Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited)
Gary, You're looking for 'iptables -nvL | grep 3306' to produce something like this: 0 0 ACCEPT tcp -- * * 192.168.21.2230.0.0.0/0 tcp dpt:3306 -sth sam hooker|s...@noiseplant.com|http://www.noiseplant.com I have not failed, I've just found 10,000 ways that won't work. Thomas Edison - Original Message - ping isn't the same as a open udp port. run the command: /sbin/iptables-save and past the output. If it's not the firewall then it's probably ACLs as those are really the only two things that are going to return a admin-prohib icmp packet. Cheers, Harry On 07/27/2011 09:06 AM, gary wrote: Hi Harry radius server and nas ping no problem each other. checking firewall no problem. the OS is Fedora 12. Best Regards Gary BROWAN COMMUNICATIONS INC. Tel:886-3-600-6899 ext.4842 Fax:886-3-597-2970 e-mail:gary.y...@browan.com - Original Message - From: Harry Hoffman hhoff...@ip-solutions.net To: gary gary.y...@browan.com; freeradius-users@lists.freeradius.org Sent: Wednesday, July 27, 2011 7:19 PM Subject: Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited) Did you open your firewall? Redhat-like distros send dest-prohib by default for ports blocked by iptables. Cheers, Harry gary gary.y...@browan.com wrote: Hi All I have trouble about freeradius+mysql. I configured freeradius(2.1.10) +mysql(5.5.14) and selftest by radtest everything is okay. But when I try external nas client it always returns null response. the setup as below. PC(client)===wireless AP(nas,192.168.21.223)===radius server(192.168.21.30) my nas table: mysql select * from nas; +++-+---+--+--+--+---+-+ | id | nasname | shortname | type | ports | secret | server | community | description | +++-+---+--+--+--+---+-+ | 1 | 192.168.21.223 | 192.168.21.223 | other | NULL | testing123 | NULL | NULL | RADIUS Client | | 3 | 127.0.0.1 | localhost | other | NULL | testing123 | NULL | NULL | RADIUS Client | +++-+---+--+--+---+---++ radcheck table: mysql select * from radcheck; +++---+++ | id | username | attribute | op | value | +++---+++ | 1 | gary | User-Password | := | gary | | 2 | test | User-Password | := | test | | 3 | 001d09cb2715 | User-Password | := | test | +++---+++ 192.168.21.223 is the wireless AP(nas) and my radius server is 192.168.21.30. I am using wireshark to capture the packets and it shows destination unreachable(host administratively prohibited). see screenshot as below. Can anyone help me? Best Regards Gary - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited)
Sorry, I meant 'iptables -nvL | grep 1812' should yield something like THIS: 0 0 ACCEPT udp -- * * 192.168.21.223 0.0.0.0/0 udp dpt:1812 -sth You're looking for 'iptables -nvL | grep 3306' to produce something like this: 0 0 ACCEPT tcp -- * * 192.168.21.223 0.0.0.0/0 tcp dpt:3306 -sth sam hooker|s...@noiseplant.com|http://www.noiseplant.com I have not failed, I've just found 10,000 ways that won't work. Thomas Edison - Original Message - ping isn't the same as a open udp port. run the command: /sbin/iptables-save and past the output. If it's not the firewall then it's probably ACLs as those are really the only two things that are going to return a admin-prohib icmp packet. Cheers, Harry On 07/27/2011 09:06 AM, gary wrote: Hi Harry radius server and nas ping no problem each other. checking firewall no problem. the OS is Fedora 12. Best Regards Gary BROWAN COMMUNICATIONS INC. Tel:886-3-600-6899 ext.4842 Fax:886-3-597-2970 e-mail:gary.y...@browan.com - Original Message - From: Harry Hoffman hhoff...@ip-solutions.net To: gary gary.y...@browan.com; freeradius-users@lists.freeradius.org Sent: Wednesday, July 27, 2011 7:19 PM Subject: Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited) Did you open your firewall? Redhat-like distros send dest-prohib by default for ports blocked by iptables. Cheers, Harry gary gary.y...@browan.com wrote: Hi All I have trouble about freeradius+mysql. I configured freeradius(2.1.10) +mysql(5.5.14) and selftest by radtest everything is okay. But when I try external nas client it always returns null response. the setup as below. PC(client)===wireless AP(nas,192.168.21.223)===radius server(192.168.21.30) my nas table: mysql select * from nas; +++-+---+--+--+--+---+-+ | id | nasname | shortname | type | ports | secret | server | community | description | +++-+---+--+--+--+---+-+ | 1 | 192.168.21.223 | 192.168.21.223 | other | NULL | testing123 | NULL | NULL | RADIUS Client | | 3 | 127.0.0.1 | localhost | other | NULL | testing123 | NULL | NULL | RADIUS Client | +++-+---+--+--+---+---++ radcheck table: mysql select * from radcheck; +++---+++ | id | username | attribute | op | value | +++---+++ | 1 | gary | User-Password | := | gary | | 2 | test | User-Password | := | test | | 3 | 001d09cb2715 | User-Password | := | test | +++---+++ 192.168.21.223 is the wireless AP(nas) and my radius server is 192.168.21.30. I am using wireshark to capture the packets and it shows destination unreachable(host administratively prohibited). see screenshot as below. Can anyone help me? Best Regards Gary - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
returning an arbitrary attribute from LDAP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi folks, I'm trying to ascertain how to have radiusd return an arbitrary attribute with each successful authentication. My radiusds are doing PEAP/MS-CHAPv2 against Kerberos for authn, and it seems like activating rlm_ldap for authz will cause Auth-Type = LDAP to enter my world, which I'm betting will break things. Also, I'm fuzzy as to where I'd do this sort of thing anyway; it seems that post-auth would be the place to start, but am uncertain. Any guidance you could offer (including pointers to existing mailing list threads or other docs) would be much appreciated. Cheers, - -sth sam hooker|s...@noiseplant.com|http://www.noiseplant.com I have not failed, I've just found 10,000 ways that won't work. Thomas Edison -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.8 (Darwin) Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.9) iEYEARECAAYFAkrTglwACgkQX8KByLv3aQ2jdgCgpmoEskDoJGeoN2+ySzKRUqK9 /RUAoMGhPZ651eOj3oXGBtSf8ihwcHWO =e5Qa -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accounting with 802.1X: some clients trigger multiple starts at a time
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alan DeKok wrote: My $0.02 is that the NAS is broken (big surprise). It's likely doing DHCP snooping to determine session IP address. Interesting. I suppose this would be the least of several evils, if they can't be guaranteed to be in the same Ethernet broadcast domain as the supplicant stations. Is there a better way? Remember: The NAS sends accounting packets whenever it wants. The contents of the accounting packets are determined SOLELY by the NAS. I hadn't consciously recognized it was that arbitrary; makes sense, though. The clients MAY be requesting those IPs. e.g. The user takes a laptop home, it gets a private IP. When he shows back up at work, the OS may try to first renew that IP... and when it gets no response, ask for a different IP. Yeah, that was one of my early theories, when I started noticing this (and before realizing the preponderance of *ahem* unofficial networks). So the big question is: what NAS is causing the problem? Cisco LWAPP controllers. The detail module doesn't care about the contents of the packet. The SQL module does. If it doesn't like the contents, it won't log it. Important safety tip: thanks, Egon. ;-) Maybe suppress multiple accounting starts in the same second? This sounds promising: How would you recommend doing it? I'm still new to the manipulation of RADIUS conversations, so hints are most welcome. Tell the rogue department to buy an AP that works. Well, they're using a client bridge (and must be NATting), so no rogue AP...at least not in this particular case. Although there are plenty of those, too. Thanks, Alan! Cheers, - -sth sam hooker|s...@noiseplant.com|http://www.noiseplant.com Are you satisfied? ([y]/n): -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.8 (Darwin) Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.5) iEYEARECAAYFAkoWqjgACgkQX8KByLv3aQ0MWwCfaK3kcKJDj+OeQ/3wi/mIzlxf y9kAnjjXCNMPguX3bJkkK67WDaCt5AdI =yJVA -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: clients
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - jon jon free9...@gmail.com wrote: hello, I am new to Freeradius, I am trying to use NTRadPing testing tool to send packets to my Freeradius server. I keep getting Ignoring request to authentication address * port 1812 from unknow client error message. So, the question you will ask me is did I add the client to the client.conf file. I thought I did but maybe not corectly. this is what I added to my client.conf file client ip address { secretname = testing123 shortname = private-network } is this correct? Do you literally have the keyword as secretname? Because it should be simply secret. For instance: client 10.1.8.9 { secret = testing123 shortname = foo-server } Cheers, - -sth sam hooker|s...@noiseplant.com|http://www.noiseplant.com Are you satisfied? ([y]/n): -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.8 (Darwin) Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.5) iEYEARECAAYFAkoWy2YACgkQX8KByLv3aQ1pkACgwUPfqycv4JNxszT1ZWrFpS9s 4YYAnR4wV1e0HEw659Uzd83BTgy0FPLD =bWrB -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
accounting with 802.1X: some clients trigger multiple starts at a time
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi folks, We're running SQL accounting for the FR servers authenticating our 802.1X users, now. I'm seeing some annoying duplicate entries, and am wondering if anyone else has had this experience: mysql SELECT acctsessionid, username, nasipaddress, acctstarttime, callingstationid FROM radacct WHERE acctstoptime IS NULL ORDER BY acctstarttime; +---++-+-+--+ | acctsessionid | username | nasipaddress| acctstarttime | callingstationid | +---++-+-+--+ ... | 4a15bfef/00:23:12:07:e9:c4/74507 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | 192.168.2.17 | | 4a15bfef/00:23:12:07:e9:c4/74505 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | w.x.38.213 | | 4a15bfef/00:23:12:07:e9:c4/74514 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | 10.250.61.133| | 4a15bfef/00:23:12:07:e9:c4/74516 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | 192.168.1.25 | | 4a15bfef/00:23:12:07:e9:c4/74513 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | w.x.38.213 | ... I would think this to be pretty normal-looking, except: 1) in this particular group, all the usernames and MAC components of the acctsessionid are the same (i.e., this is one node causing multiple accounting starts to be sent); and 2) our 802.1X wireless clients would not have IP addresses in RFC1918 space. Ever. Most of the time, a group like this will include an address in our real wireless address range (that's what I've replaced with w.x.38.213), but sometimes not. If the callingstationid weren't different for each entry, I'd think retries or EAP-FAST. (I think I see EAP-FAST activity going on elsewhere; or, at least, that's what I assume it is.) As far as I can tell, this occurs pretty infrequently, given the number of users we have, but it does occur consistently for a given set of users in a given day, which makes me think it's something about their location on the network. Reducing all the accounting detail to a spreadsheet, I see that this is a flurry of start and stop messages (and one Interim-Update!), and will comb through that closely tomorrow morning. Seems odd, though, that there would be a stop logged to the detail, but not to SQL, in this case. I have little- to no visibility into the networking configuration (our systems and network groups bristle at each other; a situation I'm trying to remedy), but I do know this: One department is located across the street from our main campus. It connects to the Internet by way of a commodity ISP. It is, however, close enough to pick up one of our APs, and the enterprising IT guy for that department has set up a Windows box as a wireless client, and bridged that into their LAN for access to institutional resources. (He has been duly chastised for this.) In at least that case, I've seen their LAN IPs (in a reasonably-unusual RFC1918 subnet) as the callingstationid. (Oddly, though, this is sometimes the LAN IP of their print server, or default gateway -- some artifact of bridging?) This makes me think that there are more clients out there that can see more than one subnet at a time, and just report in with whatever IP they feel like. I suppose my real question is this: Is there anything I can do, from the FR server end, to winnow out one reliable accounting entry per event? Sure, I can make my reports (like 'radwho') filter WHERE callingstationid LIKE 'w.x.%', but that runs the risk of missing entries where the group fails to include one of our legit addresses. Alternatively, has anyone else faced this and addressed it on the client side? (Tell the rogue departments to comply with your network policies, is a valid answer and, frankly, my favorite.) As ever, pointers to pre-existing threads answering this are welcome; I couldn't come up with the right combination of search terms to find them myself... Cheers, - -sth sam hooker|s...@noiseplant.com|http://www.noiseplant.com Are you satisfied? ([y]/n): -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.8 (Darwin) Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.5) iEYEARECAAYFAkoVzbIACgkQX8KByLv3aQ3tVQCdEOfZCztHLnmvCvfiuax1Y6Qu pA0AoLhQLZCIP/0DwXWje1PY41suMq8o =JDqP -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html