RE: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread stefan.paetow
You might want to do an LDAP lookup first on your UPN to find the 
samAccountName, then use that with ntlm_auth.

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Angelica Delgado
Sent: 14 October 2013 21:51
To: FreeRadius users mailing list
Subject: configure freeradius to use UPN instead of samaccountname

We have our freeradius setup to authenticate with Active Directory for EAP.  
Currently, it uses the samaccountname but we want to use UPN instead. We get 
"NT_STATUS_NO_SUCH_USER" when testing with ntlm through command line.

ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com



Can you please let us know what needs to be configured to support the UPN?



Thanks.







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
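Stefan's suggestion, written out as a shell script the way a practitioner would test it from the command line. This is an added example, not code from the thread, from FreeRADIUS or from Samba. The DC name dc1.test.local, the base DN DC=test,DC=local, the variables $BIND_DN and $BIND_PW_FILE, and OpenLDAP's ldapsearch are placeholders and assumptions. Because the UPN arrives as User-Name from the supplicant, it is escaped before it is put into the LDAP filter (a name such as `*)(sAMAccountName=administrator` would otherwise rewrite the query), and the lookup insists on exactly one match before anything is passed to ntlm_auth.

```shell
#!/bin/sh
# Added example: map a UPN (user@pub.com) to the account's sAMAccountName over
# LDAP, then test the credential with ntlm_auth using the short name.
# Assumed placeholders: dc1.test.local, DC=test,DC=local, $BIND_DN and
# $BIND_PW_FILE (a file holding the bind password, so it never shows up in ps).

# Escape a value for use inside an LDAP search filter (RFC 4515). The
# User-Name comes from the supplicant, so without this a crafted name such as
# '*)(sAMAccountName=administrator' would change the query. NUL bytes cannot
# travel in a shell variable, so they are not handled here.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Pull the sAMAccountName out of LDIF (as produced by ldapsearch -LLL) and
# require exactly one entry: an ambiguous mapping must fail, not pick the first.
# Values that ldapsearch base64-encodes ("sAMAccountName:: ...") are not decoded.
sam_from_ldif() {
    names=$(printf '%s\n' "$1" | sed -n 's/^sAMAccountName: //p')
    count=$(printf '%s\n' "$names" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$names"
}

# Resolve a UPN against the directory. -z 2 (size limit) is enough to detect a
# duplicate, and ldaps keeps the bind credentials and the answer off the wire
# in clear. Fails if the search itself fails.
lookup_sam() {
    filter="(&(objectClass=user)(userPrincipalName=$(ldap_filter_escape "$1")))"
    ldif=$(ldapsearch -LLL -H ldaps://dc1.test.local -b 'DC=test,DC=local' \
               -D "$BIND_DN" -y "$BIND_PW_FILE" -z 2 "$filter" sAMAccountName) || return 1
    sam_from_ldif "$ldif"
}

# Command-line check equivalent to the one in the thread, with the UPN resolved first.
check_upn_with_ntlm_auth() {
    sam=$(lookup_sam "$1") || { echo "UPN '$1' did not map to exactly one account" >&2; return 1; }
    ntlm_auth --request-nt-key --domain=test.local --username="$sam" --password="$2"
}

# Usage: ./upn_ntlm.sh user@pub.com 'password'
if [ $# -eq 2 ]; then
    check_upn_with_ntlm_auth "$1" "$2"
fi
```

The `--password` form is only suitable for a command-line test; inside the server the mschap module passes `--challenge` and `--nt-response` to ntlm_auth instead, and the UPN-to-sAMAccountName lookup would be done by the ldap module before mschap runs. rlm_ldap escapes expanded values in its filter itself, so the escaping above is what the module does for you when the lookup is moved into the server.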

Re: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread Alan DeKok
Angelica Delgado wrote:
> We have our freeradius setup to authenticate with Active Directory for
> EAP.  Currently, it uses the samaccountname but we want to use UPN
> instead. We get "NT_STATUS_NO_SUCH_USER" when testing with ntlm through
> command line.
> 
> ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com
>
> Can you please let us know what needs to be configured to support the UPN?

  ntlm_auth is from Samba.  It's not part of FreeRADIUS.  Ask the Samba
people how it works.

  Alan DeKok.


configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread Angelica Delgado
We have our freeradius setup to authenticate with Active Directory for
EAP.  Currently, it uses the samaccountname but we want to use UPN instead.
We get "NT_STATUS_NO_SUCH_USER" when testing with ntlm through command line.

ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com



Can you please let us know what needs to be configured to support the UPN?



Thanks.

Book for freeradius 3.0

2013-10-13 Thread Osvaldo T Crispim Filho
Is there any book about the new version of FreeRADIUS 3.0?


-- 
 - Osvaldo T Crispim Filho -

Re: Problems with compiling freeradius on Ubuntu Linux

2013-10-12 Thread Arran Cudbard-Bell

On 12 Oct 2013, at 17:40, Andrei Petru Mura  wrote:

> Hello,
> 
> I imported FreeRADIUS from git on Eclipse, and tried to build it, but this 
> error occurs while building the project:
> 
> threads.h:47:2: error: #error WITH_THREADS defined, but pthreads not available
> 
> Can anybody guide me how to solve this issue? Thanks.

This is an invalid state. The configure script will not define WITH_THREADS 
unless the pthread headers are available.

Check if HAVE_PTHREAD_H and WITH_THREADS are defined src/include/autoheader.h. 
If they're both defined then Eclipse is messing with the build system, if one 
is defined and the other is not, then autoconf/the configure scripts are broken.

Arran Cudbard-Bell 
FreeRADIUS Development Team



Problems with compiling freeradius on Ubuntu Linux

2013-10-12 Thread Andrei Petru Mura
Hello,

I imported FreeRADIUS from git on Eclipse, and tried to build it, but this
error occurs while building the project:

threads.h:47:2: error: #error WITH_THREADS defined, but pthreads not available
Can anybody guide me how to solve this issue? Thanks.

RE: clone break freeradius

2013-10-11 Thread stefan.paetow
Did you also change the MAC address for the network adapter in the VMWare 
settings? Otherwise VMWare believes (and possibly your network too) the two 
machines are the same.

After changing the MAC address, reconfigure your network settings on the clone 
and reboot. Delete the trust (computer) account for the original machine from 
Active Directory. Then retry the net join command for both machines.

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of trevor obba
Sent: 11 October 2013 00:38
To: freeradius-users@lists.freeradius.org
Subject: clone break freeradius

I configured freeradius version 2.2.0 running on Ubuntu 12.04 to authenticate 
against active directory and it is working fine until I decided to clone 
(vmware) the machine.

Once the machine is cloned I changed the IP address, hostname (in /etc/hosts and 
/etc/hostname) and also changed the name in /etc/samba/smb.conf

Finally I tried to join the cloned machine using "net join -U administrator"; 
unfortunately this breaks the original freeradius machine, which no longer 
authenticates to active directory, and the clone machine will not join the 
Domain either.
I think the clone machine is still referring to the original machine, which breaks 
the original machine; unfortunately I do not know how to fix it.

How do I fix the original machine?
What else do I change on the clone machine so that I can successfully join it 
to the domain without breaking the original machine?

Re: clone break freeradius

2013-10-11 Thread A . L . M . Buxey
hi,

you must ensure you 'sign out' of the AD before you clone as otherwise
both objects are the same... and, as you have found, doing something
with the clone breaks the first server.  or just don't bind to the AD before
cloning.

to fix, you need to ensure that both machines have their own identity (eg
/etc/hosts and $HOSTNAME all refer to a unique name per machine) and that
there is nothing in the AD referencing either system.  THEN net ads join
each box... but this isn't a freeradius question.

alan
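Stefan's and Alan's replies above describe the same procedure: give the clone its own MAC address, host name and Samba name, make sure nothing in AD still refers to the old identity, then join each box on its own. The script below is an added example that puts those steps in order; it is not from the thread or from Samba. It assumes Debian/Ubuntu file locations, `net ads join` (the thread's `net join`), that the MAC address was already changed in the hypervisor, and that the stale computer object was deleted on the DC.

```shell
#!/bin/sh
# Added example (not from the thread): give a cloned Samba/winbind host its own
# identity before it is joined to AD. Assumed: Debian/Ubuntu file locations
# (/etc/hostname, /etc/hosts, /etc/samba/smb.conf,
# /var/lib/samba/private/secrets.tdb), the MAC address already changed in the
# hypervisor, and the old computer object already removed on the DC.

# NetBIOS name Samba registers for a host: first DNS label, upper case, at most
# 15 characters (longer names are truncated, which is one way two hosts can end
# up behind one machine account). Fails if the name is empty or too long.
netbios_name() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    [ -n "$short" ] && [ ${#short} -le 15 ] || return 1
    printf '%s\n' "$short"
}

# Rewrite "netbios name" in smb.conf text ($1) to $2, printing the result so it
# can be reviewed before it replaces the file. Fails if the key was not present,
# rather than guessing where the [global] section ends.
set_netbios_name() {
    printf '%s\n' "$1" | awk -v name="$2" '
        tolower($0) ~ /^[ \t]*netbios name[ \t]*=/ { print "   netbios name = " name; seen = 1; next }
        { print }
        END { exit seen ? 0 : 1 }'
}

# The procedure itself; run as root on the clone only, never on the original.
reidentify_clone() {
    newhost=$1                                   # e.g. radius2.test.local
    nb=$(netbios_name "$newhost") || { echo "unusable host name: $newhost" >&2; return 1; }

    # 1. Host identity: /etc/hostname, the 127.0.1.1 line Debian keeps in /etc/hosts, live name.
    printf '%s\n' "$newhost" > /etc/hostname
    sed -i "s/^127\.0\.1\.1[[:space:]].*/127.0.1.1 $newhost ${newhost%%.*}/" /etc/hosts
    hostname "$newhost"

    # 2. Samba identity: new NetBIOS name, and drop the inherited secrets.tdb so the
    #    clone cannot keep using the original machine's account password.
    cfg=$(set_netbios_name "$(cat /etc/samba/smb.conf)" "$nb") || return 1
    printf '%s\n' "$cfg" > /etc/samba/smb.conf
    service winbind stop
    rm -f /var/lib/samba/private/secrets.tdb

    # 3. Join under the new name and verify the trust from this host alone.
    net ads join -U administrator
    service winbind start
    net ads testjoin && wbinfo -t
}

# Usage: ./reidentify.sh --run radius2.test.local
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    reidentify_clone "$2"
fi
```

Removing secrets.tdb also discards the local machine SID, which is what you want on a clone: the copy inherited from the original is the reason both boxes looked like one object to AD. Run `net ads testjoin` and `wbinfo -t` on the original afterwards as well; if the original's computer account was overwritten by the clone's join, it needs a fresh `net ads join` of its own.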


clone break freeradius

2013-10-10 Thread trevor obba
I configured freeradius version 2.2.0 running on Ubuntu 12.04
to authenticate against active directory and it is working fine until I decided
to clone (vmware) the machine.

Once the machine is cloned I changed the IP address, hostname
(in /etc/hosts and /etc/hostname) and also changed the name in
/etc/samba/smb.conf

Finally I tried to join the cloned machine using "net join -U
administrator"; unfortunately this breaks the original freeradius machine, which no
longer authenticates to active directory, and the clone machine will not join
the Domain either.
I think the clone machine is still referring to the original machine,
which breaks the original machine; unfortunately I do not know how to fix it.

How do I fix the original machine?
What else do I change on the clone machine so that I can
successfully join it to the domain without breaking the original machine?

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread John Dennis
On 10/10/2013 08:39 AM, Puzzel wrote:
> I've made configure at top level ./configure
> --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
> --with-oracle-include-dir=/usr/include/oracle/11.2/client64
> 
> Then i made make, but i still can't find rlm_sql_oracle.so file. :/

Try reading the output of the build process, it will tell you what went
wrong.

Hint:

Redirection:

do_something 2>&1 | tee -a some_file



-- 
John


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Alan DeKok
Puzzel wrote:
> I've made configure at top level ./configure
> --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
> --with-oracle-include-dir=/usr/include/oracle/11.2/client64

  If the build is having issues, you should READ the output of
"configure".  It tells you what it's building, and what it's not
building.  Just look for "oracle" in the output.  It's not hard.

> Then i made make, but i still can't find rlm_sql_oracle.so file. :/

  Again, READ the output of "make".  Look for oracle.  It's not hard.

  You're like someone who's sitting next to a road sign, and claiming
he's lost.  Well... look up.  You're not lost.

  Alan DeKok.


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 13:39, Puzzel  wrote:

> I've made configure at top level ./configure
> --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
> --with-oracle-include-dir=/usr/include/oracle/11.2/client64
> 
> Then i made make, but i still can't find rlm_sql_oracle.so file. :/

run the configure script in src/modules/rlm_sql/drivers/rlm_sql_oracle and post 
the output and config.log file.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team



RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
I've made configure at top level ./configure
--with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
--with-oracle-include-dir=/usr/include/oracle/11.2/client64

Then i made make, but i still can't find rlm_sql_oracle.so file. :/

-Original Message-----
From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org]
On Behalf Of Arran Cudbard-Bell
Sent: Thursday, October 10, 2013 1:51 PM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module


On 10 Oct 2013, at 12:34, "Puzzel"  wrote:

> When i do make at top level, i'm getting this output:
> 
> make
> Makefile:10: *** Missing 'Make.inc' Run './configure [options]' and
retry".
> Stop.

- Missing - Something is not there that should be.
- 'Make.inc' - The thing that should be there but isn't.
- Run - Execute a command.
- './configure' - The command you should execute.
- '[options]' - Any additional options you want to add like --prefix or
--with-shared-libs=no.
- and - There's something additional you have to do as well as running the
previous command.
- retry - Repeat the previous command which generated this error message.

*sigh*

-Arran



Arran Cudbard-Bell  FreeRADIUS Development Team



Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 12:34, "Puzzel"  wrote:

> When i do make at top level, i'm getting this output:
> 
> make
> Makefile:10: *** Missing 'Make.inc' Run './configure [options]' and retry".
> Stop.

- Missing - Something is not there that should be.
- 'Make.inc' - The thing that should be there but isn't.
- Run - Execute a command.
- './configure' - The command you should execute.
- '[options]' - Any additional options you want to add like --prefix or 
--with-shared-libs=no.
- and - There's something additional you have to do as well as running the 
previous command.
- retry - Repeat the previous command which generated this error message.

*sigh*

-Arran



Arran Cudbard-Bell 
FreeRADIUS Development Team



RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
When i do make at top level, i'm getting this output:

make
Makefile:10: *** Missing 'Make.inc' Run './configure [options]' and retry".
Stop.

-----Original Message-
From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org]
On Behalf Of Arran Cudbard-Bell
Sent: Thursday, October 10, 2013 12:50 PM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module


On 10 Oct 2013, at 10:31, Puzzel  wrote:

> Tnx Arran,
> 
> ./configure went fine and then created all.mk file.
> What to do next? "make" don't work. I'm sorry i'm not very much 
> experienced in linux.

You need to do make in the top level directory not in the module directory. 
all.mk is a make include not an actual make file.

It should pick up that rlm_sql_oracle has been configured (even if it's not
marked as stable) and build it.

-Arran

Arran Cudbard-Bell  FreeRADIUS Development Team



Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 10:31, Puzzel  wrote:

> Tnx Arran,
> 
> ./configure went fine and then created all.mk file.
> What to do next? "make" don't work. I'm sorry i'm not very much experienced
> in linux.

You need to do make in the top level directory not in the module directory. 
all.mk is a make include not an actual make file.

It should pick up that rlm_sql_oracle has been configured (even if it's not
marked as stable) and build it.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team



RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
Tnx Arran,

./configure went fine and then created all.mk file.
What to do next? "make" don't work. I'm sorry i'm not very much experienced
in linux.

-Original Message-
From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org]
On Behalf Of Arran Cudbard-Bell
Sent: Thursday, October 10, 2013 11:04 AM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module


On 10 Oct 2013, at 09:22, Puzzel  wrote:

> Yes, you are right, the oracle include path was in a different
> location (/usr/include/oracle/11.2/client64 not /usr/lib...).
> 
> Now I've got another problem.
> 
> ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
> --with-oracle-include-dir=/usr/include/oracle/11.2/client64
> checking for oci.h... checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> yes
> configure: WARNING: oracle libraries not found.  Use
> --with-oracle-lib-dir=.
> configure: WARNING: silently not building rlm_sql_oracle.
> configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
> configure: creating ./config.status
> config.status: creating Makefile


Please use version 3.0.0 the configure script is much better.

http://freeradius.org/download.html

Arran Cudbard-Bell  FreeRADIUS Development Team



Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell

On 10 Oct 2013, at 09:22, Puzzel  wrote:

> Yes, you are right, the oracle include path was in a different location
> (/usr/include/oracle/11.2/client64 not /usr/lib...).
> 
> Now i've got another problem.
> 
> ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
> --with-oracle-include-dir=/usr/include/oracle/11.2/client64
> checking for oci.h... checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> yes
> configure: WARNING: oracle libraries not found.  Use
> --with-oracle-lib-dir=.
> configure: WARNING: silently not building rlm_sql_oracle.
> configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
> configure: creating ./config.status
> config.status: creating Makefile


Please use version 3.0.0 the configure script is much better.

http://freeradius.org/download.html

Arran Cudbard-Bell 
FreeRADIUS Development Team



RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
Yes, you are right, the oracle include path was in a different location
(/usr/include/oracle/11.2/client64 not /usr/lib...).

Now i've got another problem.

./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
--with-oracle-include-dir=/usr/include/oracle/11.2/client64
checking for oci.h... checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
yes
configure: WARNING: oracle libraries not found.  Use
--with-oracle-lib-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
configure: creating ./config.status
config.status: creating Makefile

In the folder I've made ln links

ls -la /usr/lib/oracle/11.2/client64/lib/
total 151112
drwxr-xr-x. 2 root root     4096 10-10 10:14 .
drwxr-xr-x. 4 root root     4096 10-09 14:46 ..
lrwxrwxrwx. 1 root root       17 10-10 10:14 libclntsh -> libclntsh.so.11.1
lrwxrwxrwx. 1 root root       17 10-09 14:46 libclntsh.so -> libclntsh.so.11.1
-rw-r--r--. 1 root root 48797739 2009-08-15  libclntsh.so.11.1
-rw-r--r--. 1 root root    15365 2009-08-15  libheteroxa11.so
lrwxrwxrwx. 1 root root       11 10-10 10:09 libnnz -> libnnz11.so
-rw-r--r--. 1 root root      787 2009-08-15  libnnz11.so
lrwxrwxrwx. 1 root root       15 10-09 14:46 libocci.so -> libocci.so.11.1
-rw-r--r--. 1 root root  1261302 2009-08-15  libocci.so.11.1
-rw-r--r--. 1 root root 89382994 2009-08-15  libociei.so
-rw-r--r--. 1 root root   165157 2009-08-15  libocijdbc11.so
-rw-r--r--. 1 root root   997069 2009-08-15  libsqora.so.11.1
-rw-r--r--. 1 root root  1996228 2009-08-15  ojdbc5.jar
-rw-r--r--. 1 root root  2111220 2009-08-15  ojdbc6.jar
-rw-r--r--. 1 root root  1656280 2009-08-15  orai18n.jar
-rw-r--r--. 1 root root    82983 2009-08-15  orai18n-mapping.jar
-rw-r--r--. 1 root root   298388 2009-08-15  ottclasses.zip
-rw-r--r--. 1 root root    37807 2009-08-15  xstreams.jar

but it didn't help.

-Original Message-
From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org]
On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Thursday, October 10, 2013 9:41 AM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module

Hi,

>I'e installed oracle instant client from rpm packages (basic + 
> devel)

okay. if you've done this rather than manually installing from Oracle then
its most likely that the paths are different...you will need to check where
your Oracle files have been installed and use those paths instead

alan


Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Fajar A. Nugraha
On Thu, Oct 10, 2013 at 2:22 PM, Puzzel  wrote:

> --with-oracle-include-dir=/usr/lib/oracle/11.2/client64
>
> configure: WARNING: oracle headers not found.  Use
> --with-oracle-include-dir=.
> configure: WARNING: silently not building rlm_sql_oracle.
> configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
> configure: creating ./config.status
>
> Could you help me with that?

Does oci.h exist on that directory?

-- 
Fajar

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread A . L . M . Buxey
Hi,

>I've installed oracle instant client from rpm packages (basic + devel)

okay. if you've done this rather than manually installing from Oracle then
its most likely that the paths are different...you will need to check where
your Oracle files have been installed and use those paths instead

alan
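The replies in this thread (read configure's own output, the `2>&1 | tee` hint, and the question whether oci.h actually exists in the directory given) reduce to a pre-flight check of the paths plus a logged build. The script below is an added example, not code from the thread or from FreeRADIUS. The paths are the RPM layout the poster reported, and the reading of configure's "requires: libclntsh libnnz" as a request for `-lclntsh` and `-lnnz` is an assumption of mine; what is certain is that a `-l<name>` flag is only satisfied by a file named `lib<name>.so` (or `.a`), so a link called plain `libclntsh` or `libnnz` cannot help.

```shell
#!/bin/sh
# Added example (not from the thread): check the Oracle Instant Client paths
# before handing them to FreeRADIUS 2.x's configure, and keep the build output
# in a file so the reason rlm_sql_oracle was skipped can be read afterwards.
# Assumed: Instant Client 11.2 RPM layout, headers in
# /usr/include/oracle/11.2/client64, libraries in /usr/lib/oracle/11.2/client64/lib.

# The configure warning in the thread names libclntsh and libnnz (assumed to
# mean -lclntsh -lnnz). The linker resolves -l<name> only via lib<name>.so or
# lib<name>.a; a link called plain "libclntsh", or a versioned file such as
# libnnz11.so on its own, is not found. Prints one line per problem and
# returns 1 if anything is missing.
check_oracle_client() {
    inc=$1; lib=$2; rc=0
    [ -f "$inc/oci.h" ] || { echo "missing $inc/oci.h: headers come with the -devel package"; rc=1; }
    for name in clntsh nnz; do
        if ! ls "$lib"/lib"$name"*.so* >/dev/null 2>&1; then
            echo "no lib$name*.so* under $lib: wrong --with-oracle-lib-dir or client not installed"; rc=1
        elif [ ! -e "$lib/lib$name.so" ]; then
            echo "no $lib/lib$name.so: create it with ln -s pointing at the versioned file"; rc=1
        fi
    done
    return $rc
}

# Run one build step with stdout and stderr appended to a log (the tee idiom
# from the thread), then show the Oracle-related lines so they are not lost
# in the rest of the output.
logged() {
    log=$1; shift
    "$@" 2>&1 | tee -a "$log"
    grep -i oracle "$log" || true
}

# Usage, from the top of the FreeRADIUS source tree:
#   . ./check_oracle.sh
#   check_oracle_client /usr/include/oracle/11.2/client64 /usr/lib/oracle/11.2/client64/lib \
#     && logged build.log ./configure --with-oracle-include-dir=/usr/include/oracle/11.2/client64 \
#          --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib \
#     && logged build.log make
if [ "${1:-}" = "--check" ]; then
    check_oracle_client "${2:-/usr/include/oracle/11.2/client64}" "${3:-/usr/lib/oracle/11.2/client64/lib}"
fi
```

`logged` returns tee's exit status, not the build step's, so read the log rather than relying on `&&` to stop after a failed configure; the `grep -i oracle` at the end is there so the "silently not building rlm_sql_oracle" line is the first thing you see.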


freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
Hi there,

I'm trying to use freeradius with an oracle database.

I've used the guide on this site
http://wiki.freeradius.org/modules/Rlm_sql_oracle to compile the oracle driver.

I've installed oracle instant client from rpm packages (basic + devel)

When I use

./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
--with-oracle-include-dir=/usr/lib/oracle/11.2/client64

I got this output

checking for oci.h... checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
no
configure: WARNING: oracle headers not found.  Use
--with-oracle-include-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: creating ./config.status

Could you help me with that?

Tnx a lot

Thomas

Re: Freeradius 3 and DHCP

2013-10-09 Thread Arran Cudbard-Bell

On 9 Oct 2013, at 11:56, Rok Kosir  wrote:

> On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote:
>> On 8 Oct 2013, at 17:44, Phil Mayers  wrote:
>>> On 08/10/13 17:01, Rok Kosir wrote:
>>>> authentication to mysql), when i run freeradius -X, i get Segmentation
>>>> Fault when it reaches dhcp listener.
>>> See doc/bugs.
>> and skip to section 2. :)
>>
>> Arran Cudbard-Bell
>> FreeRADIUS Development Team
> 
> Rebuilt manually and with dhcp it started the server, when dhcp request came 
> it crashed.
> I did use --enable-development when configuring
> 
> All i got in logs is  
> kernel: [7949524.015421] radiusd[19648] general protection ip:7fa7082c1670 
> sp:7fff9dcc1a48 error:0 in libc-2.15.so[7fa70817f000+1b5000]
> 
> no other coredump available except from gdb
> Generated gdb http://pastebin.com/raw.php?i=C1NYzckb

Thanks for that.

git clone g...@github.com:FreeRADIUS/freeradius-server.git
cd freeradius-server
git checkout v3.0.x

Should no longer segv.

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: Freeradius 3 and DHCP

2013-10-09 Thread Rok Kosir

On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote:

> On 8 Oct 2013, at 17:44, Phil Mayers  wrote:
>
>> On 08/10/13 17:01, Rok Kosir wrote:
>>
>>> authentication to mysql), when i run freeradius -X, i get Segmentation
>>> Fault when it reaches dhcp listener.
>>
>> See doc/bugs.
>
> and skip to section 2. :)
>
> Arran Cudbard-Bell
> FreeRADIUS Development Team


Rebuilt manually and with dhcp it started the server; when a dhcp request 
came it crashed.

I did use --enable-development when configuring

All I got in logs is
kernel: [7949524.015421] radiusd[19648] general protection 
ip:7fa7082c1670 sp:7fff9dcc1a48 error:0 in libc-2.15.so[7fa70817f000+1b5000]


no other coredump available except from gdb
Generated gdb http://pastebin.com/raw.php?i=C1NYzckb

Also debug from radiusd -X http://pastebin.com/raw.php?i=B8tRs1xh

config options were:
./configure --build x86_64-linux-gnu --config-cache --enable-developer 
--prefix=/usr --exec-prefix=/usr --mandir=/usr/share/man 
--sysconfdir=/etc --libdir=/usr/lib/freeradius --datadir=/usr/share 
--localstatedir=/var --with-raddbdir=/etc/freeradius 
--with-logdir=/var/log/freeradius --with-large-files --with-udpfromto 
--without-rlm_eap_tnc  --without-rlm_eap_ikev2 --without-rlm_sql_oracle 
--without-rlm_sql_unixodbc


on Ubuntu 12.04 kernel 3.2.0-29-generic



Re: Freeradius 3 and DHCP

2013-10-08 Thread Arran Cudbard-Bell

On 8 Oct 2013, at 17:44, Phil Mayers  wrote:

> On 08/10/13 17:01, Rok Kosir wrote:
> 
>> authentication to mysql), when i run freeradius -X, i get Segmentation
>> Fault when it reaches dhcp listner.
> 
> See doc/bugs.

and skip to section 2. :)

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: Freeradius 3 and DHCP

2013-10-08 Thread Phil Mayers

On 08/10/13 17:01, Rok Kosir wrote:

> authentication to mysql), when i run freeradius -X, i get Segmentation
> Fault when it reaches dhcp listener.

See doc/bugs.


Freeradius 3 and DHCP

2013-10-08 Thread Rok Kosir
Hello,

I had a running version of freeradius 2.1.10 (from ubuntu ppa) with a
workable EAP-TTLS configuration. Today when I noticed that version 3 is
out I decided to upgrade to it and also test the built-in dhcp server.
All was going well until I enabled dhcp (EAP-TTLS was working and
authentication to mysql); when I run freeradius -X, I get a Segmentation
Fault when it reaches the dhcp listener.
It is the same if I use the default dhcp site (the one provided with the source) or
if I follow the guide on the freeRadius wiki (
http://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation)

I built the package from source as described in the instructions for debian.

Here is the output of my freeradius -xv:
Tue Oct  8 15:07:55 2013 : Info: freeradius: FreeRADIUS Version 3.0.0,
for host x86_64-pc-linux-gnu, built on Oct  8 2013 at 10:44:53
Tue Oct  8 15:07:55 2013 : Debug: Server was built with:
Tue Oct  8 15:07:55 2013 : Debug:   accounting
Tue Oct  8 15:07:55 2013 : Debug:   authentication
Tue Oct  8 15:07:55 2013 : Debug:   ascend binary attributes
Tue Oct  8 15:07:55 2013 : Debug:   coa
Tue Oct  8 15:07:55 2013 : Debug:   control-socket
Tue Oct  8 15:07:55 2013 : Debug:   detail
Tue Oct  8 15:07:55 2013 : Debug:   dhcp
Tue Oct  8 15:07:55 2013 : Debug:   dynamic clients
Tue Oct  8 15:07:55 2013 : Debug:   proxy
Tue Oct  8 15:07:55 2013 : Debug:   regex-posix
Tue Oct  8 15:07:55 2013 : Debug:   session-management
Tue Oct  8 15:07:55 2013 : Debug:   stats
Tue Oct  8 15:07:55 2013 : Debug:   tcp
Tue Oct  8 15:07:55 2013 : Debug:   threads
Tue Oct  8 15:07:55 2013 : Debug:   tls
Tue Oct  8 15:07:55 2013 : Debug:   unlang
Tue Oct  8 15:07:55 2013 : Debug:   vmps
Tue Oct  8 15:07:55 2013 : Debug: Server core libs:
Tue Oct  8 15:07:55 2013 : Debug:   talloc : 2.0.*
Tue Oct  8 15:07:55 2013 : Debug:   ssl: OpenSSL 1.0.1 14 Mar 2012


I have pasted debug from freeradius -X  on pastebin so it doesn't
clutter too much here: http://pastebin.com/raw.php?i=u9mM3avv

Any help is appreciated.

Regards,
Rok


Re: Freeradius issue : Active Directory Integration

2013-10-04 Thread Phil Mayers

On 10/04/2013 07:02 AM, Shameek Bhattacharya wrote:

> Hello,
> I am facing issue with MS CHAP authentication in Ubuntu 13.04 .
> Also NTLM Authentication takes place when putting 'wait = no' in
> /etc/freeradius/modules/ntlm_auth
>
> ie
> exec ntlm_auth {
>  wait = no

"wait = no" is wrong here. You need to wait, to check the result of 
authentication.



Re: Freeradius issue : Active Directory Integration

2013-10-03 Thread Alan Buxey

Hi.

Wondering what authentication method you are using, as maybe you're looking at the wrong 
ntlm. Check the mschap module for its ntlm_auth incantation.  Also, if you 
have doubts about the AD account used to bind them, follow that up.  Get it 
bound in the same way. What does ntlm_auth do on the command line for you?


alan
- --
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-BEGIN PGP SIGNATURE-
Version: APG v1.0.8

iHkEAREIADkFAlJOYUIyHEFsYW4gQnV4ZXkgKEFsYW4gQnV4ZXkpIDxhLmwubS5i
dXhleUBsYm9yby5hYy51az4ACgkQobRdvRSkLC6y4ACdEIQs/dxW8YhNraSmI3pX
qbNXMmcAn2s9S34AfgH/JbgqjHiYr51Vw9uN
=lpVL
-END PGP SIGNATURE-



Re: Freeradius issue : Active Directory Integration

2013-10-03 Thread Andreas Sartori
Hi,

> Hello,
> I am facing issue with MS CHAP authentication in Ubuntu 13.04 . Also
> NTLM Authentication takes place when putting 'wait = no' in
> /etc/freeradius/modules/ntlm_auth
> 


Is ntlm_auth on the command line working?
Please provide some debug output.

regards
-andreas

-- 
___
FACHHOCHSCHULE SALZBURG GmbH
Salzburg University of Applied Sciences

Andreas Sartori
Systems Engineer
IS - Information Services

Lecturer
ITS - Information Technology and Systems Management
MMT - Multimedia Technology
Urstein Süd 1 | 5412 Puch/Salzburg | Austria
fon:  +43 (0)50-2211-1655 | fax: -1699
web: www.fh-salzburg.ac.at

Gerichtsstand Salzburg | FN166054y
___

- Original Message -
> From: "Shameek Bhattacharya" 
> To: freeradius-users@lists.freeradius.org
> Sent: Friday, October 4, 2013 8:02:59 AM
> Subject: Freeradius issue : Active Directory Integration
> 
> 
> 
> 
> 
> 
> Hello,
> I am facing issue with MS CHAP authentication in Ubuntu 13.04 . Also
> NTLM Authentication takes place when putting 'wait = no' in
> /etc/freeradius/modules/ntlm_auth
> 
> ie
> exec ntlm_auth {
> wait = no
> program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"
> }
> 
> 
> 
> 
> 
> But MS CHAP fails completely . Tried all options but not working at
> all . I have another Freeradius Server with same configuration which
> is working perfectly. The only difference is that the faulty Radius
> Server was joined to Domain with a backup administrator account ,
> not with the default Domain Administrator account . Is this creating
> the issue ? Please suggest . I have attached the debug output.
> 
> 
> Regards,
> 
> Shameek
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Freeradius issue : Active Directory Integration

2013-10-03 Thread Shameek Bhattacharya
Hello,
 I am facing an issue with MS-CHAP authentication on Ubuntu 13.04. Also,
NTLM authentication takes place when putting 'wait = no' in
/etc/freeradius/modules/ntlm_auth

i.e.
exec ntlm_auth {
wait = no
program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"
}


But MS-CHAP fails completely. I tried all options but it is not working at all. I
have another FreeRADIUS server with the same configuration which is working
perfectly. The only difference is that the faulty RADIUS server was joined
to the domain with a backup administrator account, not with the default Domain
Administrator account. Is this creating the issue? Please suggest. I
have attached the debug output.

Regards,
Shameek



Re: control flow in FreeRADIUS authorize section

2013-10-02 Thread Arran Cudbard-Bell

On 2 Oct 2013, at 22:57, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
> 
>>  A simple thing:
>> 
>> 
>>  
>>  update control {
>>  Tmp-String-0 := "stop"
>>  }
>>  ...
>> 
>> 
>> 
>> 
>>  if (Tmp-String-0 != "stop") {
>>  
>>  }
>> 
>>  That should work.  Ugly, but functional.
> 
> this is pretty much what I was going to suggest. ugly, yes. but sometimes 
> simple is best.
> and its much easier for a non unlang'y person to understand the logic! :)

Nah, the appearance of obscurity is another man's job security :p

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: control flow in FreeRADIUS authorize section

2013-10-02 Thread A . L . M . Buxey
Hi,

>   A simple thing:
> 
> 
>   
>   update control {
>   Tmp-String-0 := "stop"
>   }
>   ...
> 
> 
> 
> 
>   if (Tmp-String-0 != "stop") {
>   
>   }
> 
>   That should work.  Ugly, but functional.

This is pretty much what I was going to suggest. Ugly, yes, but sometimes 
simple is best.
And it's much easier for a non-unlang'y person to understand the logic! :)

alan


Re: control flow in FreeRADIUS authorize section

2013-10-02 Thread Arran Cudbard-Bell

> We want to stop executing the  in the first two cases 
> ("infected" and "tempsus"), effectively doing something like a return.

Where you have ok in the case stanzas, put

ok {
ok = return
}

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: control flow in FreeRADIUS authorize section

2013-10-02 Thread Alan DeKok
Bruce Bauman wrote:
> We want to stop executing the  in the first two
> cases ("infected" and "tempsus"), effectively doing something like a return.

  There is a "return" code.  See doc/configurable_failover.rst:

  ok {
ok = return
  }

  That may work.  The issue is that there's really no multi-level "stop"
or "break", i.e. "stop doing ANYTHING, no matter how deeply nested you
are in the conditions."

  The unlang code isn't really meant to do that, sorry.

> I've read the documentation a hundred times and can't figure out how to
> do what I want - everything I've tried doesn't work.
> 
> If someone could give me a simple hint to point me in the right
> direction it would be greatly appreciated.

  A simple thing:



update control {
Tmp-String-0 := "stop"
}
...




if (Tmp-String-0 != "stop") {

}

  That should work.  Ugly, but functional.

  Alan DeKok.
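The control-list flag described in this reply, written out in full as an added example (not code from the thread). The module names and the switch follow the configuration posted in the question; the case bodies are shortened to the VLAN assignment, and the "pap" after the guard stands in for whatever modules actually follow the switch in the real authorize section (an assumption).

```unlang
# Added example, not from the thread.  Module names before the switch come
# from the question; "pap" after the guard is an assumption standing in for
# the modules that really follow the switch.
authorize {
    rewrite_calling_station_id
    rewrite_username_lowercase

    IPSblocks_SQL {
        notfound = 999
        reject = 999
    }

    switch reply:RU-block-description {
        case "infected" {
            update reply {
                Tunnel-Type := "VLAN"
                Tunnel-Medium-Type := "IEEE-802"
                Tunnel-Private-Group-Id := 1666
            }
            update control {
                Auth-Type := "Accept"
                # flag lives in the control list, so it never leaks into
                # the Access-Accept sent to the NAS
                Tmp-String-0 := "stop"
            }
        }
        case "tempsus" {
            update reply {
                Tunnel-Type := "VLAN"
                Tunnel-Medium-Type := "IEEE-802"
                Tunnel-Private-Group-Id := 1666
            }
            update control {
                Auth-Type := "Accept"
                Tmp-String-0 := "stop"
            }
        }
        # default: no flag is set and processing continues below
    }

    # Everything that must not run for a blocked user goes inside this guard.
    # The expansion is written with the explicit control: prefix so that the
    # update above and this check refer to the same list; if the flag was
    # never set the expansion is empty and the guard is true.
    if ("%{control:Tmp-String-0}" != "stop") {
        pap
    }
}
```

Because the flag is an attribute rather than a return code, it does not depend on how deeply the case stanza is nested, which is the limitation of "return" that the reply points out. Anything placed outside the guard still runs for blocked users, so the quarantine decision should be reviewed whenever a module is added to the section.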


control flow in FreeRADIUS authorize section

2013-10-02 Thread Bruce Bauman
We are getting unexpected behavior from FreeRADIUS 2.2.x (built from current 
git).

We want to check if a user is BLOCKED first, and only then do we want to 
perform some other checks.

Our current config looks like this:

authorize {
#auth_log # uncomment for debugging

# try to rewrite calling station ID to be sane
rewrite_calling_station_id

rewrite_username_lowercase

# set VLANs for infected or tempsuspension roles

IPSblocks_SQL {
# handle failures
notfound = 999
reject = 999
}

switch reply:RU-block-description {
case "infected" {
if(Airespace-Wlan-Id){
update reply {
Cisco-AVPair += 
"url-redirect=http://ruwireless.rutgers.edu/index.php?page=infected";
Airespace-ACL-Name = "Cisco_infected"
}
}
else {
update reply {
# try VLAN assignment
Tunnel-Type := "VLAN"
Tunnel-Medium-Type := "IEEE-802"
Tunnel-Private-Group-Id := 1666
}
}
# force accept regardless of password
update control {
   Auth-Type := "Accept"
}
ok
}

case "tempsus" {
update reply {
# try VLAN assignment
Tunnel-Type := "VLAN"
Tunnel-Medium-Type := "IEEE-802"
Tunnel-Private-Group-Id := 1666
}
# force accept regardless of password
update control {
   Auth-Type := "Accept"
}
ok
}
# default is to do nothing
}

  


The IPSblocks_SQL does set RU-block-description correctly, and the case 
statement behaves as expected.

We want to stop executing the  in the first two cases 
("infected" and "tempsus"), effectively doing something like a return.

I've read the documentation a hundred times and can't figure out how to do what 
I want - everything I've tried doesn't work.

If someone could give me a simple hint to point me in the right direction it 
would be greatly appreciated.

-- Bruce


Bruce Bauman - Systems Administrator
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (848) 445-6363




Post a question on freeradius

2013-09-30 Thread Suryalakshmi Annadurai
Email id: suryalakshmi.annadu...@carc.co.in

Or

ritu.gla...@gmail.com





Re: Freeradius - DeadLock

2013-09-25 Thread Fajar A. Nugraha
On Thu, Sep 26, 2013 at 4:14 AM, Alisson wrote:

> So this error its caused by my application?
>
>
Whatever it is that creates queries to mysql.

In the default schema, radacct will continue to grow. If you're running it
on a production system with a significant number of users on commodity
hardware, you need to find some way to keep the table at a reasonable
size. For example, 10 million rows of radacct on a single-disk PC clearly
spells trouble.

The quickest way to "fix" that is:
- create a new table with the same structure: CREATE TABLE ... LIKE ..., see the
MySQL reference guide for details
- rename radacct to something else, and rename the new table to radacct

That way you'd get an empty radacct, but with old data still available to
examine. For example, you might want to copy current month's acct data (for
billing purposes) back.

After that, get a qualified DBA to help you manage your database
performance.

-- 
Fajar



>
> 2013/9/25 Arran Cudbard-Bell 
>
>>
>> On 25 Sep 2013, at 20:54, Alisson  wrote:
>>
>> > This messages are from radius.log
>>
>> Those errors were generated by the MySQL client library or the MySQL
>> server, just because they're included in the radius.log file does not mean
>> they originated from within the FreeRADIUS code base.
>>
>> > I've doesn't changed anything in db... and I haven't custom queries...
>>
>> Here is a post describing possible causes.  I've never seen this with the
>> stock queries and schema.
>>
>>
>> http://stackoverflow.com/questions/2332768/how-to-avoid-mysql-deadlock-found-when-trying-to-get-lock-try-restarting-trans
>>
>> Arran Cudbard-Bell 
>> FreeRADIUS Development Team
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Freeradius - DeadLock

2013-09-25 Thread Alisson
So this error is caused by my application?


2013/9/25 Arran Cudbard-Bell 

>
> On 25 Sep 2013, at 20:54, Alisson  wrote:
>
> > This messages are from radius.log
>
> Those errors were generated by the MySQL client library or the MySQL
> server, just because they're included in the radius.log file does not mean
> they originated from within the FreeRADIUS code base.
>
> > I've doesn't changed anything in db... and I haven't custom queries...
>
> Here is a post describing possible causes.  I've never seen this with the
> stock queries and schema.
>
>
> http://stackoverflow.com/questions/2332768/how-to-avoid-mysql-deadlock-found-when-trying-to-get-lock-try-restarting-trans
>
> Arran Cudbard-Bell 
> FreeRADIUS Development Team
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Freeradius - DeadLock

2013-09-25 Thread Arran Cudbard-Bell

On 25 Sep 2013, at 20:54, Alisson  wrote:

> This messages are from radius.log

Those errors were generated by the MySQL client library or the MySQL server, 
just because they're included in the radius.log file does not mean they 
originated from within the FreeRADIUS code base.

> I've doesn't changed anything in db... and I haven't custom queries...

Here is a post describing possible causes.  I've never seen this with the stock 
queries and schema.

http://stackoverflow.com/questions/2332768/how-to-avoid-mysql-deadlock-found-when-trying-to-get-lock-try-restarting-trans

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: Freeradius - DeadLock

2013-09-25 Thread Alisson
These messages are from radius.log

I haven't changed anything in the db... and I don't have custom queries...



2013/9/25 Arran Cudbard-Bell 

>
> On 25 Sep 2013, at 20:08, Alisson  wrote:
>
> > Hi,
> >
> > I have a lot of logs with deadlocks
>
> Those would be caused by a bug in your custom SQL queries?
>
> Arran Cudbard-Bell 
> FreeRADIUS Development Team
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Freeradius - DeadLock

2013-09-25 Thread Arran Cudbard-Bell

On 25 Sep 2013, at 20:08, Alisson  wrote:

> Hi,
> 
> I have a lot of logs with deadlocks

Those would be caused by a bug in your custom SQL queries?

Arran Cudbard-Bell 
FreeRADIUS Development Team



Freeradius - DeadLock

2013-09-25 Thread Alisson
Hi,

I have a lot of logs with deadlocks


Wed Sep 25 15:05:44 2013 : Error: [sql] Couldn't update SQL accounting ALIVE
record - Deadlock found when trying to get lock; try restarting transaction
Wed Sep 25 15:05:44 2013 : Error: [sql] Couldn't update SQL accounting
ALIVE record - Deadlock found when trying to get lock; try restarting
transaction
Wed Sep 25 15:05:44 2013 : Error: [sql] Couldn't update SQL accounting
ALIVE record - Deadlock found when trying to get lock; try restarting
transaction
Wed Sep 25 15:05:44 2013 : Error: [sql] Couldn't update SQL accounting
ALIVE record - Deadlock found when trying to get lock; try restarting
transaction
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: Cannot store result
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: Cannot store result
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: MySQL error 'Deadlock
found when trying to get lock; try restarting transaction'
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: MySQL error 'Deadlock
found when trying to get lock; try restarting transaction'
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: Cannot store result
Wed Sep 25 15:05:44 2013 : Error: [sql] Couldn't update SQL accounting
ALIVE record - Deadlock found when trying to get lock; try restarting
transaction
Wed Sep 25 15:05:44 2013 : Error: [sql] Couldn't update SQL accounting
ALIVE record - Deadlock found when trying to get lock; try restarting
transaction
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: MySQL error 'Deadlock
found when trying to get lock; try restarting transaction'
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: Cannot store result
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: MySQL error 'Deadlock
found when trying to get lock; try restarting transaction'
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: Cannot store result
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: Cannot store result
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: MySQL error 'Deadlock
found when trying to get lock; try restarting transaction'
Wed Sep 25 15:05:44 2013 : Error: [sql] Couldn't update SQL accounting
ALIVE record - Deadlock found when trying to get lock; try restarting
transaction
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: Cannot store result
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: MySQL error 'Deadlock
found when trying to get lock; try restarting transaction'
Wed Sep 25 15:05:44 2013 : Error: [sql] Couldn't update SQL accounting
ALIVE record - Deadlock found when trying to get lock; try restarting
transaction
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: Cannot store result
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: MySQL error 'Deadlock
found when trying to get lock; try restarting transaction'
Wed Sep 25 15:05:44 2013 : Error: rlm_sql_mysql: MySQL error 'Deadlock
found when trying to get lock; try restarting transaction'

Re: message freeradius

2013-09-24 Thread Alan DeKok
María Teresa Mondragón Reyes wrote:
> I followed the instructions to configure freeradius plus remote mysql
> server and when put in debug mode freeradius -f -X i get
> this message.

  You don't need "-f -X".  Just "-X" is good enough.

> rad_recv: Accounting-Request packet from host 192.168.4.224 port 32769,
> id=157, length=285
> Invalid packet code 4 sent to a proxy port from home server
> 192.168.4.224 port 32769 - ID 157 : IGNORED
> Ready to process requests.

  Home servers are supposed to send Accounting-Response, not
Accounting-Request.

  You may have configured the client to send packets to the wrong port.

> Im getting the connection, there is no problem, my user is reaching a ip
> from the private network 192.168.6.xxx and can
> access to internet.

  That is completely different, and not useful here.

> My freeradius server is in the same machine that shorewall, DNS and
> gateway... my shorewall rules

  That isn't useful here.

  What information did you put into the client?  Server IP, port,
secret, etc.?  You likely entered the wrong information.

  Alan DeKok.


Re: message freeradius

2013-09-24 Thread Phil Mayers

On 24/09/13 17:58, María Teresa Mondragón Reyes wrote:


rad_recv: Accounting-Request packet from host 192.168.4.224 port 32769,
id=157, length=285
Invalid packet code 4 sent to a proxy port from home server
192.168.4.224 port 32769 - ID 157 : IGNORED
Ready to process requests.


This should be clear. Someone is sending accounting packets to a 
non-accounting port.


Check your "listen" blocks, and either fix them, or fix the client to 
send to the right port.

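As an added example that is not from this thread: a pair of listen sections binding the authentication and accounting sockets explicitly, so it is unambiguous which port a NAS must use for each packet type. The address is the one in the shorewall rule from the original message; using 1812/1813 and binding to that address is an assumption about this site.

```unlang
# Added example, not from the thread.  192.168.4.254 comes from the
# shorewall rule in the question; 1812 and 1813 are the standard RADIUS
# authentication and accounting ports.  Accounting-Request packets must
# arrive on the acct socket.  The server also opens a proxy socket for its
# own outgoing requests; a packet landing there from a NAS is dropped with
# the "Invalid packet code 4 sent to a proxy port" message seen above.
listen {
    type = auth
    ipaddr = 192.168.4.254
    port = 1812
}

listen {
    type = acct
    ipaddr = 192.168.4.254
    port = 1813
}
```

The "Listening on ... address ... port ..." lines that radiusd -X prints at startup show which port each socket ended up on; compare them with the accounting port configured on the NAS at 192.168.4.224. Note that the shorewall rule in the question opens 1812, 1814 and 18120 but not 1813, so accounting traffic aimed at the standard port would also be blocked by the firewall.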


message freeradius

2013-09-24 Thread María Teresa Mondragón Reyes

Hi everybody

I need some help

I'm new to this topic and I'm trying to configure a freeradius server.

I followed the instructions to configure freeradius plus a remote mysql 
server, and when I put freeradius in debug mode with freeradius -f -X I get

this message.

rad_recv: Accounting-Request packet from host 192.168.4.224 port 32769, 
id=157, length=285
Invalid packet code 4 sent to a proxy port from home server 
192.168.4.224 port 32769 - ID 157 : IGNORED

Ready to process requests.

I'm getting the connection, there is no problem: my user is getting an IP 
from the private network 192.168.6.xxx and can

access the internet.

My freeradius server is on the same machine as shorewall, DNS and the 
gateway... my shorewall rules:

.
.
.
ACCEPT  loc $FW:192.168.4.254 udp 1812,1814,18120
.
.
.


Thanks in advance

tere mondragón



Re: Freeradius-Users Digest, Vol 101, Issue 50

2013-09-23 Thread paul trader
On Mon, 23 Sep 2013 at 18:49, Rui Ribeiro opined:

RR:You're not crazy for sure. The problem authenticating with Windows boxen 
RR:is that they only support MSCHAPv2… kudos to Microsoft.

hi rui - thanks for that, although my family and co-workers may disagree!  

according to this wiki faq entry:

http://wiki.freeradius.org/guide/faq#How-do-I-make-Windows-XP-clients-use-only-PAP-%28Not-CHAP%29

it's possible to force ms to use pap.  somehow, though, after reading 
another reply to my post, i'm getting the feeling ms clients are munging 
something in the username because it's not being found in the users file.

regards, paul

Re: Freeradius-Users Digest, Vol 101, Issue 50

2013-09-23 Thread Rui Ribeiro
--

Message: 5
Date: Mon, 23 Sep 2013 12:33:10 -0400 (EDT)
From: paul trader 
To: freeradius-users@lists.freeradius.org
Subject: pap always returns noop for windows dialup authentication
Message-ID:

Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII


hi all - i've recently tried upgrading from v1 to v2.  on a centos 6.4 box
w/ all latest updates, i installed freeradius v2, added one username and
password to /etc/raddb/users:

test Cleartext-Password := "testing"

and the radtest command-line authentication works.  i then added one
client for our blade server to /etc/raddb/clients.conf:

client x.x.x.x {
   secret = x
   shortname = 3coms
}

substituting the correct ip and secret for the x's.

testing from my linux box w/ a modem, authentication works.  output from
radiusd -X shows all is well, my linux box receives an ip address and dns
servers.  relevant -X debug output shows:

++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok

however, when trying to authenticate from a windows box, authentication
fails.  every time.  i've tried it from a windows xp machine and 2 windows
7 machines.  the debug output always says:

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject

i've been over and over everything a dozen times, have tried changing the
windows dialup security settings to use pap only, and also have tried
adding the following line to the users file:

Auth-Type = PAP

even though everything i've read said not to do that.  still doesn't work.
the only changes i've made to the default installation are to the users
and clients.conf files.  i have spent hours searching the internet for a
similar problem/solution and come up empty.  windows boxes will not
authenticate, pap always returns noop, and the user is rejected.

am i doing something glaringly wrong, or just going plain crazy?

regards, paul


--
Hi Paul,

You're not crazy for sure. The problem authenticating with Windows boxen is
that they only support MSCHAPv2…
kudos to Microsoft.

Regards,
Rui


On 23 September 2013 18:17,
wrote:

> Send Freeradius-Users mailing list submissions to
> freeradius-users@lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-requ...@lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-ow...@lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>1. Re: FreeRadius Error " Access Rejected" Only On Some CISCO
>   SwitchPorts (Alan DeKok)
>2. FreeRadius Error " Access Rejected" Only On Some CISCO Switch
>   Ports (Daniel Baker)
>3. Re: FreeRadius Error " Access Rejected" Only On Some CISCO
>   SwitchPorts (Daniel Baker)
>4. EAP-TLS Authentication (arvind132 .)
>5. pap always returns noop for windows dialup authentication
>   (paul trader)
>6. Re: pap always returns noop for windows dialup authentication
>   (Phil Mayers)
>7. Re: pap always returns noop for windows dialup authentication
>   (paul trader)
>
>
> --
>
> Message: 1
> Date: Mon, 23 Sep 2013 09:18:28 -0400
> From: Alan DeKok 
> To: FreeRadius users mailing list
> 
> Subject: Re: FreeRadius Error " Access Rejected" Only On Some CISCO
> Switch  Ports
> Message-ID: <52403fa4.5090...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Daniel Baker wrote:
> >   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
> >   [ldap] object not found
> > [ldap] search failed
>
>   What part of that is unclear?
>
> > What can I try to fix the authentication issues so that all ports are
> being successfully authenticated ?
>
>   Ensure that the people logging in have accounts in ldap.
>
>   Alan DeKok.
>
>
> --
>
> Message: 2
> Date: Mon, 23 Sep 2013 20:39:44 +0700
> 

Re: FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports

2013-09-23 Thread Daniel Baker

Thank you Alan I will pursue that line of inquiry further.


On 9/23/2013 8:18 PM, Alan DeKok wrote:

Daniel Baker wrote:

   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
   [ldap] object not found
[ldap] search failed

   What part of that is unclear?


What can I try to fix the authentication issues so that all ports are being 
successfully authenticated ?

   Ensure that the people logging in have accounts in ldap.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports

2013-09-23 Thread Daniel Baker



Hi Guys, we are trying to get Free Radius to authenticate our users who 
connect through  a Cisco Small Business POE switch.



When testing authentication with a shutdown / no shutdown command  on 
port fa/17  which has an IP phone connected to it we receive  the 
following errors:


FREE RADIUS :

[ldap]  expand: %{User-Name} -> root
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
[ldap]  expand: dc=citlao,dc=local -> dc=citlao,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.

++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: 
Rejecting the user

Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [root/trash] (from client 
LTC-ROUTER port 2)

Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 12 ID 31 with timestamp +10922
Ready to process requests.

CISCO POE SWITCH:


SW-BN3-PoE(config-if)#shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down:  fa17

SW-BN3-PoE(config-if)#
SW-BN3-PoE(config-if)#no shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP 
status Forwarding

23-Sep-2013 14:17:42 %LINK-I-Up:  fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or 
password in Radius server

23-Sep-2013 14:18:07 %LINK-W-Down:  fa17, aggregated (3)
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding, 
aggregated (3)

23-Sep-2013 14:18:09 %LINK-I-Up:  fa17, aggregated (3)
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or 
password in Radius server, aggregated (1)





However when we try the same test on a port  that has a PC connected to 
it we do not receive such an error.


The CISCO switch says that we have the wrong user name and the Free 
Radius log says access rejected.  Why would this only be the case when   
a CISCO IP phone tries to authenticate?


The Cisco switch port configurations are exactly the same and are as 
follows :


 dot1x max-req 1
 dot1x reauthentication
 dot1x timeout quiet-period 30
 dot1x mac-authentication mac-only
 dot1x port-control auto
 storm-control broadcast enable
 storm-control broadcast level 10
 storm-control include-multicast
 spanning-tree portfast
 macro description "no_ip_phone_desktop | ip_phone_desktop"
 switchport trunk allowed vlan add 100
 macro auto smartport type ip_phone_desktop

What can I try to fix the authentication issues so that all ports are being 
successfully authenticated ?


Thanks for your assistance,

Dan















Re: FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports

2013-09-23 Thread Alan DeKok
Daniel Baker wrote:
>   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
>   [ldap] object not found
> [ldap] search failed

  What part of that is unclear?

> What can I try to fix the authentication issues so that all ports are being 
> successfully authenticated ? 

  Ensure that the people logging in have accounts in ldap.

  Alan DeKok.


Re: Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Alan DeKok
Husnain Taseer wrote:
> In tcpdump asterisk not sending request to the freeradius can u tell
> after configuring freeradius what configurations are needed to be done
> in asterisk.

  You were told to ask this question on the asterisk mailing list.

  We are not asterisk, and we know nothing about it.

  If you're not going to follow instructions, you will have a VERY hard
time solving the problem.

  Alan DeKok.


Re: Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Husnain Taseer
In tcpdump, asterisk is not sending any request to freeradius. Can you tell me,
after configuring freeradius, what configuration needs to be done in
asterisk?


Regards,
Husnain Taseer


On Mon, Sep 23, 2013 at 4:11 PM, Adam Bishop  wrote:

> On 23 Sep 2013, at 11:27, Husnain Taseer  wrote:
>
> > Even I don't get any request from asterisk server in radius logs.
>
>
> You're looking at the wrong layer for the problem.
>
> Fire up tcpdump.  Do you see any radius traffic leaving the asterisk box?
> Does it reach the RADIUS server?
>
> If no traffic is leaving the asterisk server, you'll need to ask the
> Asterisk mailing lists. If traffic is going missing, you need to check your
> network.
>
> If traffic does reach the radius server, you've either broken your RADIUS
> configuration (post a full debug log) or your environment is screwed up
> (check the local firewall, SELinux, AppArmor...)
>
> Regards,
>
> Adam Bishop
>
>  gpg: 0x6609D460
>
> Janet, the UK's research and education network.
>
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Adam Bishop
On 23 Sep 2013, at 11:27, Husnain Taseer  wrote:

> Even I don't get any request from asterisk server in radius logs.


You're looking at the wrong layer for the problem.

Fire up tcpdump.  Do you see any radius traffic leaving the asterisk box? Does 
it reach the RADIUS server?

If no traffic is leaving the asterisk server, you'll need to ask the Asterisk 
mailing lists. If traffic is going missing, you need to check your network.

If traffic does reach the radius server, you've either broken your RADIUS 
configuration (post a full debug log) or your environment is screwed up (check 
the local firewall, SELinux, AppArmor...)

Regards,

Adam Bishop

 gpg: 0x6609D460

Janet, the UK's research and education network.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Husnain Taseer
Hi,

I want to authenticate asterisk peer using freeradius I am using asterisk
12.0.0 and Freeradius 2.2.1. I have configured freeradius correctly as I am
able to authenticate user saved in users file from the terminal by using
"radclient" command from the terminal. but when I try to register peer in
asterisk the freeradius authentication doesn't work. Even I don't get any
request from asterisk server in radius logs.

My sip.conf configuration is :

[1000]
type=friend
context=test
auth_type=radius
host=dynamic

and user credentials are placed in /usr/local/etc/raddb/users as:

1000 Cleartext-Password := "password"


Please Help me in this regard.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports

2013-09-23 Thread Daniel Baker

Hi Guys, we are trying to get Free Radius to authenticate our users who
connect through a Cisco Small Business POE switch.

When testing authentication with a shutdown / no shutdown command on
port fa/17 which has an IP phone connected to it we receive the
following errors:


FREE RADIUS :

[ldap]  expand: %{User-Name} -> root
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
[ldap]  expand: dc=citlao,dc=local -> dc=citlao,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.

++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: 
Rejecting the user

Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [root/trash] (from client 
LTC-ROUTER port 2)

Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 12 ID 31 with timestamp +10922
Ready to process requests.

CISCO POE SWITCH:


SW-BN3-PoE(config-if)#shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down:  fa17

SW-BN3-PoE(config-if)#
SW-BN3-PoE(config-if)#no shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP 
status Forwarding

23-Sep-2013 14:17:42 %LINK-I-Up:  fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or 
password in Radius server

23-Sep-2013 14:18:07 %LINK-W-Down:  fa17, aggregated (3)
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding, 
aggregated (3)

23-Sep-2013 14:18:09 %LINK-I-Up:  fa17, aggregated (3)
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or 
password in Radius server, aggregated (1)

However when we try the same test on a port that has a PC connected to
it we do not receive such an error.


The CISCO switch says that we have the wrong user name and the Free 
Radius log says access rejected.  Why would this only be the case when   
a CISCO IP phone tries to authenticate?


The Cisco switch port configurations are exactly the same and  are as 
follows :


 dot1x max-req 1
 dot1x reauthentication
 dot1x timeout quiet-period 30
 dot1x mac-authentication mac-only
 dot1x port-control auto
 storm-control broadcast enable
 storm-control broadcast level 10
 storm-control include-multicast
 spanning-tree portfast
 macro description "no_ip_phone_desktop | ip_phone_desktop"
 switchport trunk allowed vlan add 100
 macro auto smartport type ip_phone_desktop

What can I try to fix the authentication issues so that all ports are being 
successfully authenticated ?


Thanks for your assistance,

Dan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + 2 x LDAP + VLAN

2013-09-16 Thread Miroslav Lednicky

Thank you,

it works with simple modification (not too effective):


ldap1
if (ok) {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 1
}
}

ldap2
if (ok) {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 2
}
}


Miroslav

On 12 Sep 2013 19:36, Arran Cudbard-Bell wrote:

> On 12 Sep 2013, at 18:18, Miroslav Lednicky wrote:
>
>> Hello,
>>
>> I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and
>> Ubuntu 12.04
>
> authorize {
>     ldap1
>     if (ok) {
>         update reply {
>             Tunnel-Type = VLAN
>             Tunnel-Medium-Type = IEEE-802
>             Tunnel-Private-Group-Id = 1
>         }
>     }
>     else {
>         ldap2
>         if (ok) {
>             update reply {
>                 Tunnel-Type = VLAN
>                 Tunnel-Medium-Type = IEEE-802
>                 Tunnel-Private-Group-Id = 2
>             }
>         }
>     }
> }
>
> Arran Cudbard-Bell
> FreeRADIUS Development Team



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Mgr. Miroslav Lednický
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread A . L . M . Buxey
Hi,

>Could not authenticate user Username%Password with plaintext password
>challenge/response password authentication succeeded

That's okay. It means you couldn't do PAP and only MSCHAPv2 worked. Expected for
that command.

>In this Step, i must edit the following line with this text in the file:
>/etc/freeradius/modules/mschap
> 
>ntlm_auth = "/path/to/ntlm_auth --request-nt-key
>--username=%{mschap:User-Name:-None}
>--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
>--challenge=%{mschap:Challenge:-00}
>--nt-response=%{mschap:NT-Response:-00}"
> 
>But my default commented ntml_auth looks like this:
> 
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
>--challenge=%{%{mschap:Challenge}:-00}
>--nt-response=%{%{mschap:NT-Response}:-00}"

The docs and default values have separated over time.

>In my default ntlm_auth, the option
>"--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}" is missing. Should i add it?

Depends on what you want to do and need to do. Do you TRUST your clients to be
sending the correct domain? I don't... so I've set the domain manually.

>$ radtest -t mschap bob hello localhost 0 testing123

>First Line:
>bob Cleartext-Password := "hello"

What's the users file got to do with anything? If you have clashing usernames
you will have a few problems.
I expect you are trying to test your AD? The radtest failed due to incorrect
password, i.e. the AD is not bob/hello.

I'd recommend using 'eapol_test' for better/advanced testing - it's part of the
wpa_supplicant package.

>@Mathieu
>Is there a current RADIUS-book that you can recommend?

"FreeRADIUS for beginners" is a good current book

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Alan DeKok
Beliars Fire wrote:
> The next step wbinfo -a user%password works too, but I'm getting
> this error message:
>
> Could not authenticate user Username%Password with plaintext password
> challenge/response password authentication succeeded
>
> Is this normal? How can I fix it? The response seems to work correctly.

  It's a Samba issue.  Ask the Samba people.

> In my default ntlm_auth, the option
> "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}" is missing. Should I add it?

  Sure.  It's more needed if you use multiple domains.

> Actually I'm using my default uncommented ntlm_auth. So, I'm going to
> test the MS-CHAP authentication request with this command:
>
> $ radtest -t mschap bob hello localhost 0 testing123
>
> And I'm getting this error message:
>
> Sending Access-Request of id 251 to 127.0.0.1 port 1812

Run the server in debugging mode as suggested in the FAQ,
"man" page, web pages, and daily on this list.  Do NOT look at the
client output.  It's unimportant.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Beliars Fire
Hi,

thanks for the help. Actually I decided to create a new VM and reinstall the
complete server. I'm following the complete How-To, but I'm getting two
different errors.

The first one is this:

It's under the first point: Configuring Authentication with Active Directory.
I started the Samba and Kerberos services and used this command:
 
net join -U MyAdministrator

Worked. I'm getting this message:
Using short domain name -- MYDomain
Joined 'UBUNTU' to realm 'MYDomain'
 
The next step wbinfo -a user%password works too, but I'm getting this
error message:
 
Could not authenticate user Username%Password with plaintext password
challenge/response password authentication succeeded

Is this normal? How can I fix it? The Response seems to work correctly.
 
 
The Second One is this:
 
It's the last point on this page: Configuring FreeRadius to use ntlm_auth for
MS-CHAP

In this step, I must edit the following line with this text in the file:
/etc/freeradius/modules/mschap

ntlm_auth = "/path/to/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

But my default commented ntlm_auth looks like this:
 
 ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} 
--challenge=%{%{mschap:Challenge}:-00} 
--nt-response=%{%{mschap:NT-Response}:-00}"  
 
In my default ntlm_auth, the option "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}"
is missing. Should I add it?

Actually I'm using my default uncommented ntlm_auth. So, I'm going to test the
MS-CHAP authentication request with this command:
 
$ radtest -t mschap bob hello localhost 0 testing123
 
And I'm getting this error message:
 
Sending Access-Request of id 251 to 127.0.0.1 port 1812
 User-Name = "bob"
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0
 Message-Authenticator = 0x
 MS-CHAP-Challenge = 0x01774f129c72245c
 MS-CHAP-Response = 
0x000124ff68dcea66e8348622a45aa91804201f2102e9ecc0add6
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251, length=38
 MS-CHAP-Error = "\000E=691 R
 
/etc/freeradius/users
 
First Line:
bob Cleartext-Password := "hello" 
#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#

 
@Mathieu
Is there a current RADIUS-book that you can recommend?
 
-- BeliarsFire
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-14 Thread Mathieu Simon
Hi

While I generally chime in with Alan's later message, one important thing you
should start reading about and differentiating is Authentication and
Authorization (the latter is Accounting of AAA with RADIUS).

While you can do Authorization using LDAP with AD, you can't do the
Authentication part using LDAP against AD.
Using Samba and ntlm_auth is the way to go; that's due to how AD stores
passwords.

Read deployingradius.com, especially the compatibility matrix and
"Authentication Systems and Password Compatibility".

You may do LDAP load balancing on the authorization part, but ntlm_auth and
balancing / failover is done by Samba.
Otherwise if you want to go deeper, get a RADIUS book :-) I can confirm
that the initial curve may be a bit steep if you haven't done any RADIUS
before, but it's well worth it since it gets you a better overall understanding
of AAA and RADIUS, which will definitely help if something goes belly up.

-- Mathieu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Nikolaos Milas

On 13/9/2013 9:35 PM, Nikolaos Milas wrote:

> Where can I find the v3.0.0 source branch?

Oh, I found it and it includes a spec file for redhat:
https://github.com/FreeRADIUS/freeradius-server/tree/release_branch_3.0.0/redhat

Is the spec file in a well-working condition? (I might test, but knowing
beforehand helps things. :-) )

Thanks,
Nick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Arran Cudbard-Bell

On 13 Sep 2013, at 19:47, Nikolaos Milas  wrote:

> On 13/9/2013 9:35 μμ, Nikolaos Milas wrote:
> 
>> 
>> Where can I find the v3.0.0 source branch? 
> 
> Oh, I found it and it includes a spec file for redhat: 
> https://github.com/FreeRADIUS/freeradius-server/tree/release_branch_3.0.0/redhat
> 
> Is the spec file in a well-working condition? (I might test, but knowing 
> beforehand helps things. :-) )

It is, yes.

V3.0.0 was slated for release this week, but were waiting on feedback from one 
of the testers for a potentially critical bug in proxying code.

It would be good to try the DHCP code out with 3.0.0. IIRC the logic hasn't 
changed significantly, but the change of memory allocator has touched many 
areas of the code including DHCP.

If you're going to try out 3.0.0 then i'd use the release branch, and i'd do it 
now instead of waiting for the official release.  There'll be very few code 
changes between the release branch and the final released version.

The advantage of testing now is that bugs (if there are any) get fixed now, so 
you can deploy and official version which works for you on your production 
servers, instead of waiting a couple of months for the next official release.

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Nikolaos Milas

On 13/9/2013 8:40 PM, Arran Cudbard-Bell wrote:

> If you do it the way I suggested I highly recommend you use V3.0.0
> (release_branch_3.0.0 or master/HEAD) instead, as the list/attribute handling
> is much better.

Thanks,

I'll look into rlm_cache.

I wonder if anyone in this list has created a v3.0.0 spec file for
RHEL/CentOS 6 rpm builds (or is one included in the source tree)?

(I prefer doing installs using RPM files because it helps me a lot in
keeping the server -even a test box- tidy.)

If not, I might try adapting the v2.2.0 spec file (though I am not an
expert on it).


Where can I find the v3.0.0 source branch?

By the way, is there an expected date for v3.0.0 release?

Nick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Nikolaos Milas

On 31/8/2013 12:03 AM, Arran Cudbard-Bell wrote:

>> 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)?
>
> Yes.


I am having a hard time trying to adapt the example at: 
http://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation to work 
from ldap.


We are starting from a point where we have an (LDAP) DIT branch 
ou=hosts,dc=example,dc=com, where hosts are stored (also used for 
MAC-Auth), using entries of the form:


dn: cn=host1.tech,ou=hosts,dc=example,dc=com
cn: host1.tech
objectClass: device
objectClass: ieee802Device
objectClass: top
objectClass: radiusprofile
objectClass: simpleSecurityObject
description: Main Workstation at Tech Dpt
ou: tech
l: Sierra Nevada
userPassword: test123
owner: cn=TechAdmins,ou=Groups,dc=example,dc=com
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
radiusNASIpAddress: 10.10.10.125
radiusTunnelPrivateGroupId: 1
macAddress: 00:24:8b:3a:d1:db
radiusTerminationAction: 33
radiusHint: 50004
radiusFramedIPAddress: 10.10.10.63
radiusArapSecurity: 10.10.10.1
radiusArapZoneAccess: 255.255.255.128

We are attempting to assign the host (using DHCP) with the macAdress 
stored at macAddress attribute:


- the IP Address defined at radiusFramedIPAddress
- the gateway defined at radiusArapSecurity
- the mask defined at radiusArapZoneAccess

Can we use ldap calls (as when doing auth), in modules/ldap, like:

ldap ldap_dhcp {
    server = "localhost"
    identity = "uid=auth,ou=AdminAccounts,dc=example,dc=com"
    password = "mysecret"
    basedn = "ou=hosts,dc=example,dc=com"
    filter = "(macAddress=%{DHCP-Client-Hardware-Address})"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 2
    timeout = 4
    timelimit = 3
    net_timeout = 1
}


...having added in ldap.attr the following (using current unused 
freeradius schema attributes):


replyItem   DHCP-Subnet-Mask       radiusArapZoneAccess
replyItem   DHCP-Router-Address    radiusArapSecurity
replyItem   DHCP-Your-IP-Address   radiusFramedIPAddress


and then modify the example as follows:

server dhcp {
    listen {
        type = dhcp
        ipaddr = 127.0.0.1
        port = 67
        interface = eth0
        broadcast = no
    }

    dhcp DHCP-Discover {
        ldap_dhcp
        update reply {
            DHCP-Message-Type = DHCP-Offer
        }
        update reply {
            DHCP-Domain-Name-Server := 10.10.10.90
            DHCP-Domain-Name-Server := 10.10.10.91
        }
        ok
    }

    dhcp DHCP-Request {
        update reply {
            DHCP-Message-Type = DHCP-Ack
        }
        ldap_dhcp
        update reply {
            DHCP-Domain-Name-Server := 10.10.10.90
            DHCP-Domain-Name-Server := 10.10.10.91
        }
        ok
    }

    dhcp {
        reject
    }
}

...??

Is it correct as above? Do I have to call ldap_dhcp separately in each 
section (i.e. twice)?


Please clarify!

Regards,
Nick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Arran Cudbard-Bell
> 
> Is it correct as above? Do I have to call ldap_dhcp separately in each 
> section (i.e. twice)?

Hopefully someone else will chime in who's actually used it, but this is what I 
believe the order of operations should be:

* Receive DHCP-Discover
- Call LDAP to get the IP assignment for the Mac-Address.
- Augment the reply list with additional options
- Cache the reply attributes you're about to send (see rlm_cache), you 
probably want to key it on the same attributes as your LDAP search
- Set DHCP-Message-Type

* Receive DHCP-Request
- Pull reply list out of cache
- Compare requested IP with that in reply list IP if != IP requested 
trash the reply list and DHCP-Message-Type := NAK
- If request IP == reply IP, DHCP-Message-Type := ACK

That way you only have one hit on your LDAP server, and you guarantee 
consistency across Offer and Request.

You can also do it the way you have in your example server (it has the 
advantage that it'll work behind load balancers, or multiple gateways pointing 
at different servers), but you should check the IP from LDAP is the same as the 
one requested, and NAK if appropriate.

If you do it the way I suggested I highly recommend you use V3.0.0 
(release_branch_3.0.0 or master/HEAD) instead, as the list/attribute handling 
is much better.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
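Arran's Discover/Request ordering, modelled as an added Python example (not FreeRADIUS code or configuration, and not from the thread): rlm_ldap, rlm_cache and the two unlang sections are replaced by small Python stand-ins so the Offer/Request consistency check can be exercised offline, including the cache-miss fallback and the NAK path. The host entry, MAC addresses and IPs are constructed sample data shaped like Nick's LDIF; the ReplyCache, handle_discover and handle_request names are the example's own.

```python
import time

# Constructed stand-in for the ou=hosts LDAP branch: MAC address -> the
# reply attributes rlm_ldap would produce through the replyItem mappings.
LDAP_HOSTS = {
    "00:24:8b:3a:d1:db": {
        "DHCP-Your-IP-Address": "10.10.10.63",
        "DHCP-Router-Address": "10.10.10.1",
        "DHCP-Subnet-Mask": "255.255.255.128",
    },
}

# Options added to every reply by the 'update reply' block, independent of host.
COMMON_OPTIONS = {"DHCP-Domain-Name-Server": ["10.10.10.90", "10.10.10.91"]}


class ReplyCache:
    """Stand-in for rlm_cache, keyed on DHCP-Client-Hardware-Address with a TTL."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested offline
        self._entries = {}

    def put(self, key, reply):
        self._entries[key] = (self.clock() + self.ttl, dict(reply))

    def get(self, key):
        hit = self._entries.get(key)
        if hit is None:
            return None
        expires, reply = hit
        if self.clock() > expires:
            del self._entries[key]  # stale Offer: make the Request re-check LDAP
            return None
        return dict(reply)

    def delete(self, key):
        self._entries.pop(key, None)


def ldap_lookup(mac):
    """rlm_ldap stand-in: the mapped reply attributes, or None for 'notfound'."""
    host = LDAP_HOSTS.get(mac)
    return dict(host) if host else None


def handle_discover(mac, cache):
    """dhcp DHCP-Discover: one LDAP hit, cache the reply list, then set the type."""
    reply = ldap_lookup(mac)
    if reply is None:
        return None  # unknown host: no Offer (the catch-all 'dhcp { reject }')
    reply.update(COMMON_OPTIONS)
    cache.put(mac, reply)  # cached before DHCP-Message-Type is added
    reply["DHCP-Message-Type"] = "DHCP-Offer"
    return reply


def handle_request(mac, requested_ip, cache):
    """dhcp DHCP-Request: ACK only if the requested IP is the one we assigned."""
    reply = cache.get(mac)
    if reply is None:
        # Cache miss (TTL expired, or the Request landed on another server
        # behind a load balancer): fall back to LDAP so the comparison is
        # still made against the directory, never against the client's claim.
        reply = ldap_lookup(mac)
        if reply is None:
            return None
        reply.update(COMMON_OPTIONS)
    if requested_ip != reply["DHCP-Your-IP-Address"]:
        cache.delete(mac)  # trash the reply list; the client must start over
        return {"DHCP-Message-Type": "DHCP-NAK"}
    reply["DHCP-Message-Type"] = "DHCP-Ack"
    return reply
```

The order inside handle_discover matters: the reply list is cached before DHCP-Message-Type is added, so the same cached list serves the Ack. The comparison in handle_request is always against the address from the directory (cached or re-read), never the client's requested one, which is the check Arran says the two-LDAP-hit variant also needs.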


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-13 Thread Alan DeKok
Beliars Fire wrote:
> -> I worked through this tutorial step-by-step. On the last two steps, I
> configured Freeradius to use ntlm_auth > This was obviously wrong, because
> I want to implement LDAP servers.

  Please, don't think you're smarter than people with decades more
experience than you.  It's not polite.

  Follow the instructions in the web page.  Why?  Because they work.

  If you get rid of ntlm_auth, then your users won't be able to
authenticate using 802.1X.

> DEFAULT Auth-Type = ntlm_auth # > Change it to LDAP, right?

  No.  Follow the web page.

  If you're not going to follow instructions, then there's no point in
asking questions on this list.

> ... # Did I need these settings in this version?

  No.

> */etc/freeradius/sites-enabled/inner-tunnel*
> ...
> authenticate {
> ntlm_auth # Change it to LDAP, right?

  No.

> ...
> 
> _I`m editing this file, after your Post:_
> 
> */etc/freeradius/users*
> 
> DEFAULT Auth-Type = ldap

  No.

> After changing, I'm getting this error:
> /etc/freeradius/users[1]: Parse error (check) for entry DEFAULT:
> Unknown value ldap for attribute Auth-Type
>
> So, ldap isn't possible as Auth-Type? Which one must I use?

  It's possible.  But it won't work for you.  So don't do it.

> Thanks for the help! I've been working with Linux for 4 weeks, so it's hard to
> be aware of all functions of Freeradius and Linux.

  It's dead simple.  Follow the web page.  It has step by step
instructions for how to get it to work.  The instructions are correct.
Anyone who knows how to use a text editor can follow them.

  The point of documentation is so non-experts can get things done.  If
you're going to ignore the documentation, then you're on your own.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius authenticate against Active directory

2013-09-13 Thread Matthew Newton
On Fri, Sep 13, 2013 at 12:23:47AM +0100, trevor obba wrote:
> expand: --username=%{mschap:User-Name:-None} -> --username=t...@abc.ac.uk
...
> Exec-Program output: Logon failure (0xc4f) 

> How can I fix the problem of authentication users that type
> in there local realm @abc.ac.uk with their username as well as proxing eduroam
> users?
> Basically, how do I authenticate local user or stripe local
> realm before pass to active directory for authentication?

Use unlang to strip the realm off, something like this before the call to eap:

  if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {
  update request {
  Stripped-User-Name := "%{1}"
  }
  if ("%{3}") {
  update request {
  Realm := "%{3}"
  }
  }
  else {
  # this will reject requests that have no realm
  reject
  }
  }

Then in your mschap module config use Stripped-User-Name instead of User-Name, 
e.g.

  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=abc.ac.uk 
--username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}"

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
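To see what Matthew's regular expression does with names that are not the simple user@realm case, here is an added Python example (not FreeRADIUS code, and not from Matthew's post) that mirrors the unlang block and the mschap line. split_realm, ntlm_auth_argv and LOCAL_DOMAIN are the example's own names; the POSIX [:alnum:] class is written as A-Za-z0-9 because Python's re module has no POSIX classes, and the example assumes nothing earlier in authorize (such as the suffix module) has already set Stripped-User-Name.

```python
import re

# The unlang condition's expression. Python's re has no POSIX [:alnum:], so
# that class is written as A-Za-z0-9; the match behaviour is the same.
REALM_RE = re.compile(r"^([^@]*)(@([-A-Za-z0-9.]+))?$")

# Constructed placeholder for the --domain value hard-coded in the mschap line.
LOCAL_DOMAIN = "abc.ac.uk"


def split_realm(user_name):
    """Mirror the unlang block's three outcomes for one User-Name.

    ("strip", user, realm): regex matched with a realm; unlang sets
        Stripped-User-Name := user and Realm := realm.
    ("reject", None, None): regex matched but group 3 is empty; unlang rejects.
    ("nomatch", None, None): regex did not match at all, so the whole 'if'
        is skipped and nothing is set or rejected.
    """
    m = REALM_RE.match(user_name)
    if m is None:
        return ("nomatch", None, None)
    user, realm = m.group(1), m.group(3)
    if not realm:
        return ("reject", None, None)
    # "@abc.ac.uk" matches with an empty user part; the unlang block does not
    # guard against that, so neither does this mirror.
    return ("strip", user, realm)


def ntlm_auth_argv(user_name, challenge="00", nt_response="00"):
    """argv the mschap module line would expand to, or None if unlang rejected.

    challenge/nt_response default to the ":-00" fallbacks from the config.
    """
    outcome, user, _realm = split_realm(user_name)
    if outcome == "reject":
        return None
    # On 'nomatch' Stripped-User-Name was never set (assuming nothing earlier
    # set it); %{Stripped-User-Name} expands to the empty string, so AD is
    # asked about an empty user name rather than the request being rejected.
    username = user if outcome == "strip" else ""
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--domain={LOCAL_DOMAIN}",
        f"--username={username}",
        f"--challenge={challenge}",
        f"--nt-response={nt_response}",
    ]
```

The point to take from it: the reject branch only fires when the expression matches and the realm group is empty. A name the expression does not match at all (two @ signs, or a realm containing characters outside the class) is left untouched by the block, so it reaches ntlm_auth with an empty --username= instead of being rejected up front.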


Freeradius authenticate against Active directory

2013-09-12 Thread trevor obba
I am running freeradius 2.2.0. I have configured freeradius to authenticate
against active directory and also offer eduroam service. When I authenticate
with my username as "test" and password on my wireless devices it works.

However if I try to authenticate my username as t...@abc.ac.uk it does not work
because freeradius passes t...@abc.ac.uk on to active directory without
stripping out @abc.ac.uk as shown below:

[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: t...@abc.ac.uk
[mschap] Client is using MS-CHAPv2 for t...@abc.ac.uk, we need NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=t...@abc.ac.uk
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} -> 
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-UNIVERSITY} -> --domain=UNIVERSITY
[mschap] Creating challenge hash with username: t...@abc.ac.uk
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=6d98addf3855kk34f22
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=278994tg713ccd713g887k1196faaf038ef
Exec-Program output: Logon failure (0xc4f)

How can I fix the problem of authenticating users that type in their local
realm @abc.ac.uk with their username, as well as proxying eduroam users?
Basically, how do I authenticate a local user, or strip the local realm before
passing to active directory for authentication?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + 2 x LDAP + VLAN

2013-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2013, at 18:18, Miroslav Lednicky  wrote:

> Hello,
> 
> I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu 12.04

authorize {
    ldap1
    if (ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 1
        }
    }
    else {
        ldap2
        if (ok) {
            update reply {
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = 2
            }
        }
    }
}

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell

>  It's like you're asking for flying lessons, and showing up with a
> bicycle.  There's a bit of a disconnect somewhere.

Not true, they make these awesome little fold up bikes you can chuck in the 
back of the plane.

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius + 2 x LDAP + VLAN

2013-09-12 Thread Miroslav Lednicky

Hello,

I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu
12.04

I'm using it for 802.1x users.

I need to switch users from ldap1 to VLAN 1 and users from ldap2 to VLAN 2.

I don't know how I can do it.

My configuration:

/etc/freeradius/modules/ldap:

ldap ldap1 {
    ...
    server = 1.1.1.1
    basedn = ou=users,dc=test,dc=cz
    ...
}

ldap ldap2 {
    ...
    server = 2.2.2.2
    basedn = ou=users,dc=test1,dc=cz
}

/etc/freeradius/sites-enabled/inner-tunnel:

authorize {
chap
mschap
unix
suffix
eap {
ok=return
}
files
ldap1
ldap2
expiration
logintime
pap
}

authenticate {
Auth-Type PAP {
pap
}

Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}

Auth-Type LDAP1 {
ldap1
}

Auth-Type LDAP2 {
ldap2
}
eap
}

It works.

But I need to send attributes to the switch or Access Point:

Tunnel-Type=VLAN,
Tunnel-Medium-Type=IEEE-802,
Tunnel-Private-Group-Id=1

for users from ldap1

and

Tunnel-Type=VLAN,
Tunnel-Medium-Type=IEEE-802,
Tunnel-Private-Group-Id=2

for users from ldap2

I tried to configure it in /etc/freeradius/users, but without success.

Thank you for your help

Miroslav
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Kevin Bigalke
Hello,
I'm running a Freeradius Server 2.1.12 on an Ubuntu 13.04 VM. The login
with 802.1 works perfectly. I'm using a Windows LDAP Server for the
login and want to add a second LDAP server for fail over. I'm
following the tutorials to set up my Freeradius Server: *Click*. I can't find a
suitable tutorial for adding a second LDAP server for fail over. Which files
are responsible for the integration of a second LDAP server? These are my
current settings:


 
/etc/freeradius/modules/ldap:

ldap ldap1 {
    server = "serv01.xyz.local"
    basedn = "dc=xyz,dc=local"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

ldap ldap2 {
    server = "serv02.xyz.local"
    basedn = "dc=xyz,dc=local"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

/etc/samba/smb.conf:

[global]
    workgroup = XYZ
    dns proxy = no
    security = ads
    password server = serv01.xyz.local
    password server = serv02.xyz.local
    winbind separator = +

/etc/freeradius/sites-enabled/inner-tunnel:

authenticate {
    ntlm_auth
    …

/etc/freeradius/sites-enabled/default:

authenticate {
    ntlm_auth
    …

/etc/freeradius/users:
DEFAULT Auth-Type = ntlm_auth

Thanks for Help!
BeliarsFire
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Alan DeKok
Kevin Bigalke wrote:
> i`m running a Freeradius Server 2.1.12 on a  Ubuntu 13.04 VM. The Login
> with 802.1 works perfectly. I`m using a Windows LDAP Server for the
> Login and want to add a second LDAP-Server for a Fail Over. I`m
> following the Tutorials to setup my Freeradius Server: **Click
> <http://deployingradius.com/>**. I`cant find a suitable Tutorial to
> adding a second LDAP Server for a Fail Over. Which files are responsible
> for the integration of a second LDAP server?

  raddb/modules/ldap

> These are my current Settings:

  That seems reasonable.

> */etc/samba/smb.conf*:

  Which largely doesn't matter for FreeRADIUS.

> */etc/freeradius/sites-enabled/inner-tunnel:*
>  
> authenticate {
> ntlm_auth

  So... you're not using LDAP.

  Let's start from the beginning.  What, exactly are you trying to do?
What have you done?  Why did you think that would work?

  Be specific.

  In short, you *can't* do LDAP fail-over if you're using ntlm_auth.
That's because ntlm_auth interacts with Samba.  And you have *no* LDAP
configuration in the "authorize" section.  And Samba takes care of
Samba-related fail-overs, so LDAP isn't necessary.

  It's like you're asking for flying lessons, and showing up with a
bicycle.  There's a bit of a disconnect somewhere.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2013, at 15:47, Kevin Bigalke  wrote:

> Hello,
> i`m running a Freeradius Server 2.1.12 on a  Ubuntu 13.04 VM. The Login with 
> 802.1 works perfectly. I`m using a Windows LDAP Server for the Login and want 
> to add a second LDAP-Server for a Fail Over. I`m following the Tutorials to 
> setup my Freeradius Server: *Click*. I`cant find a suitable Tutorial to 
> adding a second LDAP Server for a Fail Over. Which files are responsible for 
> the integration of a second LDAP server? These are my current Settings:

ldap {
server = "serv01.xyz.local,serv02.xyz.local"
...
}

libldap handles failover.

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2013, at 16:29, Arran Cudbard-Bell  wrote:

> 
>> It's like you're asking for flying lessons, and showing up with a
>> bicycle.  There's a bit of a disconnect somewhere.
> 
> Not true, they make these awesome little fold up bikes you can chuck in the 
> back of the plane.

Still trying to come up with a justification for an rlm_avionics module.

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Alan DeKok
Nikolaos Milas wrote:

> ldconfig -v output does not list any *ldap* libraries in /usr/lib64
> although they exist (while it lists *ldap* libs in
> /usr/local/openldap/lib64), obviously because:

  Well... this is a local OS issue.  You'll need to consult your OS
documentation to figure out what's going on.

  We're just RADIUS people.  We come close, but we don't know
*everything*. :)

  Alan DeKok.


Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Nikolaos Milas

On 12/9/2013 2:46 pm, Arran Cudbard-Bell wrote:


Your linker's search path doesn't include the directory the libraries are in.


Hmm, it seems the path is included but the ldap libs therein are not 
used because there is an "override" in /etc/ld.so.conf:


# ldconfig -v | grep -v ^$'\t'
/usr/lib64/atlas:
/usr/lib64/mysql:
/usr/lib64/qt-3.3/lib:
/usr/lib64/xulrunner:
/usr/local/berkeleydb/lib64:
/usr/local/openldap/lib64:
/lib:
/lib64:
/usr/lib:
/usr/lib64:
/lib64/tls: (hwcap: 0x8000)
/usr/lib64/sse2: (hwcap: 0x0400)
/usr/lib64/tls: (hwcap: 0x8000)

ldconfig -v output does not list any *ldap* libraries in /usr/lib64 
although they exist (while it lists *ldap* libs in 
/usr/local/openldap/lib64), obviously because:


# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/berkeleydb/lib64
/usr/local/openldap/lib64

Regards,
Nick


Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Fajar A. Nugraha
On Thu, Sep 12, 2013 at 3:25 PM, Nikolaos Milas  wrote:

> Hello,
>
> I am trying to use http://www.packetfence.org/downloads/PacketFence/freeradius/freeradius-2.2.0-2.el6.src.rpm
> to create custom FreeRadius RPMs for RHEL/CentOS 6.
>
> The main aim is to add --with-dhcp compile option which is not included in
> the standard build.
>
>
For the record, 2.2.0 already builds dhcp support by default, so you should
not need to add --with-dhcp. See http://freeradius.org/

-- 
Fajar

Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2013, at 11:02, Nikolaos Milas  wrote:

> On 12/9/2013 11:47 am, Arran Cudbard-Bell wrote:
> 
>> 
>> --with-rlm-ldap-lib-dir=
>> --with-rlm-ldap-include-dir=
>> 
>> Top level configure.
> 
> Thanks Arran,
> 
> It worked! I have built and installed the new RPMs and things are working OK.

Your linker's search path doesn't include the directory the libraries are in.

rlm_ldap ./configure opted not to build the module because its dependencies 
were unmet.

The module wasn't built, and so the rlm_ldap.so files didn't exist when 
building the RPM.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team


Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Nikolaos Milas

On 12/9/2013 11:47 am, Arran Cudbard-Bell wrote:



--with-rlm-ldap-lib-dir=
--with-rlm-ldap-include-dir=

Top level configure.


Thanks Arran,

It worked! I have built and installed the new RPMs and things are 
working OK.


Interestingly, trying to build with the default system libs was failing:

During RPMbuild:

   ...
   checking for ldap_init in -lldap_r... no
   checking for ldap.h... yes
   configure: WARNING: silently not building rlm_ldap.
   configure: WARNING: FAILURE: rlm_ldap requires: libldap_r.
   ...

and then (later):

error: File not found: 
/home/fradius1/rpmbuild/BUILDROOT/freeradius-2.2.0-3.el6.x86_64/usr/lib64/freeradius/rlm_ldap.so
error: File not found: 
/home/fradius1/rpmbuild/BUILDROOT/freeradius-2.2.0-3.el6.x86_64/usr/lib64/freeradius/rlm_ldap-2.2.0.so


But I have also installed the standard openldap and openldap-devel 
packages (openldap 2.4.23, as available by default repos) and:


$ ls -la /usr/lib64/*ldap*
lrwxrwxrwx. 1 root root 10 Sep 21 2012 /usr/lib64/libldap-2.4.so.2 -> 
libldap.so

-rw-r--r-- 1 root root 781914 Mar 20 15:57 /usr/lib64/libldapbackend.a
-rwxr-xr-x 1 root root 1151 Mar 20 15:57 /usr/lib64/libldapbackend.la
-rwxr-xr-x 1 root root 379419 Mar 20 15:57 /usr/lib64/libldapbackend.so
lrwxrwxrwx. 1 root root 12 Sep 21 2012 /usr/lib64/libldap_r-2.4.so.2 -> 
libldap_r.so
lrwxrwxrwx 1 root root 29 Jun 4 19:30 /usr/lib64/libldap_r.so -> 
/lib64/libldap_r-2.4.so.2.5.6
lrwxrwxrwx 1 root root 27 Jun 4 19:30 /usr/lib64/libldap.so -> 
/lib64/libldap-2.4.so.2.5.6

-rwxr-xr-x 1 root root 40320 Feb 22 2013 /usr/lib64/libsmbldap.so.0

...which is the default lib dir.

Solely for my comprehension, what could have been the reason for that 
failure? Shouldn't it work when looking for libs in the default libs dir?


Thanks again,
Nick


Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Arran Cudbard-Bell


--with-rlm-ldap-lib-dir=
--with-rlm-ldap-include-dir=

Top level configure.


> 
> Thanks,
> Nick
> 


Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Nikolaos Milas

Hello,

I am trying to use 
http://www.packetfence.org/downloads/PacketFence/freeradius/freeradius-2.2.0-2.el6.src.rpm 
to create custom FreeRadius RPMs for RHEL/CentOS 6.


The main aim is to add --with-dhcp compile option which is not included 
in the standard build.


The secondary aim is to build using custom ldap libraries, because we 
are using LTB OpenLDAP RPM packages 
(http://ltb-project.org/wiki/download#openldap).


The libraries as installed by these RPM packages are in 
/usr/local/openldap/lib64/ and /usr/local/openldap/include/


In the src.rpm I see:

   BuildRequires: openldap-devel

which I can change to:

   BuildRequires: openldap-ltb-debuginfo

but how can I define custom LDAP libraries?

Can I use something like:

export CPPFLAGS="${CPPFLAGS} -I/usr/local/openldap/include"
export LDFLAGS="${LDFLAGS} -L/usr/local/openldap/lib64"

...as we do for building Dovecot, or

CXXFLAGS="${CXXFLAGS} -I/usr/local/openldap/include"; export CXXFLAGS
LDFLAGS="${LDFLAGS} -L/usr/local/openldap/lib64 -lldap -llber 
-R/usr/local/openldap/lib64"; export LDFLAGS


...as we do for building PowerDNS?

( We have found the above for other software after significant effort. I 
hope it'll be easier with FreeRadius! :-) )


Please advise!

Thanks,
Nick



Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Alan DeKok
Nikolaos Milas wrote:
> My understanding is that the term "production system" implies the
> definition above.

  It's just a warning.  If it works for you, it works.

> Does the reference to "code" apply to the configuration file only
> (sites-available/dhcp) or to the DHCP FreeRadius module (as I have
> probably misunderstood)?

  "code" means "code", not "configuration files"

  Alan DeKok.


Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Nikolaos Milas

On 11/9/2013 5:05 pm, Arran Cudbard-Bell wrote:


Define production-ready...


Production-ready DHCP Server: A DHCP Server that can be used as such in 
a real-life, mission-critical, organizational environment, i.e. in a 
network where clients (hosts) will only get an IP address if and only if 
the DHCP Server behaves as expected.


I was referring to the:

#    WARNING 
#
#   This code is experimental, and SHOULD NOT be used in a
#   production system.  It is intended for validation and
#   experimentation ONLY."

My understanding is that the term "production system" implies the 
definition above.


Does the reference to "code" apply to the configuration file only 
(sites-available/dhcp) or to the DHCP FreeRadius module (as I have 
probably misunderstood)?


Please, clarify.

Thanks,
Nick

Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Arran Cudbard-Bell

On 11 Sep 2013, at 15:37, Nikolaos Milas  wrote:

> On 11/9/2013 5:05 pm, Arran Cudbard-Bell wrote:
> 
>> Define production-ready...
> 
> Production-ready DHCP Server: A DHCP Server that can be used as such in a 
> real-life, mission-critical, organizational environment, i.e. in a network 
> where clients (hosts) will only get an IP address if and only if the DHCP 
> Server behaves as expected.

That you will need to verify yourself.

> 
> I was referring to the:
> 
> #    WARNING 
> #
> #   This code is experimental, and SHOULD NOT be used in a
> #   production system.  It is intended for validation and
> #   experimentation ONLY."
> 
> My understanding is that the term "production system" implies the definition 
> above.
> 
> Does the reference to "code" apply to the configuration file only 
> (sites-available/dhcp) or to the DHCP FreeRadius module (as I have probably 
> misunderstood)?


The code is in use on a number of 'production' systems.

Arran Cudbard-Bell 
FreeRADIUS Development Team


Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Arran Cudbard-Bell

On 11 Sep 2013, at 14:49, Nikolaos Milas  wrote:

> On 31/8/2013 5:57 pm, Nikolaos Milas wrote:
> 
>> I'll look into DHCP...
> 
> Looking at the sites-available/dhcp example setup (on v2.2.0) I see that the 
> DHCP code is not production-ready.
> 
> Based on user feedback and on your involvement with next FreeRadius 
> release(s) development, do you expect the DHCP module to be production ready 
> in the next release?
> 
> I can surely experiment now with the current "experimental" release, but it 
> would be important to have a roadmap as to when the software will be 
> production-ready, so as to prepare some type of deployment schedule.

Define production-ready...

Arran Cudbard-Bell 
FreeRADIUS Development Team


Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Nikolaos Milas

On 31/8/2013 5:57 pm, Nikolaos Milas wrote:


I'll look into DHCP...


Looking at the sites-available/dhcp example setup (on v2.2.0) I see that 
the DHCP code is not production-ready.


Based on user feedback and on your involvement with next FreeRadius 
release(s) development, do you expect the DHCP module to be production 
ready in the next release?


I can surely experiment now with the current "experimental" release, but 
it would be important to have a roadmap as to when the software will be 
production-ready, so as to prepare some type of deployment schedule.


Thanks and regards,
Nick


Re: freeradius eam sim authorization to everyone

2013-09-10 Thread Alan DeKok
Maxim Shoustin wrote:
> Can I configure to give "OK" to any sim based on provider only, like
> "Orange", for example?

  No.  The design of EAP-SIM makes that impossible.

  Alan DeKok.


freeradius eam sim authorization to everyone

2013-09-09 Thread Maxim Shoustin
Hello,
I use freeradius 2.2.0 (runs on Ubuntu).

I played enough with eap sim, (thanks for examples eapsim-02 - 06).

My goal is to test  client + AP but not
freeradius authorization/authentication process.

How can I configure freeradius to give success for every user, no matter
what the imsi, challenge, kc or sres is?

Can I configure to give "OK" to any sim based on provider only, like
"Orange", for example?


Thank you,

Re: Freeradius 2.2.0 - binaries not being installed ???

2013-09-06 Thread Ben

On 05/09/2013 22:31, Alan Buxey wrote:

But if you'd installed the debian/Ubuntu package version then it is
'freeradius' ;)

alan


Indeed, and that was the source of my problem.

I had spent the best part of the day troubleshooting the older Ubuntu 
packaged version.


So when I threw in the towel and uninstalled it and compiled from 
source, I didn't realise that FreeRadius's "real name" was not 
"freeradius"  ;-)




Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Chris Decker
Arran - Ignore my "What would happen to the FreeRADIUS processes…" question - I 
meant to delete that before sending my message.


On Sep 5, 2013, at 9:34 PM, Chris Decker  wrote:

> Arran,
> 
> Thank you for taking the time to so clearly lay things out - it seems like 
> rlm_replicate will do exactly what we want!
> 
> I'm going to look into using redis, as it is supported by logstash 
> out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed 
> delivery'.  What would happen to the FreeRADIUS processes should my client be 
> unable to connect back to the redis 'server' (for whatever reason) for an 
> extended period of time?  Also, should I be nervous about using the redis 
> module in production given the 'Experimental' redis module description in the 
> 2.1.1 changelog?
> 
> 
> 
> 
> Thanks,
> Chris
> 
> 
> P.s. My apologies for replying via the digest - you replied before I had time 
> to switch off of digests.
> 
> 
> 
>> Date: Thu, 5 Sep 2013 19:11:35 +0100
>> From: Arran Cudbard-Bell 
>> To: FreeRadius users mailing list
>>  
>> Subject: Re: FreeRADIUS Accounting Logging to Two Separate Locations
>>  Simultaneously
>> Message-ID: 
>> Content-Type: text/plain; charset=us-ascii
>> 
>> 
>> On 5 Sep 2013, at 18:29, Chris Decker  wrote:
>> 
>>> All,
>>> 
>>> I could use some help in understanding my options for the following 
>>> scenario:
>>> In our environment, FreeRADIUS currently writes its Accounting logs to the 
>>> local drive - one file per authorized client.  In addition to the local 
>>> logging, the Security group wants the Accounting logs sent to their logging 
>>> cluster (in real-time) so they can put them in their elasticsearch database 
>>> and respond to incidents.
>> 
>> Well you don't want the main log file from the daemon which makes it easier. 
>>  That can only go to one place.
>> 
>> There are four types of modules you could use for this:
>>  - linelog
>>  - detail
>>  - replicate
>>  - the db modules (ldap, sql, redis)
>> 
>> Linelog can log to files or syslog, you construct the format lines using 
>> static text and attributes.
>> Detail can only log to files, it just dumps the contents of an attribute 
>> list to a file.
>> Replicate fires and forgets a copy of the Accounting-Request to a remote 
>> server.
>> The DB modules just log to a table.
>> 
>> You can list any combination of those modules in the accounting section of 
>> the server to write to multiple destinations.
>> 
>> It's generally sensible to log one copy of the accounting packets to disk on 
>> the box it was received, most people use the detail module for this.
>> 
>> For the other consumers, if they want off-box logging and don't want syslog, 
>> forward them a copy of the packet using rlm_replicate.  This copies the 
>> incoming packet to another destination.  It doesn't block, and doesn't wait 
>> for a response, meaning it will be affected by packet loss.  But that 
>> shouldn't be an issue on a campus network if you set the QoS priorities 
>> correctly, and hey, at least no congestive failure.
>> 
>> For consuming those packets at the other end, you can use another instance 
>> of FreeRADIUS (and configure it to not respond), or radsniff can be used to 
>> pick them off the wire with libpcap, and output them in something very 
>> similar to detail format.
>> 
>> I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is 
>> released (we're currently in feature freeze, so I needed something to hack 
>> on).  So if you want additional features like outputting packet 'signatures' 
>> to syslog, and are willing to test the code then I'd be happy to add it in.
>> 
>>> My question: What is the best way to make both the Ops and Security groups 
>>> happy given the below limitations:
>>> - The Security group does not want to pull the logs from MySQL, as they 
>>> want to use logstash/elasticsearch and this would just complicate things.
>> 
>> Yeah and who wants to manage SQL tables with millions of rows, eww.
>> 
>>> - The Ops group wants to avoid syslog because they fear syslog could block, 
>>> causing their production FreeRADIUS servers to eventually stop responding 
>>> to requests.
>> 
>> 
>> Ok.
>> 
>>> The options we are exploring, in order of preference:
>>> 1. "

Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Chris Decker
Arran,

Thank you for taking the time to so clearly lay things out - it seems like 
rlm_replicate will do exactly what we want!

I'm going to look into using redis, as it is supported by logstash 
out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed delivery'.  
What would happen to the FreeRADIUS processes should my client be unable to 
connect back to the redis 'server' (for whatever reason) for an extended period 
of time?  Also, should I be nervous about using the redis module in production 
given the 'Experimental' redis module description in the 2.1.1 changelog?




Thanks,
Chris


P.s. My apologies for replying via the digest - you replied before I had time 
to switch off of digests.



> Date: Thu, 5 Sep 2013 19:11:35 +0100
> From: Arran Cudbard-Bell 
> To: FreeRadius users mailing list
>   
> Subject: Re: FreeRADIUS Accounting Logging to Two Separate Locations
>   Simultaneously
> Message-ID: 
> Content-Type: text/plain; charset=us-ascii
> 
> 
> On 5 Sep 2013, at 18:29, Chris Decker  wrote:
> 
>> All,
>> 
>> I could use some help in understanding my options for the following scenario:
>> In our environment, FreeRADIUS currently writes its Accounting logs to the 
>> local drive - one file per authorized client.  In addition to the local 
>> logging, the Security group wants the Accounting logs sent to their logging 
>> cluster (in real-time) so they can put them in their elasticsearch database 
>> and respond to incidents.
> 
> Well you don't want the main log file from the daemon which makes it easier.  
> That can only go to one place.
> 
> There are four types of modules you could use for this:
>   - linelog
>   - detail
>   - replicate
>   - the db modules (ldap, sql, redis)
> 
> Linelog can log to files or syslog, you construct the format lines using 
> static text and attributes.
> Detail can only log to files, it just dumps the contents of an attribute list 
> to a file.
> Replicate fires and forgets a copy of the Accounting-Request to a remote 
> server.
> The DB modules just log to a table.
> 
> You can list any combination of those modules in the accounting section of 
> the server to write to multiple destinations.
> 
> It's generally sensible to log one copy of the accounting packets to disk on 
> the box it was received, most people use the detail module for this.
> 
> For the other consumers, if they want off-box logging and don't want syslog, 
> forward them a copy of the packet using rlm_replicate.  This copies the 
> incoming packet to another destination.  It doesn't block, and doesn't wait 
> for a response, meaning it will be affected by packet loss.  But that 
> shouldn't be an issue on a campus network if you set the QoS priorities 
> correctly, and hey, at least no congestive failure.
> 
> For consuming those packets at the other end, you can use another instance of 
> FreeRADIUS (and configure it to not responsd), or radsniff can be used to 
> pick them off the wire with libpcap, and output them in something very 
> similar to detail format.
> 
> I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is 
> released (we're currently in feature freeze, so I needed something to hack 
> on).  So if you want additional features like outputting packet 'signatures' 
> to syslog, and are willing to test the code then I'd be happy to add it in.
> 
>> My question: What is the best way to make both the Ops and Security groups 
>> happy given the below limitations:
>> - The Security group does not want to pull the logs from MySQL, as they want 
>> to use logstash/elasticsearch and this would just complicate things.
> 
> Yeah and who wants to manage SQL tables with millions of rows, eww.
> 
>> - The Ops group wants to avoid syslog because they fear syslog could block, 
>> causing their production FreeRADIUS servers to eventually stop responding to 
>> requests.
> 
> 
> Ok.
> 
>> The options we are exploring, in order of preference:
>> 1. "Robust Accounting" - the Ops team believes there is a way to have the 
>> logs written to two locations simultaneously - locally and remotely, and if 
>> the remote connection is lost it does not impact operations.  Is this 
>> possible?  Does anyone have a sample config they could share?
> 
> Um, that's a pretty basic feature of the server, just list multiple modules 
> in the accounting section.
> 
>> 2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.  
>> A script would then essentially 'tail -f' the log file and stream the logs 
>>
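The setup Arran describes above, as an added example that is not from the thread or the FreeRADIUS project: the detail module keeps the local copy, and rlm_replicate forwards a copy of each Accounting-Request to the Security group's collector via a realm defined in proxy.conf. The home server name, address, pool, realm name and shared secret are placeholders I chose; replace them with your own.

```unlang
# --- raddb/proxy.conf (added example; names, address and secret are placeholders) ---
home_server security-collector {
	type = acct
	ipaddr = 192.0.2.10        # placeholder: the collector running FreeRADIUS or radsniff
	port = 1813
	secret = CHANGE_ME         # placeholder; the collector's client entry for this server must match
}

home_server_pool security-collector-pool {
	type = fail-over
	home_server = security-collector
}

realm security-logging {
	acct_pool = security-collector-pool
	nostrip
}

# --- raddb/sites-enabled/default, accounting section ---
accounting {
	# Local copy first: detail dumps every Accounting-Request to disk on this box,
	# so a lost remote packet never loses the only record of a session.
	detail

	# Tag the request with the realm whose acct_pool receives the copy, then
	# fire-and-forget it. rlm_replicate neither blocks nor waits for a reply,
	# so an unreachable collector cannot stall the server; the copy is just lost.
	update control {
		Replicate-To-Realm := "security-logging"
	}
	replicate

	# Nothing that can block (syslog, SQL) is listed here, which was the Ops
	# group's constraint.
}
```

The copy travels as plain RADIUS over UDP, protected only by the shared secret, so Alan Buxey's suggestion of a VPN tunnel between the two hosts applies to it as well.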

Re: Freeradius 2.2.0 - binaries not being installed ???

2013-09-05 Thread Alan Buxey
But if you'd installed the debian/Ubuntu package version then it is 
'freeradius' ;)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 2.2.0 - binaries not being installed ???

2013-09-05 Thread Ben

On 05/09/2013 18:19, Arran Cudbard-Bell wrote:


On 5 Sep 2013, at 18:08, Ben  wrote:


Hi,

Am I being stupid or what ?


Yes.  The main binary is called radiusd, not freeradius.

Arran Cudbard-Bell 
FreeRADIUS Development Team




Too long staring at my computer screen today ;-(

I blame the bugs in an earlier version of Freeradius.  ;-)


FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Chris Decker
All,

I could use some help in understanding my options for the following scenario:
In our environment, FreeRADIUS currently writes its Accounting logs to the 
local drive - one file per authorized client.  In addition to the local 
logging, the Security group wants the Accounting logs sent to their logging 
cluster (in real-time) so they can put them in their elasticsearch database and 
respond to incidents.

My question: What is the best way to make both the Ops and Security groups 
happy given the below limitations:
- The Security group does not want to pull the logs from MySQL, as they want to 
use logstash/elasticsearch and this would just complicate things.
- The Ops group wants to avoid syslog because they fear syslog could block, 
causing their production FreeRADIUS servers to eventually stop responding to 
requests.

--

The options we are exploring, in order of preference:
1. "Robust Accounting" - the Ops team believes there is a way to have the logs 
written to two locations simultaneously - locally and remotely, and if the 
remote connection is lost it does not impact operations.  Is this possible?  
Does anyone have a sample config they could share?
2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.  A 
script would then essentially 'tail -f' the log file and stream the logs to the 
Security group (and would handle the hourly filename changes obviously).
3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local 
file AND send remotely to the Security group.  The Ops group wants to avoid 
syslog if at all possible.
4. Re-configure FreeRADIUS to also log to MySQL.  The Security group would then 
have to figure out a way to pull the data out in near-real time and insert it 
into their own database, which they would like to avoid.



Any comments or suggestions are welcome.




Thanks,
Chris


Re: Freeradius 2.2.0 - binaries not being installed ???

2013-09-05 Thread Ben

On 05/09/2013 18:32, Fajar A. Nugraha wrote:

./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr
--exec-prefix=/usr --mandir=/usr/share/man --libdir=/usr/lib/freeradius
--datadir=/usr/share


Thank you Fajar.  I'm up and running now though.


Re: Freeradius 2.2.0 - binaries not being installed ???

2013-09-05 Thread Fajar A. Nugraha
On Fri, Sep 6, 2013 at 12:08 AM, Ben  wrote:

> Hi,
>
> Am I being stupid or what ?
>
> 3.5.0-26-generic #42~precise1-Ubuntu
>
> Downloaded ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.2.0.tar.gz
>
> Ran "./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr
> --exec-prefix=/usr --mandir=/usr/share/man --libdir=/usr/lib/freeradius
> --datadir=/usr/share"
>
>
If you simply want FR 2.2.0, you can just use my ppa (
https://launchpad.net/~freeradius/+archive/stable ) and pretty much have
most things similar to the way Ubuntu package it (including the main binary
name)

-- 
Fajar

Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Alan Buxey
The default install comes with a few accounting virtual servers that you can 
use.  I'd strongly advise one of the out-of-band asynchronous ones.

If you use UDP, syslog is not blocking... it is fire and forget... so you 
might lose packets if you have congested links or a disruption between source 
and destination.  For security throw a VPN tunnel between the hosts.

In the end it's whatever floats your boat and is maintainable... you had a big 
list, some of which seem prone to issues and overworked. And why not think of it 
the other way around? Let security have all the logs and then give ops access 
to the data via their system... ops then no longer need to worry about data 
retention, the legal issues, disk space etc... they just run a radius daemon ;)

alan


Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread CHRISTOPHER SHELDON DECKER
Alan,

Thanks for responding. 

I'm from the Security group so I'm not intimately familiar with FreeRADIUS - 
can you please elaborate on how it would work if we set up a Virtual 
Accounting server?

Sent from my iPhone

> On Sep 5, 2013, at 5:53 PM, Alan Buxey  wrote:
> 
> The default install comes with a few accounting virtual servers that you can 
> use.  I'd strongly advise one of the out-of-band asynchronous ones. 
> 
> If you use UDP, syslog is not blocking... it is fire and forget... so you 
> might lose packets if you have congested links or a disruption between source 
> and destination.  For security throw a VPN tunnel between the hosts.  
> 
> In the end it's whatever floats your boat and is maintainable... you had a big 
> list, some of which seem prone to issues and overworked. And why not think of 
> it the other way around? Let security have all the logs and then give ops 
> access to the data via their system... ops then no longer need to worry about 
> data retention, the legal issues, disk space etc... they just run a radius 
> daemon ;)
> 
> alan
> 

