Re: Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers

On 10/10/13 18:32, Phil Mayers wrote:

I've just ported our config to 3.0 and I'm seeing a few error messages;
they don't seem to be critical but are concerning me.

Specifically I'm seeing:


We're also getting:

Info: Invalid operator for item Sql-Group: reverting to '=='

...which is logged to radiusd.log. This seems to be spurious - all our 
comparisons to SQL-Group are, of course, using ==.


Other than that, it all seems OK!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error messages in debug on 3.0

2013-10-10 Thread Arran Cudbard-Bell




 On 10 Oct 2013, at 18:32, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 I've just ported our config to 3.0 and I'm seeing a few error messages; they 
 don't seem to be critical but are concerning me.
 
 Specifically I'm seeing:
 
 ERROR: Conditional evaluation failed due to internal sanity check.
 
 ...whenever I try to compare against absent attributes. What's the correct 
 syntax for this now - do I need:
 
 if ((Attr) && (Attr op RHS)) {
 

Yes.

 ...or can I ignore the message?
 
 
 I'm also seeing this with:
 
 if (%{outer.request:Blah})
 
 ...if I'm not in a tunnel (in some generic logging policy); what's the right 
 syntax for that?

possibly if (outer.request 

Sorry about the errors, I think they should be more descriptive in master 
unless Alan changed something when he did the second pass fix up for conditions.

But yes, in general a presence check is now required. It makes it easier to 
spot attributes which should be there but aren't.

-Arran


Re: Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers

On 10/10/13 18:51, Arran Cudbard-Bell wrote:


possibly if (outer.request 


Hmm, no, same thing, and worse, it's squashing Module-Failure-Message :o(


Re: Error messages in debug on 3.0

2013-10-10 Thread Alan DeKok
Phil Mayers wrote:
 I've just ported our config to 3.0 and I'm seeing a few error messages;
 they don't seem to be critical but are concerning me.
 
 Specifically I'm seeing:
 
 ERROR: Conditional evaluation failed due to internal sanity check.

  That should be fixed.  Either it can be deleted, or reworded.

 ...whenever I try to compare against absent attributes. What's the
 correct syntax for this now - do I need:
 
 if ((Attr) && (Attr op RHS)) {
 
 ...or can I ignore the message?

  Yes.

  Alan DeKok.


Re: Error messages in debug on 3.0

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 22:23, Alan DeKok al...@deployingradius.com wrote:

 Phil Mayers wrote:
 I've just ported our config to 3.0 and I'm seeing a few error messages;
 they don't seem to be critical but are concerning me.
 
 Specifically I'm seeing:
 
 ERROR: Conditional evaluation failed due to internal sanity check.
 
  That should be fixed.  Either it can be deleted, or reworded.

I've reworded it. The code in master actually tells you what was wrong, but the 
changes were quite extensive so it didn't get ported to v3.0.x.

I've also removed the error on accessing a request which doesn't exist, so 
presence checks work as expected.

The actual presence check itself is ok.

In radius_evaluate_tmpl:

    case VPT_TYPE_ATTR:
    case VPT_TYPE_LIST:
        if (radius_vpt_get_vp(request, vpt) != NULL) {
            rcode = true;
        } else {
            rcode = false;
        }
        break;

Which works for

if (outer.request:Attribute)

and 

if (outer.request)

It's just that one of the functions called to convert the enumerated request type 
to an actual REQUEST threw an error when the request didn't exist.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Alan DeKok
Bill Grant wrote:
 I am having trouble starting freeradius at boot on CentOS 6.4. It starts, but 
 it does not connect to my database; however, if I run it manually from the 
 command line it works fine. I think there is a permission issue somewhere. See 
 the log below:
 
 when I run following command as root it works

  It's probably some SELinux rule.  The normal Linux APIs allow *any*
process to make outbound connections.

  Alan DeKok.


RE: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Bill Grant
You are right, I temporarily disabled SELinux with echo 0 > /selinux/enforce 
and it worked. Now I just need to figure out exactly what it is blocking. 
Thanks for the help!



RE: Error: rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server is unavailable or does not exist

2013-05-25 Thread Bill Grant
I was able to fix it by doing the following.

I installed setroubleshoot

yum install setroubleshoot

Then I ran the following command

sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt

mylogfile.txt showed:

found 3 alerts in /var/log/audit/audit.log


SELinux is preventing /usr/sbin/radiusd from create access on the semaphore .

*  Plugin catchall (100. confidence) suggests  ***

If you believe that radiusd should be allowed create access on the  sem by 
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp




SELinux is preventing /usr/sbin/radiusd from search access on the directory 
/home.

*  Plugin catchall (100. confidence) suggests  ***

If you believe that radiusd should be allowed search access on the home 
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp




SELinux is preventing /usr/sbin/radiusd from name_connect access on the 
tcp_socket .

*  Plugin catchall (100. confidence) suggests  ***

If you believe that radiusd should be allowed name_connect access on the  
tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


I ran the commands listed above:

grep radiusd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp


That fixed the problem, thanks again.
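As an added example (not code from this thread), a POSIX shell helper that summarises the AVC denials a "grep radiusd /var/log/audit/audit.log | audit2allow -M mypol" module would turn into allow rules, grouped by permission, object class and target label, and separately counts the ones touching home-directory labels, which a RADIUS daemon normally has no reason to need. The audit lines, PIDs, serial numbers, inode and the mssql_port_t label in the sample are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: summarise the SELinux AVC denials
# that "grep radiusd /var/log/audit/audit.log | audit2allow -M mypol" would
# turn into allow rules, so each one can be reviewed before semodule -i.

# Constructed audit lines mirroring the three denials reported in the thread
# (create on sem, search on /home, name_connect on tcp_socket). PIDs, serial
# numbers, inode and the mssql_port_t label are made up for the example; the
# last line (httpd) is noise that a radiusd-only filter must ignore.
SAMPLE_AUDIT='type=AVC msg=audit(1369525000.101:201): avc:  denied  { create } for  pid=4242 comm="radiusd" scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=unconfined_u:system_r:radiusd_t:s0 tclass=sem
type=AVC msg=audit(1369525000.102:202): avc:  denied  { search } for  pid=4242 comm="radiusd" name="home" dev=dm-0 ino=131 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1369525000.103:203): avc:  denied  { name_connect } for  pid=4242 comm="radiusd" dest=1433 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:mssql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1369525000.104:204): avc:  denied  { name_connect } for  pid=4242 comm="radiusd" dest=1433 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:mssql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1369525000.105:205): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# summarize_avc COMM  (audit lines on stdin)
# One output line per distinct (permission, class, target context) denied to
# COMM, prefixed by how many times it was denied, sorted by permission.
summarize_avc() {
    awk -v comm="$1" '
        $1 == "type=AVC" && index($0, "comm=\"" comm "\"") {
            # the denied permission sits between "{ " and " }"
            n = split($0, a, "{")
            if (n < 2) next
            split(a[2], b, "}")
            perm = b[1]
            gsub(/^ +| +$/, "", perm)
            tclass = ""; tctx = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/)   tclass = substr($i, 8)
                if ($i ~ /^tcontext=/) tctx = substr($i, 10)
            }
            count[perm " " tclass " " tctx]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# home_denials COMM  (audit lines on stdin)
# Number of COMM denials whose target carries a home-directory label. A RADIUS
# daemon normally has no business under /home, so these point at a wrong path
# in the config or a library loaded from a home directory, and deserve a fix
# rather than a blanket allow rule.
home_denials() {
    summarize_avc "$1" | awk '$NF ~ /:(home_root_t|user_home_t|user_home_dir_t):/ { n += $1 } END { print n + 0 }'
}

# Usage: on a real host, replace the constructed sample with
#   grep radiusd /var/log/audit/audit.log | summarize_avc radiusd
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc radiusd
printf 'denials touching home directories: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | home_denials radiusd)"
```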



Re: Error syntax in sql accounting.

2013-02-04 Thread Alan DeKok
Hocine M wrote:
  Hi everybody,
 
 I always have an error in radius.log file :
 
 Mon Feb  4 16:16:52 2013 : Error: [sql_acct] Couldn't insert SQL
 accounting START record - Erreur de syntaxe près de '' à la ligne 1

  Don't edit the configuration files and break them.

  You do understand what Erreur de syntaxe means, right?

 I made my radacct accounting table with the schema found in
 /etc/freeradius/sql/mysql/schema.sql.
 I use a mysql server database.
 
 In my sql.conf I use the standard queries for accounting.

  It looks like you don't.

  Run the server in debugging mode, as suggested in the FAQ, man page,
web pages, and daily on this list.  Only that will tell you what's
really going on.

  Alan DeKok.

Re: Error: [ldap] All ldap connections are in use

2012-11-21 Thread Arran Cudbard-Bell

On 21 Nov 2012, at 13:00, Phil Brown phil.br...@port.ac.uk wrote:

 We have started seeing problems on our radius server with the error
 Error:   [ldap] All ldap connections are in use
 
 We have increased the ldap_connections_number from 5 to 20 which has
 largely resolved the issue.
 
 We now receive over 100,000 authentications a day; is there any guide
 to ldap_connections_number for the number of authentications, or
 should we just keep increasing the number until the issue goes away?

For 2.0 I would usually make it as big as the thread pool. The only reason to 
make it smaller is if processing that many requests in parallel has a negative 
impact on the overall TPS (transactions per second) of the LDAP server, or if 
you get so few requests sent via a connection that it gets cleaned up via some 
intermediary bit of networking equipment.

If you have the time/resources you could do a plot of increasing numbers of 
parallel requests vs overall TPS, and find the sweet spot for your specific 
LDAP cluster/server.

If you upgrade to 3.0 the connection pool code there allows you to specify 
elastic pools which automatically add or remove connections to/from the 
connection pool to cope with the current server load.

-Arran


Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2012-11-10 Thread alan buxey
Hi,

I have just untarred the 2.2.0 tarball, and added just one line the users
file: gokul Cleartext-Password:=abcde

at the top of the file... or at the bottom? If you add it to the bottom then 
other things in the file will prevent that user from being seen/used - add your 
test user/pass to the top of the users file.

you didn't give the full output of 'radiusd -X' either - I'm assuming that you 
are editing the correct users file - eg /usr/local/etc/raddb/users or 
/etc/raddb/users and not the users file that's in the source directory...

alan


Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2012-11-10 Thread Phil Mayers

On 11/10/2012 03:54 AM, Shravan S G wrote:

Hi all,

I am trying to configure FreeRadius 2.2.0. I am trying to test with the
radtest utility. However, when I run radtest, on my radiusd server, I
get the following error - ERROR: No authenticate method (Auth-Type)
found for the request: Rejecting the user. I know this is some issue
with the authentication part. However, I have not been able to pinpoint
the problem. Also, I haven't been able to find any relevant solutions on
the web.
I have just untarred the 2.2.0 tarball, and added just one line to the
users file: gokul Cleartext-Password:=abcde


If so, this hasn't taken. The debug shows:


++[files] returns noop


...and then:


[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:


Check you're editing the right file.



Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2012-11-10 Thread Shravan S G
Issue is resolved.
I was in fact editing the wrong users file. I was editing the users file in
the raddb folder of the uncompressed tarball.
Thanks for the help.

Regards,
Shravan


Re: error of segmentation during the implementation of eap2

2012-09-20 Thread Arran Cudbard-Bell

On 20 Sep 2012, at 12:23, Tatiana DIBANDA tdiband...@yahoo.fr wrote:

 Arran,
 
 Test for this first segmentation fault :
 reading pairlist file /usr/local/etc/raddb/hints
  Module: Linked to module rlm_realm
  Module: Instantiating module suffix from file 
 /usr/local/etc/raddb/modules/realm
   realm suffix {
     format = suffix
     delimiter = @
     ignore_default = no
     ignore_null = no
   }
 Erreur de segmentation
 - original config: In the default and inner-tunnel file we had eap2 { ok = 
 return } in the Authorize section, allowed eap2 in the authentication section 
 and eap2 in the post-process.
 - remove '-O2' from CFLAGS in Make.inc
 - rebuild freeradius
 - GDB trace in gdb-radiusd1.log (attached to this mail)
 
 Test for this second segmentation fault:
 ++[pap] returns noop
 Found Auth-Type = eap2
 # Executing group from file /usr/local/etc/raddb/sites-enabled/default
 +- entering group authenticate {...}
 Erreur de segmentation
 
 - config: in the default and inner-tunnel file just allowed eap2 in the 
 authentication section
 - remove '-O2' from CFLAGS in Make.inc
 - rebuild freeradius
 - GDB trace in gdb-radiusd2.log (attached to this mail)
 
 PS: in both cases we have this in the default file: if (EAP-Message) { update 
 control { Auth-Type := eap2 } } and in the users file we added this line: user 
 Cleartext-Password := password.

Both traces are with an older binary that was built with optimizations turned on.

Program received signal SIGSEGV, Segmentation fault.
0x080529d3 in cf_log_err (ci=0x0, 
    fmt=0x8085210 "\"%s\" modules aren't allowed in '%s' sections -- they have 
no such method.") at conffile.c:2641
warning: Source file is more recent than executable.

GDB also complains of this... Please ensure you're using the new binary. You 
should not see <value optimized out> appearing in the GDB output.

-Arran


Re: error of segmentation during the implementation of eap2

2012-09-19 Thread Arran Cudbard-Bell
Use your first config to test whether the patch worked (it should generate an 
error and exit).

You now appear to be getting a different segfault.

Please provide a backtrace for this segfault.

-Arran


Re: error of segmentation during the implementation of eap2

2012-09-19 Thread Arran Cudbard-Bell

On 19 Sep 2012, at 14:33, Tatiana DIBANDA tdiband...@yahoo.fr wrote:

 Arran
 My first configuration:
 In the default and inner-tunnel file we had eap2 { ok = return } in the 
 Authorize section, allowed eap2 in the authentication section and eap2 in the 
 post-process.
 When we started my server: segmentation fault, as you can see in the 
 output-segfault file attached to this mail.
 The gdb output is in the ouput_gdb-radius.log file also attached to this 
 mail.

You have reported two separate segfaults.

I need you to test with your original config to check that the fix I added for 
the *first* segfault works.

reading pairlist file /usr/local/etc/raddb/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module suffix from file 
/usr/local/etc/raddb/modules/realm
  realm suffix {
    format = suffix
    delimiter = @
    ignore_default = no
    ignore_null = no
  }
Erreur de segmentation

I need you to provide another GDB trace for the *second* segfault, so I can 
look at the cause.

++[pap] returns noop
Found Auth-Type = eap2
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
Erreur de segmentation

It would be helpful, before you provide the second GDB trace, to edit Make.inc 
and remove '-O2' from CFLAGS and rebuild, so that we can see the values that 
were optimized out.

-Arran


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread Alan DeKok
arnauld ndefo wrote:
 I want to implement freeradius with eap-psk. In many forums it is
 recommended to read experimental.conf to configure the module eap2.
 After reading experimental.conf, I have created the file eap2.conf
 which is attached to my email.
 Also, in radius.conf, I have put $INCLUDE eap2.conf in the modules
 section. In the default file, I have put eap2 { ok = return } in the
 authenticate section, and replaced all the eap in that file by eap2.

  OK.

 When I launch radius with export
 LD_PRELOAD=/home/dibus/hostap-06/eap_example/libeap.so  radiusd -X ; I
 have the output which is in the file sortie_freerad_ubuntu. At the end, you
 will see a segmentation error when it starts to load the module files.

  See doc/bugs

 Can someone help me to find the issue please??? It is very urgent for me.

  It's nice that it's urgent for you.  It's not urgent for us.

  *Why* is it urgent?  Are you a student doing an assignment?  Or
someone whose job requires EAP-PSK?

  Please explain.

  Alan DeKok.


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread Alan DeKok
arnauld ndefo wrote:
 I am working on a project which is based on EAP_PSK and implementing this
 is the first part.

  Which didn't answer my question.

 It seems that in some part of the code, the eap2 module is not allowed.
 
 Do you have an idea about this error, please?

  Since you're not going to answer my questions, and you're not really
following the instructions in doc/bugs, I can't help you.

  Alan DeKok.



Re: error of segmentation during the implementation of eap2

2012-09-18 Thread Arran Cudbard-Bell

On 18 Sep 2012, at 13:42, arnauld ndefo ndefo2...@yahoo.fr wrote:

 Thank you for your reply Alan. 
 I am working on a project which is based on EAP_PSK and implementing this is the 
 first part.
 
 As you recommended, I have used gdb to debug and see the problem. The 
 output that I have is below:
 # gdb radiusd
 GNU gdb (GDB) 7.1-ubuntu
 Copyright (C) 2010 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type show copying
 and show warranty for details.
 This GDB was configured as i486-linux-gnu.
 For bug reporting instructions, please see:
 http://www.gnu.org/software/gdb/bugs/...
 Reading symbols from /usr/local/sbin/radiusd...done.
 (gdb) set logging file gdb-radiusd.log
 (gdb) set logging on
 Copying output to gdb-radiusd.log.
 (gdb) set args -f
 (gdb) run
 Starting program: /usr/local/sbin/radiusd -f
 [Thread debugging using libthread_db enabled]
 
 Program received signal SIGSEGV, Segmentation fault.
 0x080529d3 in cf_log_err (ci=0x0, 
     fmt=0x8085210 "\"%s\" modules aren't allowed in '%s' sections -- they 
 have no such method.") at conffile.c:2641
 2641      radlog(L_ERR, "%s[%d]: %s", ci->filename, ci->lineno, buffer);
 
 
 It seems that in some part of the code, the eap2 module is not allowed.

Please provide a backtrace from GDB.

-Arran


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread alan buxey
Hi,

Starting program: /usr/local/sbin/radiusd -f
[Thread debugging using libthread_db enabled]
Program received signal SIGSEGV, Segmentation fault.
0x080529d3 in cf_log_err (ci=0x0, 
    fmt=0x8085210 "\"%s\" modules aren't allowed in '%s' sections -- they
have no such method.") at conffile.c:2641


send output of 'radiusd -X'   - looks like you have a fundamental configuration 
problem

alan


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread arnauld ndefo
/sbin
logdir = /usr/local/var/log/radius
run_dir = /usr/local/var/run/radiusd
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /usr/local/var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
  coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
  }
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Loading Clients 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module exec from file /usr/local/etc/raddb/modules/exec
  exec {
wait = no
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module expr from file /usr/local/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module expiration from file 
/usr/local/etc/raddb/modules/expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module logintime from file 
/usr/local/etc/raddb/modules/logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Auth-Type = eap2
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module pap from file /usr/local/etc/raddb/modules/pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module chap from file /usr/local/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module mschap from file 
/usr/local/etc/raddb/modules/mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module digest from file 
/usr/local/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module unix from file /usr/local/etc/raddb/modules/unix
  unix {
radwtmp = /usr/local/var/log/radius/radwtmp
  }
 Module: Linked to module rlm_eap2
 Module: Instantiating module eap2 from file /usr/local/etc/raddb/eap2.conf
  eap2 {
timer_expire = 60
cisco_accounting_username_bug = no
backend_auth = yes
   tls {
ca_cert = /usr/local/etc/raddb/certs/ca.pem
server_cert = /usr/local/etc/raddb/certs/server.pem
private_key_file = /usr/local/etc/raddb/certs/server.pem
private_key_password = whatever
dh_file = /usr/local/etc/raddb/certs/dh
   }
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module preprocess from file 
/usr/local/etc/raddb/modules/preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
reading pairlist file /usr/local/etc/raddb/huntgroups
reading pairlist file /usr/local/etc/raddb/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module suffix from file 
/usr/local/etc/raddb/modules/realm
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
Erreur de segmentation

 


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread arnauld ndefo
We have built the v2.1.X version. After that I have followed the 
experimental.conf file to configure eap2.conf.

The long term support release. The only changes to this code will 
be minor bug fixes. All new development is done in the stable branch.
$ git clone git://git.freeradius.org/freeradius-server.git
$ cd freeradius-server
$ git fetch origin v2.1.x:v2.1.x
$ git checkout v2.1.x 






From: Arran Cudbard-Bell a.cudba...@freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Cc: arnauld ndefo ndefo2...@yahoo.fr; tatiana dibanda tdiband...@yahoo.fr; 
tdibanda2...@yahoo.fr tdibanda2...@yahoo.fr; Alan DeKok 
al...@deployingradius.com
Sent: Tuesday, 18 September 2012 15:19
Subject: Re: error of segmentation during the implementation of eap2


On 18 Sep 2012, at 13:58, alan buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
   Starting program: /usr/local/sbin/radiusd -f
   [Thread debugging using libthread_db enabled]
   Program received signal SIGSEGV, Segmentation fault.
   0x080529d3 in cf_log_err (ci=0x0, 
       fmt=0x8085210 \%s\ modules aren't allowed in '%s' sections -- they
   have no such method.) at conffile.c:2641
 
 
 send output of 'radiusd -X'   - looks like you have a fundamental 
 configuration problem
 
 alan

Committed a fix for the segfault.

Please build from v2.1.x or master. Still won't work, but at least you'll get a 
proper error.

-Arran

Re: error of segmentation during the implementation of eap2

2012-09-18 Thread alan buxey
Hi,

We have built the v2.1.X version. After that i have followed the
experimental.conf file to configure the eap2.conf.
The long term support release. The only changes to this code will 
be minor bug fixes. All new development is done in the stable branch.
$ git clone git://git.freeradius.org/freeradius-server.git
$ cd freeradius-server
$ git fetch origin v2.1.x:v2.1.x
$ git checkout v2.1.x 

did you do this AFTER Arran's email? If so, when you run the program (after 
recompiling etc) you should now get a different error code.

alan


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread alan buxey
Hi,
Hi,
We do this before, when we started freeradius compilation.

yes - and now you have to do it again (well, just the git pull) as a patch has 
been made to the repository.

alan


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread arnauld ndefo
My project is to authenticate an openpana client with my radius server. The 
authentication method used by the client is based on EAP-PSK, which is why 
I want a radius server with EAP-PSK as the authentication method.

After applying the instructions in doc/bugs, I have got a file gdb-radiusd.log 
which I have attached to the mail.


Thank you




Re: error of segmentation during the implementation of eap2

2012-09-18 Thread alan buxey
Hi,
My project is to authenticate an openpana client with my radius server. The
authentication method used by the client is based on EAP-PSK, which is
why I want a radius server with EAP-PSK as the authentication method.
After applying the instructions in doc/bugs, I have got a file gdb-radiusd.log
which I have attached to the mail.

I take it that you've tried removing eap2 call from authorize and only have it 
in the authentication
section?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread Arran Cudbard-Bell

On 18 Sep 2012, at 15:07, arnauld ndefo ndefo2...@yahoo.fr wrote:

 My project is to authenticate an openpana client with my radius server. The 
 authentication method used by the client is based on EAP-PSK, which is 
 why I would have a radius server with EAP-PSK as authentication method.
 After applying the instructions in doc/bugs, I have got a file gdb-radiusd.log 
 which I have attached to the mail.

1. Confirm that your git repository head is at commit 
02567cf3c5aa758d7153c0bd7020e27a5067f7c3 (git pull).
2. Confirm that you have rebuilt the server.
3. If you still experience the segfault please edit the Makefile to remove the 
-O2 flag and rebuild the server, then post the output of gdb 'bt all'.
4. http://www.youtube.com/watch?v=0M7ibPk37_U

-Arran


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread arnauld ndefo
Hi, 
Concerning the error of segmentation, we have removed in the section authorize 
the part eap2{ ok = return} in the default and inner-server file. After that we 
have got the output of the radiusd -X which is in the attached file 
radiusd.txt. Normally we think that it is fine because the eap2 module has been 
loaded and we have at the end the line 

 ... adding new socket proxy address * port 52902
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

For the test of the eap2 module, we have put in the users file the line user1 
Auth-Type :=eap2, Cleartext-Password :=password

On the client, we have got 

#radtest user1 password 127.0.0.1:18120 0 testing1234
sh: getcwd() failed: No such file or directory
Sending Access-Request of id 217 to 127.0.0.1 port 18120
User-Name = user1
User-Password = password
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Reject packet from host 127.0.0.1 port 18120, id=217, length=20

And on the server we have got 

rad_recv: Access-Request packet from host 127.0.0.1 port 53591, id=217, 
length=75
User-Name = user1
User-Password = password
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0xd755b04bec06d6babdc5c934be2aae5a
server inner-tunnel {
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[files] users: Matched entry user1 at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = eap2
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap2] No EAP-Message.  Not doing EAP.
++[eap2] returns fail
Failed to authenticate the user.
} # server inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - user1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 217 to 127.0.0.1 port 53591
Waking up in 4.9 seconds.
Cleaning up request 1 ID 217 with timestamp +96

I have checked all the files and everything is OK. Then I don't know why the 
server doesn't succeed in authenticating the user. As you see, we have a "Failed 
to authenticate the user".
Do you have any ideas or suggestions please?

Thank you

 





 From: alan buxey a.l.m.bu...@lboro.ac.uk
To: arnauld ndefo ndefo2...@yahoo.fr; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org 
Cc: Alan DeKok al...@deployingradius.com; tatiana dibanda 
tdiband...@yahoo.fr; tdibanda2...@yahoo.fr tdibanda2...@yahoo.fr 
Sent: Tuesday 18 September 2012 17:57
Subject: Re: error of segmentation during the implementation of eap2
 
Hi,
    My project is to authenticate an openpana client with my radius server. The
    authentication method used by the client is based on EAP-PSK, which is
    why I would have a radius server with EAP-PSK as authentication method.
    After applying the instructions in doc/bugs, I have got a file gdb-radiusd.log
    which I have attached to the mail.

I take it that you've tried removing eap2 call from authorize and only have it 
in the authentication
section?

alan

#export LD_PRELOAD=/home/dibus/hostap-06/eap_example/libeap.so  radiusd -X

FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Sep 16 2012 at 
03:55:41
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb

Re: error of segmentation during the implementation of eap2

2012-09-18 Thread arnauld ndefo
Sorry to spam you, but we have
#radtest user1 password 127.0.0.1:1812 0 testing1234
and
#radtest user1 password 127.0.0.1:18120 0 testing1234
and we have got the same result for the client


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: error of segmentation during the implementation of eap2

2012-09-18 Thread alan buxey
Hi,
Sorry to spam you, but we have  #radtest user1 password 127.0.0.1:1812 0
testing1234  and 
#radtest user1 password 127.0.0.1:18120 0 testing1234 
and we have got the same result for the client

radtest doesn't send EAP packets

line user1 Auth-Type :=eap2, Cleartext-Password :=password

you can't do that - read the docs, never set the Auth-Type.  

the packet needs to have the right contents to be dealt with

[eap2] No EAP-Message.  Not doing EAP.
++[eap2] returns fail

see. eap2 isn't happy.


if you are wanting to test EAP-whateverflavour, then you need to use a client
that can send EAP-whateverflavour 

(like when testing EAP-PWD, I was using the latest beta of wpa_supplicant )

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: error of segmentation during the implementation of eap2

2012-09-18 Thread Arran Cudbard-Bell
As Alan B just said, radtest does not send EAP packets, no matter where you 
send the RADIUS packets, to the inner tunnel or the outer tunnel, radtest 
doesn't send EAP-Message.

You have hardcoded auth-type eap2 in your users file, so when the request 
enters the authenticate section, the eap2 module is called instead of the PAP 
module.

The EAP module says, WTH dude why am I being called when there's no 
EAP-message, and the server sends back a reject.

I can't remember if the eap2 module has the code to check for eap-message and 
set the appropriate Auth-Type, and i'm not going to check, because you still 
haven't confirmed whether that patch fixed the segfault or not. Grrr.

Instead of the users file entry, do something like

authorize {
	if (EAP-Message) {
		update control {
			Auth-Type := eap2
		}
	}
}

And please stop CCing everyone, mailman is smart enough not to send 
duplicates, but it's still annoying.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
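The point Arran and Alan B make above, that an Access-Request from radtest carries no EAP-Message at all, so rlm_eap has nothing to work with, can be seen on the wire. The following Python is an added example, not code from this thread and not FreeRADIUS code: it builds two Access-Requests for a constructed shared secret and user, one PAP-style with a hidden User-Password (the shape radtest sends) and one carrying EAP-Response/Identity inside EAP-Message (the shape a real EAP peer's first packet has), signs both with Message-Authenticator, and then applies the same presence check that `if (EAP-Message)` expresses in unlang. The secret, user name and packet identifiers are made up for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the example; the real secret is whatever clients.conf holds.
SECRET = b"testing1234"

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 s5)."""
    if len(value) > 253:
        raise ValueError("attribute value does not fit in one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(secret, ident, username, password=None, eap_identity=None):
    """Return a signed Access-Request. Pass a password for the PAP shape radtest
    sends, or an EAP identity for the EAP-Response/Identity shape an EAP peer sends."""
    authenticator = os.urandom(16)
    attrs = avp(ATTR_USER_NAME, username) + avp(ATTR_NAS_PORT, struct.pack("!I", 0))
    if password is not None:
        attrs += avp(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    if eap_identity is not None:
        # EAP header: Code 2 (Response), Identifier 1, Length, Type 1 (Identity), identity
        eap = struct.pack("!BBHB", 2, 1, 5 + len(eap_identity), 1) + eap_identity
        attrs += avp(ATTR_EAP_MESSAGE, eap)
    # Message-Authenticator (RFC 2869 s5.14): HMAC-MD5 over the whole packet with the
    # attribute's own 16 value bytes zeroed, then written into that slot.
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Return the (type, value) pairs of a RADIUS packet, refusing malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def has_eap_message(packet):
    """The gate rlm_eap applies before doing anything: is there an EAP-Message at all?"""
    return any(t == ATTR_EAP_MESSAGE for t, _ in parse_attributes(packet))


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the Message-Authenticator value zeroed and compare."""
    pos = 20
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


if __name__ == "__main__":
    pap = build_access_request(SECRET, 217, b"user1", password=b"password")
    eap = build_access_request(SECRET, 218, b"user1", eap_identity=b"user1")
    for name, pkt in (("radtest-style PAP", pap), ("EAP-Response/Identity", eap)):
        print(f"{name}: EAP-Message present={has_eap_message(pkt)}, "
              f"Message-Authenticator ok={verify_message_authenticator(pkt, SECRET)}")
```

The PAP packet is what the debug output above shows arriving: User-Name, User-Password, NAS-Port, Message-Authenticator, and no attribute 79. Hard-coding Auth-Type := eap2 sends that packet to a module that can only fail on it; gating on the attribute's presence sends only the second shape there.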

Re: error of segmentation during the implementation of eap2

2012-09-18 Thread arnauld ndefo
We don't know how to use the git pull command that you have sent to us. Then to 
fix the error of segmentation, we have just removed in the authorize section of 
the default and inner-tunnel file the part eap2 { ok=return}. We have not used 
the patch that you have recommended.

We have done in the freeradius-server directory the command git pull / 
git repository   and we have got nothing. 

If you have some suggestion to know how to Confirm that your git repository head 
is at commit 02567cf3c5aa758d7153c0bd7020e27a5067f7c3 (git pull), please tell 
us.
Thank you





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Error

2012-03-06 Thread Danner, Mearl
ulimit?

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of David Peterson
Sent: Tuesday, March 06, 2012 10:04 AM
To: FreeRadius users mailing list
Subject: Error

Has anyone run across this:

Couldn't open dictionary /usr/local/share/freeradius/dictionary: Too many
open files

| David Peterson | Senior Engineer | Wireless Connections |
| Office: 419.660.6100 ext 2287 | Cell: 419.706.7355| Fax: 419.668.4077 |
www.wirelessconnections.net | 
| 166 Milan Ave |  Norwalk OH 44857 |


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error

2012-03-06 Thread Alan DeKok
David Peterson wrote:
 Has anyone run across this:
 
 Couldn't open dictionary /usr/local/share/freeradius/dictionary: Too many
 open files

  You edited the dictionaries and broke them.

  You have a circular loop in loading the dictionaries.  So the loading
process is infinite, and never finishes.

  Don't do that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
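Alan's diagnosis, that a dictionary which ends up $INCLUDEing itself makes the loader open files until the process hits its descriptor limit, is easy to reproduce and easy to guard against. The following Python is an added example, not FreeRADIUS code and not a full dictionary parser: it follows $INCLUDE lines over a constructed in-memory set of dictionary files and refuses to re-enter a file that is still being loaded, reporting the cycle instead of recursing until open() fails. It handles only ATTRIBUTE and $INCLUDE lines, and the attribute-number check is for plain (non-vendor) attributes, which is all the constructed files contain.

```python
class DictionaryLoopError(Exception):
    """Raised when a dictionary file $INCLUDEs itself, directly or through other files."""


def parse_dictionary_line(raw):
    """Strip a trailing comment and split the line into words; [] for blank lines."""
    return raw.split("#", 1)[0].split()


def load_dictionary(name, files, _stack=None, attributes=None):
    """Load `name` from `files` (file name -> text), following $INCLUDE directives.

    Returns {attribute name: (number, type)}. Only ATTRIBUTE and $INCLUDE are
    understood; VALUE lines and vendor blocks are outside this example.
    """
    _stack = [] if _stack is None else _stack
    attributes = {} if attributes is None else attributes
    if name in _stack:
        # Without this check a loader keeps opening files until the process
        # runs out of descriptors, which surfaces as "Too many open files".
        raise DictionaryLoopError(" -> ".join(_stack + [name]))
    if name not in files:
        raise FileNotFoundError(name)
    _stack.append(name)
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        words = parse_dictionary_line(raw)
        if not words:
            continue
        if words[0] == "$INCLUDE" and len(words) == 2:
            load_dictionary(words[1], files, _stack, attributes)
        elif words[0] == "ATTRIBUTE" and len(words) >= 4:
            attr_name, number, attr_type = words[1], int(words[2]), words[3]
            if not 1 <= number <= 255:
                raise ValueError(f"{name}[{lineno}]: attribute number {number} is not in 1..255")
            attributes[attr_name] = (number, attr_type)
        else:
            raise ValueError(f"{name}[{lineno}]: cannot parse {raw!r}")
    _stack.pop()
    return attributes


def find_include_loop(name, files):
    """Return the include cycle as 'a -> b -> a', or None when the set loads cleanly."""
    try:
        load_dictionary(name, files)
    except DictionaryLoopError as err:
        return str(err)
    return None


# Constructed stand-ins for files under /usr/local/share/freeradius/; the names
# and contents are made up for the example.
GOOD_FILES = {
    "dictionary": "# top-level file\n$INCLUDE dictionary.rfc2865\n$INCLUDE dictionary.local\n",
    "dictionary.rfc2865": "ATTRIBUTE User-Name 1 string\nATTRIBUTE User-Password 2 string\n",
    "dictionary.local": "ATTRIBUTE Error-Cause 101 integer\n",
}

# The same set after someone "fixed" the local file by including the top-level file again.
LOOPING_FILES = dict(GOOD_FILES, **{"dictionary.local": "$INCLUDE dictionary\n"})


if __name__ == "__main__":
    print(sorted(load_dictionary("dictionary", GOOD_FILES).items()))
    print(find_include_loop("dictionary", LOOPING_FILES))
```

Run against a real tree, the same walk (reading each file from disk instead of the dict) tells you which edit introduced the cycle, which is quicker than bisecting the dictionaries by hand.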


Re: error-cause-attribute in CoA-Nak

2012-02-14 Thread Alan DeKok
Gennaro Leo wrote:
 How can I configure the freeradius to set error-cause-attributes (e.g.
 401 - Unsupported Attribute) when sending a CoA-Nak after receiving an
 Accounting Request?

$ man unlang

  update reply {
Error-Cause = Unsupported-Attribute
  }


  This should go into the send-coa subsection.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: error-cause-attribute in CoA-Nak

2012-02-14 Thread Gennaro Leo
Gennaro Leo wrote:
 How can I configure the freeradius to set error-cause-attributes (e.g.
 401 - Unsupported Attribute) when sending a CoA-Nak after receiving an
 Accounting Request?

 $ man unlang

  update reply {
   Error-Cause = Unsupported-Attribute
  }


  This should go into the send-coa subsection.

  Alan DeKok.

Hi Alan,
thanks for your quick reply.

I added the Attribute-Name Unsupported-Attribute in the dictionary
and modified the send-coa subsection as you suggested. Anyway in the
dictionary the 401 code is not accepted (max 255). Can I modify this
limit?

Thanks

Gennaro
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: error-cause-attribute in CoA-Nak

2012-02-14 Thread Alan DeKok
Gennaro Leo wrote:
 I added the Attribute-Name Unsupported-Attribute in the dictionary

  Did I say to do that?

 and modified the send-coa subsection as you suggested. Anyway in the
 dictionary the 401 code is not accepted (max 255). Can I modify this
 limit?

  You need to follow instructions.

  Do what I said.  It works.

  DON'T do extra work.  It doesn't work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
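The limit Gennaro ran into is on attribute numbers, not on values. Error-Cause is attribute 101 and is already in the stock dictionary; 401 (Unsupported-Attribute) is the 32-bit integer value that attribute carries, which is why `update reply { Error-Cause = Unsupported-Attribute }` works as Alan gave it and adding a new ATTRIBUTE numbered 401 does not. The following Python is an added example, not from the thread and not FreeRADIUS code: it builds a constructed CoA-Request, answers it with a CoA-NAK carrying Error-Cause = 401, computes the Response Authenticator as RFC 5176 requires, and parses the value back out. The shared secret, identifier and User-Name are made up.

```python
import hashlib
import hmac
import struct

SECRET = b"testing123"          # constructed; the real one comes from clients.conf

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME = 1
ATTR_ERROR_CAUSE = 101                    # the attribute *number*: must fit in one byte
ERROR_CAUSE_UNSUPPORTED_ATTRIBUTE = 401   # an attribute *value*: a 32-bit integer


def attribute_number_fits(number):
    """True when `number` can be the Type byte of a plain RADIUS attribute."""
    return 1 <= number <= 255


def avp(attr_type, value):
    """Type, Length, Value. The Type byte is where the 1..255 limit lives."""
    if not attribute_number_fits(attr_type):
        raise ValueError(f"attribute number {attr_type} does not fit in the Type byte")
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def integer_avp(attr_type, value):
    """RADIUS 'integer' values are 4 bytes, so 401 is an ordinary value."""
    return avp(attr_type, struct.pack("!I", value))


def build_coa_request(ident, attrs, secret):
    """CoA-Request Authenticator (RFC 5176 s2.3): MD5 over the packet with the
    authenticator field zeroed, followed by the shared secret."""
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + auth + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as for any RADIUS reply."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_coa_nak(request, secret, error_cause):
    """Answer `request` with a CoA-NAK that explains itself via Error-Cause."""
    ident, request_auth = request[1], request[4:20]
    attrs = integer_avp(ATTR_ERROR_CAUSE, error_cause)
    auth = response_authenticator(COA_NAK, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", COA_NAK, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request, secret):
    """What the sender of the CoA does: check the reply matches its request and secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = response_authenticator(response[0], response[1], request[4:20],
                                      response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def error_cause(packet):
    """Return the Error-Cause value from a packet, or None if it carries none."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == ATTR_ERROR_CAUSE and attr_len == 6:
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += attr_len
    return None


if __name__ == "__main__":
    req = build_coa_request(7, avp(ATTR_USER_NAME, b"user1"), SECRET)
    nak = build_coa_nak(req, SECRET, ERROR_CAUSE_UNSUPPORTED_ATTRIBUTE)
    print("NAK id", nak[1], "Error-Cause", error_cause(nak), "valid", verify_response(nak, req, SECRET))
```

The six-byte Error-Cause AVP on the wire is 65 06 00 00 01 91: type 101, length 6, value 401. Nothing about it needs a dictionary change.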


Re: error-cause-attribute in CoA-Nak

2012-02-14 Thread Gennaro Leo
Hi,
I began by saying that I am a newbie so you could expect some errors
by me. Fortunately I solved immediately.

Thank you anyway.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error Reading Certificate file

2011-12-30 Thread Alan DeKok
McSparin, Joe wrote:
 Get this error when running radiusd -X I checked my passwords in
 eap.cnf, ca.cnf, server.cnf and client.cnf
 
 rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
 rlm_eap_tls: Error reading certificate file
 '/usr/local/etc/raddb/certs/server.pem'

  Well... check the permissions.  You're likely running the server as
radiusd, and the files are readable only by root.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
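Alan's answer covers the file, and Joe's follow-up shows the usual trap: the certificate was made readable but the directory above it was not, and a user who cannot search a directory cannot open anything inside it, whatever the file's own mode says. The following Python is an added example, not from the thread: it walks every directory component above a path checking the search bit, then checks the read bit on the file itself, for a given uid and set of gids, the way the kernel's discretionary access check does for a non-root process. The stat function is injectable so the constructed tree below runs without touching the real filesystem; on a live box pass the real os.stat and the ids from pwd and grp. The uid/gid 1001 for radiusd and the directory modes are assumptions.

```python
import os
import stat
from types import SimpleNamespace


def _permitted(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic Unix check: owner bits if we own it, else group bits if a group
    matches, else the other bits. Root bypasses this (capabilities and MAC ignored)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def readable_as(path, uid, gids, stat_fn=os.stat):
    """Return (True, 'ok') or (False, reason) for opening `path` read-only as uid/gids."""
    path = os.path.abspath(path)
    parts = path.split(os.sep)
    current = os.sep
    for part in parts[1:-1]:
        current = os.path.join(current, part)
        st = stat_fn(current)
        if not _permitted(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, (f"cannot traverse directory {current}: mode "
                           f"{oct(stat.S_IMODE(st.st_mode))}, owner uid {st.st_uid} gid {st.st_gid}")
    st = stat_fn(path)
    if not _permitted(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, (f"cannot read {path}: mode {oct(stat.S_IMODE(st.st_mode))}, "
                       f"owner uid {st.st_uid} gid {st.st_gid}")
    return True, "ok"


# Constructed tree: path -> (mode, uid, gid). The file was fixed, the directory was not.
CERTS_TREE = {
    "/usr": (0o755, 0, 0),
    "/usr/local": (0o755, 0, 0),
    "/usr/local/etc": (0o755, 0, 0),
    "/usr/local/etc/raddb": (0o750, 0, 1001),
    "/usr/local/etc/raddb/certs": (0o700, 0, 0),
    "/usr/local/etc/raddb/certs/server.pem": (0o640, 0, 1001),
}
SERVER_PEM = "/usr/local/etc/raddb/certs/server.pem"
RADIUSD_UID, RADIUSD_GID = 1001, 1001   # assumed ids for the radiusd user and group


def check_in_tree(tree, path, uid, gids):
    """Run readable_as over the constructed tree instead of the real filesystem."""
    def fake_stat(p):
        mode, st_uid, st_gid = tree[p]
        return SimpleNamespace(st_mode=mode, st_uid=st_uid, st_gid=st_gid)
    return readable_as(path, uid, gids, stat_fn=fake_stat)


def fixed_tree():
    """The repair Joe describes: give the certs directory a mode the radiusd group can search."""
    tree = dict(CERTS_TREE)
    tree["/usr/local/etc/raddb/certs"] = (0o750, 0, RADIUSD_GID)
    return tree


if __name__ == "__main__":
    print(check_in_tree(CERTS_TREE, SERVER_PEM, RADIUSD_UID, {RADIUSD_GID}))
    print(check_in_tree(fixed_tree(), SERVER_PEM, RADIUSD_UID, {RADIUSD_GID}))
```

On a real server call readable_as with pwd.getpwnam("radiusd").pw_uid and the set of that user's gids from grp.getgrall(); the first failing component is the one to fix, and it is usually a directory, not the .pem. Keep the private key at 0640 root:radiusd rather than opening it to everyone.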


RE: Error Reading Certificate file

2011-12-30 Thread McSparin, Joe
That got it thanks.  I had changed the permission on the files but not
the certs directory. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error when trying to create certificates

2011-12-23 Thread McSparin, Joe
It's a package add from FreeBSD ports.  I'll try reinstalling it on
another machine and see where it puts it. 

Thanks, 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error when trying to create certificates

2011-12-23 Thread Herbert J. Skuhra
On Fri, Dec 23, 2011, at 08:52, McSparin, Joe wrote:
 It's a package add from FreeBSD ports.  I'll try reinstalling it on
 another machine and see where it puts it. 

http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/freeradius2/files/pkg-message.in?rev=1.2;content-type=text%2Fplain

-- 
Herbert

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error when trying to create certificates

2011-12-22 Thread McSparin, Joe
It's not located in the /usr/local/etc/raddb directory where my install is but 
I did a search and it is located here 
/usr/local/share/examples/freeradius/raddb/certs/xpextensions. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: 
freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org]
 On Behalf Of Alan Buxey
Sent: Thursday, December 22, 2011 1:18 AM
To: FreeRadius users mailing list
Subject: Re: your mail

Hi,
Keep getting this error message when running make in my /raddb/certs
directory I reinstalled openssl but to no avail.  Any thoughts?
 
/usr/bin/openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr 
-key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt
-extensions xpserver_ext -extfile xpextensions -config ./server.cnf
 
Using configuration from ./server.cnf
ERROR: loading the config file 'xpextensions'

does the 'xpextensions' file exist in your raddb/certs directory?  does it
have useful permissions?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Error when trying to create certificates

2011-12-22 Thread Alan DeKok
McSparin, Joe wrote:
 It's not located in the /usr/local/etc/raddb directory where my install is 
 but I did a search and it is located here 
 /usr/local/share/examples/freeradius/raddb/certs/xpextensions. 

  Find out who created the package (RPM, DEB, etc.) for your system,
and file a bug.  The default distribution ships the xpextensions file in
the /etc/raddb/certs/ directory for a reason.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error when trying to create certificates

2011-12-22 Thread Fajar A. Nugraha
 McSparin, Joe wrote:
 It's not located in the /usr/local/etc/raddb directory where my install is 
 but I did a search and it is located here 
 /usr/local/share/examples/freeradius/raddb/certs/xpextensions.

That's weird. What OS/distro is this?
OS packages would usually put them in
/usr/share/doc/freeradius/examples/certs (or similar). Certainly NOT
in /usr/local. Is this a package, or self-compiled?

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: Failed to send packet; No response from Server

2011-11-30 Thread suggestme
Alan,

I updated the ports tree in FreeBSD which upgraded FreeRadius to 2.1.12 from
2.1.10. After installation I am successful on doing basic PAP
Authentication. It solved this issue. 

Thank You so much!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: /etc/freeradius/proxy.conf[667]: Failed looking up hostname radius.easyzonecorp.net.

2011-11-28 Thread Alan Buxey
Hi,

 on server startup after reboot freeradius not start and show error
 Error: /etc/freeradius/proxy.conf[667]: Failed looking up hostname 
 radius.easyzonecorp.net.
 
 but when i try to start by hand /etc/init.d/freeradius start, it 's OK.
 
 Why freeradius fail to looking up hostname only on server startup?

sounds to me like you are trying to run the server before the network
stack or interfaces are up. how are you running the server startup?
what level did you start it at?

usually software packages will have it starting at the right time

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: Failed to send packet; No response from Server

2011-11-28 Thread Alan DeKok
suggestme wrote:
 I was successful to install Freeradius 2.1.10 

  Upgrade to 2.1.12.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error in Activation Attribute

2011-09-09 Thread Alan DeKok
Det Det wrote:
 I have Activation attribute in radcheck table (which has a date VALUE)
 in old RADIUS server. I don't find this attribute in FreeRADIUS. I get
 this error. any idea?

  What is Activation?

  It's not a standard RADIUS attribute.  FreeRADIUS doesn't support it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error in Activation Attribute

2011-09-09 Thread Fajar A. Nugraha
On Fri, Sep 9, 2011 at 9:50 AM, Det Det det.explo...@yahoo.com wrote:
 Hi,
 I have Activation attribute in radcheck table (which has a date VALUE) in
 old RADIUS server. I don't find this attribute in FreeRADIUS. I get this
 error. any idea?

What radius server is that?

If it's also a freeradius installation, the old admin might add a
custom attribute, in which case you can see how it was defined in the
usual dictionary directory (/usr/[local/]/share/freeradius), and you
can copy the file (or just the part that defines the attribute) to
your new FR installation.

If it's some other radius server, then you basically need the
dictionary file that defines the attribute (might need to ask your
NAS/radius vendor), and put it on FR's dictionary directory.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error in dialupadmin

2011-09-09 Thread andreapepa
Yes, I've had the same issue after the dialup admin installation.

But what you are reporting is not an error, it is only the debug info on top of
the pages that will remain there (and shows all the sql behind) until you
remove the sql debug in admin.conf:

# Uncomment to enable sql debug
#
#sql_debug: true


Maybe there is a "no connection" error that you didn't paste.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error in dialupadmin

2011-09-09 Thread Alberto Mijares
Hi andreapepa,

Thanks for your answer.

If I comment back this line I only see a white screen. This is very
very weird. I've installed thousands of web apps, and almost all php
based. There's no connection error anywhere.

I tried with the php CLI and I only see the same errors from apache2 error.log.

Could you give me some help, please?

HTML works fine.

Regards.


Alberto Mijares






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error: User-Name is not the same as MS-CHAP name

2011-08-03 Thread broo0...@googlemail.com
Hi,

I seem to have the same issue as described in this thread, I also have
XP/Novell legacy clients, and I want to move to AD from eDir.

Re: Error: User-Name is not the same as MS-CHAP name
https://lists.freeradius.org/pipermail/freeradius-users/2011-June/msg00070.html

The last mention I can see of this was a few months ago, has anything
changed since ?

I was wondering if I can work around the issue by using realms to strip the
username and then force the domain into the ntlm_auth line in the mschap
module. I got some way with this approach but it still seems to want to
create the hash using the DOMAIN/USER which I'm guessing is wrong.

Anyway, if there is a fix or workaround I'd be grateful if you could you let
me know.

Thanks,

Bruce
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error with AD/freeradius config

2011-07-15 Thread Arran Cudbard-Bell

On Jul 15, 2011, at 4:26 PM, Edge wrote:

 Exec-Program output: Exec-Program: FAILED to execute
 /usr/local/etc/raddb/modules/ntlm_auth: Permission denied 
 Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
 /usr/local/etc/raddb/modules/ntlm_auth: Permission denied 

Helps to actually read the debug output you're posting ;)

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Error with AD/freeradius config

2011-07-15 Thread Gary Gatten
Exec-Program output: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied


Your path to ntlm auth is wrong.  You need to specify the path to the ntlm auth 
bin/exe that comes with samba.

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Edge
Sent: Friday, July 15, 2011 9:27 AM
To: freeradius-users@lists.freeradius.org
Subject: Error with AD/freeradius config

OK, sorry as this is a long mail because I'm going to include as much config
as possible.
I have been playing around trying to get this to work with little success,
though the debug error messages have changed since yesterday.
I'm having trouble getting freeradius to use ntlm_auth - the error message is
now stating a permission error.
Just to confirm, I'm following the steps on deployingradius.com.

PAP has been tested and is working
Samba configured and working
wbinfo -a = works, having tested multiple logins
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user
--password=password = working, again tested with multiple logins
radtest user password localhost 0 testing123 = does not work, see debug info
at end of email..


Contents of /raddb/modules/ntlm_auth file

#
#  For testing ntlm_auth authentication with PAP.
#
#  If you have problems with authentication failing, even when the
#  password is good, it may be a bug in Samba:
#
#   https://bugzilla.samba.org/show_bug.cgi?id=6563
#
exec ntlm_auth {
        wait = yes
        program = "/usr/local/etc/raddb/modules/ntlm_auth --request-nt-key --domain=xx --username=%{mschap:User-Name} --password=%{User-Password}"
}



I have modified the authenticate sections of the raddb/sites-enabled/default
file, and of the raddb/sites-enabled/inner-tunnel file
Listed below are the authenticate sections only as that is all I have
changed
sites-enabled/default



authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
Auth-Type CHAP {
chap
}

#
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#  ntlm authentication.

ntlm_auth

#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authorize' section.
digest

#
#  Pluggable Authentication Modules.
#   pam

#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against /etc/passwd!  See the FAQ for details.
#
#  For normal crypt authentication, the pap module should
#  be used instead of the unix module.  The unix module should
#  be used for authentication ONLY for compatibility with legacy
#  FreeRADIUS configurations.
#
unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means check plain-text password against
# the ldap database, which means that EAP won't work,
# as it does not supply a plain-text password.
#   Auth-Type LDAP {
#   ldap
#   }

#
#  Allow EAP authentication.
eap

#
#  The older configurations sent a number of attributes in
#  Access-Challenge packets, which wasn't strictly correct.
#  If you want to filter out these attributes, uncomment
#  the following lines.
#
#   Auth-Type eap {
#       eap {
#           handled = 1
#       }
#       if (handled && (Response-Packet-Type == Access-Challenge)) {
#           attr_filter.access_challenge.post-auth
#           handled  # override the updated code from attr_filter
#       }
#   }
}
#


raddb/sites-enabled/inner-tunnel file - again just showing the bit
modified..

#
authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}


#
#  Most people want CHAP authentication
# 

Re: Error with AD/freeradius config

2011-07-15 Thread Edge
Hi

Arran, I did read the debug messages, I just didn't understand what they
were telling me. I couldn't understand why it had failed to execute as the
file was there, I was root, and I even tried using an admin account - just in
case.
Gary has given me a clue so off I go hunting.

Thanks Guys and have a good weekend

-Original Message-
From: freeradius-users-bounces+edgedemon=hotmail@lists.freeradius.org
[mailto:freeradius-users-bounces+edgedemon=hotmail@lists.freeradius.org]
On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: 15 July 2011 16:17
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 75, Issue 58

Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-requ...@lists.freeradius.org

You can reach the person managing the list at
freeradius-users-ow...@lists.freeradius.org

When replying, please edit your Subject line so it is more specific than
Re: Contents of Freeradius-Users digest...


Today's Topics:

   1. Re: Error with AD/freeradius config  (Arran Cudbard-Bell)
   2. Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and,
  ?more?broadly, setting Stripped-User-Name) (Alexander Clouter)
   3. RE: Error with AD/freeradius config  (Gary Gatten)


--

Message: 1
Date: Fri, 15 Jul 2011 16:31:34 +0200
From: Arran Cudbard-Bell a.cudba...@freeradius.org
Subject: Re: Error with AD/freeradius config
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 7df14eea-3164-48bd-996b-8edc42c59...@freeradius.org
Content-Type: text/plain; charset=us-ascii


On Jul 15, 2011, at 4:26 PM, Edge wrote:

 Exec-Program output: Exec-Program: FAILED to execute
 /usr/local/etc/raddb/modules/ntlm_auth: Permission denied 
 Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
 /usr/local/etc/raddb/modules/ntlm_auth: Permission denied 

Helps to actually read the debug output you're posting ;)

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



--

Message: 2
Date: Fri, 15 Jul 2011 15:49:34 +0100
From: Alexander Clouter a...@digriz.org.uk
Subject: Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and,
?more?broadly, setting Stripped-User-Name)
To: freeradius-users@lists.freeradius.org
Message-ID: uk06f8-ku7@chipmunk.wormnet.eu

Phil Mayers p.may...@imperial.ac.uk wrote:

Unfortunately, when you set nostrip in the config, it doesn't add a
Stripped-User-Name attribute to the request, but when you unset it,
rlm_realms adds a Stripped-User-Name attribute and also updates the
User-Name attribute to the same value.  

 I am 90% sure that's not what rlm_realm does. We use unlang to process 
 realms now, but I am certain we used it with nostrip and it left the 
 original User-Name intact and populated Stripped-User-Name.

You are right, we use rlm_realm and it leaves User-Name unadulterated.

This sounds like maybe the *inner* auth User-Name is realmless and 
making it's way out into outer.reply.  When you use 'User-Name' in 
post-auth{} you will get reply:User-Name rather than request:User-Name 
if I remember correctly.

The fix is to *reject* inner-authentications that are realm-less.

Cheers

-- 
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.



--

Message: 3
Date: Fri, 15 Jul 2011 10:16:48 -0500
From: Gary Gatten ggat...@waddell.com
Subject: RE: Error with AD/freeradius config 
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID:

30615_1310743009_4E2059E1_30615_115_1_D9B37353831173459FDAA836D3B43499C5218
6...@wadpmbxv0.waddell.com

Content-Type: text/plain; charset=us-ascii

Exec-Program output: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied


Your path to ntlm auth is wrong.  You need to specify the path to the ntlm
auth bin/exe that comes with samba.

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org]
On Behalf Of Edge
Sent: Friday, July 15, 2011 9:27 AM
To: freeradius-users@lists.freeradius.org
Subject: Error with AD/freeradius config

OK, sorry as this is a long mail because Im going to include as much config
as possible.
I have been playing around trying to get this to work with little success
though the debug error messages have changed since yesterday
Im having trouble getting freeradius

RE: Error with AD/freeradius config

2011-07-15 Thread Sallee, Stephen (Jake)
If I may interject... if Gary's hint does not pan out I would suggest also 
checking that the ntlm_auth binary is accessible to the FR daemon, I had an 
issue on my box that the file permissions were correct but one of the 
directories in the path was denying me access. So not only does the file need 
the correct permissions but every directory in the path does too.  That one was 
a bugger to pin down the first time I came against it : )

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

RE: Error with AD/freeradius config

2011-07-15 Thread Gary Gatten
I can't guarantee the syntax of the ntlm_auth command is correct for OP's 
particular environment, but I will guarantee you must specify the correct path 
to the Samba ntlm_auth binary.

As for perms, I agree they can be tricky.  If I run into issues I typically 
start running stuff as root.  Not fail safe, but does uncover perms issues 
pretty quick.

G
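Jake's and Gary's points come down to one check: every directory on the way to the binary needs the search (x) bit for the account radiusd runs as, and the last component must be a regular file with an execute bit. A path that points at the module's configuration file, as the one in this thread does, fails that last test, and execve() reports it as "Permission denied". The POSIX sh function below is an added example, not code from the thread or from the FreeRADIUS project; it walks the path the way the kernel does and names the first component that fails. The path in the demonstration call at the end is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS. Explains an
# "Exec-Program: FAILED to execute <path>: Permission denied" by walking the
# path the way execve() does: every directory needs the search (x) bit for
# the calling user, and the last component must be a regular file with an
# execute bit. Run it as the account radiusd drops to, not as root.

# check_exec_path PATH
#   Prints "ok: PATH" and returns 0 if PATH could be executed by the current
#   user; otherwise prints the first failing component on stderr and
#   returns 1.
check_exec_path() {
    target=$1
    case $target in
        /*) ;;
        *)  echo "not an absolute path: $target" >&2; return 1 ;;
    esac

    # Walk /usr, /usr/local, /usr/local/etc, ... up to the parent directory.
    dir=$(dirname "$target")
    walked=''
    oldifs=$IFS
    IFS=/
    for comp in $dir; do
        [ -n "$comp" ] || continue
        walked="$walked/$comp"
        if [ ! -d "$walked" ]; then
            IFS=$oldifs
            echo "missing directory: $walked" >&2
            return 1
        fi
        if [ ! -x "$walked" ]; then
            IFS=$oldifs
            echo "no search (x) permission on directory: $walked" >&2
            return 1
        fi
    done
    IFS=$oldifs

    if [ ! -e "$target" ]; then
        echo "missing: $target" >&2
        return 1
    fi
    if [ ! -f "$target" ]; then
        echo "not a regular file: $target" >&2
        return 1
    fi
    if [ ! -x "$target" ]; then
        # A configuration file such as raddb/modules/ntlm_auth ends up here:
        # execve() fails with EACCES, which radiusd logs as "Permission denied".
        echo "not executable: $target" >&2
        return 1
    fi
    echo "ok: $target"
    return 0
}

# Demonstration with the path from the thread; on a host where that path is
# the module configuration file this reports "not executable".
check_exec_path /usr/local/etc/raddb/modules/ntlm_auth || true
```

Run it as the service account rather than as root, e.g. `sudo -u radiusd sh check.sh` (assuming `radiusd` is the `user` set in radiusd.conf): root passes directory search checks regardless of mode bits, so testing as root hides exactly the directory case Jake describes, while a regular file with no execute bit is refused even for root. `namei -l /usr/bin/ntlm_auth` from util-linux prints the same walk with the mode of every component.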



Re: Error with AD/freeradius config

2011-07-14 Thread Phil Mayers

On 14/07/11 16:04, Edge wrote:


My /sites-enabled/default file - I have just copied the authentication
section as everything else in the file is at default settings


Not necessary or helpful. Full debug (which you didn't provide; you 
trimmed the start) is what's needed.




rad_recv: Access-Request packet from host 127.0.0.1 port 44992, id=218,
length=60

User-Name = 

User-Password = x

NAS-IP-Address = xxx.xxx.xxx.xxx

NAS-Port = 0


This is not an MSCHAP request. It's a PAP request, probably from radtest 
or radclient.


You need to test with EAP. Either use eapol_test from the 
wpa_supplicant source, or use radtest -t mschap and direct the request 
to the testing port of the inner-tunnel virtual server.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
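Phil's diagnosis (a request carrying User-Password is PAP, whatever the users file says) and the trace Edge posted in this thread both come from reading the radiusd -X output line by line. The shell function below is an added example, not part of the thread or of FreeRADIUS, that does that reading mechanically for one request: it classifies the credential from the request attributes, prints what every module returned in each section, and lists the authorize modules that returned anything other than noop. The embedded trace is the one posted in this thread, trimmed to the lines the function uses, with the poster's masking left in place.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: summarise one
# request from a "radiusd -X" trace. It reports which credential the request
# carried (PAP, CHAP, MS-CHAP or EAP), what every module returned in each
# section, and the final verdict, so that "No authenticate method (Auth-Type)
# found" can be traced back to the authorize modules that all returned noop.

# radius_debug_triage < trace
#   Reads a debug trace on stdin, prints one "section module -> rc" line per
#   module call, then a summary line and any ERROR line.
radius_debug_triage() {
    awk '
        /^rad_recv: /                           { packet = $2; method = "unknown" }
        $1 == "User-Password" && $2 == "="      { method = "PAP" }
        $1 == "CHAP-Password" && $2 == "="      { method = "CHAP" }
        $1 == "MS-CHAP-Challenge" && $2 == "="  { method = "MS-CHAP" }
        $1 == "EAP-Message" && $2 == "="        { method = "EAP" }
        /^\+- entering group /                  { section = $4 }
        /^\+\+\[/ && / returns / {
            # "++[files] returns noop" -> module "files", return code "noop"
            mod = $1
            sub(/^\+\+\[/, "", mod)
            sub(/].*$/, "", mod)
            rc = $3
            printf "%s %s -> %s\n", section, mod, rc
            if (section == "authorize" && rc != "noop")
                active = active (active == "" ? "" : ",") mod ":" rc
        }
        /^ERROR: /                              { err = $0 }
        /^Sending Access-(Accept|Reject|Challenge)/ { verdict = $2 }
        END {
            printf "packet=%s method=%s authorize_non_noop=%s verdict=%s\n",
                   packet, method, (active == "" ? "none" : active), verdict
            if (err != "") print err
        }
    '
}

# The trace below is the one posted in this thread, trimmed to the lines the
# function uses; the poster had already masked the user name and addresses.
SAMPLE_TRACE='rad_recv: Access-Request packet from host 127.0.0.1 port 46984, id=103, length=60
        User-Name = xxx
        User-Password = xxx
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
++[suffix] returns noop
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 103 to 127.0.0.1 port 46984'

# triage_sample
#   Runs the triage over the embedded trace.
triage_sample() {
    printf '%s\n' "$SAMPLE_TRACE" | radius_debug_triage
}

triage_sample
```

On the posted trace only preprocess returned ok in authorize and files returned noop, meaning no users entry matched, so nothing set Auth-Type and the ERROR line follows directly; that contradicts the `DEFAULT Auth-Type = ntlm_auth` entry the poster describes and is the first thing to chase. A request sent with `radtest -t mschap` to the inner-tunnel test port, as Phil suggests, shows up here as method=MS-CHAP instead of PAP.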


Re: Error with AD/freeradius config

2011-07-14 Thread Arran Cudbard-Bell

On Jul 14, 2011, at 5:18 PM, Gary Gatten wrote:

 I don’t think you need braces and such, this is not as much an auth type as a 
 method
  
 Try just a single line that reads: ntlm_auth
  
 Also, I actually had to set my default auth-type to ntlm_auth.  You know the 
 part where it says “…for testing only..”.  in the users file?  But, I had to 
 leave it in or it would never call ntlm_auth and hence no logins would work.
  
 G

See here *sigh*:

http://wiki.freeradius.org/NTLM+Auth+with+PAP+HOWTO

 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Error with AD/freeradius config

2011-07-14 Thread Gary Gatten
Not sure if that was intended for OP or myself, but I went to check it out and 
it wants me to login.  I did with my fb, but then it wanted access to stuff I 
don't want to share - so I can't read it.

In my case I use (currently) ntlm_auth exclusively, so setting the default to 
that doesn't bother me - much...  At some point I'll need to do some LDAP 
stuff, which then I'm sure it will bother me more.

G



From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Arran Cudbard-Bell
Sent: Thursday, July 14, 2011 10:34 AM
To: FreeRadius users mailing list
Subject: Re: Error with AD/freeradius config


On Jul 14, 2011, at 5:18 PM, Gary Gatten wrote:


I don't think you need braces and such, this is not as much an auth type as a 
method

Try just a single line that reads: ntlm_auth

Also, I actually had to set my default auth-type to ntlm_auth.  You know the 
part where it says ...for testing only...  in the users file?  But, I had to 
leave it in or it would never call ntlm_auth and hence to logins would work.

G

See here *sigh*:

http://wiki.freeradius.org/NTLM+Auth+with+PAP+HOWTO


Arran Cudbard-Bell
a.cudba...@freeradius.orgmailto:a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter






font size=1
div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 
1.0pt 0in'
/div
This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system.
/font

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error with AD/freeradius config

2011-07-14 Thread Edge
Thanks for the quick reply Gary

I changed the /usr/local/etc/raddb/sites-enabled/default file to

#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#  ntlm authentication.

ntlm_auth

#

I also changed the /usr/local/etc/raddb/sites-enabled/inner-tunnel file to

#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
#  NTLM authentication.
ntlm_auth
#  Pluggable Authentication Modules.

I can confirm that the top of my users file has the following entry..

DEFAULT Auth-Type = ntlm_auth

The debug file is still giving the same output..


rad_recv: Access-Request packet from host 127.0.0.1 port 46984, id=103,
length=60
User-Name = 
User-Password = xxx
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = , looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - xxx
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 17 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 17
Sending Access-Reject of id 103 to 127.0.0.1 port 46984
Waking up in 4.9 seconds.
Cleaning up request 17 ID 103 with timestamp +95119
Ready to process requests.

-Original Message-
From: freeradius-users-bounces+edgedemon=hotmail@lists.freeradius.org
[mailto:freeradius-users-bounces+edgedemon=hotmail@lists.freeradius.org]
On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: 14 July 2011 16:19
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 75, Issue 49

Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-requ...@lists.freeradius.org

You can reach the person managing the list at
freeradius-users-ow...@lists.freeradius.org

When replying, please edit your Subject line so it is more specific than
Re: Contents of Freeradius-Users digest...


Today's Topics:

   1. Re: Error with AD/freeradius config (Phil Mayers)
   2. Re: SoH - FR 2.1.11 (Phil Mayers)
   3. RE: Error with AD/freeradius config (Gary Gatten)


--

Message: 1
Date: Thu, 14 Jul 2011 16:13:28 +0100
From: Phil Mayers p.may...@imperial.ac.uk
Subject: Re: Error with AD/freeradius config
To: freeradius-users@lists.freeradius.org
Message-ID: 4e1f0798.3000...@imperial.ac.uk
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 14/07/11 16:04, Edge wrote:

 My /sites-enabled/default file - I have just copied the authentication 
 section as everything else in the file is at default settings

Not necessary or helpful. Full debug (which you didn't provide; you trimmed
the start) is what's needed.


 rad_recv: Access-Request packet from host 127.0.0.1 port 44992, 
 id=218,
 length=60

 User-Name = 

 User-Password = x

 NAS-IP-Address = xxx.xxx.xxx.xxx

 NAS-Port = 0

This is not an MSCHAP request. It's a PAP request, probably from radtest or
radclient.

You need to test with EAP. Either use eapol_test from the wpa_supplicant
source, or use radtest -t mschap and direct the request to the testing
port of the inner-tunnel virtual server.


--

Message: 2
Date: Thu, 14 Jul 2011 16:14:48 +0100
From: Phil Mayers p.may...@imperial.ac.uk
Subject: Re: SoH - FR 2.1.11
To: freeradius-users@lists.freeradius.org
Message-ID: 4e1f07e8.6060...@imperial.ac.uk
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 14/07/11 15:59, Palmer J.D.F. wrote:
 Thanks Phil  Arran,

 I keep starting reply emails and another arrives before I get to send 
 them.

Hehe.


 I've tried array hack, that fails even with 'firewall' as the condition.
 if (%{SoH-MS-Windows-Health-Status[*]} =~ /firewall/), where as if 
 (SoH-MS-Windows-Health-Status

RE: Error with AD/freeradius config

2011-07-14 Thread Gary Gatten
Where do you have the ntlm_auth command specified?  You can put it in 
numerous/various FR conf files; I think mine is in radiusd.conf, but I forget.  
And, what IS that command?  It should be essentially the same command you 
execute to test SAMBA with outside the FR environment.

I can help more after lunch if needed.  Well, helping more assumed I've 
helped some already - which is a big assumption huh!?

G


Re: Error with AD/freeradius config

2011-07-14 Thread Phil Mayers

On 14/07/11 16:34, Arran Cudbard-Bell wrote:


http://wiki.freeradius.org/NTLM+Auth+with+PAP+HOWTO


How about what I've just put there?

Needs testing, but it should work.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error with AD/freeradius config

2011-07-14 Thread Arran Cudbard-Bell

On Jul 14, 2011, at 6:03 PM, Gary Gatten wrote:

 Not sure if that was intended for OP or myself, but I went to check it out 
 and it wants me to login.  I did with my fb, but then it wanted “access” to 
 stuff I don’t want to share – so I can’t read it.

No matter what FB says, all omnigollum is interested in is your name and email 
(I know, I wrote it). Can't figure out where the privacy control settings are 
for the App on Facebook, so if you have an issue, sign up with GitHub or 
twitter. 

But anyway, you only actually need to sign in to edit or create pages. gollum 
was just getting confused... and I've unconfused it.


  
 In my case I use (currently) ntlm_auth exclusively, so setting the default to 
 that doesn’t bother me – much….  At some point I’ll need to do some LDAP 
 stuff, which then I’m sure it will bother me more. 

Probably not, but the correct way to do it is posted at that wiki page.

-Arran
  
 G
  
  
 From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
 Behalf Of Arran Cudbard-Bell
 Sent: Thursday, July 14, 2011 10:34 AM
 To: FreeRadius users mailing list
 Subject: Re: Error with AD/freeradius config
  
  
 On Jul 14, 2011, at 5:18 PM, Gary Gatten wrote:
 
 
 I don’t think you need braces and such, this is not as much an auth type as a 
 method
  
 Try just a single line that reads: ntlm_auth
  
 Also, I actually had to set my default auth-type to ntlm_auth.  You know the 
 part where it says “…for testing only..” in the users file?  But, I had to 
 leave it in or it would never call ntlm_auth and hence no logins would work.
  
 G
  
 See here *sigh*:
  
 http://wiki.freeradius.org/NTLM+Auth+with+PAP+HOWTO
  
  
 Arran Cudbard-Bell
 a.cudba...@freeradius.org
  
 RADIUS - Half the complexity of Diameter
  
 This email is intended to be reviewed by only the intended recipient and may 
 contain information that is privileged and/or confidential. If you are not 
 the intended recipient, you are hereby notified that any review, use, 
 dissemination, disclosure or copying of this email and its attachments, if 
 any, is strictly prohibited. If you have received this email in error, please 
 immediately notify the sender by return email and delete this email from your 
 system.

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Re: Error with AD/freeradius config

2011-07-14 Thread Arran Cudbard-Bell

On Jul 14, 2011, at 6:29 PM, Phil Mayers wrote:

 On 14/07/11 16:34, Arran Cudbard-Bell wrote:
 
 http://wiki.freeradius.org/NTLM+Auth+with+PAP+HOWTO
 
 How about what I've just put there?

Neat :) Looks good. Tweaked a few bits and pieces and converted it back to RST. 
I wanted this to be bundled with general AD documentation in the docs directory 
at some point.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Error with AD/freeradius config

2011-07-14 Thread Phil Mayers

On 07/14/2011 06:11 PM, Arran Cudbard-Bell wrote:


How about what I've just put there?


Neat :) Looks good. Tweaked a few bits and pieces and converted it
back to RST. I wanted this to be bundled with general AD


Back to? There was just an empty page there when I visited, or am I 
missing your point?


Anyway. RST, Markdown, not fussed (except for code formatting - see my 
other email)



documentation in the docs directory at some point.


Sounds sensible.


Re: Error with Thread

2011-06-29 Thread Fajar A. Nugraha
On Wed, Jun 29, 2011 at 6:32 PM, Jean Carlos Oliveira Guandalini
jean.guandal...@corp.visaonet.com.br wrote:
 Hello, i'm using version 1.1.8, my OS is Linux (Gentoo).

The usual response would be upgrade. 1.x is not supported anymore.


 My server stop and log this:
 Error: FATAL: Thread create failed: Resource temporarily unavailable

 Before this log, have:
 Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from
 client client1:41250 - ID: 195 due to unfinished request 155365
 Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from
 client client2:59253 - ID: 235 due to unfinished request 155374

My guess is freeradius is busy handling requests that took a long
time. Usually this happens when your backend (e.g. db) takes a long
time to process the request, which is quite common if (for example)
you record accounting packets in a database, and never clean it up so it
has millions of rows. Or your db is not properly designed (e.g. not
indexed on the right columns). Or you're using custom queries which
cause high load on the db.

In any case, I'd start by fixing whatever backend you use first, make
sure it can respond in a timely manner.

-- 
Fajar


Re: Error with Thread

2011-06-29 Thread Jean Carlos Oliveira Guandalini
Unfortunately I cannot update the version because one module we use does
not run correctly in newer versions.

If I use MySQL (InnoDB) instead of MyISAM, would that help with table
locking and consequently give better performance?

Thanks

Jean




Re: Error with Thread

2011-06-29 Thread Fajar A. Nugraha
On Wed, Jun 29, 2011 at 8:29 PM, Jean Carlos Oliveira Guandalini
jean.guandal...@corp.visaonet.com.br wrote:
 Unfortunately I not update a version because one module what we use was
 not run correctly in newer versions


That sucks :P

If I were you I'd start investing in reimplementing that module so
it's compatible with newer 2.x. Possibly even rewriting it in perl so
it can be run with rlm_perl.

 If I use Mysql(InnoDB) instead MyISAM, maybe help with table lock and
 consequently better performance?

When someone asks me that question, usually it's a sign that they know
very little about databases. And my best advice would be to get a DBA.

The reason is that:
- Note that I said GUESS previously. You need to determine whether it
IS in fact the database that's slow. That would require some knowledge
about the database being used, including how to find out what is
causing the most load. This is a skill that a DBA will have.
- InnoDB and MyISAM have their own strengths/weaknesses, but I've never
had a case where JUST changing the storage engine would automagically
solve all problems. Storage engine selection and tuning is usually part
of the solution, but it's not the ONLY one. In fact, I'd say when it
comes to performance, indexes matter more than storage engine type.
Again, this is a skill that a DBA will have.
- The default queries used by freeradius are fairly simple and
straightforward. Thus, the effort/skill required to make them faster
is pretty much the normal things that a DBA would do for a common
database. These might include (but are not limited to) optimizing indexes,
table definitions, queries, partitioning, clustering, and so on.
Again, this is a skill that a DBA will have.

So my best advice right now is find out if the db is the cause of the
slow response (running top on the db server would be a good start).
If it is, get help from a dba or ask in the db's respective
forum/list.

If it's not, well, I'd start with running radiusd -X, simulate with
a test auth/acct packet, and see where it's taking the most time.

-- 
Fajar




Re: Error with Thread

2011-06-29 Thread Jean Carlos Oliveira Guandalini
Thanks for your advice, I really think there is a problem with the DB,
because the problem only happens when there are many authentication requests
simultaneously.

Thanks again.

Jean



Re: Error: rlm_ldap: All ldap connections are in use

2011-06-13 Thread Phil Mayers

On 13/06/11 14:44, Angus JIANG Jian wrote:

We found the following error message in the RADIUS log: Error:
rlm_ldap: All ldap connections are in use, on a Redhat Workstation 5
OS.

Error: Discarding duplicate request from client AP1840-4:1031 - ID:
72 due to unfinished request 1017. 7:05pm - Tried to restart the
RADIUS daemon but the problem still exists. 7:08pm - Tried to increase
the ldap_connection limit from 15 to 50 but got another error message:
Info: The maximum number of threads (32) are active, cannot spawn
new thread to handle request. Resumed the ldap_connection
limit; the problem still exists.


Your LDAP server is taking too long. It's too slow.

Ensure your LDAP database is indexed correctly.
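The diagnosis in this thread and in the "Error with Thread" thread above is the same: a slow backend (LDAP or SQL) holds worker threads and connection-pool slots, the NAS retransmits, and radiusd logs "unfinished request" drops, "All ldap connections are in use", and eventually "maximum number of threads (N) are active" or a fatal thread-create failure. The following is an added example (not FreeRADIUS code and not from any poster in these threads) that triages a radiusd.log excerpt for exactly those indicators and reports them as a backend-saturation finding rather than as misbehaving clients. The log lines in `SAMPLE_LOG` are constructed to resemble the ones quoted in the two threads; client names, ports, IDs and timestamps are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample excerpt of radiusd.log, modelled on the lines quoted in
# the two threads above. Client names, ports, IDs and timestamps are made up.
SAMPLE_LOG = """\
Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from client client1:41250 - ID: 195 due to unfinished request 155365
Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from client client2:59253 - ID: 235 due to unfinished request 155374
Wed Jun 29 00:16:14 2011 : Error: Dropping conflicting packet from client client1:41250 - ID: 196 due to unfinished request 155366
Wed Jun 29 00:16:15 2011 : Error: FATAL: Thread create failed: Resource temporarily unavailable
Mon Jun 13 14:40:02 2011 : Error: rlm_ldap: All ldap connections are in use
Mon Jun 13 14:40:03 2011 : Error: Discarding duplicate request from client AP1840-4:1031 - ID: 72 due to unfinished request 1017
Mon Jun 13 14:40:05 2011 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Mon Jun 13 14:40:06 2011 : Auth: Login OK: [alice] (from client AP1840-4 port 0)
"""

# A NAS retransmitting while its original request is still being processed:
# the server drops the retransmit and names the request that is still stuck.
STUCK_RE = re.compile(
    r"(?:Dropping conflicting packet|Discarding duplicate request) from client "
    r"(?P<client>\S+) - ID: (?P<id>\d+) due to unfinished request (?P<req>\d+)"
)
LDAP_POOL_RE = re.compile(r"rlm_ldap: All ldap connections are in use")
THREADS_RE = re.compile(r"The maximum number of threads \((?P<max>\d+)\) are active")
THREAD_FATAL_RE = re.compile(r"Thread create failed")


@dataclass
class Triage:
    stuck_by_client: Counter = field(default_factory=Counter)
    unfinished_requests: Set[int] = field(default_factory=set)
    ldap_pool_exhausted: int = 0
    thread_pool_exhausted: int = 0
    max_threads: Optional[int] = None
    thread_create_failed: int = 0
    unclassified: int = 0


def triage(log_text: str) -> Triage:
    """Classify each radiusd.log line into the saturation indicators above."""
    t = Triage()
    for line in log_text.splitlines():
        if (m := STUCK_RE.search(line)):
            t.stuck_by_client[m["client"]] += 1
            t.unfinished_requests.add(int(m["req"]))
        elif LDAP_POOL_RE.search(line):
            t.ldap_pool_exhausted += 1
        elif (m := THREADS_RE.search(line)):
            t.thread_pool_exhausted += 1
            t.max_threads = int(m["max"])
        elif THREAD_FATAL_RE.search(line):
            t.thread_create_failed += 1
        else:
            t.unclassified += 1
    return t


def diagnose(t: Triage) -> List[str]:
    """Turn the counts into findings. Every finding points at the backend or
    an exhausted pool, not at the clients that are merely retransmitting."""
    findings: List[str] = []
    if t.ldap_pool_exhausted:
        findings.append(
            f"rlm_ldap pool exhausted {t.ldap_pool_exhausted}x: LDAP queries are "
            "not returning fast enough (check directory indexes)"
        )
    if t.thread_pool_exhausted:
        findings.append(
            f"all {t.max_threads} worker threads busy {t.thread_pool_exhausted}x: "
            "raising the connection pool alone just moves the bottleneck here"
        )
    if t.thread_create_failed:
        findings.append(
            f"thread creation failed {t.thread_create_failed}x (fatal): the process "
            "hit a resource limit while trying to grow the thread pool"
        )
    if t.stuck_by_client:
        total = sum(t.stuck_by_client.values())
        worst, n = t.stuck_by_client.most_common(1)[0]
        findings.append(
            f"{total} retransmits dropped for {len(t.unfinished_requests)} "
            f"unfinished requests (busiest NAS {worst}: {n}); clients are timing "
            "out waiting on the server"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG)):
        print("-", finding)
```

Run against a real log with `triage(open("/var/log/radius/radiusd.log").read())`; the retransmit counter per NAS is the quickest way to see whether every client is affected (backend slow for everyone) or only one (that NAS has an unusually short retransmit timer).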


RE: Error: rlm_ldap: All ldap connections are in use

2011-06-13 Thread Angus JIANG Jian
Hi,

   Our LDAP server is Novell eDirectory 8.6; the RADIUS server is talking with 
eDirectory 8.6.


Regards
Angus
ITU Systems
Ext: 6551






Email Disclaimer
This e-mail and its attachments, if any, are confidential and contain 
information for an intended recipient. The Open University of Hong Kong (OUHK) 
disclaims any liability for any loss or damage if this e-mail is received by 
any person who is not the intended recipient. E-mail transmissions cannot be 
guaranteed to be completely secure, error or virus free. No responsibility is 
accepted by the OUHK for any loss or damage arising in any way from receipt or 
use thereof. Arrangements or statements appearing to bind OUHK are not binding 
upon OUHK unless made in accordance with OUHK's constitution and duly 
authorised. OUHK staff are expressly prohibited from breaching applicable law, 
infringing third party rights, making defamatory statements and committing 
tortious acts by e-mail communications.



RE: Error: rlm_ldap: All ldap connections are in use

2011-06-13 Thread Angus JIANG Jian
Hi Phil,

All authentication was stopped at 18:59:36 2011 : Error: TLS Alert 
write:fatal:bad record mac


Tue Jun  7 18:59:34 2011 : Auth: Login OK: [s9540746] (from client localhost port 0)
Tue Jun  7 18:59:35 2011 : Auth: Login OK: [s0182695] (from client localhost port 0)
Tue Jun  7 18:59:35 2011 : Auth: Login OK: [s9540746] (from client AP1840-7 port 0 cli 8C-7B-9D-AC-DE-88)
Tue Jun  7 18:59:35 2011 : Auth: Login OK: [s0182695] (from client wlan2_phy port 0 cli 8C-7B-9D-C5-1D-A5)
Tue Jun  7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun  7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun  7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Tue Jun  7 18:59:36 2011 : Auth: Login incorrect: [s1017761/no User-Password attribute] (from client wlan2_phy port 0 cli 8C-7B-9D-9C-29-21)
Tue Jun  7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun  7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun  7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Tue Jun  7 18:59:36 2011 : Auth: Login incorrect: [s1001903/no User-Password attribute] (from client AP1840-6 port 0 cli 8C-7B-9D-A4-95-AE)
Tue Jun  7 18:59:36 2011 : Info: rlm_eap_mschapv2: Issuing Challenge
Tue Jun  7 18:59:36 2011 : Info: rlm_eap_mschapv2: Issuing Challenge
Tue Jun  7 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac
Tue Jun  7 18:59:36 2011 : Error: rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Tue Jun  7 18:59:36 2011 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.


Regards
Angus
ITU Systems
Ext: 6551



RE: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Paul Harris
On 02/06/11 14:47, Francois Gaudreault wrote:


 Did you have a chance to look at it?

Ironically I'm having trouble finding a windows XP install CD...


I have a link to a torrent, just send me a email at pau...@mail.com


 


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Phil Mayers

On 03/06/11 13:10, Paul Harris wrote:

On 02/06/11 14:47, Francois Gaudreault wrote:

Did you have a chance to look at it?

Ironically I'm having trouble finding a windows XP install CD...

I have a link to a torrent, just send me an email at pau...@mail.com


Or not.

I'm not downloading a torrent of copyrighted software to fix someone 
else's problem.



Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Johan Meiring

On 2011/06/03 02:15 PM, Phil Mayers wrote:


I'm not downloading a torrent of copyrighted software to fix someone else's
problem.


As long as you don't get a key, it is legal.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html



Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Alan DeKok
Johan Meiring wrote:
 As long as you dont get a key, it is legal.

  No.

  This list is not the place to discuss non-FreeRADIUS software.

  Alan DeKok.


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Phil Mayers

On 03/06/11 15:09, Johan Meiring wrote:

On 2011/06/03 02:15 PM, Phil Mayers wrote:

I'm not downloading a torrent of copyrighted software to fix someone
else's problem.

As long as you don't get a key, it is legal.



This is getting farcical...

Not picking on any one specific person here, but seriously - can anyone 
not contributing to the discussion at the level of the radius protocols 
just move along please?


I will get to it when I get to it, and in a manner of my own choosing. 
If you think you can do it faster, then please - do so. I'll gladly 
defer. Installing a copy of Windows XP and trying to reproduce some 
crappy Novell client issue is very much not top of my TODO list.


Grumbling,
Phil


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Francois Gaudreault

Hi Phil,



What I really want to understand is, whether the check is too strict 
and FreeRADIUS should be fixed, or whether Windows XP is just buggy. 
I will try to check this tomorrow.


e.g. maybe the check should be:

if eap.username == mschap.username:
 ok
elif not mschap.domain:
 if eap.stripped-user-name == mschap.username:
   ok
 reject
else:
 reject

I will try to investigate this tomorrow when I get back to the office.

Aight.  Keep us posted.



Did you have a chance to look at it?

Thanks!

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Phil Mayers

On 02/06/11 14:47, Francois Gaudreault wrote:




Did you have a chance to look at it?


Ironically I'm having trouble finding a windows XP install CD...


Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Fajar A. Nugraha
On Thu, Jun 2, 2011 at 9:01 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 02/06/11 14:47, Francois Gaudreault wrote:


 Did you have a chance to look at it?

 Ironically I'm having trouble finding a windows XP install CD...

This might help:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=21eabb90-958f-4b64-b5f1-73d0a413c8ef

Last time I checked, VirtualBox can also use VHD, so it should work even
on Linux/Mac hosts.

-- 
Fajar


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Phil Mayers

On 05/29/2011 03:10 PM, Francois Gaudreault wrote:

Hi Phil,

On 11-05-29 6:16 AM, Phil Mayers wrote:

Ok, so as before what we're seeing is that the host is sending

STIC08862\TechRMC

...in the EAP-Identity response, but:

TechRMC

...in the MSCHAP packet (the hex above decodes to that)

This is obviously broken, but here's where I get confused: STIC08862
doesn't look like a domain name to me. It looks like a machine name.

It is indeed a machine name. This is where we have problems, this does
not happen using Windows 7. I tried to set a Realm for that machine name
without success. The thing I don't understand is why MSCHAP complains
about that. I mean, correct me if I am wrong, mschap:User-Name will
*always* strip that part since it looks like a domain.


Forget about all that. Adding Realm's and fiddling with the packet won't 
help; the check is hard-coded into the mschap module as a fairly obvious 
security measure.


For example - suppose I have an environment with two separate domains:

STAFF
STUDENTS

...if the mschap module did *not* check this, I could rig my mschap 
client to send:


EAP-Identity: STAFF\john
MSCHAP-Name: STUDENT\john

There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed their 
username.






Is the machine a domain member or not? Is the user logging on locally
or with a domain account? Or is this an artefact of the way Novell works?

The machine is not a member of the domain, and the user logs in to Novell. So
when the user logs in, it sends the username information to RADIUS just
as if a local user had logged in.


Ah.

I had assumed the machine was a domain member, because you were talking 
about machine auth (which requires domain membership). I take it there 
are two sets of machines - some in the domain, some not? I assume they 
all have the Novell client installed?







What happens if you take an ordinary machine, without the Novell
client installed, create a local user with the same username/password
as a domain user, then use send username automatically

We tried it, and the machine appears to be sending the machine name
anyway. It will work only if we don't send the credentials automatically.


Usually, people only use send username automatically with machines 
which are in the domain. It's possible this is just a bug in Windows XP, 
and that no-one else has ever tried this, so it's never been seen.



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Francois Gaudreault

Hi Phil,

Forget about all that. Adding Realm's and fiddling with the packet 
won't help; the check is hard-coded into the mschap module as a fairly 
obvious security measure.


For example - suppose I have an environment with two separate domains:

STAFF
STUDENTS

...if the mschap module did *not* check this, I could rig my mschap 
client to send:


EAP-Identity: STAFF\john
MSCHAP-Name: STUDENT\john

There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.


True.  But I don't think it is possible to send a different username in 
EAP-Identity and MSChap username in the same EAP session since the 
second is derived from the first.  I have seen such a setup where you have 
two domains; RADIUS would use the Realm to differentiate the two.


Is there a way we could work around this hard-coded check since in our 
case, we only have one john?




Ah.

I had assumed the machine was a domain member, because you were 
talking about machine auth (which requires domain membership). I take 
it there are two sets of machines - some in the domain, some not? I 
assume they all have the Novell client installed?
Correct, the machines are not members of an AD domain.  However, they 
have the Novell Client installed, and they are using a kind of AD tree 
in their eDirectory structure.  So machine auth works the same as if it 
were an AD domain.  The users are not members of that special tree.




Usually, people only use send username automatically with machines 
which are in the domain. It's possible this is just a bug in Windows 
XP, and that no-one else has ever tried this, so it's never been seen.
It is possible that in Windows XP, something is broken at the supplicant 
level.  In windows 7,  the OS is brilliant enough not to send the 
machine name.  However, mainly 80% of his machines are Windows XP.



--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Phil Mayers

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:


There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.


True.  But I don't think it is possible to send a different username in 
EAP-Identity and MSChap username in the same EAP session since the 
second is derived from the first.  I have seen such a setup where you have 
two domains; RADIUS would use the Realm to differentiate the two.


For a legit client, yes. A malicious client can send anything it wants.



Is there a way we could work around this hard-coded check since in our 
case, we only have one john?


Sure; the check is just one line; grep the source code for it and 
comment it out.


What I really want to understand is, whether the check is too strict and 
FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will 
try to check this tomorrow.


e.g. maybe the check should be:

if eap.username == mschap.username:
 ok
elif not mschap.domain:
 if eap.stripped-user-name == mschap.username:
   ok
 reject
else:
 reject

I will try to investigate this tomorrow when I get back to the office.
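To make the two rules concrete, here is an added example (not FreeRADIUS code, and not a patch by anyone in this thread; the thread shows only Phil's pseudocode) in Python. `strict_check` is the byte-for-byte comparison that produces the "User-Name is not the same as MS-CHAP name" error; `relaxed_check` is the proposed rule from the pseudocode above. The `DOMAIN\user` split is the form quoted in the thread; handling `user@realm` as well is an assumption of this example.

```python
from typing import NamedTuple, Optional


class Identity(NamedTuple):
    domain: Optional[str]   # NT domain (or realm) part, None when absent
    user: str


def split_identity(name: str) -> Identity:
    """Split an NT-style 'DOMAIN\\user' name into its parts.

    The 'user@realm' form is handled too; that is an assumption of this
    example, the thread only shows the backslash form.
    """
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return Identity(domain or None, user)
    if "@" in name:
        user, _, realm = name.rpartition("@")
        return Identity(realm or None, user)
    return Identity(None, name)


def strict_check(eap_identity: str, mschap_name: str) -> bool:
    """The behaviour behind the error in this thread: the name inside the
    MS-CHAP response must equal the EAP-Identity exactly."""
    return eap_identity == mschap_name


def relaxed_check(eap_identity: str, mschap_name: str) -> bool:
    """Phil's proposed relaxation (pseudocode in the message above): accept an
    equal name; if the MS-CHAP name carries no domain, accept it when it equals
    the EAP-Identity with its domain prefix stripped; reject everything else,
    in particular a name that claims a *different* domain."""
    if eap_identity == mschap_name:
        return True
    ms = split_identity(mschap_name)
    if ms.domain is None:
        return split_identity(eap_identity).user == ms.user
    return False


# Constructed cases drawn from the thread: the XP/Novell client that sends the
# machine name as a prefix, and the STAFF/STUDENT example.
CASES = [
    ("STIC08862\\TechRMC", "TechRMC"),     # XP client: strict rejects, relaxed accepts
    ("STAFF\\john", "STUDENT\\john"),      # changed domain: both reject
    ("john", "john"),                      # identical: both accept
]

if __name__ == "__main__":
    for eap, ms in CASES:
        print(eap, "vs", ms, "strict:", strict_check(eap, ms),
              "relaxed:", relaxed_check(eap, ms))
```

The relaxed rule never accepts an MS-CHAP name that names a different domain from the EAP-Identity, which is the case Phil gives as the reason the check exists; it only tolerates a bare user name whose stripped form matches, which is what the XP/Novell client in this thread sends.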


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread ironrake
In my shop I see a mix of domain and non domain machines. Each type will send 
machine or user\localmachine for user's name depending on the configuration of 
the windows suplicant. Avoid having users logon to domain machines with local 
user accounts unless you have configured the windows suplicant from the 
default. Do the same with non domain machines.

Here I check for the form \full.windows.domain.name. If this is present, I 
use ntlm-auth. If it is not, I strip off the \host part in the inner tunnel 
and use that as a user in an ldap store which has mschap password hashes. In 
most cases this works for domain machines where users are logging in with local 
accounts or logging in locally with cached user credentials. The rest show up 
at the help desk. I am excited about the mschap patches talked about in recent 
posts.
Sent from Verizon Wireless



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Francois Gaudreault

Hi,

On 11-05-30 9:55 AM, Phil Mayers wrote:

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:


There's no guarantee that STAFF\john and STUDENT\john are the same
person; you can't just ignore the fact that the client has changed
their username.


True.  But I don't think it is possible to send a different Username
in EAP-Identity and MSChap Username in the same EAP session since the
second is derived from the first.  I have seen such a setup where you
have two domains; RADIUS would use the Realm to differentiate the two.


For a legit client, yes. A malicious client can send anything it wants.

I completely agree with you on this.





Is there a way we could work around this hard-coded check since in 
our case, we only have one john?


Sure; the check is just one line; grep the source code for it and 
comment it out.


What I really want to understand is, whether the check is too strict 
and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I 
will try to check this tomorrow.


e.g. maybe the check should be:

if eap.username == mschap.username:
    ok
elif not mschap.domain:
    if eap.stripped-user-name == mschap.username:
        ok
    reject
else:
    reject

I will try to investigate this tomorrow when I get back to the office.

Aight.  Keep us posted.


--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-29 Thread Phil Mayers

On 05/28/2011 06:33 PM, Francois Gaudreault wrote:

Sending tunneled request
 EAP-Message =
0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc09a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43

 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = STIC08862\\TechRMC
 State = 0x510e2245510938eb25e1ac3222e20688


Ok, so as before what we're seeing is that the host is sending

STIC08862\TechRMC

...in the EAP-Identity response, but:

TechRMC

...in the MSCHAP packet (the hex above decodes to that)

This is obviously broken, but here's where I get confused: STIC08862 
doesn't look like a domain name to me. It looks like a machine name.


Is the machine a domain member or not? Is the user logging on locally or 
with a domain account? Or is this an artefact of the way Novell works?


What happens if you take an ordinary machine, without the Novell client
installed, create a local user with the same username/password as a
domain user, then use "send username automatically"?


That is - does this work if the Novell client isn't in the picture?
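The decode Phil does by hand above (the inner EAP-Message hex ends in the MS-CHAP Name field) and the relaxed comparison he sketches in his 2011-05-30 reply, as an added Python example. This is not FreeRADIUS code and not from anyone in the thread. Both packets are the ones quoted from radiusd -X in this thread, but the list archive has dropped runs of zero bytes from them (the EAP length fields say 22 and 66 bytes; the archived hex holds 20 and 58), so the example restores the identity packet's zero identifier and high length byte and the eight reserved zero bytes of the MS-CHAPv2 response. That restoration, and the comparison rule in names_match, are assumptions.

```python
"""Decode the two EAP packets from the thread and compare their names.

Added example (Python), not FreeRADIUS code. The list archive dropped runs of
zero bytes from the quoted hex; the identifier/length bytes of the identity
packet and the eight reserved zero bytes of the MS-CHAPv2 response are restored
here so each packet matches its own length field (22 and 66 bytes). That
restoration and the relaxed comparison rule below are assumptions.
"""
from __future__ import annotations
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OP_RESPONSE = 2
MSCHAPV2_VALUE_SIZE = 49  # Peer-Challenge(16) + Reserved(8) + NT-Response(24) + Flags(1)

# Outer EAP-Identity Response: code 2, id 0, length 22, type 1, "STIC08862\TechRMC"
IDENTITY_HEX = "0200001601" "5354494330383836325c54656368524d43"
# Inner EAP-MSCHAPv2 Response: code 2, id 7, length 66, type 26, opcode 2, MS-length 61, value-size 49
RESPONSE_HEX = (
    "020700421a0207003d31"
    "87ddf68b18fb1dce4cdd5b001c06abc0"                  # Peer-Challenge
    "0000000000000000"                                  # Reserved (restored)
    "9a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa"  # NT-Response
    "00"                                                # Flags
    "54656368524d43"                                    # Name = "TechRMC"
)
# The same response exactly as the archive shows it, reserved bytes missing
ARCHIVED_RESPONSE_HEX = ("020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc0"
                         "9a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43")


def parse_eap(packet: bytes) -> tuple[int, int, int, bytes]:
    """Return (code, identifier, type, type_data); the length field must match the wire."""
    if len(packet) < 5:
        raise ValueError("EAP packet too short to carry a type")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != {len(packet)} bytes present")
    return code, ident, packet[4], packet[5:]


def eap_identity(packet: bytes) -> str:
    """The identity string from an EAP-Identity Response (the outer User-Name)."""
    code, _, eap_type, data = parse_eap(packet)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Identity Response")
    return data.decode("utf-8")


def mschapv2_response_name(packet: bytes) -> str:
    """The Name field that follows the fixed 49-byte Value of an MS-CHAPv2 Response."""
    code, _, eap_type, data = parse_eap(packet)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-MSCHAPv2 Response")
    opcode, _ms_id, ms_length, value_size = struct.unpack("!BBHB", data[:5])
    if opcode != MSCHAPV2_OP_RESPONSE:
        raise ValueError(f"MS-CHAPv2 opcode {opcode} is not Response")
    if ms_length != len(data) or value_size != MSCHAPV2_VALUE_SIZE:
        raise ValueError("MS-CHAPv2 length fields do not match the packet")
    return data[5 + value_size:].decode("utf-8")


def is_well_formed(packet_hex: str) -> bool:
    """True when every length field in the hex is consistent with the bytes present."""
    try:
        packet = bytes.fromhex(packet_hex)
        _, _, eap_type, _ = parse_eap(packet)
        if eap_type == EAP_TYPE_MSCHAPV2:
            mschapv2_response_name(packet)
        return True
    except ValueError:
        return False


def split_nt_name(name: str) -> tuple[str | None, str]:
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); no backslash -> (None, name)."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else (None, name)


def names_match(identity: str, mschap_name: str) -> bool:
    """Relaxed rule from the thread: equal names pass; a bare MS-CHAP name passes only
    if it equals the identity minus its NT-domain prefix. STAFF\\john vs STUDENT\\john
    and plain john vs STAFF\\john still fail, so a changed domain is never ignored."""
    if identity == mschap_name:
        return True
    ms_domain, _ = split_nt_name(mschap_name)
    if ms_domain is None:
        return split_nt_name(identity)[1] == mschap_name
    return False


def check_exchange(identity_hex: str, response_hex: str) -> dict[str, object]:
    """What the server sees for one PEAP/MS-CHAPv2 inner exchange."""
    identity = eap_identity(bytes.fromhex(identity_hex))
    name = mschapv2_response_name(bytes.fromhex(response_hex))
    return {"identity": identity, "mschap_name": name,
            "strict_match": identity == name, "relaxed_match": names_match(identity, name)}


if __name__ == "__main__":
    print(check_exchange(IDENTITY_HEX, RESPONSE_HEX))
```

Run as-is it reports identity STIC08862\TechRMC, MS-CHAP name TechRMC, strict_match False and relaxed_match True, which is exactly the pair the server rejected. Feeding it the archived hex instead fails the EAP length check, which is why the zero bytes had to be put back before the packet could be decoded at all.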


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-29 Thread Francois Gaudreault

Hi Phil,

On 11-05-29 6:16 AM, Phil Mayers wrote:

Ok, so as before what we're seeing is that the host is sending

STIC08862\TechRMC

...in the EAP-Identity response, but:

TechRMC

...in the MSCHAP packet (the hex above decodes to that)

This is obviously broken, but here's where I get confused: STIC08862 
doesn't look like a domain name to me. It looks like a machine name.

It is indeed a machine name.  This is where we have problems, this does
not happen using Windows 7.  I tried to set a Realm for that machine
name without success.  The thing I don't understand is why MSCHAP
complains about that.  I mean, correct me if I am wrong,
mschap:User-Name will *always* strip that part since it looks like a domain.




Is the machine a domain member or not? Is the user logging on locally 
or with a domain account? Or is this an artefact of the way Novell works?

The machine is not a member of the domain, and the user logs in to Novell.
So when the user logs in, it sends the username information to RADIUS
just as if a local user logged in.




What happens if you take an ordinary machine, without the Novell
client installed, create a local user with the same username/password
as a domain user, then use "send username automatically"?

We tried it, and the machine appears to be sending the machine name
anyway.  It will work only if we don't send the credentials automatically.



Thanks!

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Phil Mayers

On 05/27/2011 09:04 PM, Francois Gaudreault wrote:

Hi,

I had a look at this issue with him since he is one of our clients.
Machine authentications are working flawlessly, Windows 7 authentication
as well (no hostname is sent with the username).


I honestly lost track of this issue; the guy had spread it over a couple 
of mailing list posts, and the debug output kept getting sent as either 
URLs I couldn't access, or heavily mangled text, so I'm afraid I drifted 
away.


Can you summarise in brief the setup you have, and as per Alan's 
request, send the full debug output of radiusd -X for a failing 
authentication. Please don't trim or edit the output.


By summarise your setup I mean:

 * what clients, and how they're setup
 * what NASes
 * what behaviour you're trying to achieve

I'll repeat something I've had cause to say several times recently:

Either:

 1. The client is sending wrong/mismatching usernames
 2. Something along the way is mangling the usernames
 3. You have configured FreeRADIUS to mangle it

There really aren't any other options.


Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Francois Gaudreault

Hi Phil, and Alan,

I will get you the debug output for Windows XP SP3 boxes (likely Monday).

I will summarise what we have.  Basically, this is a setup where the 
client is using eDirectory to authorize the users using the rlm_ldap 
module.  On the windows boxes, it is configured to do PEAP using 
MSCHAPv2.  When we send a host credential (ie. 
host/mycomputer.domain.tld) it will pass the authorization and during 
the authentication phase, it will use ntlm_auth to ensure that the 
machine is member of the domain.  That part is working fine, the mschap 
module does its job.  For the users, they have Windows 7s and Windows
XPs.  Windows 7 appears to be working without problems since the
username is sent without the computer name as the domain prefix.  The 
problem comes with the windows XP boxes.  If we let windows send the 
credentials automatically (when novell logs in), the LDAP authorization 
will work properly, but the authentication will fail even if the 
Cleartext-Password attribute is set by the LDAP module.  It will throw 
that MS-CHAP error.  We also ensure that everything that comes from 
something that is not matching host/something will use the 
MS-CHAP-NTLM-Auth = No.  The only way to make Windows XP work is to 
disable the automatically send username thing and only send the 
username without the domain name.  However, the user experience will 
definitely be terrible.


The NAS Client is an Avaya Access Point.

Thanks for your feedback guys, it is appreciated.  I will get you the
debug information and the sites configuration as soon as I can.


Have a nice weekend.

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Francois Gaudreault

Hi,

Here is the complete debug log:

rad_recv: Access-Request packet from host 10.220.30.5 port 29010, 
id=194, length=179

User-Name = STIC08862\\TechRMC
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = 58-16-26-AA-F7-A1:AVAYA-RESEAU
Calling-Station-Id = 00-16-EA-C5-78-9C
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11a
EAP-Message = 0x0216015354494330383836325c54656368524d43
Message-Authenticator = 0xfa084ddf06908a03fe823772e3df038e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = STIC08862\TechRMC, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm STIC08862 for User-Name = STIC08862\TechRMC
[ntdomain] No such realm STIC08862
++[ntdomain] returns noop
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} - STIC08862\TechRMC
? Evaluating (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) - FALSE
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) - FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 0 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap]  expand: (uid=%{mschap:User-Name}) - (uid=TechRMC)
[ldap]  expand: o=CSPI - o=CSPI
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=CSPI, with filter (uid=TechRMC)
[ldap] Added the eDirectory password 1234567 in check items as 
Cleartext-Password

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user STIC08862\TechRMC authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 194 to 10.220.30.5 port 29010
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0x309c14c6309d0dd14b00d913c56dbe3f
Finished request 78.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, 
id=195, length=255

User-Name = STIC08862\\TechRMC
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = 58-16-26-AA-F7-A1:AVAYA-RESEAU
Calling-Station-Id = 00-16-EA-C5-78-9C
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11a
EAP-Message = 0x02010050198000461603010041013d03014de118d0fb7ad90b86758750890c116038cb55d9c09e4f2b4228a03e019e3d421600040005000a000900640062000300060013001200630100
State = 0x309c14c6309d0dd14b00d913c56dbe3f
Message-Authenticator = 0xbb36f856b12e7151d07b7f62bb8ac4d1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = STIC08862\TechRMC, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm STIC08862 for User-Name = STIC08862\TechRMC
[ntdomain] No such realm STIC08862
++[ntdomain] returns noop
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} - STIC08862\TechRMC
? Evaluating (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) - FALSE
++? if (%{User-Name} =~ /^host\/.*nw2.cspi.qc.ca$/) - FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 1 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap]  TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap]  TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap]  TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client 
certificate A

In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] 

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-27 Thread Francois Gaudreault

Hi,

I had a look at this issue with him since he is one of our clients.  Machine
authentications are working flawlessly, Windows 7 authentication as well (no
hostname is sent with the username).
The problem is when the HOSTNAME is sent along with the username under windows 
XP. I tried to set a realm specially for this HOSTNAME, but we got the same 
error.

   Well... re-writing the names in the inner-tunnel server is breaking
authentication.

We don't.  The sites configuration is very straightforward (almost default),
no fancy rewrites in the default or the inner-tunnel.

   *Why* are you re-writing them?  What do you expect to do with the
names?  Why isn't there another way to achieve the same goal?

We do not rewrite anything.  LDAP authorization passes properly, but when EAP 
authentication kicks in, we have this MS-CHAP error.
We are using mschap:user-name in the LDAP filter and in the ntlm_auth line.  
Again, we are *NOT* rewriting the User-Name.

We need other ideas here.

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-27 Thread Alan DeKok
Francois Gaudreault wrote:
 We are using mschap:user-name in the LDAP filter and in the ntlm_auth
 line.  Again, we are *NOT* rewriting the User-Name.
 
 We need other ideas here.

  Post the debug output.

  Alan DeKok.


Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-18 Thread Jim Whitescarver
Thanks, Alan, it works!

We had the same issue with python auths being serialized that we had
with pam, but running out of debug mode fixed the issue. Pam probably
would have worked if we tried that, but it was a pam_python module
anyway so it is better going directly to python.

Thanks again,

Jim



Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-17 Thread Alan DeKok
Jim Whitescarver wrote:
 But, after sucessfully calling our python module the user is rejected
 
 ERROR: No authenticate method (Auth-Type) found for the request:
 Rejecting the user

   Don't edit the default configuration and break it.

 Below is the complete log.
 
 Any ideas of what we may be doing wrong?

  (1) Run the server in debugging mode.  -Xx gives *too* much information

  (2) If you want to use the users file, *DON'T* delete files from
the authorize section.

  All of the work you put into simplifying the configuration files was
wasted.  If you don't understand how the server works, change as little
as possible.

  Read man radiusd, and see the DEBUGGING section.  It gives
*EXPLICIT* instructions for how to change the configuration of the
server.  Follow them.

  This is documented.  Following the documentation helps.

  Alan DeKok.
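Alan's point that the server needs an Auth-Type before anything in the authenticate section can run, as an added example: a small rlm_python module written against the 2.x API that claims the request in authorize and verifies it in authenticate. It is not from the thread and not part of FreeRADIUS. The user table is constructed, the instance name `python` and the `Auth-Type python { python }` authenticate section it relies on are assumptions, the quoted-value stripping in `_attrs` is a defensive assumption about how some rlm_python builds hand over string values, and the `radiusd` stand-in only exists so the file also runs outside the server.

```python
"""rlm_python module (FreeRADIUS 2.x API) that claims a request by setting Auth-Type.

Added example, not from the thread or the FreeRADIUS distribution. Assumed 2.x
conventions: every section function receives a tuple of (attribute, value)
string pairs and returns either an RLM_MODULE_* code or a tuple
(code, reply_items, config_items), where config_items land in the control list.
The user table is constructed; the instance name "python" and the matching
authenticate section are assumptions (see AUTH_TYPE below).
"""
from __future__ import annotations
import hmac

try:
    import radiusd  # injected by rlm_python when loaded inside the server
except ImportError:
    class radiusd:  # stand-in so this file also runs outside FreeRADIUS (assumed constant values)
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK, RLM_MODULE_HANDLED = 0, 1, 2, 3
        RLM_MODULE_INVALID, RLM_MODULE_USERLOCK, RLM_MODULE_NOTFOUND = 4, 5, 6
        RLM_MODULE_NOOP, RLM_MODULE_UPDATED = 7, 8
        L_AUTH, L_INFO, L_ERR = 2, 3, 4

        @staticmethod
        def radlog(level: int, msg: str) -> None:
            print(f"radlog[{level}]: {msg}")

# Constructed credential store; a real module would ask a database or an API.
USERS = {"alice": "correct horse", "bob": "battery staple"}

# Assumed server config: the module instance is called "python" and is listed as
#   authorize { ... python ... }
#   authenticate { Auth-Type python { python } }
# control:Auth-Type must name that sub-section, or the request dies in authorize
# with "No authenticate method (Auth-Type) found for the request: Rejecting the user".
AUTH_TYPE = "python"


def _attrs(pairs) -> dict[str, str]:
    """Tuple of (name, value) pairs -> dict, first occurrence wins. Assumption: some
    rlm_python builds pass string values wrapped in double quotes, so strip those."""
    out: dict[str, str] = {}
    for name, value in pairs:
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        out.setdefault(name, value)
    return out


def authorize(p):
    """Called from authorize: claim known users by setting control:Auth-Type."""
    user = _attrs(p).get("User-Name")
    if user not in USERS:
        return radiusd.RLM_MODULE_NOTFOUND  # leave the request to files, ldap, ...
    # (return code, reply items, config/control items)
    return (radiusd.RLM_MODULE_UPDATED, (), (("Auth-Type", AUTH_TYPE),))


def authenticate(p):
    """Called from Auth-Type python: verify a cleartext (PAP) User-Password only.
    CHAP/MS-CHAP requests carry no User-Password and are marked invalid, never accepted."""
    attrs = _attrs(p)
    user = attrs.get("User-Name", "")
    password = attrs.get("User-Password")
    if password is None:
        radiusd.radlog(radiusd.L_AUTH, f"python: no User-Password for {user!r}")
        return radiusd.RLM_MODULE_INVALID
    expected = USERS.get(user, "")
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return radiusd.RLM_MODULE_OK
    radiusd.radlog(radiusd.L_AUTH, f"python: bad password for {user!r}")
    return radiusd.RLM_MODULE_REJECT
```

The split between the two functions is the whole point: authorize only decides which authenticate sub-section owns the request and says so through the control list, and authenticate only runs once the server has been told that. Listing the module in more sections than those two, or leaving Auth-Type unset, gives exactly the rejection quoted above.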


Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-17 Thread Jim Whitescarver
On Tue, May 17, 2011 at 3:08 PM, Alan DeKok al...@deployingradius.com wrote:
 Jim Whitescarver wrote:
 But, after sucessfully calling our python module the user is rejected

 ERROR: No authenticate method (Auth-Type) found for the request:
 Rejecting the user

   Don't edit the default configuration and break it.

The only thing we want is python authentication.  I just commented out
everything else.  I will start again and try to minimize edits.  I am
rather clueless about the nature the minimum edits should have.

It seems that every configuration file needs python in every section
for it to be recognized.

 Any ideas of what we may be doing wrong?

  (1) Run the server in debugging mode.  -Xx gives *too* much information

  (2) If you want to use the users file, *DON'T* delete files from
 the authorize section.

I don't think we want to use the users file.  We only want to call
the python module for any request.

  All of the work you put into simplifying the configuration files was
 wasted.  If you don't understand how the server works, change as little
 as possible.

We will try again.

It's not clear why we would leave other stuff in if we are not using
anything but the python module.

Thanks for the tips.

Jim.



Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-17 Thread Alan DeKok
Jim Whitescarver wrote:
 The only thing we want is python authentication.  I just commented out
 everything else.  I will start again and try to minimize edits.  I am
 rather clueless about the nature the minimum edits should have.

  Add what you need.  The default configuration *works*.

 It seems that every configuration file needs python in every section
 for it to be recognized.

  No.  You need to list python everywhere you want it to be *used*.

 I don't think we want to use the users file.  We only want to call
 the python module for any request.

  That's just rude.

  The first message you posted showed a users file entry, and wondered
why it didn't work.  Now you say you don't want to use it.

  Figure out what you want to do.  The majority of the issues you're
having are due to inconsistency.

 It's not clear why we would leave other stuff in if we are not using
 anything but the python module.

  Because you don't understand what it does.  If you don't understand
it, deleting it is wrong.

  Hey, I don't understand what this widget is on my car engine.  I'll
just rip it off.  Hmm, my car no longer works.  I know... I'll blame the
mechanic!

  You wouldn't do that to a car mechanic.  Don't do it here.

  Alan DeKok.


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
If the User-Name is being rewritten it is not intentional.

Now, I reinstalled from scratch, saved the default configuration, joined the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel and ran diff. I can see in the debug output of the server that
User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm


freeradius:/etc # diff -qr  raddb raddefault
Files raddb/clients.conf and raddefault/clients.conf differ
Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ
Files raddb/modules/ldap and raddefault/modules/ldap differ
Files raddb/modules/mschap and raddefault/modules/mschap differ
Files raddb/sites-available/inner-tunnel and
raddefault/sites-available/inner-tunnel differ
Files raddb/sites-enabled/inner-tunnel and
raddefault/sites-enabled/inner-tunnel differ


-

freeradius:/etc # diff  raddb/clients.conf raddefault/clients.conf
206,209d205
 client 10.0.0.0/8 {
secret  = testing123
shortname   = net1
 }
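Review bot: `secret = testing123` on `client 10.0.0.0/8` is the placeholder secret from the shipped clients.conf, applied to an entire /8. The shared secret is the only thing that authenticates a NAS to the server (and the only thing protecting User-Password and Message-Authenticator), so until it changes any host in 10.0.0.0/8 can submit Access-Requests as if it were the access point at 10.220.30.5. Give each NAS its own client entry with a long random secret, or at least narrow the range to the management addresses of the access points.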




freeradius:/etc # diff raddb/modules/attr_rewrite
raddefault/modules/attr_rewrite
32,65d31

 attr_rewrite copy.user-name {
 attribute = Stripped-User-Name
 new_attribute = yes
 searchfor = 
 searchin = packet
 replacewith = %{User-Name}
 }

 attr_rewrite remove-domain-name {
 attribute = Stripped-User-Name
 searchfor = (\.test\.local)
 searchin = packet
 new_attribute = no
 replacewith = 
 }

 attr_rewrite add-dollar-sign {
 attribute = Stripped-User-Name
 searchfor = ^(host/.*)
 searchin = packet
 new_attribute = no
 replacewith = %{1}$
 }

 attr_rewrite strip-realm-name {
 attribute = Stripped-User-Name
 new_attribute = no
 searchin = packet
 searchfor = ^(.*[\\/]+)
 replacewith = 
 max_matches = 1
 }
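Review bot: nothing in the posted diff consumes the Stripped-User-Name these four rewrites produce. They only ever touch Stripped-User-Name (`searchin = packet`, `new_attribute = yes` on the first), while the mschap hunk below builds its ntlm_auth line from `%{mschap:User-Name}` and `%{mschap:NT-Domain}`, which already drop the `DOMAIN\` prefix on their own (the radiusd -X output elsewhere in this thread shows `%{mschap:User-Name}` turning `STIC08862\TechRMC` into `TechRMC`). The order they are listed in inner-tunnel also matters: `strip-realm-name` runs last and its greedy `^(.*[\\/]+)` removes everything up to the last `\` or `/`, so it takes the `host/` prefix off the value `add-dollar-sign` just tagged, leaving `NAME$`. If that is the intent, say so in a comment; if not, drop the chain until something actually reads the result.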



--

freeradius:/etc # diff  raddb/modules/ldap  raddefault/modules/ldap
33,36c33,36
   server = 10.220.7.7
   identity = cn=tics,o=test
   password = ldappass
   basedn = o=test
---
   server = ldap.your.domain
   #identity = cn=admin,o=My Org,c=UA
   #password = mypass
   basedn = o=My Org,c=UA
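Review bot: the bind DN and its password (`identity = cn=tics,o=test`, `password = ldappass`) have now been posted to a public list; if those are the real values, rotate the password. With `password_attribute = nspmPassword` further down this diff, that account is able to read every user's password, so it deserves the handling of a domain admin credential rather than a config-file default.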
77,79c77,78
   #start_tls = no
   start_tls = yes
   port=636
---
   start_tls = no
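Review bot: `start_tls = yes` together with `port=636` is a contradiction. StartTLS is an extended operation sent over a plaintext LDAP connection, normally on 389, whereas 636 is LDAPS and expects a TLS handshake from the first byte, so one side or the other will abort the connection. Either use `port = 389` with `start_tls = yes`, or keep 636 and use the module's LDAPS mode rather than StartTLS, and confirm in `radiusd -X` that the bind to 10.220.7.7 really succeeds over TLS before relying on it.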

118c117
   password_attribute = nspmPassword
---
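Review bot: `password_attribute = nspmPassword` has rlm_ldap fetch each user's eDirectory Universal Password in the clear and add it to the request as Cleartext-Password; that is what lets rlm_mschap verify MS-CHAPv2 for non-domain users without ntlm_auth, and it is why the `radiusd -X` output posted elsewhere in this thread prints `Added the eDirectory password ... as Cleartext-Password`. Two consequences worth documenting next to this line: the bind identity above must be able to read every password, and any debug output from this server contains passwords and must be redacted before it is posted.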

124c123
   edir_account_policy_check = yes
---
   edir_account_policy_check = no


--

freeradius:/etc # diff raddb/modules/mschap  raddefault/modules/mschap
37c37
   with_ntdomain_hack = yes
---

65,66c65
   #ntlm_auth = /path/to/nitlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
---
   #ntlm_auth = /path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
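Review bot: `with_ntdomain_hack = yes` only tells rlm_mschap to compute the expected response from the part of a `DOMAIN\user` User-Name after the backslash; it does not relax the hard-coded comparison that produces the subject error (Phil's reply describes it as one line to grep for and comment out), so this hunk is neither the cause of nor a fix for it. Also note what `--domain=%{%{mschap:NT-Domain}:-NW2}` expands to for the `CAD08862\\ldapuser` identity in your debug: the text before the backslash is the machine name, not a domain, so ntlm_auth would be asked about a domain `CAD08862`; that only stays harmless because the inner-tunnel hunk below sets `MS-CHAP-Use-NTLM-Auth := no` for every non-`host/` name.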




 
freeradius:/etc # diff raddb/sites-available/inner-tunnel
raddefault/sites-available/inner-tunnel
48,52d47
   if (User-Name !~ /^host\//) {
 update control {
 MS-CHAP-Use-NTLM-Auth := no
 }
 }
97,101c92
   copy.user-name
   remove-domain-name
   add-dollar-sign
   strip-realm-name
   ntdomain
---
 # ntdomain
151c142
   ldap
---
 # ldap
239,241c230,232
   Auth-Type LDAP {
   ldap
   }
---
 # Auth-Type LDAP {
 # ldap
 # }
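Review bot: enabling `Auth-Type LDAP { ldap }` in inner-tunnel does not help the PEAP/MS-CHAPv2 requests this thread is about. rlm_ldap authenticates by binding with the request's User-Password; an MS-CHAPv2 inner request carries MS-CHAP-Challenge and MS-CHAP2-Response and no User-Password, so it never gets Auth-Type LDAP and is handled by rlm_mschap against the Cleartext-Password the nspmPassword lookup supplied. Leave this commented out, as the default has it, unless you also run a PAP inner method such as EAP-TTLS/PAP through this virtual server, where bind-as-user is the right choice.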
299c290
   ldap
---
 # ldap
311d301
   ldap




Robert Mc Cready wrote:
 I do not rewrite the User-name attribute I rewrite only the
 Stripped-User-Name attribute with these:

  No.  Go READ the debug log you posted.  The inner-tunnel virtual
server gets:

Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202 ...

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Phil Mayers

On 05/10/2011 03:35 PM, Robert Mc Cready wrote:

If the User-Name is being rewritten it is not intentional.

Now, I reinstalled from scratch, save the default configuration, join the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel and ran diff. I can see in the debug output of the server that
User-Name = CAD08862\\ldapuser but I don't know want I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm


I presume there's a debug at this URL, but I have no reachability to it 
from where I am (tried from a couple of different source networks):


17  Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54)  90.786 ms 
90.770 ms  90.740 ms
18  Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10)  90.800 ms 
90.918 ms  91.056 ms
19  tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165)  91.241 ms  90.598 
ms  90.634 ms
20  tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198)  79.405 ms 
79.282 ms  79.230 ms

21  * * *
22  * * *
23  * * *


