Weird windows issue

2008-06-20 Thread Joe Vieira

Hi,

This is a weird one for y'all.

Windows clients (XP SP2 and what not) can be configured to pass their 
credentials along to wireless when they authenticate to the computer (to 
the AD domain).  That seems to work fine.


Then, randomly, it seems to stop working and their login seems to be wrong.

ideas?

Joe
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re : Dynamic VLAN and FreeRadius

2008-05-22 Thread Joe Vieira

HI Joel,

   I think the issue here is that the D-Link APs you have are rather 
limited.


RADIUS can not ever assign an SSID because that step occurs before the 
user authenticated.  Wireless starts with an association from the user 
to the AP's SSID; from there the AP decides what needs to happen. 

RADIUS can affect VLANs (generally, at least in the Cisco world, with 
'Tunnel-Private-Group-ID', like you mentioned) but you'll never be able 
to force a user to switch SSIDs because that is client controlled.


APs map VLANs to SSIDs internally; some allow n to 1 and 1 to n 
relationships, others like your D-Links only allow a direct mapping. 


Basically it sounds like you are limited by the constraints of your NAS.

Joe Vieira
UNIX Systems Administrator
Clark University

Joel MBA OYONE wrote:

Alan,

I possess a device from D-Link (DWS-3024). It is a wireless switch 
controller, and the documentation says that:

 - One SSID has to be assigned to one VLAN in the profile.
 - An access point can be configured with up to 8 different SSIDs and 
it is possible to assign each SSID to its own network (below is a link 
which shows you the config page) or all SSIDs to the same network.  
Maybe I didn't read it correctly, so here is the link (see pages 89-90 
and maybe 91 too): 
ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf


I asked you about SSIDs/VLANs because all my APs (about 30) will 
receive the same profile, and the profile will have 3 different SSIDs 
with different security access levels and networks from the wireless 
switch.


For example, in the same room, associated to the same AP, students and 
teachers will connect to different SSIDs coming from that same AP, and 
some will have to authenticate via EAP-PEAP, others will require EAP-TLS.


This other short file explains point by point what my config is and 
what I am trying to do:

ftp://ftp.dlink.fr/DWS/DWS-3024/QIG/QIG_DWS-3024_WPA2.pdf
Read it and maybe you will understand me.


regards

Joel MBA OYONE wrote:
  No.  VLAN assignment is after SSID association, and after 802.1x
 authentication.

 OK, is it possible to associate in SSID_1 and be assigned to a different
 VLAN than the one we are associated in?

  That doesn't make sense.  SSID's aren't tied to VLANs, unless you
configure them that way.

 (example: when I am associated to
 SSID_1, which belongs to VLAN100,

  No... SSID's have nothing to do with VLAN's.

 RADIUS sends me
 Tunnel-Private-Group-ID = 200, which belongs to another SSID, what
 would happen and would the authentication process succeed?)

  Read your NAS documentation to see how to do VLAN assignment, and how
it interacts with SSID's.

 - if I am assigned by RADIUS to another SSID/VLAN pair than the one I am
 connected to now, would the authentication process restart at the
 beginning?

  Stop talking about SSID/VLAN.  They are separate things.

  When you do VLAN assignment with RADIUS, you do NOT need to
re-authenticate.

 - is it possible to do EAP-TLS, EAP-PEAP and EAP-MD5 without the use of
 802.1x when RADIUS is the authentication Server for a supplicant?

  What does that mean?

  Alan DeKok.

ldap lower case usernames

2008-03-03 Thread Joe Vieira

Hi,

   So, I am using LDAP groups to handle my authorization for wireless 
(PEAP), and the uid field in OpenLDAP is not case sensitive 
(caseIgnoreMatch); on the other hand memberUid (for the groups) is 
(caseExactIA5Match).  So wicked sucky, right?  How can I get the 
User-Name lower cased for JUST my LDAP authorization section? I don't 
want to mess with it anywhere else...


--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS



RE: freeRADIUS+samba3.0.1+AD(multiple domains)

2008-02-27 Thread Joe Vieira

 But there are multiple domains in active-directory. How to configure
 freeRADIUS or samba can let it support multiple domains?

 FreeRADIUS just used Samba to do authentication with AD.  The winbind
 ntlm_auth API used in Samba cannot authenticate to multiple domains.

That's not entirely true; you can (and I do) get Samba to auth to multiple 
domains.  The domains either need to be in the same forest and/or have full 
trusts back and forth.  (I also found that adding them each to your Kerberos 
config helps.)

Basically you join one of them and you should be able to enumerate all the 
users from both through winbind or getent...

Joe



Re: PEAP/802.1x AD authentication for network access working, can AD-LDAP group search work for switch management authorization?

2008-02-25 Thread Joe Vieira

Hey,

Before I get neck-deep in testing out configs and debugging, I would
like to ask if this is a feasible goal.  

Yes, totally doable.

If it is, I would appreciate
any relevant references you know of so that I may start researching
the proper configuration changes needed to achieve this.  

the rlm_ldap docs should be most of what you need...


In addition,
I'd like to know if anyone out there has this kind of configuration in
place, and working.
I have it working: I do authorization based on OpenLDAP (with groups) 
and I do authentication off Active Directory.


Joe Vieira
UNIX Systems Administrator
Clark University - ITS




Re: Version 2.0.2 has been released.

2008-02-14 Thread Joe Vieira

Hey Alan,
   Is the LDAP_DEPRECATED stuff all fixed in 2.0.2?  Just wanna double 
check before I compile it and don't pass that option myself...


Thanks,

Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Norbert Wegener wrote:

With 2.0.2  I tried a performance test with eap authentications.
At one point I get :

Thu Feb 14 15:10:30 2008 : Error: rlm_eap: No EAP session matching the
State variable.
Thu Feb 14 15:10:30 2008 : Error: rlm_eap: Either EAP-request timed out
OR EAP-response to an unknown EAP-request

Is this the normal message when the server is too busy?

Norbert Wegener


Alan T DeKok schrieb:
  

  People using EAP should definitely upgrade.

  Feature improvements
  * Added notes on how to debug the server in radiusd.conf
  * Moved all log_* in radiusd.conf to log{} section.
The old configurations are still accepted, though.
  * Added ca.der target in raddb/certs/Makefile.  This is
needed for importing CA certs into Windows.
  * Added ability to send raw attributes via
  Raw-Attribute = 0x0102...
This is available only in debug builds.  It can be used
to create invalid packets! Use it with care.
  * Permit unlang policies inside of Auth-Type{} sub-sections
of the authenticate{} section.  This makes some policies
easier to implement.
  * listen sections can now have type = proxy.  This lets you
control which IP is used for sending proxied requests.
  * Added note on SSL performance to raddb/certs/README

  Bug fixes
  * Fixed reading of detail files.
  * Allow inner EAP tunneled sessions to be proxied.
  * Corrected MySQL schemas
  * syslog now works in log{} section.
  * Corrected typo in raddb/certs/client.cnf
  * Updated raddb/sites-available/proxy-inner-tunnel to
permit authentication to work.
  * Ignore zero-length attributes in received packets.
  * Correct memcpy when dealing with unknown attributes.
  * Corrected debugging messages in attr_rewrite.
  * Corrected generation of State attribute in EAP.  This
fixes the failed to remember handler issues.
  * Fall back to DEFAULT realm if no realm was found.
Based on a patch from Vincent Magnin.
  * Updated example raddb/sites-available/proxy-inner-tunnel
  * Corrected behavior of attr_filter to match documentation.
This is NOT backwards compatible with previous versions!
See man rlm_attr_filter for details.


Re: weird error

2008-02-08 Thread Joe Vieira
 : Debug: rlm_ldap::ldap_groupcmp: Group 
cn=Idrisi,ou=groups,dc=clarku,dc=edu not found or user is not a member.
Fri Feb  8 08:55:09 2008 : Debug: users: Matched entry DEFAULT at 
line 46
Fri Feb  8 08:55:09 2008 : Debug:   modsingle[authorize]: returned from 
files (rlm_files) for request 1114

Fri Feb  8 08:55:09 2008 : Debug: ++[files] returns ok
Fri Feb  8 08:55:09 2008 : Debug:   Found Autz-Type WIRELESS
Fri Feb  8 08:55:09 2008 : Debug: +- entering group WIRELESS
Fri Feb  8 08:55:09 2008 : Debug:   modsingle[authorize]: calling 
wirlss_erebus (rlm_ldap) for request 1114

Fri Feb  8 08:55:09 2008 : Debug: rlm_ldap: - authorize
Fri Feb  8 08:55:09 2008 : Debug: rlm_ldap: performing user 
authorization for STUDENTS\kcook
Fri Feb  8 08:55:09 2008 : Debug: radius_xlat: Running registered xlat 
function of module mschap for string 'User-Name'
Fri Feb  8 08:55:09 2008 : Debug:   expand: 
(uid=%{mschap:User-Name}) -> (uid=kcook)
Fri Feb  8 08:55:09 2008 : Debug:   expand: ou=Users, dc=clarku, 
dc=edu  -> ou=Users, dc=clarku, dc=edu

Fri Feb  8 08:55:09 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Feb  8 08:55:09 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Feb  8 08:55:09 2008 : Debug: rlm_ldap: performing search in 
ou=Users, dc=clarku, dc=edu , with filter (uid=kcook)
Fri Feb  8 08:55:09 2008 : Debug: rlm_ldap: checking if remote access 
for STUDENTS\kcook is allowed by clarkuWirelessAccess

Segmentation fault





Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1157658944 (LWP 3794)]
0x2c516d85 in ldap_authorize (instance=0x4077b30, 
request=0x4202a30) at rlm_ldap.c:1319

1319        if (!strncmp(vals[0], "FALSE", 5)) {
(gdb) bt
#0  0x2c516d85 in ldap_authorize (instance=0x4077b30, 
request=0x4202a30) at rlm_ldap.c:1319
#1  0x00411d13 in modcall (component=<value optimized out>, 
c=<value optimized out>, request=0x4202a30) at modcall.c:248
#2  0x0040ee59 in indexed_modcall (comp=1, idx=<value optimized 
out>, request=0x4202a30) at modules.c:446

#3  0x0040711b in rad_authenticate (request=0x4202a30) at auth.c:546
#4  0x00418b4b in radius_handle_request (request=0x4202a30, 
fun=0x407000 <rad_authenticate>) at event.c:2707
#5  0x00413f78 in request_handler_thread (arg=<value optimized 
out>) at threads.c:488

#6  0x003da1c062f7 in start_thread () from /lib64/libpthread.so.0
#7  0x003da0cce85d in clone () from /lib64/libc.so.6
(gdb) print vals
$1 = (char **) 0xb00020e0
(gdb) print vals[0]
Cannot access memory at address 0xb00020e0
(gdb) print inst->access_attr
No symbol "inst" in current context.
(gdb) print instance
$2 = (void *) 0x4077b30
(gdb) print instance->access_attr
Attempt to dereference a generic pointer.
(gdb) print ((ldap_instance *)instance)->access_attr
$3 = 0x4077d90 "clarkuWirelessAccess"
(gdb) print ((ldap_instance *)instance)->default_allow
$4 = 1
(gdb) print msg
$5 = (LDAPMessage *) 0x2aaab0002710
(gdb) print conn->ld
Cannot access memory at address 0x0
(gdb) print conn
$6 = <value optimized out>








Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Alan DeKok wrote:

Joe Vieira wrote:
  

So, I just attached gdb to the running server and ended with this seg
fault.



  It's likely a side-effect of some other memory issue.

  If it's an AMD 64-bit system, then valgrind should work.

  You can also run the server with more debugging as:

$ radiusd -f

  In which case it won't daemonize itself, but it *will* start multiple
threads.  It looks like the issue is related to threading, if it works
when '-X' is used.

  Alan DeKok.
  



Re: weird error

2008-02-08 Thread Joe Vieira



if that's the case, why do you think it seems to work fine single threaded?



  shrug  I dunno...

  

 =(
I am adding a ton of debugging stuff to the function, so hopefully it 
might give some more insight...


joe


Re: weird error

2008-02-08 Thread Joe Vieira



1319 of rlm_ldap.c; gdb debugging shows me that vals[0] is not a valid
memory location.  (always 0xb00020e0)



  Try running it without the LDAP module.  If it works, then the ldap
module, or the LDAP libraries it uses aren't 64-bit clean.

  

if that's the case, why do you think it seems to work fine single threaded?

Joe


Re: weird error

2008-02-08 Thread Joe Vieira



I am consistently getting a segfault (~every 45 minutes or so) from line
1319 of rlm_ldap.c; gdb debugging shows me that vals[0] is not a valid
memory location.  (always 0xb00020e0)



  Try running it without the LDAP module.  If it works, then the ldap
module, or the LDAP libraries it uses aren't 64-bit clean.

  
I'm linked against Red Hat's 64-bit LDAP libraries, which function well in 
every test I can think to throw at them.



Re: EAP session matching the State variable.

2008-02-08 Thread Joe Vieira



model name  : Intel(R) Celeron(R) CPU 2.40GHz



  Doesn't sound like a 64-bit machine.  Dang...

  
They did make the Celeron D line that had a 2.4 that was 64-bit... 
like around 2006 or so I think... so it could still be.



Re: EAP session matching the State variable.

2008-02-08 Thread Joe Vieira

Norbert Wegener wrote:

The complete log is  at http:// www.wegener-net.de/freeradius/  (url
destroyed)
In line 116518 a client gets a reject, in 119715 the same client an accept.



  ...
State = 0x00030d00
  ...

...

  All I can guess is that the code generating 32-bit random numbers
somehow has them promoted to 64-bit numbers, and then the lower 32-bits
get ignored...

The ISAAC (random number generator) libraries do use registers to hold 
the numbers while it is generating them. Registers on 64-bit machines are 
64 bit, right?


Joe


Re: weird error

2008-02-08 Thread Joe Vieira

Joe Vieira wrote:

Joe Vieira wrote:



if that's the case, why do you think it seems to work fine single threaded?

  

  shrug  I dunno...

So, even though LDAP_DEPRECATED was set as a cflag in 
rlm_ldap/configure.in, it never shows up as a gcc option during 
compilation for some reason... so I defined it in rlm_ldap.c because it 
is ABSOLUTELY required on 64-bit systems, because of missing prototypes 
for the LDAP libraries... which basically will ruin your day.
Otherwise you can get into a situation where the compiler assumes the 
function (in this case ldap_get_values) returns an int (32-bit), but it 
actually returns a pointer (64-bit on 64-bit systems) which can then get 
truncated (which is likely why it always looked the same, because the 
part that stayed after the truncation was the same...)


Good Debian wiki article about implicit pointer conversion:
http://wiki.debian.org/ImplicitPointerConversions

#define LDAP_DEPRECATED 1 added as the first line in rlm_ldap.c ...

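Added example (not code from the thread or from FreeRADIUS) that models the mechanism Joe describes: a char ** returned by a function the compiler saw no prototype for is treated as an int, so only the low 32 bits of the address survive the call. The address 0x2aaab00020e0 is a constructed value chosen to sit in the same region as the msg pointer from the gdb session (0x2aaab0002710) with the low half gdb printed for vals; it is an assumption, not a value from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example: model the "implicit int" failure from the thread.  If
 * <ldap.h> hides the prototype of ldap_get_values (no LDAP_DEPRECATED),
 * a C89-style compiler assumes the function returns int.  On x86-64 the
 * caller then reads only the 32-bit eax register and widens that int back
 * to a pointer, so vals points somewhere in the low 4 GiB instead of at
 * the real heap block.
 *
 * Fix used in the thread: #define LDAP_DEPRECATED 1 before #include <ldap.h>.
 * Build-time guard: gcc -Werror=implicit-function-declaration refuses to
 * compile a call to an undeclared function at all.
 */

/* Bits the caller actually receives when it believes the result is an int. */
uint32_t low32(uint64_t real_addr)
{
    return (uint32_t)real_addr;
}

/* int -> pointer conversion may zero-extend the missing upper half... */
uint64_t zero_extended(uint64_t real_addr)
{
    return (uint64_t)low32(real_addr);
}

/* ...or sign-extend it; which one is implementation-defined.  Computed
 * with explicit bit operations so the result is the same on every host. */
uint64_t sign_extended(uint64_t real_addr)
{
    uint32_t lo = low32(real_addr);
    uint64_t widened = lo;
    if (lo & 0x80000000u) {
        widened |= 0xffffffff00000000ULL;
    }
    return widened;
}

/* 1 if the address would still be correct after the round trip, 0 if it is
 * corrupted.  Only addresses that fit in 32 bits (or their sign-extended
 * mirror) survive, which is why the bug hides until an allocation lands
 * above 4 GiB, e.g. in the mmap arena glibc gives a second malloc thread. */
int survives_implicit_int(uint64_t real_addr)
{
    return zero_extended(real_addr) == real_addr ||
           sign_extended(real_addr) == real_addr;
}

/* Cheap check for a port: on LP64 a pointer does not fit in an int. */
int pointer_fits_in_int(void)
{
    return sizeof(void *) <= sizeof(int);
}

/* Constructed address (assumption): same mmap region as the msg pointer
 * in the gdb session, with the low half that gdb printed for vals. */
#define CONSTRUCTED_VALS_ADDR 0x2aaab00020e0ULL

int main(void)
{
    uint64_t addr = CONSTRUCTED_VALS_ADDR;
    void *live = malloc(16);          /* a real allocation from this process */
    uint64_t live_addr = (uint64_t)(uintptr_t)live;

    printf("pointer fits in int        : %s\n", pointer_fits_in_int() ? "yes" : "no");
    printf("real address               : 0x%016llx\n", (unsigned long long)addr);
    printf("what the caller receives   : 0x%08x\n", low32(addr));
    printf("zero-extended              : 0x%016llx\n", (unsigned long long)zero_extended(addr));
    printf("sign-extended              : 0x%016llx\n", (unsigned long long)sign_extended(addr));
    printf("survives implicit int      : %s\n", survives_implicit_int(addr) ? "yes" : "no");
    printf("this process's malloc block: 0x%016llx survives: %s\n",
           (unsigned long long)live_addr,
           survives_implicit_int(live_addr) ? "yes" : "no");
    free(live);
    return 0;
}
```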


Re: weird error

2008-02-08 Thread Joe Vieira



Joe Vieira wrote:
  

if that's the case, why do you think it seems to work fine single threaded?



  shrug  I dunno...


So, more or less at this point threading seems to ruin this somehow, 
which is really weird. 

This same server was running FreeRADIUS 1.1.6, then I installed the new 
version, which basically goes to shit on the machine... I assume there 
was a lot of rewriting that occurred between these two versions; was 
threading re-written?  Or the rlm_ldap threading functions??


thanks joe


Re: weird error

2008-02-08 Thread Joe Vieira

seemingly thus far...

Joe Vieira
UNIX Systems Administrator
Clark University - ITS



[EMAIL PROTECTED] wrote:

Hi,

  

Otherwise you can get into a situation where the compiler assumes the function
(in this case ldap_get_values) returns an int (32-bit), but it actually
returns a pointer (64-bit on 64-bit systems) which can then get truncated
(which is likely why it always looked the same, because the part that
stayed after the truncation was the same...)

good debian wiki article about implicit pointer conversion
http://wiki.debian.org/ImplicitPointerConversions

#define LDAP_DEPRECATED 1 added as the first line in rlm_ldap.c ...



fixed the issue?

alan
  



weird error

2008-02-06 Thread Joe Vieira

Wed Feb  6 10:43:44 2008 : Error: TLS Alert write:fatal:bad record mac
Wed Feb  6 10:43:44 2008 : Error: rlm_eap: SSL error error:1408F119:SSL 
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Feb  6 10:43:44 2008 : Error: rlm_eap_tls: SSL_read failed in a 
system call (-1), TLS session fails.


could someone help me figure out what that means exactly?

thanks,
--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Re: weird error

2008-02-06 Thread Joe Vieira



Joe Vieira wrote:
  

Wed Feb  6 10:43:44 2008 : Error: TLS Alert write:fatal:bad record mac
Wed Feb  6 10:43:44 2008 : Error: rlm_eap: SSL error error:1408F119:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Feb  6 10:43:44 2008 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.

could someone help me figure out what that means exactly?



  Something went wrong with the SSL session.  It's big magic...

  
I'm running 2.0.1 and I saw those errors at the end of a string of these 
errors...


Wed Feb  6 10:43:04 2008 : Error: rlm_eap: Failed to remember handler!
Wed Feb  6 10:43:07 2008 : Error: rlm_eap: Failed to remember handler!
and
Wed Feb  6 10:43:07 2008 : Error: rlm_eap_tls: Unexpected ACK received


The reason I am looking over these logs right now is because the server 
segfaulted with error 4, 4 seconds after this happened.


Joe



Re: rpmbuld errors 2.0.1

2008-01-28 Thread Joe Vieira

also make sure $_incdir is defined in your .rpmmacros

Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Joe Vieira wrote:

You'll need to either rename everything in the spec file to be
freeradius-server, or just open the tar.gz, rename the directory INSIDE IT
(which is also freeradius-server) to freeradius-2.0.1, then zip it all back
up and run your spec again and it will work.

Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Andrew Long wrote:
  

Hello:
I am trying to build the rpm for 2.0.1 on CentOS 5. The first oddity
is that the source now comes as freeradius-server-2.0.1.tar.gz;
starting the rpmbuild with $ rpmbuild -bb freeradius.spec yields an
error that SOURCES/freeradius-2.0.1.tar.gz does not exist. I tried
renaming freeradius-server-2.0.1.tar.gz to freeradius-2.0.1.tar.gz,
and now the build starts, but it always ends with the following error:

+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd freeradius-2.0.1
/var/tmp/rpm-tmp.71302: line 29: cd: freeradius-2.0.1: No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.71302 (%prep)

Here is the block from the rpm-tmp file:
  set -x
  umask 022
  cd /home/along/rpmbuild/BUILD
cd /home/along/rpmbuild/BUILD
rm -rf freeradius-2.0.1
/bin/gzip -dc /home/along/rpmbuild/SOURCES/freeradius-2.0.1.tar.gz | tar -xvvf -
STATUS=$?
if [ $STATUS -ne 0 ]; then
  exit $STATUS
fi
cd freeradius-2.0.1 --LINE 29
[ `/usr/bin/id -u` = '0' ] && /bin/chown -Rhf root .
[ `/usr/bin/id -u` = '0' ] && /bin/chgrp -Rhf root .
/bin/chmod -Rf a+rX,u+w,g-w,o-w .

I am not an expert with rpmbuild, so I apologize if this is a bit
off-topic. I preceded the build with
$ rpmbuild --clean freeradius.spec as I had previously build 1.1.7 on
the same host.

- Andrew


Re: rpmbuld errors 2.0.1

2008-01-28 Thread Joe Vieira

Andrew Long wrote:

OK, can you give me the explicit code here. Here is the file as it exists:

$ cat .rpmmacros
%_topdir %(echo $HOME)/rpmbuild

  

Yeah, add this line:
%_incdir /usr/include

or whatever directory you want ...


Re: rpmbuld errors 2.0.1

2008-01-28 Thread Joe Vieira
You'll need to either rename everything in the spec file to be 
freeradius-server, or just open the tar.gz, rename the directory INSIDE IT 
(which is also freeradius-server) to freeradius-2.0.1, then zip it all back 
up and run your spec again and it will work.


Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Andrew Long wrote:

Hello:
I am trying to build the rpm for 2.0.1 on CentOS 5. The first oddity
is that the source now comes as freeradius-server-2.0.1.tar.gz;
starting the rpmbuild with $ rpmbuild -bb freeradius.spec yields an
error that SOURCES/freeradius-2.0.1.tar.gz does not exist. I tried
renaming freeradius-server-2.0.1.tar.gz to freeradius-2.0.1.tar.gz,
and now the build starts, but it always ends with the following error:

+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd freeradius-2.0.1
/var/tmp/rpm-tmp.71302: line 29: cd: freeradius-2.0.1: No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.71302 (%prep)

Here is the block from the rpm-tmp file:
  set -x
  umask 022
  cd /home/along/rpmbuild/BUILD
cd /home/along/rpmbuild/BUILD
rm -rf freeradius-2.0.1
/bin/gzip -dc /home/along/rpmbuild/SOURCES/freeradius-2.0.1.tar.gz | tar -xvvf -
STATUS=$?
if [ $STATUS -ne 0 ]; then
  exit $STATUS
fi
cd freeradius-2.0.1 --LINE 29
[ `/usr/bin/id -u` = '0' ] && /bin/chown -Rhf root .
[ `/usr/bin/id -u` = '0' ] && /bin/chgrp -Rhf root .
/bin/chmod -Rf a+rX,u+w,g-w,o-w .

I am not an expert with rpmbuild, so I apologize if this is a bit
off-topic. I preceded the build with
$ rpmbuild --clean freeradius.spec as I had previously build 1.1.7 on
the same host.

- Andrew


RE: seg fault

2008-01-14 Thread Joe Vieira

  Since we have no idea what the problem is, the answer is likely no.

totally fair =)

  If malloc() is core dumping, then something else is going wrong.  i.e.
some other part of the server is over-writing memory.

When you say "the server", I assume you mean FreeRADIUS, not another app??

  I would try 2.0.  Large amounts of code have been re-written or
updated.  It may not be perfect, but there are good odds that this
problem won't re-appear.

That's what I'll do then.

thanks for the help,
Joe



seg fault

2008-01-14 Thread Joe Vieira
I've been trying to pin down a rather elusive segfault for over 2 months now, 
and I finally got it to happen inside of gdb.

This is FreeRADIUS 1.1.6 on RHEL5 x86-64.

If this problem is fixed in 2.0 or 1.1.7 please let me know.

Starting program: /usr/sbin/radiusd -X
[Thread debugging using libthread_db enabled]
[New Thread 46912543318400 (LWP 8450)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912543318400 (LWP 8450)]
0x2c1666d5 in _int_malloc () from /lib64/libc.so.6
* 1 Thread 46912543318400 (LWP 8450)  0x2c1666d5 in _int_malloc ()
   from /lib64/libc.so.6

Thread 1 (Thread 46912543318400 (LWP 8450)):
#0  0x2c1666d5 in _int_malloc () from /lib64/libc.so.6
No symbol table info available.
#1  0x2c167d4d in malloc () from /lib64/libc.so.6
No symbol table info available.
#2  0x2be05102 in CRYPTO_malloc () from /lib64/libcrypto.so.6
No symbol table info available.
#3  0x2be2a6b7 in BN_free () from /lib64/libcrypto.so.6
No symbol table info available.
#4  0x2be2a808 in bn_expand2 () from /lib64/libcrypto.so.6
No symbol table info available.
#5  0x2be2abd5 in BN_bin2bn () from /lib64/libcrypto.so.6
No symbol table info available.
#6  0x2be36ea0 in RSA_PKCS1_SSLeay () from /lib64/libcrypto.so.6
No symbol table info available.
#7  0x2bb7cc62 in ssl3_get_client_key_exchange ()
   from /lib64/libssl.so.6
No symbol table info available.
#8  0x2bb7ecaf in ssl3_accept () from /lib64/libssl.so.6
No symbol table info available.
#9  0x2bb854c3 in ssl3_read_bytes () from /lib64/libssl.so.6
No symbol table info available.
#10 0x2bb82431 in ssl3_renegotiate_check () from /lib64/libssl.so.6
No symbol table info available.
#11 0x2e1d77da in tls_handshake_recv (ssn=0x58718240) at tls.c:173
err = <value optimized out>
#12 0x2e1d6ad5 in eaptls_process (handler=0x59e07860)
at eap_tls.c:638
tls_session = (tls_session_t *) 0x58718240
tlspacket = (EAPTLS_PACKET *) 0x5860bc80
status = EAPTLS_LENGTH_INCLUDED
#13 0x2ebe642b in eappeap_authenticate (arg=0x584e9ac0,
handler=0x59e07860) at rlm_eap_peap.c:169
rcode = <value optimized out>
status = <value optimized out>
tls_session = (tls_session_t *) 0x58718240
#14 0x2dfcf1c6 in eaptype_call (atype=0x584e7d50,
handler=0x59e07860) at eap.c:167
rcode = <value optimized out>
#15 0x2dfcf30a in eaptype_select (inst=0x584d23d0,
handler=0x59e07860) at eap.c:361
default_eap_type = <value optimized out>
eaptype = (eaptype_t *) 0x59d5feb8
vp = <value optimized out>
namebuf = [EMAIL PROTECTED]
eaptype_name = 0x2e1d7d26 "peap"
#16 0x2dfcdffb in eap_authenticate (instance=0x584d23d0,
request=0x58609f90) at rlm_eap.c:261
inst = (rlm_eap_t *) 0x2c442960
handler = (EAP_HANDLER *) 0x59e07860
eap_packet = (eap_packet_t *) 0x0
rcode = <value optimized out>
#17 0x55563682 in modcall (component=0, c=0x584cfe30,
request=0x58609f90) at modcall.c:236
myresult = 0
#18 0x55563c71 in call_one (component=-1404819104, p=0x80,
request=0x5860b0e0, priority=0x2c442ad0, result=0x40)
at modcall.c:269
r = <value optimized out>
#19 0x5556384c in modcall (component=0, c=0x584cfe80,
request=0x58609f90) at modcall.c:324
g = (modgroup *) 0x584cfe80
myresult = 0
#20 0xb763 in rad_check_password (request=0x58609f90)
at auth.c:380
dval = (DICT_VALUE *) 0x0
auth_type_pair = <value optimized out>
cur_config_item = <value optimized out>
password_pair = (VALUE_PAIR *) 0x0
auth_item = <value optimized out>
string = [EMAIL 
PROTECTED]:XUU\000\000LíVUUU\000\0008ö\a\000\000\000\000\000uest 
521P\031OXUU\000\000ç6VUUU\000\000\220\237`XUU\000\000\000\020\000\000\002\000\000\000\200áz­ª*\000\000\000\000\000\000\000\000ÿÿö\003\000\000\030\000\000\000P(OXUU\000\000Ä\\oÑÿ\177\000\000À\\oÑÿ\177\000\000\001\000\000\000\000\000\000\000\220\237`XUU\000\000P\031OXUU\000\000qVUUU\000\000P(OXUU\000\000P\031OXUU\000\000Ä\\oÑÿ\177\000\000...
auth_type = 6
result = <value optimized out>
auth_type_count = 1
#21 0xbc8a in rad_authenticate (request=0x58609f90)
at auth.c:675
check_item = <value optimized out>
vp = (VALUE_PAIR *) 0x5860b0e0
namepair = (VALUE_PAIR *) 0x586c89d0
check_item = <value optimized out>
reply_item = <value optimized out>
auth_item = (VALUE_PAIR *) 0x0
module_msg = <value optimized out>
tmp = (VALUE_PAIR *) 0x0
result = 3
r = <value optimized out>
umsg = 

RE: seg fault

2008-01-14 Thread Joe Vieira

no - i'd read that as some other part of your 64bit x86 box is trashing
the memory.

Hmm, the box itself is totally stable; nothing else has been an issue...

hyperthreading on?

No, they are true dual-core Xeons w/ no hyperthreading.

Joe



general protection fault 1.1.6

2007-12-17 Thread Joe Vieira

rhel5 x86-64 2.6.18-8.1.6.el5
freeradius 1.1.6 ntlm authentication to windows AD server.

Dec 16 15:50:13 ion winbindd[18013]:   rpc_api_pipe: Remote machine 
activedirectoryserver.clarku.edu pipe \NETLOGON fnum 0xc003returned 
critical error. Error was Call timed out: server did not respond after 
1 milliseconds
Dec 16 18:03:58 ion kernel: radiusd[17644] general protection 
rip:2c1666d5 rsp:7fff600f93f0 error:0


Any chance these are related?  (I know the times are far apart; however, 
our RADIUS server is very slow on the weekends, as well as over winter 
break, which we are currently in.)  I could actually imagine going an hour or 
even two without any authentication attempts.


--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Re: Freeradius and AD

2007-12-11 Thread joe vieira

I do the exact same thing, like this.

DEFAULT Prefix == domainnameinputted, Strip-User-Name = No
   domain = domainnameoutputted


Then in my ntlm_auth section: 
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{domain} 
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

Make sure you make a dictionary attribute for domain as well.

Joe Vieira
UNIX Systems Administrator 
Clark University




On Tuesday 11 December 2007 9:29:46 am Dave Gibelli wrote:
 Hi

 I am testing Freeradius within an 802.1x environment.

 I want to send authentication request to 4 different AD DC's depending
 on the Domain sent from the client to the Authenticator.

 Can Freeradius forward request in this way?

 Dave


RE: help with ldap/checkitem

2007-11-10 Thread Joe Vieira

I suggest you investigate the use of LDAP groups.

thanks for the suggestion, I did that last night and it worked well for me.

Joe




help with ldap/checkitem

2007-11-09 Thread Joe Vieira


Hi,
   I am having some confusing trouble with an LDAP check item.
Applicable line from the LDAP attribute file:

---
checkItem   VPNGroupName   clarkuVlan

Users file:
## VPN USER CONFIG 
DEFAULT NAS-Port-Type == Virtual, Framed-Protocol == PPP, Autz-Type := VPN
   Reply-Message = "Welcome %u, to Clark University's network #AUTHORIZED USE ONLY#",
   Fall-Through = Yes

# VPN TEST USER CONFIG 

DEFAULT VPNGroupName == testing
   CVPN3000-IPSec-Split-Tunneling-Policy = 1,
   Filter-Id = itsadmin-filter,
   CVPN3000-DHCP-Network-Scope = 140.232.2.1,
   CVPN3000-IPSec-Split-Tunnel-List = itsadmin-routes



Debug output:
...
rlm_ldap: checking if remote access for CLARKU\bjulin is allowed by 
clarkuVpnAccess

rlm_ldap: looking for check items in directory...
rlm_ldap: Adding clarkuVlan as VPNGroupName, value testing  op=21
...
Login OK: [CLARKU\\bjulin] (from client vpn port 176)
Sending Access-Accept of id 8 to 10.13.13.1 port 1025
   Reply-Message = Welcome CLARKUbjulin, to Clark University's 
network #AUTHORIZED USE ONLY#

   Framed-MTU = 576
   MS-CHAP2-Success = 0x
   MS-MPPE-Recv-Key = 0
   MS-MPPE-Send-Key = 0
   MS-MPPE-Encryption-Policy = 0x0002
   MS-MPPE-Encryption-Types = 0x0004
...

so i see it set the check item VPNGroupName to testing, but it never 
matches in the users file, can anyone point to what i am doing wrong?



--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Re: help with ldap/checkitem

2007-11-09 Thread Joe Vieira

I created the attribute, and i don't get any dictionary errors

[EMAIL PROTECTED] raddb]# cat dictionary | grep VPN
ATTRIBUTE   VPNGroupName   3001   string

Joe Vieira
UNIX Systems Administrator
Clark University - ITS



[EMAIL PROTECTED] wrote:

Attribute is most likely VPN-Group-Name. Check in the freeradius
dictionary.

Ivan Kalik
Kalik Informatika ISP




Re: help with ldap/checkitem

2007-11-09 Thread Joe Vieira

so a little more info on this

if i change

DEFAULT VPNGroupName == testing
  CVPN3000-IPSec-Split-Tunneling-Policy = 1,
  Filter-Id=itsadmin-filter,
  CVPN3000-DHCP-Network-Scope = 140.232.2.1,
  CVPN3000-IPSec-Split-Tunnel-List =itsadmin-routes

to

DEFAULT VPNGroupName =* testing
  CVPN3000-IPSec-Split-Tunneling-Policy = 1,
  Filter-Id=itsadmin-filter,
  CVPN3000-DHCP-Network-Scope = 140.232.2.1,
  CVPN3000-IPSec-Split-Tunnel-List =itsadmin-routes

i STILL don't get the attribute...so clearly i am doing something VERY 
wrong, is anyone able to send me in the right direction?


Joe Vieira
UNIX Systems Administrator
Clark University - ITS





using ldap for general attributes

2007-11-08 Thread Joe Vieira


Hi,

   So I have a plan to use ldap to generally set attributes and use 
those attributes to set multiple specific attributes in radius. 


example:
ldap server -> radius -> VPN
vpngroup -> vpn filter and vpn tunnel and dhcp scope -> vpn

does that make sense to do in the users file?  could someone give me a 
general example of how they would try to do it?
I was thinking in the ldap mapping file of adding a check item vpngroup 
(or whatever) and then using the users file to match off of that to set 
a reply of what i am looking for


Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Re: radius 1.1.7 hangs 100% cpu

2007-11-07 Thread Joe Vieira


before this started happening i changed max request time up to 60 cleanup delay 
to 6 max requests to 64 as well as increased the min number of servers to 
8.  i thought those changes would be pretty harmless, should i have been more 
careful with them

  maybe max_requests is too high as well, i was just taking a shot in the dark.  
the comments in the conf file said useful range from 256 - infinity.



  Setting max_requests high won't affect anything.

  

any other ideas? it hasn't happened ONCE in debug mode...

joe


RE: radius 1.1.7 hangs 100% cpu

2007-11-07 Thread Joe Vieira

  It looks like a threading issue.  Other than that, I haven't seen
anyone else run into that with 1.1.7.

sorry i made a mistake originally (i sent a correction but it prolly got lost 
in the mix of all the messages to this list) i am running 1.1.6.  are there any 
issues with 1.1.6 and threading?

thanks,
joe



radius 1.1.7 hangs 100% cpu

2007-11-06 Thread Joe Vieira

Hi,

I currently have the server in debug and am waiting to see if it fails with an 
actual error.  In the mean time this is what i am seeing.

rhel5-64bit freeradius 1.1.7 after about a day and a half one of the threads 
decides to use 100% of the CPU it's on, and nothing is logged in the normal 
logs from the time that starts.

my conf file is here let me know if you see a problem with it...everything 
WORKS, except when it hangs.

before this started happening i changed max request time up to 60 cleanup delay 
to 6 max requests to 64 as well as increased the min number of servers to 
8.  i thought those changes would be pretty harmless, should i have been more 
careful with them?

###CONFIG FILE 

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc/
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

libdir = /usr/lib

pidfile = ${run_dir}/radiusd.pid

user = radius
group = radius

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as seperate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 34

#  It can either contain *, or an IP address, or a fully qualified
#  Internet domain name.  The default is *
#
listen {
#  IP address on which to listen.
#  Allowed values are:
#   dotted quad (1.2.3.4)
#   hostname    (radius.example.com)
#   wildcard    (*)
ipaddr = 10.5.5.11
#  Port on which to listen.
#  Allowed values are:
#   integer port number (1812)
#   0 means use /etc/services for the proper port
port = 0

#  Type of packets to listen for.
#  Allowed values are:
#   auth    listen for authentication packets
#   acct    listen for accounting packets
#
type = auth
}
listen {
#  IP address on which to listen.
#  Allowed values are:
#   dotted quad (1.2.3.4)
#   hostname    (radius.example.com)
#   wildcard    (*)
ipaddr = 10.13.13.13
#  Port on which to listen.
#  Allowed values are:
#   integer port number (1812)
#   0 means use /etc/services for the proper port
port = 0

#  Type of packets to listen for.
#  Allowed values are:
#   auth    listen for authentication packets
#   acct    listen for accounting packets
#
type = auth
}

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., 

RE: correction radius 1.1.6 hangs 100% cpu

2007-11-06 Thread Joe Vieira

Sorry, i am running 1.1.6 not 7.

Joe

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Joe Vieira [EMAIL 
PROTECTED]
Sent: Tuesday, November 06, 2007 6:22 AM
To: FreeRadius users mailing list
Subject: radius 1.1.7 hangs 100% cpu


RE: radius 1.1.7 hangs 100% cpu

2007-11-06 Thread Joe Vieira

Joe Vieira wrote:
 before this started happening i changed max request time up to 60 cleanup 
 delay to 6 max requests to 64 as well as increased the min number of 
 servers to 8.  i thought those changes would be pretty harmless, should i 
 have been more careful with them?

  Leave max_requests at 0.  It shouldn't be changed from that.

i don't mean max_requests_per_server (which is 0).   maybe max_requests is too 
high as well, i was just taking a shot in the dark.  the comments in the conf 
file said useful range from 256 - infinity.

Joe



odd user authenticated...

2007-09-19 Thread Joe Vieira

Hello,
   Here is the run down on my set up.  RHEL5 64bit - freeradius 1.1.6, 
samba 3.0.23c-2, using peap(ms-chapv2)/ ntlm_auth for authentication and 
ldap for authorization.  so I have ntlm_auth configured and working 
correctly. 

every time a specific user logs in, i see this directly after his login 
success. 

80986-Tue Sep 18 17:10:37 2007 : Auth: Login OK: [students\\USER/no 
User-Password attribute] (from client UNKNOWN-CLIENT port 0) - user 
auth line.
80987:Tue Sep 18 17:10:37 2007 : Auth: Login OK: 
[RUN\\\305\355\277\255/no User-Password attribute] (from client wism2 
port 29 cli 00-1B-77-27-B2-48) - freaky line


now, that looks like extended unicode to me in the username...obviously 
we don't have a user named that, or even a domain named 'RUN', moreover 
it doesn't seem like that username should even have been authorized 
thru the ldap rules


--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS

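To make the second ("freaky") line above readable and to catch such logins automatically, here is an added example that is not code from the post or from FreeRADIUS: it parses Auth lines from radius.log, undoes the \ooo octal escaping FreeRADIUS uses for non-printable bytes in User-Name, and flags accepted logins whose domain prefix is not one of your own or whose user part is not printable ASCII. The two log lines and the set of known domains (CLARKU and STUDENTS, both named in the thread) are constructed for the example.

```python
from __future__ import annotations

import re

# Shape of an Auth line in radius.log from FreeRADIUS 1.x, as in the post:
#   <timestamp> : Auth: Login OK: [DOMAIN\\user/no User-Password attribute]
#   (from client NAME port N cli MAC)
# The text in [...] is User-Name, a "/", then the password part. Bytes that
# are not printable ASCII are written as \ooo octal escapes and a literal
# backslash as \\, which is what makes the second line above look "freaky".
LOGIN_RE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect): \[(?P<ident>.*?)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)"
)
ESCAPE_RE = re.compile(rb"\\(\\|[0-7]{3})")

# Constructed for this example: the realms this server is supposed to see
# (CLARKU and students both appear in the thread) and the two log lines from
# the post, joined back onto single lines.
KNOWN_DOMAINS = {"CLARKU", "STUDENTS"}
SAMPLE_LOG = [
    r"80986-Tue Sep 18 17:10:37 2007 : Auth: Login OK: [students\\USER/no User-Password attribute] (from client UNKNOWN-CLIENT port 0)",
    r"80987:Tue Sep 18 17:10:37 2007 : Auth: Login OK: [RUN\\\305\355\277\255/no User-Password attribute] (from client wism2 port 29 cli 00-1B-77-27-B2-48)",
]


def unescape_log_bytes(text: str) -> bytes:
    """Undo the log file's escaping: a doubled backslash becomes one backslash,
    and a backslash followed by three octal digits becomes that byte."""
    def repl(m):
        esc = m.group(1)
        return b"\\" if esc == b"\\" else bytes([int(esc, 8)])
    return ESCAPE_RE.sub(repl, text.encode("ascii"))


def split_identity(ident: str) -> tuple[bytes, bytes | None, bytes]:
    """From the [...] field return (user_name, domain or None, user_part)."""
    user_name = unescape_log_bytes(ident.split("/", 1)[0])
    domain, sep, user_part = user_name.partition(b"\\")
    if not sep:
        return user_name, None, user_name
    return user_name, domain, user_part


def audit_login_lines(lines, known_domains=KNOWN_DOMAINS):
    """Report accepted logins a defender should look at: a domain prefix that
    is not one of ours, or a user part that is not printable ASCII."""
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m or m.group("result") != "OK":
            continue
        user_name, domain, user_part = split_identity(m.group("ident"))
        reasons = []
        if domain is not None and domain.decode("ascii", "replace").upper() not in known_domains:
            reasons.append("unknown domain %r" % domain)
        if not all(0x20 <= b < 0x7F for b in user_part):
            reasons.append("non-printable bytes in user part: " + user_part.hex())
        if reasons:
            findings.append({
                "client": m.group("client"),
                "cli": m.group("cli"),
                "user_name": user_name,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_login_lines(SAMPLE_LOG):
        print(finding)
```

On the two sample lines the first (students\USER) is clean and the second is reported twice over: RUN is not a known domain, and the user part is the four bytes c5 ed bf ad, which are not even valid UTF-8.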


Re: freeradius + ad

2007-08-16 Thread Joe Vieira
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.


those are prolly the lines of interest,  your ntlm_auth is failing.  try 
it via the command line, once you get it working via the command line 
you'll have a MUCH better chance of it working in freeradius.

hints are kinit - get that working also get wbinfo -u listing your 
domain users

Joe Vieira
UNIX Systems Administrator
Clark University



multiple authorization modules

2007-07-24 Thread Joe Vieira
Hello,

I am curious about the methodology for using one authorization module
for one type of service and another for a different type of service.
basically we have wireless and VPN that is being authorized and
authenticated through our radius box. i would like to be able to control
authorization to each of those independently though different ldap
attributes. I currently have it working with one ldap module, so both
service are authorized thru the same attribute

i am using freeradius 1.1.6


Any thoughts?

Joe


Re: multiple authorization modules

2007-07-24 Thread Joe Vieira
Nevermind, i figured it out.  



listen directive

2007-07-11 Thread Joe Vieira
Is it possible to have radius listen on multiple (but not all) ip's / 
interfaces on a server?

Joe Vieira
UNIX Systems Administrator 
Clark University - ITS   
508.793.7287




RE: listen directive

2007-07-11 Thread Joe Vieira

 
Joe Vieira wrote:
 Is it possible to have radius listen on multiple (but not all) ip's / 
 interfaces on a server?

  Yes.  Use multiple listen directives.

thanks

Joe



RE: FreeRadius 1.1.6 Segmentation Fault with LDAP

2007-06-25 Thread Joe Vieira
You need to compile with the ldap deprecated option.
Joe 

-Original Message-
From: Robert E. Toense [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org 
freeradius-users@lists.freeradius.org
Sent: 6/25/2007 6:03 PM
Subject: FreeRadius 1.1.6 Segmentation Fault with LDAP

I am attempting to setup FreeRadius 1.1.6 to do PEAP authentication to
an LDAP backend on another server.  PEAP is working just fine to local
Radius passwords.  However, I get a segmentation fault whenever I try to
use LDAP.  Output from radiusd -X follows (sensitive information sanitized).

OpenLDAP 2.3.30 is also installed.  This is a Fedora Core 5 system.

I see no network traffic between the Radius server and the LDAP server.

Any hints?

Robert



rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat:  '(uid=username)'
radius_xlat:  'ou=,dc=,dc=,dc=DDD'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to lappgen.nist.gov:636, authentication 0
Segmentation fault




RE: FreeRadius 1.1.6 Segmentation Fault with LDAP

2007-06-25 Thread Joe Vieira
it's a compile time option.  add -DLDAP_DEPRECATED to your CFLAGS.

so when you compile it ( if you're using a spec file to build an RPM which i am 
assuming cause you're running FC5 ) just add that to your CFLAGS   -- it should 
be one of the first few lines in the spec file under the %build section. 

you can also set it thru the configure script before you compile (if you're not 
using an RPM) 

i hope that makes it a little more clear.  and i hope it helps you, let me know 
good luck!   

i had the EXACT same symptoms, and this solved it for me, so i would try it 
before worrying about extensive debugging stuff.
Joe

-Original Message-
From: [EMAIL PROTECTED] on behalf of Robert E. Toense
Sent: Mon 6/25/2007 7:47 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius 1.1.6 Segmentation Fault with LDAP
 
Joe,

This may sound silly, but could you elaborate?  Is this a configure 
option to FreeRadius?  If so, I don't see it.

Thanks,

Robert




RE: seg fault

2007-06-13 Thread Joe Vieira

attached is my gdb log, looks like something happens with the ldap_set_option() 
function.  thanks for having a lot
Joe

-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan Dekok
Sent: Wed 6/13/2007 3:33 AM
To: FreeRadius users mailing list
Subject: Re: seg fault
 
Joe Vieira wrote:
 Hi,
 i've got freeradius 1.1.6 running on rhel5.  when i go to do an ldap auth.  
 i get this
...
 Segmentation fault

  See doc/bugs

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




RE: seg fault

2007-06-13 Thread Joe Vieira

Found the issue, i added -DLDAP_DEPRECATED to the CFLAGS.

Joe
 

seg fault

2007-06-12 Thread Joe Vieira

Hi,
   i've got freeradius 1.1.6 running on rhel5.  when i go to do an ldap auth.  i 
get this

Listening on authentication 10.5.5.11:1812
Ready to process requests.
rad_recv: Access-Request packet from host 10.5.5.11:32769, id=76, length=59
User-Name = jvieira
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jvieira
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to erebus.clarku.edu:389, authentication 0
Segmentation fault
__

dmesg  radiusd[3396]: segfault at 70f2e4c8 rip 2efb9380 rsp 
409fe650 error 4

any ideas?
thanks,
Joe

Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Joe Vieira
in my experience, i have seen the hosts PASS their name as 
host/HOST$.domain.domain.domain.  what version of samba are you using?

Christian Hohmann wrote:
 Hi members,

 I have a problem with the name of hosts. Here is the situation:
 I have an LDAP Directory which is filled by the samba daemon, for example with 
 hosts that are added to my domain. Samba signs every host-account with a $ 
 at the end. If my laptop would be named christian, the entry created by SaMBa 
 in LDAP is christian$

 Now I configured host authentication of windows Machines with freeradius. 
 Windows machines are configured to answer with their host account and 
 password. The windows machine christian answers with the string 
 host/christian as Username. I configured realm with proxy to cut away 
 host/. So the current Username is christian.

 The username in LDAP is christian$ and so I added a $ sign in the following 
 line of the radiusd.conf

 Change the line from : filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 to:  filter = (uid=%{Stripped-User-Name:-%{User-Name}}$)

 This adds a $ sign to every User ID at the end. I can do authentication for 
 all Hosts authenticate with their host account. 

 The problem is, that I have no possibility to authenticate with a username 
 that has no $ as last character. This is the case for all users except host 
 accounts.

 Do you have a hint for me, how I could add the $ sign at the end of 
 hostnames, but not for normal users?

 Best regards

 Christian


RE: Windows Vista and 802.1x ..

2007-04-25 Thread Joe Vieira

We have a problem here where I work.  It seems like Windows Vista no  
longer can open 802.1x / WAP / TKIP / PEAP / MS-CHAP-V2 connections  

it's an issue with your cert not having all the correct attributes,
update to the newest version of freeradius and read the eap
documentation. I've gone thru the same frustration, blame Microsoft.

Joe Vieira
UNIX Systems Administrator
Clark University



RE: Windows Vista and 802.1x ..

2007-04-25 Thread Joe Vieira

no. if it worked with XP then the certs are fine - the server needs to be 
upgraded to support Vista.

I assumed since he was using the IBM supplicant stuff in XP, that worked around 
the cert issues.
Joe

active directory host authentication

2007-04-18 Thread Joe Vieira
Hi,
Using freeradius 1.1.5 samba 3.0.24...i have an interesting problem, 
and was curious what methods other people would take to solve it. 

I am setting up radius for our new wpa2 wireless network, which 
means that windows machine auth should work so that people can LOGIN to 
their laptops.  i have it working (with a slight hack).  when a windows 
xp machine sends its machine auth to radius it sends 
host/machinename.activedirectorydomain.domain.domain.  so freeradius 
takes the activedirectorydomain part of that and assumes that is the 
domain's actual name (what you use for authentication).  in our 
case...blame the windows people, that is NOT the case.  example 
computer.ad.clarku.edu is the dns name...however that computer is 
actually joined to the CLARKU domain..so the authentication needs to be 
against the CLARKU domain as the AD domain doesn't exist.  does that 
make sense?  any ideas?

the hack i have in place is a hardcoded domain of CLARKU in the 
NTLM_AUTH check(this can't stay as we have multiple domains).

thanks in advance for any insight.

Joe


Re: active directory host authentication

2007-04-18 Thread Joe Vieira


 well, you can use regexp/attr_filter to look for these systems
 and then just chop off the activedirectorydomain.domain.domain. part
 thus allowing the AD REALM to be forced by yourselves.

   
I tried something similar: i used attr_rewrite to replace the bad parts 
of User-Name with the modified correct values; however, because i am 
using eap-ttls, i got an eap error
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler

can you point me to a doc where the attr_filter is explained better?  
from reading the comments/documentation i got the impression it was 
primarily used for proxying, and wouldn't work for other things...

Joe


Re: active directory host authentication

2007-04-18 Thread Joe Vieira
ah! you really cannot play with User-Name - as you have found, the client
 doesnt like that to be changed. what you want to do is copy User-Name
 to Stripped-User-Name and then play with Stripped-User-Name - and
 use that in the rest of the stages.
   
How do I copy User-Name to something else?

What I ended up doing (it's not super pretty, but works) is using Hints: 
if prefix == host (as machines auth as host/blahblah) then I set 
a new attribute called domain and use that for the auth, and if I get a 
real domain as the prefix I just assign that as the attribute 
domain... not pretty but it works.

Joe
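The identity handling this thread is about (the host/machinename.ad.clarku.edu form that machine auth sends, the fact that the first DNS label is not the NT domain, and the point that User-Name itself must not be rewritten under EAP), worked through as an added Python 3 example. This is not code from the original posts or from FreeRADIUS: it derives the account name and NT domain that Samba's ntlm_auth expects from the three identity forms Windows supplicants send, using a site-specific suffix-to-domain table in place of a hardcoded domain. The table entries and the second domain are made-up assumptions; only the ntlm_auth flags are real.

```python
# Added example (Python 3), not code from the original posts or from FreeRADIUS.
# Derives the account name and NT domain that ntlm_auth needs from the identity
# a Windows supplicant sends, so the domain is never hardcoded and never taken
# from the first DNS label.  The suffix table below is a made-up assumption.

DNS_SUFFIX_TO_NT_DOMAIN = {
    "ad.clarku.edu": "CLARKU",        # assumption: DNS suffix -> NetBIOS domain
    "lab.example.edu": "LABDOM",      # constructed second domain
}


class UnknownRealm(ValueError):
    """The identity cannot be mapped to a known NT domain."""


def _nt_domain_for_suffix(dns_suffix, default_domain):
    """Longest-suffix match, so pc.dept.ad.clarku.edu still lands on CLARKU."""
    labels = dns_suffix.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DNS_SUFFIX_TO_NT_DOMAIN:
            return DNS_SUFFIX_TO_NT_DOMAIN[candidate]
    if default_domain:
        return default_domain
    raise UnknownRealm(f"no NT domain known for DNS suffix {dns_suffix!r}")


def derive_ntlm_identity(user_name, default_domain=None):
    """Return (ntlm_user, nt_domain) for one 802.1X identity.

    Forms handled:
      host/machine.ad.clarku.edu   machine auth; the account is 'machine$'
      CLARKU\\jvieira              NT-style domain user
      jvieira@ad.clarku.edu        UPN-style user
      jvieira                      bare name; needs default_domain
    Work from a copy of User-Name (e.g. Stripped-User-Name): rewriting
    User-Name itself makes rlm_eap fail with "Identity does not match
    User-Name", as seen in this thread.
    """
    if user_name.lower().startswith("host/"):
        fqdn = user_name[len("host/"):]
        short, sep, dns_suffix = fqdn.partition(".")
        if not sep or not short:
            raise UnknownRealm(f"machine identity without DNS suffix: {user_name!r}")
        return short + "$", _nt_domain_for_suffix(dns_suffix, default_domain)
    if "\\" in user_name:
        nt_domain, user = user_name.split("\\", 1)
        return user, nt_domain.upper()
    if "@" in user_name:
        user, dns_suffix = user_name.rsplit("@", 1)
        return user, _nt_domain_for_suffix(dns_suffix, default_domain)
    if not default_domain:
        raise UnknownRealm(f"bare identity and no default domain: {user_name!r}")
    return user_name, default_domain


def ntlm_auth_argv(user_name, challenge_hex, nt_response_hex, default_domain=None):
    """argv for Samba's ntlm_auth as rlm_mschap runs it for MS-CHAPv2; the
    challenge and response hex strings are passed through from the MS-CHAP
    attributes of the request."""
    user, domain = derive_ntlm_identity(user_name, default_domain)
    return ["ntlm_auth", "--request-nt-key",
            f"--username={user}", f"--domain={domain}",
            f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]


if __name__ == "__main__":
    for ident in ("host/lab-pc01.ad.clarku.edu", "CLARKU\\jvieira",
                  "jvieira@ad.clarku.edu"):
        print(ident, "->", derive_ntlm_identity(ident))
```

An identity whose suffix is not in the table raises instead of guessing, which is the behaviour you want when several domains share one RADIUS server: a silent fallback to the wrong domain shows up only as unexplained "Logon failure" results from ntlm_auth.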


Re: Can't connect to remote freeradius server

2007-04-03 Thread joe vieira

A B wrote:
 I've installed freeradius 1.1.5 and am able to run radtest 
 successfully on the machine that freeradius is installed on. However, 
 when I try to run radtest (or NTRadPing or radius test client) it is 
 unable to connect to the server. Does anyone have any ideas? I do have 
 the servers I'm running radtest on listed in clients.conf

First off, when you run radiusd -X (debug) do you see any requests 
coming into the server?  Is UDP port 1812 open on your host's firewall 
(iptables, ipchains, pf, whatever you're using)?  And yeah, you should probably 
have an entry in clients.conf for the client you are testing from...

Joe


Re: Can't connect to remote freeradius server

2007-04-03 Thread joe vieira

A B wrote:
 This is the output of radiusd -x. It does say it's listening on 1812 
 for authentication and 1813 for accounting.

 rlm_eap: Loaded and initialized type mschapv2
 Module: Instantiated eap (eap)
 Initializing the thread pool...
 Listening on authentication *:1812
 Listening on accounting *:1813
 Ready to process requests.

That doesn't mean that you can access those ports from off of the 
box... did you check your firewall configuration to make sure those ports 
are accessible?
An easy test is to run nmap -sU against whatever your freeradius box's IP is.



 On 4/3/07, joe vieira [EMAIL PROTECTED] wrote:


 A B wrote:
  I've installed freeradius 1.1.5 and am able to run radtest
  successfully on the machine that freeradius is installed on.
 However,
  when I try to run radtest (or NTRadPing or radius test client)
 it is
  unable to connect to the server. Does anyone have any ideas? I
 do have
  the servers I'm running radtest on listed in clients.conf
 
 first off, when you run radiusd -X (debug) do you see any requests
 coming into the server?  is UDP port 1812 open on your hosts firewall
 (iptables, ipchains, pf, whatever your using)  and ya you should
 prolly
 have an entry in clients.conf for the client you are testing from...

 Joe
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




MS client issues

2007-04-02 Thread joe vieira
Hey,
Weird question:

I am running freeradius 1.1.5, with samba 3.0.24, configured using 
EAP-PEAP.  It works: when I use a windows XP client and DO NOT 
"automatically connect with my domain login name and password", it works 
like a charm.  However when I DO configure it to auto login it fails 
miserably... the domain comes across fine, and ntlm_auth seems okay, it 
just fails to provide the correct --nt-response.  If anyone has a hint 
please let me know.
here is my debug output for the failure.

Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Joe



Re: Freeradius+OpenLDAP+SAMBA+Windows Domain Logon.

2007-04-02 Thread joe vieira

Sérgio Kojima wrote:
 Hello all.

 My freeradius 1.1.5 is configured to work with openldap and a samba PDC. 
 In summary, it works fine when I log in with username/password/domain, but 
 only if this user has already logged on to the domain once, that is, the 
 user is cached on this windows machine (XP and W2K Pro).

 When I try with a username/password/the same domain that has never logged 
 on to this machine, or has no cache in windows, it returns an error 
 message saying there is no domain controller.

 What can I do to resolve this?  Can't windows XP and 2k log on this way 
 with 802.1x switches?
What version of samba are you using?  samba needs to be able to do 
machine authentication for this to work... I just got it working myself 
(after some headache).  I think you need samba 3.0.21 or higher..

Joe


Re: Freeradius+OpenLDAP+SAMBA+Windows Domain Logon.

2007-03-29 Thread joe vieira

Sérgio Kojima wrote:
 Hello all.

 My freeradius 1.1.5 is configured to work with openldap and a samba PDC. 
 In summary, it works fine when I log in with username/password/domain, but 
 only if this user has already logged on to the domain once, that is, the 
 user is cached on this windows machine (XP and W2K Pro).

 When I try with a username/password/the same domain that has never logged 
 on to this machine, or has no cache in windows, it returns an error 
 message saying there is no domain controller.

 What can I do to resolve this?  Can't windows XP and 2k log on this way 
 with 802.1x switches?


I am also very curious if anyone has a good solution for this... I've 
read some stuff about 802.1x bootstrapping in XP/Vista, but haven't 
really seen it working.

Joe


Re: DEFAULT and users file

2007-03-29 Thread joe vieira
Erico Augusto wrote:
 Hi,

 I'm using EAP-TTLS for supplicant authentication.

 To authenticate the users at freeradius, I'm using the users file to match 
 the user's password:
 
 user   User-Password == test
   Reply-Message = success
 
 Is there a way, using DEFAULT, for example, to return success to all 
 users without the necessity to match the User-Password (bypass 
 freeradius authentication)?  What I'm trying to do is authenticate 
 users just at post-auth.  I'm using some examples from the doc directory, 
 but without success...
 Thanks, Erico.

Do you mean like:

DEFAULT   Auth-Type := Accept
          Reply-Message = success

to accept all users and reply success to them, or just

DEFAULT
          Reply-Message = success

just to reply success to everyone (I'm pretty sure).


Re: EAP-TTLS + Post-auth clear password

2007-03-21 Thread joe vieira
Erico Augusto wrote:
 Hi,

 I would like to send the clear-text password at post-auth using eap-ttls. 
 Is there a way?
 I'm avoiding writing a lot of details about the question.  Just using 
 post-auth I managed to send the User-Password attribute, but it's ciphered at 
 the destination (yes, there is all the TLS tunneling stuff, but I'm trying 
 to see the problem from a simpler, unknown perspective).

I think by default pap is an md5 hash; you should be able to change that 
though in the radiusd.conf (although I could be totally insane).  In 1.1.4+ 
this looks to have changed to be auto-negotiated.  Other people will 
know better than me, but I think this is accurate.

Joe
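Two threads above turn on how a RADIUS Access-Request actually looks on the wire: the "Can't connect to remote freeradius server" thread (a server that is listening on *:1812 but never answers, where nmap -sU cannot tell a firewall drop from a missing clients.conf entry) and this question of what happens to User-Password. The following is an added Python 3 example, not code from the original posts, from radtest or from FreeRADIUS. It builds a minimal RFC 2865 Access-Request, applies the User-Password obfuscation the RFC specifies (MD5 of the shared secret and the Request Authenticator, XORed over the password, so it is reversible by anyone holding the secret, not a hash), sends it and classifies the outcome, and verifies the Response Authenticator of whatever comes back. The shared secret, user, and addresses in the __main__ block are made-up assumptions; build_response exists only so the verifier logic can be exercised offline.

```python
# Added example (Python 3), not code from the original posts or from FreeRADIUS.
# Minimal RFC 2865 Access-Request builder plus a probe that tells apart
# "reply", "ICMP port unreachable" and "silence" when testing reachability.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """One attribute: Type, Length (header included), Value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_user_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad with NULs to a 16-byte multiple, then XOR each block
    with MD5(secret + previous ciphertext block); the first 'previous block'
    is the Request Authenticator.  Anyone holding the secret can invert it."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(encrypted, secret, authenticator):
    """Inverse of encode_user_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encrypted[i:i + 16], key))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip,
                         authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD,
                     encode_user_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def verify_response(response, identifier, request_authenticator, secret):
    """Return the reply Code if its Response Authenticator
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) checks out, else None.
    A bad authenticator usually means the shared secret differs on each side."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    if response[1] != identifier:
        return None
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:] + secret).digest()
    return response[0] if expected == response[4:20] else None


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What a server would send back; here only used to exercise verify_response."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def probe(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request and classify the outcome.  Silence is the
    ambiguous case: a host firewall dropping UDP/1812 and FreeRADIUS ignoring
    a source with no clients.conf entry look identical from outside, which is
    why radiusd -X on the server is the other half of the test."""
    req, req_auth = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, port))        # connected UDP surfaces ICMP errors
        s.send(req)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "no reply: firewall drop or unknown client (check radiusd -X)"
        except ConnectionRefusedError:
            return "ICMP port unreachable: nothing listening on that port"
    code = verify_response(data, 1, req_auth, secret)
    if code is None:
        return "reply failed Response Authenticator check: shared secret mismatch?"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(
        code, f"code {code}")


if __name__ == "__main__":
    # Made-up values: point these at a test server of your own.
    print(probe("127.0.0.1", b"testing123", "bob", "hello", "127.0.0.1"))
```

Because the User-Password protection is a keyed XOR stream and not a hash, anyone who can read the RADIUS traffic and knows the shared secret recovers the password directly; that is the reason the outer RADIUS exchange should stay on a management network even when the EAP method inside is TLS-protected.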


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
 On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] wrote:
  Alan DeKok wrote:
   joe vieira wrote:
    i have eap-peap authentication working against our ad domain.  peachy 
    keen.  what i would like to be able to do is, in our openldap 
    environment, store attributes for retrieval by radius, cisco stuff/ 
    etc... i assume the way to do this would be to use the authorization  
    sections, but if you add ldap to that then it automatically adds ldap 
    authentication...which i don't want..

     Upgrade to a newer version of the server, which doesn't do that.

  which versions would that be?

 OK, I think I understand what you're asking. If you want to use LDAP
 for authorization ONLY, and something else for authentication, you
 could put an entry like this in your 'users' file:

 DEFAULT check_items (ex: Realm == 'your_domain')
 Autz-Type := your_ldap_instance (ex: ldap),
 Auth-Type := module_instance_for_authentication

 Setting Autz-Type forces a certain type of authorization. Setting
 Auth-Type forces a certain type of authentication. Doing this in a
 DEFAULT entry causes ALL users that have Fall-Through set to yes to
 be passed through the specified authorization & authentication method.
 This could also be set on a per-user basis by changing DEFAULT to
 a given user's username.

So I did what you recommended, which makes sense to do... I have 
Autz-Type := eap, and in debug mode I get this; clearly an access-reject 
follows. 

auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.

Obviously there is a module called eap... else the daemon would not start...

What do you think?
Joe
Joe




Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
   DEFAULT check_items (ex: Realm == 'your_domain')
   Autz-Type := your_ldap_instance (ex: ldap),
   Auth-Type := module_instance_for_authentication

  so i did what you recommended, which makes sense to do... i have
  Autz-type := eap, and in debug mode i get this clearly an access-reject
  follows.

  auth: No authenticate method (Auth-Type) configuration found for the
  request: Rejecting the user
  auth: Failed to validate the user.

 First off, eap shouldn't be used this way. The top line of eap.conf
 clearly states:

 Whatever you do, do NOT set 'Auth-Type := EAP'.  The server is smart
 enough to figure this out on its own

 Typical modules that would be used here are things like 'files', 'ldap',
 or 'sql'. There are also special types like 'Local' & 'System', which
 you'd have to use one of if you were using an sql table to store user
 credentials.

 The second thing you have to understand is the difference between
 modules & instances. An instance is a specific configuration of a
 module. The instance itself has a name that is user-specified.
 I suggest you read through the configurable_failover document, which
 is usually in /usr/share/doc/freeradius-version, it isn't long and
 offers pretty good insight into how freeradius' configuration gets
 processed.

 Also, if you need to use a separate back-end for authentication,
 maybe you should tell us what you need to use so we can give you
 more specific answers.

Reference the initial thread where I said I was authenticating off of 
Active Directory, using eap-peap, which I had previously working just 
fine. 
Since I didn't specify an instance name in my eap.conf, it is referenced 
as 'eap' (which I did read, but was following your advice).

Joe 




freeradius -peap ad/ldap

2007-03-15 Thread joe vieira
Hi all,

I'm using the RHEL build of freeradius 1.0.1.  I'm trying to do 
something that might seem totally stupid, so let me know if I am (no 
need to flame).  I'm new to freeradius so bear with me a bit.

I have eap-peap authentication working against our AD domain.  Peachy 
keen.  What I would like to be able to do is, in our openldap 
environment, store attributes for retrieval by radius, cisco stuff, 
etc... I assume the way to do this would be to use the authorization 
sections, but if you add ldap to that then it automatically adds ldap 
authentication... which I don't want..

Ideas?

Joe Vieira
UNIX Systems Administrator
Clark University


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira

Alan DeKok wrote:
 joe vieira wrote:
   
  I have eap-peap authentication working against our AD domain.  Peachy 
  keen.  What I would like to be able to do is, in our openldap 
  environment, store attributes for retrieval by radius, cisco stuff, 
  etc... I assume the way to do this would be to use the authorization 
  sections, but if you add ldap to that then it automatically adds ldap 
  authentication... which I don't want..

   Upgrade to a newer version of the server, which doesn't do that.

Which versions would that be?