Re: FreeRADIUS Client 1.1.6 + CHAP support

2009-01-23 Thread Vinay
Hi Alan
Isn't CHAP more secure than PAP?
Can you please explain why one should not use CHAP for anything ?
-Vinay

On Sun, Jan 18, 2009 at 9:58 PM, Alan DeKok  wrote:
> Vinay wrote:
>> Can we use the FreeRADIUS client code with CHAP configuration?
>> In the code I see an #if 0 for the CHAP code.
>
>  I wouldn't recommend using CHAP for anything at this point.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
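The exchange above turns on what the RADIUS server has to hold in order to verify each method. The following is an added example written for this archive page, not code from FreeRADIUS or from either poster: it implements the RFC 1994 CHAP response as carried in the RADIUS CHAP-Password attribute, and the RFC 2865 section 5.2 User-Password hiding used for PAP, so the difference is visible in code. Verifying CHAP means recomputing MD5(Id || password || challenge), which requires the user's cleartext password in the credential store; a PAP password is unhidden with the shared secret on arrival and can then be checked against a salted hash. All sample values (passwords, shared secret, authenticators, salt) are constructed here.

```python
import hashlib
import hmac

# Added example, not FreeRADIUS code. Shows what a RADIUS server needs in
# order to verify CHAP (RFC 1994, carried per RFC 2865 section 5.3) versus
# PAP (User-Password hiding, RFC 2865 section 5.2).


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: value of the CHAP-Password attribute (1-byte Id + 16-byte MD5)."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """Server side. The MD5 can only be recomputed from the cleartext password,
    so a server that stores password hashes cannot verify CHAP at all."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def _pap_xor(data: bytes, secret: bytes, request_authenticator: bytes, encrypting: bool) -> bytes:
    """RFC 2865 5.2 chain: b1 = MD5(S + RA), c1 = p1 XOR b1, b2 = MD5(S + c1), ...
    The MD5 input for each block after the first is the previous *ciphertext* block."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(block, b))
        out += c
        prev = c if encrypting else block
    return bytes(out)


def pap_encrypt(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Client side: hide the password; pad with NULs to a multiple of 16 (min 16)."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    return _pap_xor(padded, secret, request_authenticator, encrypting=True)


def pap_decrypt(user_password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: recover the password from User-Password. Trailing NUL
    padding is removed (the RFC gives no length field, so trailing NULs in a
    real password would be lost; that is a known limitation of the scheme)."""
    return _pap_xor(user_password, secret, request_authenticator, encrypting=False).rstrip(b"\x00")


def hash_password(password: bytes, salt: bytes) -> bytes:
    """What a PAP-only server can store instead of cleartext: a salted slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_pap_against_hash(user_password: bytes, secret: bytes, request_authenticator: bytes,
                            salt: bytes, stored_hash: bytes) -> bool:
    """Unhide the PAP password with the shared secret, then compare hashes."""
    recovered = pap_decrypt(user_password, secret, request_authenticator)
    return hmac.compare_digest(hash_password(recovered, salt), stored_hash)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    pw, secret, ra, chal = b"vinay", b"example-shared-secret", bytes(range(16)), bytes(range(16, 32))
    print("CHAP ok:", verify_chap(build_chap_password(7, pw, chal), chal, pw))
    salt = b"constructed-salt"
    print("PAP vs hash ok:", verify_pap_against_hash(pap_encrypt(pw, secret, ra), secret, ra,
                                                    salt, hash_password(pw, salt)))
```

The contrast the code makes concrete: `verify_chap` has no variant that takes a hash, because the MD5 input is the password itself, and the response is an unkeyed MD5 of a short secret that any party who observes the challenge can test guesses against offline. `verify_pap_against_hash` never needs the cleartext at rest, only in memory for the duration of one request.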


FreeRADIUS Client 1.1.6 + CHAP support

2009-01-17 Thread Vinay
Hi there

Can we use the FreeRADIUS client code with CHAP configuration?
In the code I see an #if 0 for the CHAP code.

Thanks
Vinay


free RADIUS client + CHAP + PAM

2008-11-20 Thread Vinay
Hi there

There are a lot of places on the net which talk about how PAM cannot
work with CHAP on the RADIUS server.

Will an implementation of freeRADIUS client with CHAP and
PAM(pam_radius_auth) module work?
Please point me to the appropriate link.

Thanks
-Vinay


free RADIUS client + CHAP + PAM

2008-11-19 Thread Vinay
Hi there

There are a lot of places on the net which talk about how PAM cannot
work with CHAP on the RADIUS server.
Will an implementation of freeRADIUS client with CHAP and
PAM(pam_radius_auth) module work?
Please point me to the appropriate link.

Thanks
-Vinay


free RADIUS server + return class attribute

2008-11-17 Thread Vinay
hi there,
I want to configure the freeRADIUS server to return the CLASS
attribute in the ACCESS-ACCEPT message.
I tried adding the attribute for a user in users file :

vinay Auth-type:=CHAP,User-Password="vinay",Class="Admin"

The attribute is parsed. But when I try to connect with a RADIUS
client, the freeRADIUS server crashes.

What is the correct method of passing attributes from RADIUS server to
the RADIUS Client?

Thanks
Vinay


FreeRADIUS client + PAM integration

2008-11-16 Thread Vinay
hi there,
We are planning to use FreeRadius Client with PAM.
Could you please give me the document/Links/FAQ
explaining the integration of FreeRADIUS client with PAM?

Thanks
Vinay


Questions on Acct-Interim-Interval

2007-10-02 Thread Vinay Wagh
Hi, 

A couple of questions on Acct-Interim-Interval

1. I wanted to know if the Acct-Interim update that comes from the NAS has
any relevance as far as the user session maintained in the radius server is
concerned. Meaning that is it treated like a keep-alive of some sort. If the
Acct-Interim-Interval is configured to be 100 seconds and the NAS sends the
Interim-Update after 200 seconds does the freeradius server care ?

2. What is the typical value of this attribute, I ask because if this value
is configured to be small then it will generate a lot of interim updates
from a NAS that supports large number of subscribers. At the same time I am
not sure how the service providers who deploy the server use this Attribute
and how often do they want the updates.

Thanks,
Vinay



Re: generate_state() in rlm_eap module generates duplicate state ?

2007-09-25 Thread Vinay Wagh
inline ..

On 9/25/07, Alan DeKok <[EMAIL PROTECTED] > wrote:
>
> Vinay Wagh wrote:
> > On looking deeper in to the problem I saw that the reason the
> > rbtree_insert in eaplist_add() fails is because there is already a node
> > in the tree with the same state (PW_STATE), this node is for a different
>
> > request altogether and so the insert in to the tree fails. Since I send
> > multiple requests from the same gateway and the radius client on the
> > gateway opens up 4 source ports to the radius server we can send 4
> > requests in the same second that have the same ID and source IP address.
>
>   Hmm... that may be allowed by the spec, but it seems broken to me.
> The code in rlm_eap does NOT use the source port to distinguish
> requests, because some NASes send EAP requests for one session via
> multiple source ports.  It just depends on how busy the NAS is.


We need to use more than one source port on the client because the client
supports only 255 requests per instance of radius client and we need about
1000 requests per second. Each EAP session will always use the same port
while it is being authenticated but a new request can pick up a different Id
on a different source port.


> The eap_handler_cmp() function uses the STATE to distinguish requests if
> > the id and source IP address are the same, but in my case the state is
> > also the same. Here is the relevant debug log for it
>
>   If the state is the same, then something is going seriously wrong
> inside of the server.  The state that is generated SHOULD be random, and
> unique per request.



Which is why it took me some time to figure this out. What I did was added
debug code in rbtree_insert to print out contents of the node if a duplicate
node existed. In the logs I saw that the node had the same state but a
different identity.

> Wed Sep 19 22:36:37 2007 : Info: STATE: Added state 82 f1 8b 49 6f bf b9
> > a4 ee 2a d3 d5 ef f8 ec 3b for {am= [EMAIL PROTECTED]<[EMAIL PROTECTED]>
>
>   Can you instrument the code to see when the state is generated?  My
> suspicion is that a new State attribute is NOT being generated.   i.e.
> the server sees the "same" request, and re-uses the same State.
>
>   That shouldn't be happening, though.  On a new EAP-Identity packet, a
> new State is allocated, and added to the list.  Since the State is
> generated from random numbers, it SHOULD be unique every time.


I have already added debug code to print out the state every time the radius
server generates it. Out of a thousand requests you see at least 4-5 requests
with duplicate state info, the others have unique states. The debug above
'Added state ..." gets printed after a call to generate_state().


> I am guessing this can cause other problems, not sure if this can result
> > in sending Access-Accept to users who should not be authenticated but it
> > definitely rejects users who should be authenticated. Another problem I
> > see which seems related to this is that I receive Access-Accept on the
> > gateway for a valid user but the reply has an invalid message
> > authenticator. I think this is probably because it finds a different
> > handler instead, but not sure about that.
>
>   The calculation of the Message-Authenticator has nothing to do with
> EAP, or with the State.  If the Message-Authenticator is invalid, then
> something is seriously wrong.



The reason I started debugging this problem is because I started getting
Access-Reject without RADIUS_ATTR_MESSAGE_AUTHENTICATOR which is a separate
attribute in the radius message. I also observed that some replies from the
radius server had this field but it did not match the authenticator in the
original request. Then I tried to link this to the problem I found and I
think it is possible if we generate the same state. Assume that after the
server sends the access challenge the radius server fails to insert the
handler because there is already a duplicate and then before it gets rid of
the duplicate handler the client replies. In this case the radius server
will try to look for the handler and actually find it since the id, ip addr
and state is the same but the identity is different. It can then use that
context to reply to this request in which case the fields may not match. If
the radius server had already replied to the duplicate handler then it will
not find the handler for our current request and send an Access-Reject.


So whether we get an Access-Reject or a reply with invalid message
authenticator depends on the timing of whether the radius server still has
the duplicate context or not. Is that possible though ?


> Is this a known bug ? If yes, is it fixed and in what release ? For now,
> > I am changing the eap_handler_cmp() function to compare th

generate_state() in rlm_eap module generates duplicate state ?

2007-09-24 Thread Vinay Wagh
Hi,

I am using version freeradius ver 1.1.6 and I am observing a problem for
which I could not find an existing bug report. Here is the description

Problem description
I am testing a gateway appliance for a large number of subscribers. I am
sending around 100 EAP-authentication requests (EAP-MD5) per second (or
more) to the freeradius server.  Before starting my request I changed the
max_requests configuration from 1024 to 8192. What I observed was that every
so often I would get an Access-Reject for a request which should have
succeeded and does succeed on subsequent attempts. I added debugs in the
free radius server and found out that in eap_authenticate the handler for
this request never gets inserted in the session tree. So the radius server
sends the Access-Challenge but when the gateway replies to the
Access-Challenge the radius server cannot find the EAP request handler in
the session tree and so the authentication fails.

On looking deeper in to the problem I saw that the reason the rbtree_insert
in eaplist_add() fails is because there is already a node in the tree with
the same state (PW_STATE), this node is for a different request altogether
and so the insert in to the tree fails. Since I send multiple requests from
the same gateway and the radius client on the gateway opens up 4 source
ports to the radius server we can send 4 requests in the same second
that have the same ID and source IP address. The eap_handler_cmp() function
uses the STATE to distinguish requests if the id and source IP address are
the same, but in my case the state is also the same. Here is the relevant
debug log for it

Wed Sep 19 22:36:37 2007 : Info: STATE: Added state 82 f1 8b 49 6f bf b9 a4
ee 2a d3 d5 ef f8 ec 3b for {am= [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Sending Access-Challenge to {am= [EMAIL PROTECTED] <[EMAIL PROTECTED]>
...
...
rad_recv: Access-Request packet from host 1.1.1.1:57979, id=8, length=160
        User-Name = "{am= [EMAIL PROTECTED] <[EMAIL PROTECTED]>"
...
Wed Sep 19 22:36:37 2007 : Info: STATE: Added state 82 f1 8b 49 6f bf b9 a4
ee 2a d3 d5 ef f8 ec 3b  for {am= [EMAIL PROTECTED]<[EMAIL PROTECTED]>
Wed Sep 19 22:36:37 2007 : Error: Found duplicate data, Id = {am=
[EMAIL PROTECTED] <[EMAIL PROTECTED]>, State = 82 f1 8b 49 6f bf b9 a4
ee 2a d3 d5 ef f8 ec 3b
Wed Sep 19 22:36:37 2007 : Error: rlm_eap: Failed to remember handler!

I am guessing this can cause other problems, not sure if this can result in
sending Access-Accept to users who should not be authenticated but it
definitely rejects users who should be authenticated. Another problem I see
which seems related to this is that I receive Access-Accept on the gateway
for a valid user but the reply has an invalid message authenticator. I think
this is probably because it finds a different handler instead, but not sure
about that.

Is this a known bug ? If yes, is it fixed and in what release ? For now, I
am changing the eap_handler_cmp() function to compare the identity if the
state is the same, since in our lab setup we also have a unique identity for
each user, do you see a problem with doing this.

Thanks,
Vinay
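The collision mechanism described in this post and in the reply thread above can be reproduced in a few lines. The following is an added example written for this archive page, not rlm_eap's code and not a claim about how FreeRADIUS 1.1.6's generate_state() actually works: it models a handler table keyed on (source IP, packet Id, State), as the thread describes, and drives it with two State generators. `weak_state` is a hypothetical generator seeded from the wall-clock second, used only to show what happens when State is not unique per request; `strong_state` draws 128 bits from the OS CSPRNG, which is what Alan's "random and unique per request" requirement calls for. The NAS address, identities and request pattern (one NAS, 4 source ports, 1000 requests in one second) are constructed to match the post.

```python
import os
import random

# Added illustration, not FreeRADIUS code. Models rlm_eap's handler table as
# the thread describes it: keyed on (src IP, packet Id, State), insert fails
# when a key already exists ("Failed to remember handler!").


class EapHandlerTable:
    def __init__(self) -> None:
        self._handlers: dict = {}

    def add(self, src_ip: str, packet_id: int, state: bytes, identity: str) -> bool:
        """Return False if a handler with the same (ip, id, state) already exists."""
        key = (src_ip, packet_id, state)
        if key in self._handlers:
            return False
        self._handlers[key] = {"identity": identity}
        return True

    def find(self, src_ip: str, packet_id: int, state: bytes):
        """Lookup performed when the Access-Challenge reply arrives."""
        return self._handlers.get((src_ip, packet_id, state))


def weak_state(second: int) -> bytes:
    """Hypothetical bad generator: a PRNG seeded with the current second, so every
    request handled in the same second gets the same 16-byte State."""
    return random.Random(second).getrandbits(128).to_bytes(16, "big")


def strong_state() -> bytes:
    """128 random bits from the OS CSPRNG: collisions are negligible."""
    return os.urandom(16)


def run_burst(table: EapHandlerTable, n: int, state_fn, src_ip: str = "1.1.1.1") -> int:
    """Send n EAP-Identity requests from one NAS using 4 source ports, each port
    cycling its own Id space 0..255, all within one second. Return how many
    handler inserts failed. Source port is deliberately not part of the key,
    matching the behaviour described in the thread."""
    failures = 0
    for i in range(n):
        packet_id = (i // 4) % 256          # 4 ports share each Id within a second
        identity = f"user{i}@example.test"  # constructed, unique per request
        if not table.add(src_ip, packet_id, state_fn(), identity):
            failures += 1
    return failures


def wrong_handler_on_collision(second: int = 1190241397):
    """Reproduce the post's second symptom: after a failed insert, the reply
    for user B is matched to user A's handler because (ip, id, state) agree.
    Returns (identity the server found, identity that actually replied)."""
    table = EapHandlerTable()
    state = weak_state(second)
    table.add("1.1.1.1", 8, state, "userA@example.test")   # port 1, Id 8
    table.add("1.1.1.1", 8, state, "userB@example.test")   # port 2, Id 8: fails
    found = table.find("1.1.1.1", 8, state)
    return found["identity"], "userB@example.test"


if __name__ == "__main__":
    print("weak state failures:", run_burst(EapHandlerTable(), 1000, lambda: weak_state(1190241397)))
    print("strong state failures:", run_burst(EapHandlerTable(), 1000, strong_state))
    print("collision lookup:", wrong_handler_on_collision())
```

With the weak generator every Id that appears four times in the second keeps only its first handler, so 750 of 1000 inserts fail and a later reply for one user can be answered from another user's context, which is the mismatch the post reports. With a CSPRNG-backed State the table never collides, and the source-port question becomes irrelevant to correctness. Comparing identity as well, as the post proposes, narrows the damage but does not remove the root cause, which is the non-unique State.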

freeradius for cisco network device login authentication

2006-09-03 Thread Vinay Kumar
 
I am trying to move my network device authentication from Microsoft IAS and Active Directory to FreeRADIUS and AD. I have followed the FreeRADIUS AD integration document. Is anybody using the FreeRADIUS and AD combination for login authentication into Cisco network devices?

Can they share their FreeRADIUS configuration, or any tips to make this work?
 
thanks
 
/vinay