sessions.

I've already spelt out the options there, and they revolve entirely 
around trying to make your accounting robust, and dealing with the edge 
cases where it is not.


To repeat:

1. Have two RADIUS servers, and have each NAS talk to both
2. Set up robust accounting->SQL on both RADIUS servers - see the example 
configs that come with the server for this

3. Use interim accounting
4. Use a script to expire sessions without an update in X*interim-interval

That should get you pretty much all the way there.


Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 09:11, Muhammad Nadeem wrote:

Hi, everybody
I have used pre-shipped certificates of Freeradius for testing
purposes. This testing succeeded with a test user 'bob', with files
authentication.
Now in the next step I wanna authenticate a user from my Database with
Digital certificates. When I authenticate the user, the server side
confirms and sends an "Access-Accept" packet, but at the client the following
error occurs.
" No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
- dropping packet"

I googled this problem and found a solution that the user Auth-type is
set to Accept (I manually checked the user in Database , and its
Auth-Type was Accept) and this type prevent further process.


Yes


Now my question is that , could I continue EAP-TLS authentication,
regardless of Auth-Type is set to Accept???


No. Don't set Auth-Type unless you know what you're doing.


Re: User disconnects but stays online in radius

2013-02-19 Thread Phil Mayers

On 19/02/13 06:53, Russell Mike wrote:

Hi Phil & Moby,

I am also interested in this solution since experiencing the same
problem.  I liked the solution no1.

But I have no idea where I can get that script but I can modify if I
have one.


It's a pretty simple script. Depending on your SQL database, you just do 
a "select from radacct where acctstarttime + acctsessiontime < 'now - 2 
hours'" or whatever.


It should be a 1-line SQL query.

However - I should emphasise that interim accounting and expiring dead 
SQL sessions is no substitute for a resilient RADIUS service; you should 
really have two servers, and look to use robust accounting *as well* as 
interim acct.



Re: User disconnects but stays online in radius

2013-02-18 Thread Phil Mayers

On 18/02/13 18:02, Mobin Yazarlou wrote:

Hi,
  I am using freeradius v2.1.12 with MySQL support and noticed that if a user
disconnects when the radius server is down, the NAS cannot inform radius about
the user being disconnected, and radius assumes the user is still online after
coming up again. This prevents the user from connecting again when you set
simultaneous-use to 1.
  Is there any solution for this? My NAS is pptpd on Debian 6.


RADIUS uses UDP, and NASes don't "save" accounting packets which don't 
get a reply; they usually send 1-5 attempts over a few seconds, then 
give up (or move to the 2nd RADIUS server).


You need to take this into account.

Possible solutions include some combination of:

 1. Use interim accounting. Then, use a script to expire any sessions 
which have not seen accounting packets in X*interim-interval; X==3 for 
example


 2. Set up a 2nd RADIUS accounting server and ensure your NAS has both 
servers configured. Use one of several configs to write the accounting 
data to a robust, replicated database. One way to do this is with the 
"robust" accounting that comes with FreeRADIUS.


 3. Use a script to check your NASes' active sessions and compare to 
accounting data at a certain interval.


...and so on.
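The expiry script mentioned in option 1 here (and as step 4 and the "1-line SQL query" in the other replies in this thread) is small enough to show in full. What follows is an added example, not a script from the thread or from the FreeRADIUS project. It assumes the default radacct column names used in the replies (radacctid, username, acctstarttime, acctstoptime, acctsessiontime, acctterminatecause) and, as in Phil's query, treats acctstarttime + acctsessiontime as the time of the last accounting packet seen, since interim updates bump acctsessiontime. The interim interval is 900 seconds and X is 3, matching the thread. The table is an in-memory SQLite copy filled with constructed sessions so it runs offline; against MySQL the date arithmetic would use DATE_ADD instead of SQLite's datetime(..., '+N seconds'). The terminate cause "Expired-By-Script" is a made-up marker so script-closed rows stay distinguishable from Stop records the NAS really sent.

```python
"""Expire radacct sessions that have gone quiet for X interim intervals (added example)."""
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
INTERIM_INTERVAL = 900   # seconds; matches Acct-Interim-Interval = 900 in the thread
X = 3                    # missed interim updates tolerated (X == 3 in the thread)
EXPIRED_CAUSE = "Expired-By-Script"   # constructed marker, not an RFC 2866 value

# Only the columns this script touches; constructed, not the full FreeRADIUS schema.
SCHEMA = """
CREATE TABLE radacct (
  radacctid          INTEGER PRIMARY KEY,
  username           TEXT,
  acctstarttime      TEXT,
  acctstoptime       TEXT,
  acctsessiontime    INTEGER,
  acctterminatecause TEXT
)
"""

# "time of the last packet we saw" = start + session time, as in the thread's query
LAST_SEEN = "datetime(acctstarttime, '+' || acctsessiontime || ' seconds')"


def ts(t: datetime) -> str:
    return t.strftime(FMT)


def sample_db(now: datetime) -> sqlite3.Connection:
    """In-memory radacct with constructed sessions (sample data, not real accounting)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    h = timedelta(hours=1)
    rows = [
        # alice: live; started 2h ago, interim updates have pushed sessiontime to 1h55m
        ("alice", ts(now - 2 * h), None, 6900, None),
        # bob: RADIUS was down when the Stop was sent; nothing seen for an hour
        ("bob", ts(now - 3 * h), None, 7200, None),
        # carol: closed normally, must be left alone
        ("carol", ts(now - 5 * h), ts(now - 4 * h), 3600, "User-Request"),
        # dave: never produced a single interim update since starting an hour ago
        ("dave", ts(now - 1 * h), None, 0, None),
    ]
    conn.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime, "
        "acctsessiontime, acctterminatecause) VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def expire_stale_sessions(conn: sqlite3.Connection, now: datetime,
                          interim_interval: int = INTERIM_INTERVAL, x: int = X) -> list:
    """Close open sessions whose last packet is older than x * interim_interval.

    acctstoptime is set to the last time we actually heard from the NAS rather
    than to 'now', so the recorded session length is not inflated.
    Returns the usernames that were expired, in radacctid order."""
    cutoff = ts(now - timedelta(seconds=x * interim_interval))
    stale = conn.execute(
        f"SELECT radacctid, username FROM radacct "
        f"WHERE acctstoptime IS NULL AND {LAST_SEEN} < ? ORDER BY radacctid",
        (cutoff,)).fetchall()
    conn.executemany(
        f"UPDATE radacct SET acctstoptime = {LAST_SEEN}, acctterminatecause = ? "
        f"WHERE radacctid = ? AND acctstoptime IS NULL",
        [(EXPIRED_CAUSE, radacctid) for radacctid, _ in stale])
    conn.commit()
    return [user for _, user in stale]


def open_sessions(conn: sqlite3.Connection) -> list:
    """Usernames still counted as online, i.e. what Simultaneous-Use would see."""
    return [r[0] for r in conn.execute(
        "SELECT username FROM radacct WHERE acctstoptime IS NULL ORDER BY radacctid")]


if __name__ == "__main__":
    now = datetime(2013, 2, 19, 12, 0, 0)   # constructed "current time"
    conn = sample_db(now)
    print("online before:", open_sessions(conn))
    print("expired:", expire_stale_sessions(conn, now))
    print("online after:", open_sessions(conn))
```

Run from cron at roughly the interim interval; the cutoff of X intervals gives the NAS a few retries before a session is declared dead, which is the trade-off the thread describes. As the replies stress, this is a backstop for lost Stop packets, not a replacement for a second RADIUS server and robust accounting.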


Re: Clients connecting without group

2013-02-18 Thread Phil Mayers

On 18/02/13 16:43, Michell wrote:

Hello all,

what would be the best way to not allow the user connection that does
not have a group or have a group that does not exist?


What does "have a group that does not exist" mean? How can you be in a 
group that doesn't exist?




Should I create a policy or a check attributes. Does anyone have an example?


Since you didn't specify where your groups are stored, it's difficult to 
help you.




I have the problem of authenticating customers without being group and
navigating without bandwidth control, as this is defined by the groups
in radius.


Well, you control the group. You could change your data generation 
procedures to ensure that someone is *always* in a group.




This issue has already been addressed here, but still not getting success.


It's too vague. Be more specific.

You can easily exclude people not in any group. Presumably, since you 
will be setting attributes for each group, you just have a final "deny 
all" policy.


Or you create a group that contains everyone, with low precedence, and 
set a "reject" on that.



Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers

On 18/02/13 10:57, Muhammad Nadeem wrote:


ca_cert="/usr/local/etc/raddb/certs/ca.pem"
client_cert="/usr/local/etc/raddb/certs/client.pem"
private_kry="/usr/local/etc/raddb/certs/server.key"


^^^ typo - should be "client.key"

This is basic stuff; please read the docs for wpa_supplicant/eapol_test 
more carefully, and your own configs, before posting questions, 
particularly as others have pointed out, this is not the eapol_test 
support list...



Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers

On 02/18/2013 06:31 AM, Tobias Hachmer wrote:

Hello Muhammad,

On 18.02.2013 07:17, Muhammad Nadeem wrote:

Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
have configured eap.conf to use EAP-TLS. But I don't know how to
send requests to the freeradius server, so that it can authenticate the
user using TLS (with a digital certificate).
Can anyone help me, thanks in advance..


You will need a RADIUS Client, e.g.
   - wireless access point
   - lan switch

which acts as the RADIUS Client (Authenticator in 802.1X terminology).
Both have to support 802.1X and RADIUS.
Without one you won't be able to test EAP-TLS. I am not aware of a simulator
client program.


Thankfully, this isn't correct. You can use "eapol_test" which comes 
with the "wpa_supplicant" source to test pretty much every EAP type 
there is, including EAP-TLS.


To the OP - download wpa_supplicant sources and build eapol_test.


Re: DHCP howto

2013-02-15 Thread Phil Mayers

On 15/02/13 10:52, Igor Smitran wrote:

What would need to be done in dhcp setup in order to have
radusergroup/radcheck/radreply/radacct-alike behavior?


As far as I can tell:

 1. Figure out the SQL queries that return the "check/reply" and group 
items you want for the values in the DHCP packet

 2. Configure those queries on an instance of the SQL module
 3. Use the config:

dhcp ... {
  ...
  # do radcheck/radreply
  sql.authorize
  ...
  # do radacct-like behaviour
  sql.accounting
}

The latter is necessary because "dhcp" blocks are post-auth blocks 
internally, so you need to specify that you want "authorize" not 
post-auth behaviour.




I am trying to make it work with cable equipment (CM,MTA,CPE) but i am
not sure how to start. CM and MTA would have static IP addresses (sql
prefered because of additional replies: boot-file,dns,gateway etc.) and
CPE's would have dynamic IP address assigned.


Dynamic IP assignment might require the sqlippool module; the server 
comes with examples for this.



RE: Complie error

2013-02-14 Thread Phil Mayers
That might be your /etc/ld.so.conf - see the man pages for ld.so and check 
/usr/local/lib is there or in rpath (ldd radiusd)

Alternatively

./configure --prefix /usr


David Peterson  wrote:

>It compiles properly but when I run the daemon it can't find the
>freeradius
>libs.

-- 
Sent from my mobile device, please excuse brevity and typos.


Re: Complie error

2013-02-14 Thread Phil Mayers

On 14/02/13 16:57, David Peterson wrote:

It looks like it was my flawed git skills hard at work.


So now I am fighting libtool.  What is the best method for a successful
compile and install for Ubuntu where the libtool gets in your way.


Take off and nuke the entire site from orbit. It's the only way to be sure.

[Bloody libtool...]

Why are you using --with-system-libtool? What happens if you just:

./configure
make
make install

?


Re: AVP EAP-KEY name support in FR

2013-02-14 Thread Phil Mayers

On 14/02/13 14:01, Alan DeKok wrote:

Srinu Bandari wrote:

EAP key identifier must be sent as a part of Access-Accept message in EAP 
Key-Name AVP (Radius Attribute Type 102).


   Sure.  But it's been hard to find out what is put *into* it.  That
link has been missing.


This what Cisco Documentation states:

"The switch has no visibility into the details of the EAP session between the 
supplicant and the authentication server, so it cannot derive the MSK or the CAK 
directly. Instead, the switch receives the CAK from the authentication server in the 
Access-Accept message at the end of the IEEE 802.1X authentication. The CAK is delivered 
in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key. 
Along with the CAK, the authentication server sends an EAP key identifier that is derived 
from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute 
of the Access-Accept message."

 From 802.1X:
The EAP Session-Id for EAP-TLS is specified in IETF RFC 5216 and IETF RFC 5247 
and IETF RFC 4072 define the RADIUS EAP-Key-Name Attribute (Type 102) used to 
convey the EAP Session-Id


   OK.


So, we need to send Session-ID value as EAP Key-Name AVP (Radius Attribute Type 
102) part of Access-Accept message.


   That's not clear to me from the above description.  But if it works...


Yeah, I got super-confused about all the EAP-Key-Name stuff when I 
looked a couple of months ago.


Does anyone know if there's known-good test data we can compare against, 
or a client/application that validates it? Does eapol_test 
implement/check it?



Re: git question

2013-02-14 Thread Phil Mayers

On 14/02/13 13:26, David Peterson wrote:

Are we still using git fetch origin v2.1.x:v2.1.x to get v2.2?


No. v2.x.x is the branch name now.

git clone ...
git checkout v2.x.x


Re: DHCP question

2013-02-14 Thread Phil Mayers

On 14/02/13 13:13, David Peterson wrote:

I am trying to design a system with full redundancy.  I know I can use
FreeRadius proxy and/or multiple front ends with a MySQL master-master
for the data.  For IP redundancy I can install heartbeat so all of that
is fine.  My biggest unknown is DHCP.  How does the new FreeRadius DHCP
server store lease information?  Will the design I am creating allow for
DHCP failover from one machine to the next.




It stores leases however you configure it to. Unlike ISC dhcpd, there's 
no built-in lease database. The server comes with examples using the 
sqlippool module.



Re: anonymous user when proxying

2013-02-13 Thread Phil Mayers

On 13/02/13 14:46, Hocine M wrote:

Hi,

Some users who are proxied (eduroam) are accounted with username =
anonymous@realm


Yes


I don't want to have anonymous users in my database. Do I have to reject
anonymous users in the post-proxy section, or is there something to do to
force users to use the inner identity?


No. Anonymous or empty outer ID is perfectly legal, and IIRC you'll be 
in contravention of the eduroam spec if you block this. In fact, empty 
outer ID is best-practice, and you'll drop a lot of people if you block it.


What are you trying to achieve?


Re: Dialup Admin

2013-02-13 Thread Phil Mayers

On 02/12/2013 09:52 PM, Shawky Skaff wrote:

Hi Guys,

Could I please get a response to this?


Have you considered the possibility that no-one knows?

dialupadmin is largely abandonware; it's been removed from the GIT repo 
in master as no-one maintains it, or wants to. So, expertise on it is 
minimal, and interest in it even less so.



Re: AVP EAP-KEY name support in FR

2013-02-13 Thread Phil Mayers

On 02/13/2013 09:59 AM, Srinu Bandari wrote:

Hi,

We are trying to bring up MACsec with Cisco and FR, and we are stuck
because of Radius unable to send EAP-Key-Name AVP.


That's not supported in FreeRADIUS, I believe. It's been a while since I 
looked at it, but the whole extended EAP key management stuff was quite 
complex, and not widely used, so it hasn't been implemented.


Patches welcome, I'm sure.


Re: Understanding the IP Pool module

2013-02-13 Thread Phil Mayers

On 02/13/2013 07:23 AM, Бен Томпсон wrote:


One thing I still don't understand though is how best to use ippool
for DHCP. I don't understand where and how I should call the module
during a DHCP transaction. For example I can call it during
DHCP-Discover, but it seems that if I call it again during
DHCP-Request I might get different address even when the key is the
same. I will continue to study the code to see why this happens and
if I figure it out I will report back with my findings.


With difficulty, in short.

The ippool module is old, and predates the DHCP functionality. You would 
need to "fake up" some RADIUS attributes in the DHCP packet, then ensure 
that ippool is called in a manner that hands out IPs correctly. This may 
prove to be impossible.


There is an example of doing this with the sqlippool module, which is 
rather better suited to this; by customising the queries you can ensure 
that different IPs in DISCOVER/REQUEST are not a problem. See the GIT 
repo for details:


https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/policy.d/dhcp

https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/dhcp_sqlippool

Re: Degradation of service when authentication fails with Windows AD

2013-02-11 Thread Phil Mayers

On 11/02/13 11:23, Antonio Alberola wrote:


When we monitored the network and one of the Windows AD we could confirm
that requests from Radius don't reach the AD, because they don't leave
Radius. We believe that connectivity between Radius and AD is correct, they
are on the same LAN and the AD continues to validate correctly even when
Radius is failing.


Let me put this as simply as possible, but I'm getting tired of 
repeating myself:


Do not use PAM. PAM APIs are blocking. If PAM or an underlying module 
hangs, the thread in FreeRADIUS will hang. If you keep receiving 
authentication requests, eventually the entire thread pool will be blocked.


Do not use PAM.

Is this clear?



From my point of view, for whatever reason, Radius receives requests that it cannot
manage, because of the AD, the network or whatever. These requests keep
waiting and the buffer fills completely. I don't know why these requests are
not removed from the queue and the buffer cleared in order to allow new
requests. In this way we could avoid requests to the rest of the ADs failing
because of a particular AD.


Because FreeRADIUS doesn't work that way. It uses a thread pool (of 
finite size) to process requests in a blocking fashion. If the API or 
intermediate system it calls blocks forever, FreeRADIUS blocks forever, 
and if you keep receiving requests, eventually your entire thread pool 
will be exhausted.


FreeRADIUS cannot timeout synchronous C API calls. This is impossible to 
do safely in POSIX.


Is this clear?

Only a few FreeRADIUS modules can "timeout" requests. The "exec" module 
(and functionality built on top of it) is one of them.


Therefore, you should be using "exec" wrapping "ntlm_auth" from Samba.

Unfortunately, the "exec" timeout is hard-coded in the source at 10 
seconds. Therefore, depending on your load, you might still suffer 
thread pool exhaustion. But it will self-correct, because the requests 
will eventually time out.


I hope I have made myself clear.

Regards,
Phil
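A constructed model of the thread-pool behaviour Phil describes above, added here as an illustration and not code from FreeRADIUS or from the list: a fixed pool of workers, requests that arrive once a second, and a backend that sometimes never answers. With no timeout (the PAM case) the hung calls accumulate until every worker is stuck and every later request is dropped; with a per-call timeout (the "exec" case, using the 10 second figure mentioned above) hung workers are recycled and the pool recovers. The pool size, arrival pattern and hang rate are assumptions chosen for the example.

```python
import math

# Constructed discrete-time model of a fixed-size pool of blocking worker
# threads. Written for this archive as an illustration; it is not FreeRADIUS
# code. Time is in seconds; one request arrives per tick.


def build_arrivals(count, hang_every):
    """Construct `count` requests, one per second. Every `hang_every`-th one
    goes to a backend that never answers (say, an unreachable AD controller)."""
    return [(t, t % hang_every == 0) for t in range(count)]


def simulate_pool(arrivals, num_threads, hang_timeout=None, service_time=1):
    """Return how many requests were dropped because every worker was busy.

    arrivals     -- list of (arrival_time, backend_hangs) pairs
    num_threads  -- size of the worker pool
    hang_timeout -- seconds after which a hung call is abandoned, as the
                    "exec" module does with its 10 s limit; None models a
                    synchronous API such as PAM that can never be interrupted
    service_time -- seconds a healthy backend takes to answer
    """
    busy_until = []  # completion time of each request currently occupying a worker
    dropped = 0
    for now, backend_hangs in arrivals:
        # workers whose request completed by now are free again
        busy_until = [done for done in busy_until if done > now]
        if len(busy_until) >= num_threads:
            dropped += 1  # no free worker: the NAS times out and retransmits
            continue
        if backend_hangs:
            done = math.inf if hang_timeout is None else now + hang_timeout
        else:
            done = now + service_time
        busy_until.append(done)
    return dropped


if __name__ == "__main__":
    requests = build_arrivals(200, hang_every=5)
    print("blocking API, no timeout:", simulate_pool(requests, num_threads=8))
    print("exec-style 10 s timeout: ",
          simulate_pool(requests, num_threads=8, hang_timeout=10))
```

With the parameters in the block, the no-timeout run exhausts all eight workers after the eighth hung request and drops every request that follows; the 10-second-timeout run never has more than two workers stuck at once. Raising the hang rate beyond what the pool size and timeout can absorb reproduces the partial exhaustion the post warns about, with workers freed again as their calls time out.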


Re: rlm_sql_mysql driver issue

2013-02-11 Thread Phil Mayers

On 11/02/13 11:44, QASIM RAO wrote:


checking for mysql_init in -lmysqlclient_r (using mysql_config)... no
checking for mysql_init in -lmysqlclient_r... no
*configure: WARNING: mysql libraries not found. Use
--with-mysql-lib-dir=.*


What about this is unclear?


Re: freeradius not working in normal mode but working in debug mode

2013-02-11 Thread Phil Mayers

On 11/02/13 10:43, Nandkumar Palkar wrote:

Hello,

Please see the debug log: (log output from command >> freeradius  -fxx
-l stdout) and with "freeradius -X" it works fine.

My issue is that debug mode "freeradius -X" the authentication works
great but once I try with normal mode it doesn't. I have checked all the
permissions all are correct.


Well, permissions are almost certainly the problem; check again.

Try using a tool like "strace" to watch the server and look for errors e.g.

strace -o rad.log -f /usr/sbin/radiusd

...then inspect "rad.log" for an error.

I note that you're using rlm_perl - check that - and EAP, so check the 
cert/key/etc.


If you are on an SELinux-enabled distro, check for deny AVCs.


Re: freeradius not working in normal mode but working in debug mode

2013-02-11 Thread Phil Mayers

On 02/11/2013 10:11 AM, Nandkumar Palkar wrote:

version 2.1.10


You should upgrade; that version has a known security bug.



Module - LDAP

In this case debug log shows the username, but while i debug to stdout
it shows no username.

freeradius  -fxx -l stdout


Just to be clear - when you say it "works in debug mode" what *exactly* 
do you mean? In usual use, "debug mode" means:


radiusd -X

...but you list a different command line. Which command line works, and 
which command line doesn't?


When it doesn't work, what are the symptoms?

Please show the debug output when it *does* work.


Re: freeradius not working in normal mode but working in debug mode

2013-02-11 Thread Phil Mayers

On 02/11/2013 08:49 AM, Nandkumar Palkar wrote:

Hi

freeradius not working in normal mode but working in debug mode.

Please suggest.


Which version of FreeRADIUS?

Which modules (SQL, LDAP, etc.) are you using?


Re: freeradius not working in normal mode but working in debug mode

2013-02-11 Thread Phil Mayers

On 02/11/2013 08:57 AM, Nandkumar Palkar wrote:

Hello,

freeradius not working in normal mode but working in debug mode



Stop that. That's the 3rd time you've posted, and this time you've 
hijacked someone else's thread. That's rude.



Re: PAM authentication not working

2013-02-09 Thread Phil Mayers

On 02/08/2013 11:42 PM, Jaap Winius wrote:

Quoting Alan DeKok :


No.  You can't turn off EAP.  The client is sending EAP to the server.
You need to change the client.  And likely you can't, because it
*needs* to do EAP.


Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to
WPA-EAP and it looks like that's my only option. But, if you're correct,
then how is this supposed to work? You make it sound like a catch-22.


The choice of authentication algorithm (EAP) and any EAP-type are made 
client side.


Different EAP types have different requirements, in terms of what data 
you need to successfully authenticate a user - see here:


http://deployingradius.com/documents/protocols/compatibility.html
http://deployingradius.com/documents/protocols/oracles.html

PAM, as noted at the 2nd link, is an "oracle" that can *only* be used to 
authenticate PAP, and therefore EAP-TTLS/PAP.


Your client is doing EAP-TTLS/EAP-MD5.

You have two choices:

 1. Reconfigure the client to do EAP-TTLS/PAP, which PAM will be able 
to authenticate
 2. Stop using PAM, and provide the server with the client credentials 
in a form compatible with your EAP-type (see 1st URL above)


These are your only options.


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Phil Mayers

On 08/02/13 17:14, Alex Sharaz wrote:

Aruba now say they only support eap-tls and eap-peap when you offload
eap onto their mobility controllers.


Well, don't do offload - it's a pretty bad idea anyway, and vendors have 
a history of mangling it.



Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Phil Mayers

On 08/02/13 16:19, Alan DeKok wrote:


   If it requires tweaking for Aruba, then Aruba has failed to implement
the standards correctly.


Was it Aruba who we had all the issues with terminating PEAP/TTLS 
locally on the controller, then transforming the inner EAP-MSCHAPv2 to 
plain MSCHAPv2 and mangling it? I seem to recall a flurry of posts to 
the list that were solved by turning all that off, but this was a couple 
of years ago.



Re: MAc-Auth with EAP

2013-02-08 Thread Phil Mayers

On 08/02/13 16:09, Tunde Ogedengbe wrote:

Ok. Can you pls help with procedure for configuring pre-login on Windows
for 802.1x? Windows is sending packets to RADIUS as
host/machine-name.domain. I would like to have a dedicated
userid/password configured on windows for pre-login machine authentication.


Windows doesn't support that.

Your options are:

1. Use the machine account
2. Use the user/password typed into the login box

That's it - that's all Windows supports.

As for configuring it - right-click on the network adapter settings, 
select the "authentication" tab, click the "additional settings" button. 
The options should be self-explanatory. If not, consult the Microsoft docs:


http://technet.microsoft.com/en-gb/magazine/2007.11.cableguy.aspx


Re: MAc-Auth with EAP

2013-02-08 Thread Phil Mayers

On 08/02/13 12:52, Tunde Ogedengbe wrote:


see from the log that the MAC address is checked and OK.  But there is
an [eap] returns reject just after the MAC address was successfully
checked.  I guess I need a way to get radius to force an EAP accept
after successful checking of the MAC address.


This doesn't work. You can't "force accept" of an EAP session. The 
protocol is challenge/response and must complete correctly at both ends.


Your approach won't work.

Instead, you must configure pre-login 802.1x authentication correctly on 
the Windows side, either using machine credentials or user creds.



Re: few accounting records with same radacctid

2013-02-08 Thread Phil Mayers

On 02/08/2013 09:04 AM, Hocine M wrote:

nobody?


The only thing that stands out is the Called-Station-Id is different. 
This suggests to me that something about the accounting packets changes 
as the client moves around (associates to different APs) and that the 
accounting SQL queries you are using don't handle that.


Which version of the server are you using, which SQL database, are you 
using the standard SQL query config and schema that comes with the 
server, and can you show a debug "radiusd -X" of an accounting packet 
(ideally a duplicate, but anything if not).



Re: rlm_detail and locking

2013-02-07 Thread Phil Mayers

On 07/02/13 15:10, Brian Candler wrote:

I have an application where I would like to read and process rlm_detail
records in near-real-time (specifically to turn them into JSON and stuff
them into a local database).

I'm familiar with rlm_sql_log + radsqlrelay, and I know this is robust.

So I was hoping to modify radsqlrelay to work with files being appended to
by rlm_detail, but I turned up a wrinkle when checking the file locking in
2.2.x code.

rlm_sql_log uses fcntl() locking only; but rlm_detail is different. It calls
rad_lockfd_nonblock(), which uses lockf if available, else flock, and only
uses fcntl if the other two are not available.


Yes. This was changed in "master".



It looks like fcntl and flock locks are independent of each other:
http://www.mjmwired.net/kernel/Documentation/filesystems/locks.txt


Yes. But also be aware that lockf and fcntl are not guaranteed to be 
equivalent either - POSIX in general specifies no relationship. They 
happen to be the same under Linux, right now.




Question: what's the safe way to process detail files? Is there a Perl
implementation of radrelay I can hack from?  Looks like the original C
implementation of radrelay was removed in 2005 (acd40e2e)


Personally, I would just backport the "fcntl-only" commit - that way you 
know you're getting fcntl locking:


https://github.com/FreeRADIUS/freeradius-server/commit/582852042b4aa6810a683383809de234c7bd98a3
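A constructed Python demonstration of the point above, not code from FreeRADIUS or radsqlrelay: on Linux, BSD flock() locks and POSIX fcntl() record locks are independent, so a process holding one style does not block another process taking the other style on the same file. Python's fcntl.lockf() is implemented with fcntl() record locks (the style rlm_sql_log uses) and fcntl.flock() is the BSD style (one of the styles rad_lockfd_nonblock() may pick); the child process stands in for a reader such as a modified radsqlrelay. The temporary file and the two-process arrangement are the example's own assumptions.

```python
import fcntl
import os
import tempfile

# Constructed demonstration for this archive, not FreeRADIUS or radsqlrelay
# code. On Linux, BSD flock() locks and POSIX fcntl() record locks live in
# separate tables: Python's fcntl.lockf() is built on fcntl() F_SETLK (the
# style rlm_sql_log uses), fcntl.flock() is the BSD style (one of the styles
# rad_lockfd_nonblock() may pick). A writer using one style and a reader
# using the other never exclude each other.


def _try_lock(fileobj, style):
    """Attempt a non-blocking exclusive lock of the given style ("flock" or
    "fcntl") and report whether it was granted."""
    try:
        if style == "flock":
            fcntl.flock(fileobj, fcntl.LOCK_EX | fcntl.LOCK_NB)
        else:
            fcntl.lockf(fileobj, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return True
    except (BlockingIOError, PermissionError):
        # EWOULDBLOCK/EAGAIN, or EACCES which POSIX also permits for fcntl()
        return False


def probe_lock_independence(path, holder_style):
    """Hold an exclusive lock of `holder_style` on `path` in this process
    (the "writer"), then ask a child process (the "reader") to try both
    styles without blocking. Returns {"flock": bool, "fcntl": bool}, True
    where the child obtained the lock despite the parent's lock."""
    holder = open(path, "r+b")
    if holder_style == "flock":
        fcntl.flock(holder, fcntl.LOCK_EX)
    else:
        fcntl.lockf(holder, fcntl.LOCK_EX)

    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:
        # child: fcntl() locks are per process and flock() locks are per open
        # file description, so a fresh open() here really competes with the parent
        try:
            os.close(read_end)
            other = open(path, "r+b")
            got = [_try_lock(other, style) for style in ("flock", "fcntl")]
            os.write(write_end, bytes(got))  # two bytes: 0/1 for flock, fcntl
        finally:
            os._exit(0)

    os.close(write_end)
    raw = os.read(read_end, 2)
    os.close(read_end)
    os.waitpid(pid, 0)
    holder.close()  # releases the parent's lock
    if len(raw) != 2:
        raise RuntimeError("child process did not report its result")
    return {"flock": raw[0] == 1, "fcntl": raw[1] == 1}


def run_demo():
    """Run both probes against a temporary file. Returns a dict keyed by the
    style the parent held, each value saying what the child could take."""
    with tempfile.NamedTemporaryFile() as tmp:
        return {style: probe_lock_independence(tmp.name, style)
                for style in ("flock", "fcntl")}


if __name__ == "__main__":
    for held, got in run_demo().items():
        print("parent holds %-5s -> child can take flock: %s, fcntl: %s"
              % (held, got["flock"], got["fcntl"]))
```

The result is that a reader using fcntl() is never excluded by a writer using flock(), and vice versa, which is why the thread above settles on one style (fcntl) for both rlm_detail and its readers. The demonstration is Linux-specific; other systems may implement one lock family on top of the other.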


Re: Degradation of service when authentication fails with Windows AD

2013-02-07 Thread Phil Mayers

On 07/02/13 09:51, Antonio Alberola wrote:

The PAM APIs are synchronous, and don't offer timeout options.
It's not possible to timeout a PAM call; FreeRADIUS is entirely
at the mercy of PAM.

Don't use PAM, it's not suitable for your needs. Use "ntlm_auth",
and FreeRADIUS can timeout the call.


We migrated to PAM when the problems started. Previously we used "ntlm_auth"
and the problem appeared more frequently. I also recommended using
PAM-Kerberos because they said it was better integrated with Windows.
Is "ntlm_auth" the best way to authenticate with Windows AD? We have several
domains to authenticate and need stability in case one of them does not
respond.


The problem is, you're being way too vague and imprecise.

If you can describe the problem you're having, in correct terminology, 
people might be able to make a suggestion. Be specific, about the 
issues, the architecture you have, what you're trying to achieve, and so on.


From what you've described so far, it sounds like you are losing 
connectivity to one or more AD controllers, which is causing PAM to hang 
(waiting for a Kerberos reply) or Samba/ntlm_auth to hang (waiting for 
an RPC reply).


It should be obvious what the solution is - reliable connectivity to a 
reliable AD controller.



Re: Degradation of service when authentication fails with Windows AD

2013-02-06 Thread Phil Mayers

On 06/02/13 12:19, Antonio Alberola wrote:


I understand that the PAM mechanism is slow, some domains more than others.
But, I don't understand why RADIUS doesn't clean this request with some
timeout mechanisms. It's very simple to create a script for crashing the
server with a DoS attack. I need a configuration parameter to deny the
request if PAM module doesn't respond on time.


The PAM APIs are synchronous, and don't offer timeout options. It's not 
possible to timeout a PAM call; FreeRADIUS is entirely at the mercy of PAM.


Don't use PAM, it's not suitable for your needs. Use "ntlm_auth", and 
FreeRADIUS can timeout the call.




Why is the RADIUS server accepting duplicate requests for queries that have
already been sent to it? This is the cause of all threads being busy, correct?


No. FreeRADIUS is *logging* that duplicates arrived. It doesn't process 
them, because they're duplicates. But it logs them, because duplicates 
are a symptom of too-slow authentication.



Re: pb with realm

2013-02-06 Thread Phil Mayers

On 06/02/13 10:03, Hocine M wrote:

Hi ,

I have a problem with some user proxied.

In  the accounting-request the username is stripped and realm is NULL.

Why is the realm lost?


The User-Name in the accounting packets is overridden by the User-Name 
in the Access-Accept. In your case, your upstream proxy is returning a 
bare username in the Accept:



rad_recv: Access-Accept packet from host 193.51.224.109 port 1812,
id=223, length=182
 User-Name = "pierre.dupont\000"


...which you then send back to the NAS:


Sending Access-Accept of id 13 to 192.168.58.5 port 20007
 User-Name = "pierre.dupont\000"


You can (and indeed, should) use a piece of "unlang" to re-insert / 
validate the realm in the case; we have this config:


post-proxy {

  # Clean up the reply username
  if (proxy-reply:User-Name =~ /^(.*)@.*/) {
    # rewrite user@anything to user@theauthrealm
    # i.e. we don't trust the reply realm
    update proxy-reply {
      User-Name := "%{1}@%{Realm}"
    }
  }
  elsif (proxy-reply:User-Name) {
    # no @, i.e. no realm in the reply username
    # append the realm used for forwarding
    update proxy-reply {
      User-Name := "%{proxy-reply:User-Name}@%{Realm}"
    }
  }
  else {
    # no reply username at all. add one
    update proxy-reply {
      User-Name := "%{request:User-Name}"
    }
  }
}


Re: LDAP groups and profiles

2013-02-05 Thread Phil Mayers

On 05/02/13 15:50, Chris Taylor wrote:


I added this to the users file

DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile

But I get this error when I fire up radius -X


/etc/raddb/users[222]: Parse error (check) for entry DEFAULT: expecting operator
Errors reading /etc/raddb/users


Wild guess, but you might try a simpler module name e.g. "ldap2" instead 
of "ldap2.some.dots-and.hyphens".



Re: Degradation of service when authentication fails with Windows AD

2013-02-05 Thread Phil Mayers

On 05/02/13 10:20, Antonio Alberola wrote:

Dear All,

I'm having random authentication failures and I think they are due to a
Radius server internal failure. I use Radius for authenticating the email of
users in Windows Active Directory via PAM. Before I used NTLM and Kerberos
together, and now I use PAM.


This is confusing. FreeRADIUS is calling the "pam" module, yes? So what 
is the PAM stack calling?



The problem is as follows. Users authenticate properly during the whole day,
but suddenly authentication begins to fail and user authentication error
appears even if the credentials are right. Since the failure, the service is
exponentially degraded and it only validates 1 of every 20 requests. The
onset of failure seems to coincide with one of these three messages:


Those messages are a symptom; your PAM module is taking too long to 
respond. You need to investigate what the PAM stack is calling, why it 
is hanging, and how to reduce the timeouts or improve the speed of 
failure detection.


This is not a FreeRADIUS problem.



Tue Jan 30 08:27:38 2013 : Error: Received conflicting packet from client
localhost port 14038 - ID: 194 due to unfinished request 161451.  Giving up
on old request.
Tue Jan 30 08:27:52 2013 : Error: Request 161507 has been waiting in the
processing queue for 11 seconds.  Check that all databases are running
properly!
Fri Feb  1 14:55:15 2013 : Info: WARNING: Child is hung for request 3609 in
component  module .

The solution we are applying at the moment is restarting Radius. Sometimes
restarting does not fix the problem and we have to set Radius for allowing
all connections. A few minutes later, we turn it back to the current
configuration and it works again. The biggest drawback, besides annoyance of
users, is Windows AD accounts are blocked because of the failures.

I need help to find the cause of the problem and fix it. I do not know yet
if the problem is in the domain controllers, in the PAM module or in Radius.
But everything seems to point to Radius.


In short: the problem you are experiencing with FreeRADIUS is because 
your authentication mechanism (PAM) is taking too long to respond. This 
is consuming all threads in the pool, which explains the log messages 
you see.


Fix the PAM stack to fail over properly, and this problem will go away.


Re: stored procedure value for access-reject in free radius

2013-02-05 Thread Phil Mayers

On 05/02/13 10:44, Lakshmi Narayana Baliah wrote:


Hi all,

I want to configure free radius to return access-reject based on the
value in a stored procedure in an oracle database (I have configured the oracle
database in free radius).


How do I do that? Please help


There are many ways, it depends on exactly what you want to do. You are 
being too vague.


One option is to use an SQL xlat in unlang, like so:

authorize {
  ...
  update control {
    Tmp-String-0 := "%{sql: }"
  }
  if (control:Tmp-String-0 == "reject") {
    reject
  }
  ...
}

The SQL inside the XLAT can reference packet values e.g.

 %{sql:select some_proc('%{User-Name}')}


Re: problem with username renamed in radacct table

2013-01-31 Thread Phil Mayers
Yes, probably a buggy NAS changing the username in the logout acct packet. Seen this a lot 
on multiple vendors; it seems lightweight wireless controllers often erroneously 
expose internal state to their radius servers :o(

I nobbled our SQL queries to avoid the loss of data.

Alan DeKok  wrote:

>Hocine M wrote:
>> For some reasons i don't understand, somtimes when accounting in
>radacct
>> mysql table the username is renamed in "web-portal-ssid" where ssid
>is
>> the SSID Web-Portal based.
>
>  It's because the NAS is sending "web-portal-ssid" in the
>Accounting-Request.  Or, your local configuration is updating the
>User-Name to be "web-portal-ssid".
>
>  There are no other options.
>
>  Alan DeKok.

--
Sent from my mobile device, please excuse brevity and typos.

Re: Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

2013-01-25 Thread Phil Mayers

On 01/25/2013 01:19 PM, Bertalan Voros wrote:

Hello All,

Could someone tell me if it is possible to terminate PEAP on a
freeradius server then proxy the request to an NPS server using MSCHAPv2?


Yes. Simply set "Proxy-To-Realm" in inner-tunnel/authorize, and 
FreeRADIUS will proxy the packets.


server inner-tunnel {
  authorize {
    ...
    update control {
      Proxy-To-Realm := NPS
    }
    ...
  }
}

However, personally I would strongly recommend you proxy the inner as 
EAP-MSCHAPv2, rather than using the magic "turn into plain mschapv2" 
code i.e. you *should* set in "eap.conf":


eap {
  ...
  peap {
...
proxy_tunneled_request_as_eap = yes
...
  }
}

If you set this option to "no" the proxied packet will be changed into 
plain MSCHAP, but that code path is complex and has had problems in the 
past. NPS can handle EAP-MSCHAPv2 just fine, so you shouldn't need to do 
this.



Re: Quick question about RFC 3579 2.6.5

2013-01-25 Thread Phil Mayers

On 01/25/2013 06:56 AM, Olivier Beytrison wrote:


Would this still be illegal and would I end in jail ? ;)


We do it; it works fine. I'll be honest, I have no idea if it's illegal 
per spec, but don't really care - denying Reply-Message in 
Access-Reject/Accept containing EAP-Message doesn't seem useful to me.



Re: Realm

2013-01-23 Thread Phil Mayers

On 23/01/13 14:47, Miha wrote:

Hi,

my radius client is sending with user-name and password aslo realm. I
can not disable sending realm, is it possible to configure radius that
will not user realm with user-name (user-name@realm)?

[digest] Digest-Attributes look OK.  Converting them to something more
usful.
 Digest-User-Name = "018108500"
 Digest-Realm = "test1.opensips.softnet.si"
 Digest-Nonce = "510001fb0006c9cc728438be21e324f917a5ea234380"
 Digest-URI = "sip:+3858...@test1.opensips.test.si"
 Digest-Method = "INVITE"
[digest] Adding Auth-Type = DIGEST
++[digest] returns ok
[suffix] Looking up realm "test1.opensips.softnet.si" for User-Name =
"018108500@test1.opensips.test.si"
[suffix] No such realm "test1.opensips.softnet.si"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> 018108500@test1.opensips.test.si


Radius will need to check only the user-name (018108500).


Sure. The easiest option is something like this:

authorize {
  ...
  if (User-Name =~ /^(.+)@(.+)$/) {
update request {
  Stripped-User-Name := "%{1}"
  Realm := "%{2}"
}
  }
  ...
}

...and then ensure your SQL/files/whatever modules use an appropriate 
expansion for their "key" value e.g.


sql {
  ...
  sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
  ...
}

This is the default. So basically, you identify the realm yourself, set 
"Stripped-User-Name", and use that.

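A constructed Python model, added here and not code from FreeRADIUS or from either post, of the two pieces of unlang on this page that handle realms: the authorize snippet above that splits User-Name into Stripped-User-Name and Realm together with the default sql_user_name fallback, and the post-proxy block from the "pb with realm" reply earlier that re-attaches the forwarding realm to whatever User-Name a home server returns. It uses the same regular expressions as the unlang; the sample realm "example.org" is constructed, and None stands for an absent attribute.

```python
import re

# Constructed model (not FreeRADIUS code) of the realm handling in the two
# unlang snippets on this page. None stands for an attribute that is absent.

AUTHORIZE_RE = re.compile(r"^(.+)@(.+)$")   # authorize: /^(.+)@(.+)$/
POST_PROXY_RE = re.compile(r"^(.*)@.*")     # post-proxy: /^(.*)@.*/


def split_realm(user_name):
    """authorize block: return (Stripped-User-Name, Realm), or (None, None)
    when the User-Name carries no "@realm" suffix (attributes left unset).
    Both groups are greedy, so "a@b@c" yields ("a@b", "c"), as in unlang."""
    m = AUTHORIZE_RE.match(user_name)
    if m is None:
        return None, None
    return m.group(1), m.group(2)


def sql_user_name(user_name):
    """sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}": the sql
    module keys on the stripped name when the authorize block set one,
    otherwise on the whole User-Name."""
    stripped, _realm = split_realm(user_name)
    return stripped if stripped is not None else user_name


def clean_reply_user_name(proxy_reply_user_name, realm, request_user_name):
    """post-proxy block: the User-Name in the Access-Accept overrides the one
    in the later accounting packets, so the realm a home server puts there
    is never trusted; the realm the request was forwarded to is re-attached.

    proxy_reply_user_name -- User-Name from the home server's reply, or None
    realm                 -- the Realm the request was proxied to
    request_user_name     -- User-Name from the original request
    """
    if proxy_reply_user_name is None:
        # no reply username at all: fall back to the one from the request
        return request_user_name
    m = POST_PROXY_RE.match(proxy_reply_user_name)
    if m:
        # user@anything -> user@<realm we forwarded to>; greedy, so
        # "u@a@b" keeps "u@a" as the user part
        return "%s@%s" % (m.group(1), realm)
    # no "@" in the reply username: append the forwarding realm
    return "%s@%s" % (proxy_reply_user_name, realm)


if __name__ == "__main__":
    print(split_realm("018108500@test1.opensips.softnet.si"))
    print(sql_user_name("018108500@test1.opensips.softnet.si"))
    print(clean_reply_user_name("pierre.dupont", "example.org",
                                "pierre.dupont@example.org"))
```

The bare "pierre.dupont" case is the one in the "pb with realm" thread: the home server returned a realm-less name, and without the post-proxy rewrite that is what the NAS would put into its Accounting-Requests.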


Re: Log format

2013-01-22 Thread Phil Mayers

On 22/01/13 09:54, Emmanuel BILLOT wrote:

Hi,

Is there any way to have the log format (radius.log) with a date for each
line or section?


Define and use a "linelog" module instance. See raddb/modules/linelog 
for example config.



Re: accounting question

2013-01-22 Thread Phil Mayers

On 01/21/2013 06:47 AM, Tzvika Gelber wrote:

I'm looking to focus on a problem I have - I think the main issue is not
freeradius but it's a good place to ask.

I have a server that does both Radius and accounting for Wifi random
users (web redirected system).

Now I just discovered that to authenticate the users I have to use the
server "secret" password


It's not a "server secret password". The correct term is "radius shared 
secret".



On the accounting side I can use whatever I want and it will still work.
(If the secret for the server is 12345 I can use abcde for the
accounting and I'll get the accounting files.)


No, this doesn't work reliably.



The question is this: if we stick to the AAA protocol do you really need
the "radius secret" to use accounting? Or can I just drop it?


No. The secret is required for correct operation.


Re: Question on attributes

2013-01-17 Thread Phil Mayers

On 17/01/13 12:42, Tiago wrote:

Hello Phil,
Thanks for your answer.

I have these:
ATTRIBUTE   Download78  integer
ATTRIBUTE   Upload  79  integer

On /etc/freeradius/dictionary file that is being included as debug showed.

including dictionary file /etc/freeradius/dictionary on freeradius v2.

Maybe I need to create a separate dictionary file and have an include
on this file? What I'm doing wrong?


These attributes are already allocated; you've "stolen" them from the 
main attribute space, and are probably having problems with dictionary 
precedence - IIRC there were changes in this area in FR2.


The correct thing to do is either use a valid, allocated attribute, or 
assign your own from a valid, allocated enterprise number that you own.


What is processing these attributes? Since you are using rp-pppoe, I 
suspect you are using an "ip-up" script and processing them in shell script?


In that case, find an allocated attribute with similar purpose, and use 
that. Use "grep" to search the dictionaries.



Re: Question on attributes

2013-01-17 Thread Phil Mayers

On 17/01/13 11:29, Tiago wrote:

Hello everyone,
I'm struggling with something that should be simple to fix.

I have an rp-pppoe NAS server here that correctly understands a few
attributes (radreply) that come from freeradius 1.x (w/mysql
database). Example:

Download (for download rates) attribute

Simple real example, from pppoe server:
# cat /var/run/radattr.ppp479

Framed-Compression Van-Jacobson-TCP-IP
Framed-Protocol PPP
Framed-MTU 1500
Download 12000
Upload 3072


"Download" and "Upload" aren't standard attributes. Where are these 
defined in "dictionary" files?



Sending Access-Accept of id 192 to NASPPPOE01 port 48956
 Framed-Protocol = PPP
 Framed-Compression = Van-Jacobson-TCP-IP
 Cliente = 
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
 Framed-MTU = 1500
 WISPr-Bandwidth-Max-Down = 256000
 WISPr-Bandwidth-Max-Up = 256000
Finished request 0.
Going to the next request

What am I missing? It seems like the attributes are not being sent to the
NAS, but I could be wrong.


Correct.

Check the attributes are actually defined in a dictionary on the 2.x 
installation; check raddb/dictionary on the 1.x installation, see if 
they were defined as custom VSAs or similar.



Re: Failure with "TLS authentication" and "Freeradius on Fedora-17"

2013-01-17 Thread Phil Mayers

On 17/01/13 11:52, Ajay Garg wrote:

Hmm.. I am not exactly sure what package contains the gnome "handle" to
edit network-settings (in Fedora-14, it was called "nm-applet").


Ok, then I give up. Maybe someone else is willing to spend time 
deciphering vagueness, but I'm not. Best of luck.



Re: Failure with "TLS authentication" and "Freeradius on Fedora-17"

2013-01-17 Thread Phil Mayers

On 16/01/13 13:34, Ajay Garg wrote:

Ping :)

Anyone managed to get this working on gnome-applet? :)


$ gnome-applet
bash: gnome-applet: command not found...

You're being way too vague, inconsistent and hand-wavy for me to want to 
spend any time on this.


If you can be *specific* about what you want someone to try, I *might* 
be willing to give it a go. No promises.



Re: how to call stored procedure with output varaibles in free-radius

2013-01-15 Thread Phil Mayers

On 15/01/13 12:24, Arran Cudbard-Bell wrote:


On 15 Jan 2013, at 11:48, a.l.m.bu...@lboro.ac.uk wrote:


Hi,


How to call my own stored procedure ,which takes input and
output variable in free-radius server.

How do i do that ??? please help


Guessing you're referring to stored procedures in SQL? Or are you
misusing SQL terminology to refer to something like a subroutine
or function written in the policy language?


..or do you mean using an external program (C or perl etc) to be
given values and return values?


Jeez, we really need to move to a new listserv, this latency is
getting ridiculous. Posts on the educase lists are pretty much
instantaneous, but these seem to get delayed randomly for 30 mins or
more.

Does anyone else experience that?


Received: headers suggest something funny is going on in xs4all-land. 
For example, your first reply to the OP (sorry for the re-wrapping - 
local Exchange 2010 installation mangling RFC 822 headers here I'm 
afraid, am attempting to restore readability manually ;o):


Received: from list5.xs4all.net (list5.xs4all.net [194.109.21.196])
 by smtp-vbr12.xs4all.nl (8.13.8/8.13.8) with ESMTP id r0FB4BUE062954
 ...
 for ;
 Tue, 15 Jan 2013 12:13:24 +0100 (CET)
 ...
Received: from list5.xs4all.net (localhost [127.0.0.1])
 by list5.xs4all.net (8.14.3/8.14.3/Debian-9.4)
 with ESMTP id r0FAkGj3032462
 for ;
 Tue, 15 Jan 2013 11:51:48 +0100


Re: how to call stored procedure in free-radius server

2013-01-15 Thread Phil Mayers

On 15/01/13 11:30, Lakshmi Narayana Baliah wrote:

Hi Arran,

Thanks for your reply. I have created a stored procedure (myS1Request) in an oracle 
database 11g as shown below; the procedure takes input and output parameters.
The below procedure should be called in the SQL module in Free-radius for 
Authentication and Authorization purposes.




please help me with how I can proceed...


Calling a stored procedure is the same as doing any other SQL query. You 
can either force the input/output to match the radcheck/radreply schema 
using SQL, or use the SQL xlat syntax like so:


authorize {
  ...
  update request {
    Tmp-String-0 := "%{sql:select storedproc('%{Arg1}',...)}"
  }
  ...
}


Re: Slow Ldap Authorization

2013-01-14 Thread Phil Mayers

On 01/15/2013 07:45 AM, Phil Mayers wrote:

On 01/11/2013 10:15 PM, Tyler Brady wrote:


 basedn = "DC=company,DC=com"


Try setting a more specific (longer) base DN. As Arran has pointed out,
you're getting LDAP referrals. Active Directory likes to do this if you
query the LDAP tree from a point "above" >1 database, even though
they're all available from the same server.


Sorry, I've just realised another thing you can try - disable referral 
chasing. This is an option on the ldap module - try this:


ldap {
  ...
  chase_referrals = no
}

...this may be more workable than changing base DN, if I'm inferring 
your AD layout correctly ("everything under top-level").



Re: Slow Ldap Authorization

2013-01-14 Thread Phil Mayers

On 01/11/2013 10:15 PM, Tyler Brady wrote:


 basedn = "DC=company,DC=com"


Try setting a more specific (longer) base DN. As Arran has pointed out, 
you're getting LDAP referrals. Active Directory likes to do this if you 
query the LDAP tree from a point "above" >1 database, even though 
they're all available from the same server.


Preferably you'll have an OU below which are only objects, not more AD 
LDAP databases (including ADs own "internal" DBs, "CN=Configuration" and 
the like).


If you're not familiar with the steps involved to get there, you'll need 
some assistance I'm afraid - and this list can't really provide it, that 
being an AD-specific issue.



Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Phil Mayers

On 01/11/2013 08:32 PM, Arran Cudbard-Bell wrote:


Have you added nostrip for all the realms? The only way I can see it
clobbering username is if stripping is enabled.


Isn't the problem the special request->username attribute? AFAICT the 
pairmove code handles this specially ("fixup") but I'm not sure rlm_perl 
does the same?


If that is the case, OP may find that putting the new username in an 
interim / temp variable then forcing update via unlang works:


authorize {
  ...
  myperl
  update request {
    User-Name := "%{The-Var}"
  }
  ...
}

This is a WAG though...


Re: Trying other authentication methods when the first is invalid

2013-01-11 Thread Phil Mayers

On 11/01/13 13:23, Meyers, Dan wrote:


Anyway, we have got some Juniper EX2200 switches. The problem with
these is that they do mac-auth as a 'fake' 802.1x auth. The request
has the User-Name attribute set to the MAC address correctly, but
also has an EAP-Message present, it just doesn't contain anything we
want to have to care about (It actually contains, once the eap header
has been decoded, the md5 of the mac-address). This causes the eap


Wait, what? Seriously? Can you show a debug of one of these requests?


module, if called in authorize, to think the request should be
handled by itself and set Auth-Type to EAP and expect to do eap-md5
(even if the default-auth-type in eap.conf is set to something else,
like peap). However, as we do not actually want to do an eap-md5 auth
we have no Cleartext-Password anywhere for the tens of thousands of
MAC addresses (with new ones every day, which we auth onto a special
'unregistered' network with limited access instead of rejecting) on
our network.


Hang on; is it EAP-MD5, or some "fake" EAP?

If it's EAP-MD5, what is the switch using as the password? A fixed 
value, or the MAC address?


You might find it's as simple as doing:

authorize {
  ...
  if (EAP-Message) {
    # a MAC address is 12 hex digits (assumes no separators in User-Name)
    if (User-Name =~ /^[0-9a-f]{12}$/) {
      # mac-based auth as EAP-MD5
      update control {
        Cleartext-Password := "%{User-Name}"
      }
    }
    eap
  }
  else {
    my_perl
  }
  ...
}





The eap module in this case returns 'invalid' in authentication,
rather than 'reject'. I was hoping I could detect this and tell it to
move on to perl if this happened. I can't seem to make that work. As
soon as eap returns invalid, all further processing is halted for
that request and FreeRADIUS jumps straight to the Post-Auth REJECT
section. Can anyone suggest a way around this?


Maybe. I'd need to see a debug of one of these horribly broken-sounding 
EAP requests. If it's actually broken, you're hosed. If it's just doing 
EAP-MD5 for mac-auth with some fixed or well-known password, you just 
need to set that password.

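Added example (not from Phil's reply, and not FreeRADIUS code): why the eap module needs a Cleartext-Password to complete an EAP-MD5 exchange, and the MAC normalisation the unlang check above relies on. It assumes, as the reply speculates, that the switch uses the MAC address itself as the EAP-MD5 password; a real switch may use a fixed secret instead. The challenge bytes are constructed.

```python
# Added example, not from the thread. EAP-MD5 (RFC 3748 section 5.4) reuses
# the CHAP computation from RFC 1994: Value = MD5(Identifier || secret ||
# challenge). The server can only verify that if it holds the secret in
# cleartext, which is why the unlang snippet sets Cleartext-Password.
import hashlib
import hmac
import re

# A MAC address is 12 lowercase hex digits once separators are removed.
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(user_name: str):
    """Return the MAC as 12 lowercase hex digits, or None if not a MAC."""
    candidate = re.sub(r"[:\-.]", "", user_name).lower()
    return candidate if MAC_RE.match(candidate) else None


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response(identifier: int, password: bytes, challenge: bytes,
                       name: bytes = b"") -> bytes:
    """Type-Data of an EAP-Response/MD5-Challenge: Value-Size, Value, Name."""
    value = md5_challenge_value(identifier, password, challenge)
    return bytes([len(value)]) + value + name


def parse_md5_type_data(type_data: bytes):
    """Split MD5-Challenge Type-Data into (value, name); None if malformed."""
    if not type_data:
        return None
    size = type_data[0]
    if size == 0 or len(type_data) < 1 + size:
        return None
    return type_data[1:1 + size], type_data[1 + size:]


def verify_md5_response(identifier: int, challenge: bytes, type_data: bytes,
                        cleartext_password: bytes) -> bool:
    """Server-side check of a response; fails closed on malformed input."""
    parsed = parse_md5_type_data(type_data)
    if parsed is None:
        return False
    value, _name = parsed
    expected = md5_challenge_value(identifier, cleartext_password, challenge)
    return hmac.compare_digest(value, expected)


if __name__ == "__main__":
    mac = normalise_mac("00:11:22:33:44:AB")
    challenge = bytes(range(16))  # constructed sample challenge
    response = build_md5_response(7, mac.encode(), challenge, mac.encode())
    print(mac, verify_md5_response(7, challenge, response, mac.encode()))
```

Without the matching Cleartext-Password (here the MAC) the check above can never succeed, which matches the behaviour described in the thread: eap claims the request and then has nothing to verify against.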


Re: FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

2013-01-10 Thread Phil Mayers

On 01/09/2013 08:42 PM, Matthew Ceroni wrote:

It appears that when Windows sends the username it sends it as
DOMAIN\\username.

The \\ causes the 5c to appear in the username. I confirmed this by
using the radtest tool and specifying the username as DOMAIN\\username.
A single \ causes the username to appear as DOMAINusername so that is
why double \\ are required.


No, you're misunderstanding what is going on.

"\" is the string escape character e.g. "\n" is "newline", "\t" is tab, 
etc. So to put a "\" in a quoted string needs "\\". FreeRADIUS in debug 
mode is printing the same thing you would have to type.


That is, windows is only sending "DOMAIN\username"

"\" is then LDAP-escaped to \5c as per normal LDAP escaping rules.

As to why it's not working - I seriously doubt that you actually have:

sAMAccountName: DOMAIN\user

...in Active Directory. Are you sure this is what you have?
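Added example (not from Phil's reply, and not rlm_ldap's code): the two things the reply explains, that a doubled backslash in a debug print is one literal backslash, and that rlm_ldap hex-escapes it to \5c before putting it in a filter. The escaping follows RFC 4515; the filter shape and the DOMAIN\user splitting are illustrative assumptions.

```python
# Added example, not from the thread. Shows the single backslash in
# "DOMAIN\user", the RFC 4515 filter escaping that turns it into \5c, and
# why escaping matters for any value taken from a RADIUS request.

# Characters RFC 4515 section 3 requires to be escaped inside a filter value.
_FILTER_SPECIALS = "\\*()\x00"


def backslash_count(user_name: str) -> int:
    """How many literal backslashes the string really contains."""
    return user_name.count("\\")


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append("\\%02x" % ord(ch))  # backslash + two hex digits
        else:
            out.append(ch)
    return "".join(out)


def sam_account_filter(user_name: str) -> str:
    """Build an (assumed) sAMAccountName filter with the value escaped."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(user_name)


def split_domain_user(user_name: str):
    """Split DOMAIN\\user into (domain, user); domain is None if absent."""
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return domain, user


if __name__ == "__main__":
    name = "DOMAIN\\user"          # typed with two backslashes, holds one
    print(repr(name), backslash_count(name))   # repr doubles it, like -X does
    print(sam_account_filter(name))            # ...=DOMAIN\5cuser
```

The last assertion in the test shows the defensive side of the same rule: a value such as `*)(objectClass=*` is neutralised by the escaping, so it cannot rewrite the filter rlm_ldap sends.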


Re: Failure with "TLS authentication" and "Freeradius on Fefora-17"

2013-01-09 Thread Phil Mayers

On 09/01/13 13:41, Ajay Garg wrote:


Followed the above, and compared the structures of certs generated on
Fedora-17 and Fedora-14.
The structures were identical.


Then you're doing something wrong on the client I'm afraid.


Re: Instantiation failed for module "sql" Errors initializing modules

2013-01-09 Thread Phil Mayers

On 01/09/2013 06:29 AM, Elizabeth Fife wrote:

Hi
I am using MAC OSX server. I was checking out the inbuilt freeradius. I
have not altered files related to this service and simply tried

radiusd -X

The following error was received
FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Apr


This is ancient. Upgrade.




/private/etc/raddb/sqlite_radius_client_database for #4
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #4
rlm_sql_sqlite: sqlite3_prepare() = 1
rlm_sql (sql): failed after re-connect


Your sqlite database is failing. Check it exists, has the schema 
defined, and that permissions allow FreeRADIUS to read it.



Re: FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

2013-01-09 Thread Phil Mayers

On 01/09/2013 12:43 AM, Matthew Ceroni wrote:

Hi:

I am running FreeRadius version 2.1.12 on a CentOS 6 machine.

For authentication I am using AD (ntlm_auth) and this works great. In
the request the username is sent as just the plain username (ie:
mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.

My problem is on the authorization side in which I am using LDAP to grab
the groups a user is in. In order to authenticate against ldap my bind
DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I
modify the User-Name or Stripped user name just for the LDAP


Don't modify the "User-Name" attribute; that can break certain auth types.

It's not really clear what you want to do, but you can either edit the 
LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local 
attribute "Full-User-Name" in raddb/dictionary - see the comments in 
there about attribute numbers - then reference that in your LDAP filters.



Re: Different BaseDN for User/Group Objects in rlm_ldap

2013-01-09 Thread Phil Mayers

On 01/09/2013 08:29 AM, Rudolph Bott wrote:



However, our groups are stored underneath "ou=groups,dc=example,dc=org"
- so rlm_ldap is not able to find them with the basedn shown above. We


Unsolicited advice: that's not a great schema, and you should look to 
move away from it.



are also not able to change the basedn to something else, since there is
a different user-tree underneath dc=example,dc=org which should not be
taken into account by freeradius.



Define a 2nd copy of the LDAP module with the base DN of the group area.

Run the 1st LDAP module before doing any group checks so that 
"Ldap-UserDN" is populated.


Check the per-instance Ldap-Group attribute of the 2nd instance.

Like so:

ldap {
  # base DN for users
}
ldap ldap2 {
  # base DN for groups
}

...

authorize {
  ...
  ldap
  if (ldap2-Ldap-Group == FOO) {
    # will search 2nd base DN using user DN of 1st module
  }
  ...
}

Alternatively, if your users are all in a flat hierarchy, you can 
hard-code Ldap-UserDN and skip calling the 1st module (unless you need 
data from there, of course)



Re: Failure with "TLS authentication" and "Freeradius on Fefora-17"

2013-01-09 Thread Phil Mayers

On 01/09/2013 06:15 AM, Ajay Garg wrote:


However, I get the exact same earlier dreaded logs :(


Sigh. This really is the thread of doom.

Find a working CA/server cert (from another machine, generated with the 
same steps) and your failing ones.


Then compare the output of:

openssl x509 -noout -text -in ca.pem
openssl x509 -noout -text -in server.pem

If the certs differ substantially (applying common sense to fields that 
must differ, like key hashes, dates, serial numbers, etc.) then there 
might be an issue with cert generation.


If no, you're doing something wrong - much more likely IMO.


Re: EAP-SIM configuration on FreeRadius

2013-01-08 Thread Phil Mayers

On 08/01/13 17:26, Muhammad Usman wrote:

Thanks for your reply..i tried but remained unsuccessful, can you kindly
send me any link or thread where it was discussed. Thanks again


See this thread:

http://lists.freeradius.org/pipermail/freeradius-users/2012-September/062721.html

However, the upshot is - you need a version *after* 2.2.0 was released 
to be sure of having working code. Check out the v2.2.x git branch 
and recompile.



Re: Kerberos - Radius does not get password

2013-01-08 Thread Phil Mayers

On 08/01/13 10:31, Khapare Joshi wrote:


I am running on:
CENTOS6
samba-winbind-3.5.10-125.el6.x86_64
samba-3.5.10-125.el6.x86_64
samba-common-3.5.10-125.el6.x86_64




Ok. Unfortunately this isn't nearly enough data to speculate about what 
your problems might be. To be honest, I don't even know what data 
*would* tell us that - but it would certainly include your AD server OS 
version and domain functional level.


But this is really off-topic - if you have Samba problems, the Samba 
list is the place to discuss them.





and DEFAULT AUTH-Type = kerberos in users file.


No, this is wrong. Don't do this. It may stop you doing mschap.

If you *must* set Auth-Type, you need to ensure it's done correctly - 
only set if unset, and if it's PAP - which can be done in unlang like so:


authorize {
  ...
  eap
  mschap

  # if Auth-Type isn't set yet
  if (!control:Auth-Type) {
    # AND if it's a PAP request (contains User-Password)
    if (User-Password) {
      # use Kerberos
      update control {
        Auth-Type := kerberos
      }
    }
  }
  ...
}


To make this work, I still have to configure samba, join radius server
to AD and so on for the AD authentication right ?


Yes.


but, kerberos only works with PAP, is there a security risk - what is
your view on this?


View on what?

Vague questions like "is there a security risk" don't really mean anything.

Let me answer a different question:

In my opinion, given current state-of-the-art in cryptography, TTLS/PAP 
is not appreciably more or less secure than PEAP/MSCHAP. They both have 
very similar security properties, and are close to identical at the 
protocol level.


The use of TTLS/PAP provides more options in backend password storage / 
authentication server, but that's separate from the security of the 
protocol.



Re: Memory leak in FR 2.1.10 and 2.2.0 ?

2013-01-08 Thread Phil Mayers

On 08/01/13 08:37, Philippe MARASSE wrote:


  - valgrind log on my production server


What did the valgrind log show? It's normally pretty good at catching 
actual leaks.



Re: Freeradius2-2.1.12-4 crashes everyday

2013-01-08 Thread Phil Mayers

On 01/08/2013 12:22 AM, Faisal M.A wrote:

Hi,
My radius server is crashing almost everyday and I'm not sure what
is the issue.


That's pretty vague.

First, upgrade to 2.2.0 to see if it's a bug that's already fixed.

If that doesn't help and it's actually "crashing", see "doc/bugs" in the 
source; this describes the process for running the server under GDB and 
obtaining a traceback.



Re: default Fall-Through = Yes for groups

2013-01-08 Thread Phil Mayers

On 01/07/2013 11:30 PM, Strong, Mark wrote:

Guys, Is there an option to set Fall-Through = Yes for groups as
default, just wanted to avoid having Fall-Through = Yes in every
group I have in radgroupreply.


Nope. You could modify the SQL queries to do this, depending on your SQL 
database e.g.


select attribute, op, value from radgroupreply where groupname=...
union all
select 'Fall-Through','=','yes' where not exists (
  select 1 from radgroupreply
  where
  attribute='Fall-Through'
  and
  groupname=...
)
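Added example (not from Phil's reply, and not FreeRADIUS's own query): the "default Fall-Through" query exercised against a constructed radgroupreply table in SQLite, so the two cases (group defines Fall-Through, group does not) can be seen side by side. The table contents and group names are constructed, and the bound `?` stands in for the `%{Sql-Group}` expansion rlm_sql would perform.

```python
# Added example, not from the thread. Runs a query of the same shape as the
# one in the reply against an in-memory SQLite table: the group's own reply
# rows, plus a synthetic Fall-Through row only when the group has none.
import sqlite3

# Constructed sample data: "staff" sets Fall-Through itself, "guests" does not.
SAMPLE_ROWS = [
    ("staff", "Tunnel-Type", "=", "VLAN"),
    ("staff", "Fall-Through", "=", "No"),
    ("guests", "Tunnel-Type", "=", "VLAN"),
    ("guests", "Tunnel-Private-Group-Id", "=", "20"),
]

# Both "?" are the group name (rlm_sql would expand %{Sql-Group} here).
GROUP_REPLY_QUERY = """
SELECT attribute, op, value
  FROM radgroupreply
 WHERE groupname = ?
UNION ALL
SELECT 'Fall-Through', '=', 'Yes'
 WHERE NOT EXISTS (
       SELECT 1 FROM radgroupreply
        WHERE attribute = 'Fall-Through'
          AND groupname = ?)
"""


def build_db() -> sqlite3.Connection:
    """Create the radgroupreply table (2.x column names) with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radgroupreply ("
        " id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT,"
        " op TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO radgroupreply (groupname, attribute, op, value)"
        " VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def group_reply(conn: sqlite3.Connection, groupname: str):
    """Reply items rlm_sql would receive for one group: (attribute, op, value)."""
    return conn.execute(GROUP_REPLY_QUERY, (groupname, groupname)).fetchall()


def fall_through_value(conn: sqlite3.Connection, groupname: str):
    """The effective Fall-Through value for a group, or None."""
    for attribute, _op, value in group_reply(conn, groupname):
        if attribute == "Fall-Through":
            return value
    return None


if __name__ == "__main__":
    db = build_db()
    for group in ("staff", "guests"):
        print(group, group_reply(db, group))
```

A group that explicitly sets `Fall-Through = No` keeps it, so the synthetic row only fills in the default and never overrides an administrator's choice. Whether a FROM-less `SELECT ... WHERE NOT EXISTS` is accepted depends on the database, as the reply notes; SQLite and PostgreSQL take it as written.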


Re: Freeradius2-2.1.12-4 crashes everyday

2013-01-08 Thread Phil Mayers

On 01/08/2013 02:15 AM, Faisal M.A wrote:

I've checked /var/log/radius but one of them is binary and the other one is
capturing the login details.

It's hard to tell when it crashed.


How can you *not* know when it crashed? Aren't you monitoring it?

Is it roughly the same time every day?


Re: attribute type error

2013-01-08 Thread Phil Mayers

On 01/08/2013 03:48 AM, Yashaswini Sathyanarayana wrote:

Hi ,
By default all standard attribute like user-name, user-password are of 
type 1 and length 1.


This is wrong. I don't know what you think you mean, but standard 
attributes each have a different type, and different lengths.



But kineto attributes are of type 2 and length 2.


Again, I don't know what you mean.


So is there a way to make "RFC-2865" dictionary that is added in free 
radius to type 2.


Are you referring to the "encryption type", as specified in the 
dictionaries like this:


ATTRIBUTE   name   number   type   encrypt=2

Help us out here - give us a reference or example so we can understand 
what you are saying.



Re: Kerberos - Radius does not get password

2013-01-07 Thread Phil Mayers

On 07/01/13 16:49, Khapare Joshi wrote:

Hello

I have been having the problem listed in this bug report:

https://bugzilla.samba.org/show_bug.cgi?id=6563#c59

I know of at least a few universities having a similar issue that ended up
restarting winbind - that resolves the issue. I am not sure which version
of samba+winbind you are using?


We are on RHEL5 using samba3x-3.3.8-0.52.el5_5.2. Our domain is Windows 
2008R2, domain functional level is 2008R2 native.




Also, I am just thinking, is there a way to configure both kerberos
(which works TTLS with PAP) and EAP-PEAP with MSCHAPv2 ? if it is
possible I can support both TTLS via kerberos and PEAP - MCHAP with
Active directory (winbind and samba). This way I can continue support
older $$$client xp, win7 and for rest those are supported I can enforce
to use TTLS-PAP with kerberos. It would be great if you direct me in
right road.


Yes you can do this. I'm not sure what you're asking. You just configure 
each component correctly and let it work.


This is only very slightly tricky because rlm_krb5 doesn't contain any 
Auth-Type handling; you need to run krb5 if it's a PAP request, see 
below. But you must already be doing this if you're using Kerberos, so 
just... keep doing it.



sites-enabled/inner-tunnel:

authorize {
  ...
  eap
  mschap
  pap
  ...
}

authenticate {
  Auth-Type PAP {
    krb5
  }
  Auth-Type MSCHAP {
    mschap
  }
  eap
}

...then configure "eap {}" appropriately for TTLS and PEAP.


Re: rlm_sql_null not building

2013-01-07 Thread Phil Mayers

On 07/01/13 16:28, Phil Mayers wrote:

I don't have the time to try and decipher the build system shenanigans,
so I don't know why; this is from a tarball (NOT a git checkout) of
"master" as of a few minutes ago.

Maybe the empty "TARGET="?



Yeah that was it; pull request #161 opened


rlm_sql_null not building

2013-01-07 Thread Phil Mayers
I don't have the time to try and decipher the build system shenanigans, 
so I don't know why; this is from a tarball (NOT a git checkout) of 
"master" as of a few minutes ago.


Maybe the empty "TARGET="?


Re: rlm_sql_null not building

2013-01-07 Thread Phil Mayers

On 07/01/13 16:28, Phil Mayers wrote:

I don't have the time to try and decipher the build system shenanigans,
so I don't know why; this is from a tarball (NOT a git checkout) of
"master" as of a few minutes ago.

Maybe the empty "TARGET="?



Sorry all, meant to send to -devel - I blame autocomplete...


Re: Failure with "TLS authentication" and "Freeradius on Fefora-17"

2013-01-07 Thread Phil Mayers

On 07/01/13 13:18, Ajay Garg wrote:

I tried attaching the debug log-file, but the mail-message was rejected
by the mailing list for exceeding 100KB

How am I supposed to attach the complete logs?


You're supposed to *look* at them first; I'd give strong odds the answer 
you seek is in there.


Is a debug log for 1 EAP session really >100kb these days?

Maybe stick them on a pastebin somewhere.


Re: EAP-SIM configuration on FreeRadius

2013-01-07 Thread Phil Mayers

On 01/07/2013 10:10 AM, Muhammad Usman wrote:

Dear All, Any thoughts on this??


Various eap-sim issues have been discussed on the lists in the last few 
months. Read the archives for more details.


IIRC the fixes are in 2.x.x branch - not all were in the release version 
of 2.2.0. Download 2.x.x from git and compile locally, and try again.



Re: Different reply attributes for same username in rlm_sql

2013-01-04 Thread Phil Mayers

On 04/01/13 14:18, Joe Rogers wrote:


I am having difficulties implementing the following users file
configuration in sql using freeradius 2.2.0:

user1 Calling-Station-Id == "xx-xx-xx-xx-xx-xx"
 Tunnel-Private-Group-ID = VLAN1,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Type = VLAN

user1 Calling-Station-Id == "yy-yy-yy-yy-yy-yy"
 Tunnel-Private-Group-ID = VLAN2,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Type = VLAN

I'm attempting to send different reply attributes for the same username
based on different check attributes.  But, I'm having a hard time seeing
how this is possible with rlm_sql using the default
authorize_check_query and authorize_reply_query settings.  I can
certainly re-write those queries, but I'm hoping that I'm simply
overlooking the proper way to configure this.


I think you need to rewrite the queries. IIRC there is no way to have >1 
set of radcheck/radreply users for a single user; the check/reply 
entries are merged.


You can probably (ab)use the groups functionality to do this.

Or, don't use the radcheck/radreply stuff at all; instead use an SQL 
xlat in "unlang":


post-auth {
  update reply {
    Tunnel-Private-Group-ID = "%{sql:select vlan ... where ...}"
    Tunnel-Medium-Type = IEEE-802
    Tunnel-Type = VLAN
  }
}


Re: getting additional functionality, snmp or external program

2012-12-29 Thread Phil Mayers

On 12/29/2012 04:00 AM, Duane Cox wrote:

I think this is possible, but wanted to make sure and ask what would be
the best way to do this…

ie. Execute an external program or create a module.

I’m authenticating cable modems using freeradius with a sql database
backend.

What I want to do, is after the authentication process, query the cable
modem using snmp (retrieving data) and store this data back into the
already connected database.

Is anyone doing such a thing?


If I've understood what you want correctly, you don't need to query 
within the auth - "post" post-auth would be fine i.e. after the 
Access-Accept was sent?


If so, my suggestion would be to do this externally to FreeRADIUS. After 
auth, write a log entry or SQL row with the auth info; then have an 
external work process (daemon or cron job) execute those queries and 
update the "connected" row.


If you do it within FreeRADIUS, you risk blocking the server if an SNMP 
query is slow or suffers packet loss / retransmit.


If you must do it within FreeRADIUS, there's a bunch of ways e.g. write 
a perl script and run it with rlm_perl. Alternatively use rlm_exec to 
run an external script, possibly with "wait = no" to avoid blocking the 
server - but the fork/exec cycle will limit your performance significantly.


Writing a module is almost certainly not the right solution.


Re: Kerberos - Radius does not get password

2012-12-29 Thread Phil Mayers

On 12/28/2012 10:41 PM, Alan Buxey wrote:

Hmm, having run FR with AD authentication using winbindd and samba for
many many years I am interested in what problems with those daemons you
were having ... why need the frequent restarts etc.  eduroam certainly
wouldn't have had the high take-up we've seen in eg Europe if all sites
had to reengineer their backend authentication and couldn't use
PEAP/MSCHAPv2


In fairness, we've seen the occasional problem, though very rarely, that 
has required a restart of winbind.


I have the impression that winbind is extremely (and I do mean 
extremely) sensitive to certain aspects of an AD configuration, such as 
your domain "level", version of domain controllers, group policy 
mandating SMB sign/seal, and so forth. So there are a lot of variables 
in there. Maybe academic sites trend towards a config that's more forgiving?


Winbind also only ever talks to one domain controller at a time, and 
takes an age to failover (90+ seconds) if that DC goes away. On a couple 
of occasions, the problems we've had have followed a DC being taken out 
of service, and have necessitated a restart of both smbd and winbindd - 
winbind just seems to hang. But on other occasions, it hasn't been a 
problem - weird.


I also suspect it's *highly* dependent on the Samba version. Many people 
just run the packaged OS version, and these are often older 3.x releases 
that don't play well with their combination of features.


Just to repeat: the problems we've had are rare. But software is usually 
fairly deterministic and I guess if other people experience the triggers 
more often, they'll have the problems more often.


If I had the time, I'd engage in some serious resilience testing of a 
samba/winbind config as used for MSCHAP and try and identify the cause 
(and open some bugs) and any mitigations. But I don't :o(


Unfortunately, if you run AD and have significant numbers of Windows 
clients, you don't really have any choice but to use MSCHAP, and thus 
samba/winbind, IMO.



RE: AP> FR> LDAP authentication reject

2012-12-28 Thread Phil Mayers
Sigh. No. There are no packets in that debug. How do you expect people to read 
a debug unless it contains an authentication attempt?

> ... adding new socket proxy address * port 51195
>Listening on authentication address * port 1812
>Listening on accounting address * port 1813
>Listening on command file /var/run/radiusd/radiusd.sock
>Listening on authentication address 127.0.0.1 port 18120 as server
>inner-tunnel
>Listening on proxy address * port 1814
>Ready to process requests.
>.
>.
>.
-- 
Sent from my mobile device, please excuse brevity and typos.


Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Phil Mayers

On 12/27/2012 03:19 PM, spartan1...@hushmail.com wrote:


...but if not then ok I was simply trying to figure out if I was
able to control machine-only 802.1x authentication against
FreeRADIUS in a manner similar to how "simple" user authentication
appears to be done (via the users file). From your response, it
appears that the answer is "NO" and that an LDAP configuration /
LDAP groups will be required.


Not so - that's not what Alan said. You mentioned LDAP - he naturally 
assumed you were looking in that direction.


You can use the "users" file; but you need to alter the config slightly, 
and due to the way EAP-TLS runs in 2.x, you need to use it in a 
particular way.


Try this:

/etc/raddb/modules/tls_clients:

files tls_clients {
  key = "%{TLS-Client-Cert-Common-Name}"
  usersfile = "/etc/raddb/tls_clients"
}

/etc/raddb/sites-enabled/default

post-auth {
  ...
  if (TLS-Client-Cert-Common-Name) {
    tls_clients.authorize
    if (notfound) {
      # reject unknown users
      reject
    }
  }
  ...
}

Modify as appropriate for your needs.



I'll look into that as time allows...and while I appreciate your
quick response, I think that your comment below is a bit
unwarranted - one of the points of user groups is to be able to ask
the question "I don't know how...at least this has been the case
for the last 15 years that I have been doing this stuff."


Unfortunately, the FreeRADIUS community does not have the depth and 
breadth to provide the level of support and documentation that something 
like Apache or Samba does. This means there is more onus on you to be 
specific.


I have my theories about *why* this difference exists - specifically, 
that FR is a complex infrastructure daemon, which people set up and 
forget, as opposed to a framework that they constantly use. You see 
similar issues on other projects (ISC bind, for example) that have these 
attributes. But whatever the reason, most people post to this list a few 
times, then vanish - they don't answer questions to people who follow 
them, write docs or wiki articles, or contribute code.


This leads to a relatively small pool of people who can answer, and to 
the expectation that you be specific so those people can use their time 
efficiently. Don't take it personally - it's just a function of the 
community size.


Cheers,
Phil


Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Phil Mayers

On 12/27/2012 02:32 PM, spartan1...@hushmail.com wrote:


I played around with the users file in FreeRADIUS but it didn't
seem to have any effect unless I put a DEFAULT Auth-Type Reject in
the file which blocked everyone regardless of what else I had in
the users file. I've Googled around a bit but haven't found any
definitive guides on how I would do a FreeRADIUS analog to Windows
IAS/NPS policies other than having to include ldap servers and/or
other types of external authentication systems which I'm not really
interested (at this point) in doing.


LDAP is not an authentication system (not really). It's a directory, 
which is a form of database.


You are, obviously, going to need some form of "database" in which your 
policy "memberships" are stored; FreeRADIUS provides several built-in 
modules (LDAP, SQL, files, passwd-style) that can do this.


However - you're going to run into the fact that EAP-TLS as implemented 
in the 2.x branch doesn't offer very much in the way of authorization - 
the only place you can run a database lookup and be sure you have the 
TLS cert details is post-auth (a virtual server step was added in 
master/3.x).


Basically:

 1. Define a local attribute in raddb/dictionary to hold your groups. 
Note carefully the stuff in the default dictionary file about local 
attribute numbers.


 2. Configure one of the various data lookup modules (passwd and files 
are the simplest but least flexible) to lookup the groups based on the 
TLS cert attributes (see below)


 3. Run this module in the post-auth section, and act on the result.

raddb/sites-available/default contains comments to this effect in 
post-auth - search for "TLS-Client" in that file, which also tells you 
the various TLS cert attributes you can use.


About the only difficult bit is step 2; I thought I'd written something 
in the wiki about this, but I can't find it (and I can't log in anymore).


If you've got a more specific question, I'll try to reply, but you'll 
need to do a bit of research into the various "database" modules and 
decide which one you want to use first.



Wiki requires email?

2012-12-27 Thread Phil Mayers
I can no longer log into the wiki with my github account - seems the 
wiki now requires that I expose an email publicly in my github profile 
(something I am not going to do). Is this intentional? What's the rationale?



Re: Question about the behavior of sql.conf

2012-12-27 Thread Phil Mayers

On 12/27/2012 06:00 AM, ichiro tanaka wrote:

Hello

I'm using freeradius 2.1.12. I'm trying to set up sql.conf.
But there is one question.
I made a set of 'safe-character' connection config of the sql.conf.
However, the safe-character being used in the connection is the last one (B)
(when I use A, B will be used in this case).

Do you think there is a reason what is this?


This is a limitation of 2.x

It is fixed in the "master" branch, which will become 3.0


Re: Question about the behavior of sql.conf

2012-12-27 Thread Phil Mayers

On 12/27/2012 06:20 AM, Fajar A. Nugraha wrote:

On Thu, Dec 27, 2012 at 1:00 PM, ichiro tanaka  wrote:


I made a set of 'safe-character' connection config of the sql.conf.
However, the safe-character being used in the connection is the last one (B)
(when I use A, B will be used in this case).

Do you think there is a reason what is this?


Short version: known problem, hard to fix.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg72933.html



Actually - not any more! Fixed in HEAD/3.0. We re-worked the xlat stuff 
to pass "context" arguments to xlat functions. So, safe-characters is 
now per-instance.


I need to add SQL driver-based escaping next.


Re: freeRadius 2.x

2012-12-20 Thread Phil Mayers

On 12/20/2012 05:14 PM, rosect...@yahoo.com wrote:

It is noticed that some VSAs are sent with Access-Challenge but not with
Access-Accept when PEAP is used.

Is there a way to configure the server such that those attributes are
sent with Access-Accept?


"use_tunneled_reply = yes" under the "peap {}" section in "eap.conf".

In addition, if you're seeing the VSAs in Access-Challenge, it's most 
likely because you're returning them in the "authorize" section. Instead, 
consider returning them in the "post-auth" section of the "inner-tunnel" 
server, combined with the config above.


There are other options, depending on your needs.

