Re: What does FR 2.2.2 fix?

2013-10-07 Thread A . L . M . Buxey
Hi,

   If everyone's in favor, I'll release 2.2.2 on Monday.

hold request


now it's monday AM and the load has gone back to higher levels 
the server is freaking out and freezing with the last message in
the log being


Mon Oct  7 07:50:28 2013 : Error: [event.c:2318] Internal sanity check failed


(that's it...no other output - the server needs a restart, it doesn't process 
anything else once it hits this error)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What does FR 2.2.2 fix?

2013-10-07 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
 now it's monday AM and the load has gone back to higher levels 
 the server is freaking out and freezing with the last message in
 the log being
 
 
 Mon Oct  7 07:50:28 2013 : Error: [event.c:2318] Internal sanity check failed

  At least that's clearer.

  It would be nice to be able to debug the exact state for that, but the
fix should be simple.  I'll push something to git later today.

  Alan DeKok.


Re: What does FR 2.2.2 fix?

2013-10-07 Thread Stefan Winter
Hi,

 clarification/agreement from Stefan or others?

tried the newest GIT this morning and the proxy issues were gone.

I haven't seen your Internal sanity check failed just yet (and am not
looking forward to it :-/ ).

Stefan

 
 alan
 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66



Re: What does FR 2.2.2 fix?

2013-10-06 Thread A . L . M . Buxey
Hi,

   More debug output would help.  The last patch came from output sent by 
 Stefan. The patch seems to help. But there's an underlying issue which is 
 harder to debug.  It looks like a Linux specific IPv6 problem.  I don't see 
 any issue with v4. 

interesting..the culprit may have been found. put HEAD onto server this 
afternoon...
the logs had plenty of core messages but look

Sun Oct  6 15:13:55 2013 : Error: WARNING: Unresponsive child for request 1821224, in component core module thread
Sun Oct  6 15:13:56 2013 : Error: WARNING: Unresponsive child for request 1821229, in component core module thread
Sun Oct  6 15:13:56 2013 : Info: WARNING: Child is hung for request 1821224 in component core module thread.
Sun Oct  6 15:13:57 2013 : Info: WARNING: Child is hung for request 1821229 in component core module thread.
Sun Oct  6 15:13:58 2013 : Info: WARNING: Child is hung for request 1821224 in component core module thread.
Sun Oct  6 15:13:58 2013 : Info: WARNING: Child is hung for request 1821229 in component core module thread.
Sun Oct  6 15:14:00 2013 : Info: WARNING: Child is hung for request 1821224 in component core module thread.
Sun Oct  6 15:14:00 2013 : Info: WARNING: Child is hung for request 1821229 in component core module thread.
Sun Oct  6 15:14:03 2013 : Info: WARNING: Child is hung for request 1820598 in component core module thread.
Sun Oct  6 15:14:04 2013 : Info: WARNING: Child is hung for request 1821224 in component core module thread.
Sun Oct  6 15:14:04 2013 : Info: WARNING: Child is hung for request 1821229 in component core module thread.
Sun Oct  6 15:14:09 2013 : Info: WARNING: Child is hung for request 1821224 in component core module thread.
Sun Oct  6 15:14:09 2013 : Info: WARNING: Child is hung for request 1821229 in component core module thread.

Sun Oct  6 15:14:18 2013 : Info: Ready to process requests.

no 'bad logs' since that restart logged.

clarification/agreement from Stefan or others?

alan


Re: What does FR 2.2.2 fix?

2013-10-06 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
 interesting..the culprit may have been found. put HEAD onto server this 
 afternoon...
 the logs had plenty of core messages but look
...
 no 'bad logs' since that restart logged.

  Good.  It's the problem I thought it was, but the earlier fixes
weren't complete.

  The odd thing is that code hadn't changed from 2.2.0.  So it looks
like there were two bugs.  One which hid the second one.  When I fixed
the first one, the second one caused this issue.

 clarification/agreement from Stefan or others?

  If everyone's in favor, I'll release 2.2.2 on Monday.

  Alan DeKok.


What does FR 2.2.2 fix?

2013-10-04 Thread Alex Sharaz
Hi,
Yesterday caught an email about the release of FR 2.2.2 on Monday to fix a 
proxy problem. As I've just migrated 2 of my servers from 2.2.0 to 2.2.1 the 
sudden release of 2.2.2 sounds important.  What does 2.2.2 fix? 

Rgds
Alex


Re: What does FR 2.2.2 fix?

2013-10-04 Thread Arran Cudbard-Bell

On 4 Oct 2013, at 10:19, Alex Sharaz alex.sha...@york.ac.uk wrote:

 Hi,
 Yesterday caught an email about the release of FR 2.2.2 on Monday to fix a 
 proxy problem. As I've just migrated 2 of my servers from 2.2.0 to 2.2.1 the 
 sudden release of 2.2.2 sounds important.  What does 2.2.2 fix? 

Issue with workers not marking requests as being done correctly. Workers 
appear to get hung, leading to issues.
I would upgrade to latest 2.x.x HEAD to avoid disruption if the proxying 
functionality is heavily used.

There were also quite a few issues with the policy language.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: What does FR 2.2.2 fix?

2013-10-04 Thread Alex Sharaz

On 4 Oct 2013, at 10:37, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 4 Oct 2013, at 10:19, Alex Sharaz alex.sha...@york.ac.uk wrote:
 
 Hi,
 Yesterday caught an email about the release of FR 2.2.2 on Monday to fix a 
 proxy problem. As I've just migrated 2 of my servers from 2.2.0 to 2.2.1 
 the sudden release of 2.2.2 sounds important.  What does 2.2.2 fix? 
 
 Issue with workers not marking requests as being done correctly. Workers 
 appear to get hung, leading to issues.
 I would upgrade to latest 2.x.x HEAD to avoid disruption if the proxying 
 functionality is heavily used.
 

Eek! that's what I'm seeing on our outward facing eduroam servers that do 
nothing but proxy stuff.
Time to fix it methinks

 There were also quite a few issues with the policy language.
 
 -Arran
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 


Re: What does FR 2.2.2 fix?

2013-10-04 Thread A . L . M . Buxey
Hi,

a couple of logic issues that meant case/switch and if() worked different
to 2.x - that's been fixed. ..and an issue if your server does a lot of proxying
work - in which worker threads aren't dealt with properly - your log file
will be full of core and module messages if you are being hit. this *MIGHT*
be fixed in HEAD. we are testing at the moment (looking good). if you aren't doing
the former and not hit by the latter you don't need to worry.


alan
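
Added example, not part of any post in this thread and not FreeRADIUS code: a small radius.log triage script for the symptoms discussed here, which groups the "Unresponsive child" / "Child is hung" warnings by request number and flags a log that ends on "Internal sanity check failed". The function names are made up for illustration, the sample log is constructed, and the only assumption is the line format quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample in the radius.log format quoted in this thread.
# Request numbers and times are made up; the second entry is wrapped the
# way mail clients wrapped the pasted logs.
SAMPLE_LOG = """\
Fri Oct  4 13:20:40 2013 : Error: WARNING: Unresponsive child for request 1001, in component core module thread
Fri Oct  4 13:20:43 2013 : Info: WARNING: Child is hung for request 1001 in
component core module thread.
Fri Oct  4 13:20:45 2013 : Info: WARNING: Child is hung for request 1002 in component core module thread.
Fri Oct  4 13:21:57 2013 : Info: WARNING: Child is hung for request 1001 in component core module thread.
Fri Oct  4 13:22:10 2013 : Error: [event.c:2318] Internal sanity check failed
Fri Oct  4 13:25:00 2013 : Info: Ready to process requests.
"""

# "<timestamp> : <level>: <message>"
ENTRY = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (\w+): (.*)$")
HUNG = re.compile(r"WARNING: (?:Unresponsive child|Child is hung) for request (\d+)")
SANITY = re.compile(r"\[(\S+?):(\d+)\] Internal sanity check failed")


def unwrap(text):
    """Re-join entries split across lines; an entry starts with a timestamp."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def summarise(text):
    """Return (stuck requests, sanity-check failures, restart times)."""
    stuck, sanity, restarts = {}, [], []
    for entry in unwrap(text):
        stamp, _level, msg = ENTRY.match(entry).groups()
        # Collapse the double space used for single-digit days before parsing.
        when = datetime.strptime(" ".join(stamp.split()), "%a %b %d %H:%M:%S %Y")
        hung = HUNG.search(msg)
        if hung:
            rec = stuck.setdefault(
                int(hung.group(1)), {"first": when, "last": when, "warnings": 0}
            )
            rec["last"] = max(rec["last"], when)
            rec["warnings"] += 1
            continue
        failed = SANITY.search(msg)
        if failed:
            sanity.append((when, failed.group(1), int(failed.group(2))))
        elif msg.startswith("Ready to process requests"):
            restarts.append(when)
    return stuck, sanity, restarts


def stuck_for(stuck, min_seconds=30):
    """Requests whose warnings span at least min_seconds, with the span."""
    spans = {}
    for req, rec in stuck.items():
        seconds = int((rec["last"] - rec["first"]).total_seconds())
        if seconds >= min_seconds:
            spans[req] = seconds
    return spans


def ends_with_sanity_failure(text):
    """True when the last entry is the sanity-check error, i.e. nothing was
    logged after it (the 'server needs a restart' case reported above)."""
    entries = unwrap(text)
    return bool(entries) and SANITY.search(entries[-1]) is not None


if __name__ == "__main__":
    stuck, sanity, restarts = summarise(SAMPLE_LOG)
    for req, seconds in stuck_for(stuck).items():
        print(f"request {req}: {stuck[req]['warnings']} warnings over {seconds}s")
    for when, src, line in sanity:
        print(f"{when}: sanity check failed at {src}:{line}")
    print("restarts seen:", len(restarts))
    print("log ends on sanity failure:", ends_with_sanity_failure(SAMPLE_LOG))
```
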


Re: What does FR 2.2.2 fix?

2013-10-04 Thread Alex Sharaz
Hmm
like these then?

Fri Oct  4 11:24:12 2013 : Info: WARNING: Child is hung for request 17630 in component core module thread.
Fri Oct  4 11:24:13 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
Fri Oct  4 11:24:14 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
Fri Oct  4 11:24:17 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
Fri Oct  4 11:24:44 2013 : Info: WARNING: Child is hung for request 17633 in component core module thread.
Fri Oct  4 11:24:52 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
Fri Oct  4 11:24:53 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
Fri Oct  4 11:24:55 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.

Reverted back to 2.2.0 as I never saw these errors with it
Rgs
A

On 4 Oct 2013, at 11:53, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 a couple of logic issues that meant case/switch and if() worked different
 to 2.x - that's been fixed. ..and an issue if your server does a lot of proxying
 work - in which worker threads aren't dealt with properly - your log file
 will be full of core and module messages if you are being hit. this *MIGHT*
 be fixed in HEAD. we are testing at the moment (looking good). if you aren't doing
 the former and not hit by the latter you don't need to worry.
 
 
 alan


RE: What does FR 2.2.2 fix?

2013-10-04 Thread stefan.paetow
Yep, those are the ones. :-)

Stefan

 Hmm
 like these then?
 
 Fri Oct  4 11:24:12 2013 : Info: WARNING: Child is hung for request 17630 in component core module thread.
 Fri Oct  4 11:24:13 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
 Fri Oct  4 11:24:14 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
 Fri Oct  4 11:24:17 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
 Fri Oct  4 11:24:44 2013 : Info: WARNING: Child is hung for request 17633 in component core module thread.
 Fri Oct  4 11:24:52 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
 Fri Oct  4 11:24:53 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
 Fri Oct  4 11:24:55 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
 
 Reverted back to 2.2.0 as I never saw these errors with it
 Rgs
 A




Re: What does FR 2.2.2 fix?

2013-10-04 Thread Arran Cudbard-Bell

On 4 Oct 2013, at 12:00, Alex Sharaz alex.sha...@york.ac.uk wrote:

 Hmm
 like these then?
 
 Fri Oct  4 11:24:12 2013 : Info: WARNING: Child is hung for request 17630 in component core module thread.
 Fri Oct  4 11:24:13 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
 Fri Oct  4 11:24:14 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
 Fri Oct  4 11:24:17 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
 Fri Oct  4 11:24:44 2013 : Info: WARNING: Child is hung for request 17633 in component core module thread.
 Fri Oct  4 11:24:52 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
 Fri Oct  4 11:24:53 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
 Fri Oct  4 11:24:55 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
 

Those would be the ones.

 Reverted back to 2.2.0 as I never saw these errors with it

If I asked particularly nicely, and promised you a beer at the next networkshop
we were both in attendance at, would you be willing to try git head?

I'll roll a v2.2.2_rc0 if it sweetens the deal any? It'd just be really good to
know that that particular issue was fixed before rolling out 2.2.2 and then
finding it was something else and having to roll 2.2.3 a few weeks later.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: What does FR 2.2.2 fix?

2013-10-04 Thread Jonathan Gazeley

On 04/10/13 13:46, Arran Cudbard-Bell wrote:

If I asked particularly nicely, and promised you a beer at the next networkshop
we were both in attendance at, would you be willing to try git head?

I'll roll a v2.2.2_rc0 if it sweetens the deal any? It'd just be really good to
know that that particular issue was fixed before rolling out 2.2.2 and then
finding it was something else and having to roll 2.2.3 a few weeks later.


I for one will be happy to run git head and see what it does. I'm 
building as we speak.


Cheers,
Jonathan


Re: What does FR 2.2.2 fix?

2013-10-04 Thread A . L . M . Buxey
Hi,

 If I asked particularly nicely, and promised you a beer at the next 
 networkshop
 we were both in attendance at, would you be willing to try git head?

I'll take the beer - am running HEAD since last night on one server :-)
(as I said to Alan, i'll report at end of day)

alan


Re: What does FR 2.2.2 fix?

2013-10-04 Thread Alex Sharaz
Woah! that's getting to be lots of beer. 

I'll run it on one of my outward facing servers. Point me at something I can 
build and run
A

On 4 Oct 2013, at 14:33, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 If I asked particularly nicely, and promised you a beer at the next 
 networkshop
 we were both in attendance at, would you be willing to try git head?
 
 I'll take the beer - am running HEAD since last night on one server :-)
 (as I said to Alan, i'll report at end of day)
 
 alan


Re: What does FR 2.2.2 fix?

2013-10-04 Thread A . L . M . Buxey
Hi

early report :(


2.2.2 HEAD still showing:

Fri Oct  4 13:20:43 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:20:45 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:20:47 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:20:51 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:20:52 2013 : Info: WARNING: Child is hung for request 3766906 in component core module thread.
Fri Oct  4 13:20:56 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:21:03 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:21:15 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:21:17 2013 : Info: WARNING: Child is hung for request 3766906 in component core module thread.
Fri Oct  4 13:21:32 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:21:57 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
Fri Oct  4 13:27:32 2013 : Info: WARNING: Child is hung for request 3797280 in component core module thread.
Fri Oct  4 13:27:40 2013 : Info: WARNING: Child is hung for request 3797280 in component core module thread.
Fri Oct  4 13:27:51 2013 : Info: WARNING: Child is hung for request 3797280 in component core module thread.

alan


Re: What does FR 2.2.2 fix?

2013-10-04 Thread John Dennis
On 10/04/2013 06:53 AM, a.l.m.bu...@lboro.ac.uk wrote:

 a couple of logic issues that meant case/switch and if() worked different
 to 2.x - that's been fixed.

I need a clarification. Do you mean worked differently ONLY IN  2.2.1?
But 2.2.2 is 100% logic consistent with all 2.x, except 2.2.1?


-- 
John


Re: What does FR 2.2.2 fix?

2013-10-04 Thread Alan Buxey

Some things started acting differently in 2.2.1 compared to previous releases 
of 2.x

2.2.2 should revert that so things behave the same - so far that seems to be 
true but we are still seeing stalled module in core messages that we did not 
see with 2.2.0

alan


Re: What does FR 2.2.2 fix?

2013-10-04 Thread Arran Cudbard-Bell

On 4 Oct 2013, at 17:43, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 
 Some things started acting differently in 2.2.1 compared to previous releases 
 of 2.x
 
 2.2.2 should revert that so things behave the same - so far that seems to be 
 true but we are still seeing stalled module in core messages that we did not 
 see with 2.2.0
 

Any chance you could connect to one of the running processes and generate a 
core?

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: What does FR 2.2.2 fix?

2013-10-04 Thread Alan DeKok
  More debug output would help.  The last patch came from output sent by 
Stefan. The patch seems to help. But there's an underlying issue which is 
harder to debug.  It looks like a Linux specific IPv6 problem.  I don't see any 
issue with v4. 

  Alan DeKok.

On 2013-10-04, at 9:41 AM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi
 
 early report :(
 
 
 2.2.2 HEAD still showing:
 
 Fri Oct  4 13:20:43 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
 Fri Oct  4 13:20:45 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
 Fri Oct  4 13:20:47 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
 Fri Oct  4 13:20:51 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
 Fri Oct  4 13:20:52 2013 : Info: WARNING: Child is hung for request 3766906 in component core module thread.
 Fri Oct  4 13:20:56 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
 Fri Oct  4 13:21:03 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
 Fri Oct  4 13:21:15 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
 Fri Oct  4 13:21:17 2013 : Info: WARNING: Child is hung for request 3766906 in component core module thread.
 Fri Oct  4 13:21:32 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
 Fri Oct  4 13:21:57 2013 : Info: WARNING: Child is hung for request 3767589 in component core module thread.
 Fri Oct  4 13:27:32 2013 : Info: WARNING: Child is hung for request 3797280 in component core module thread.
 Fri Oct  4 13:27:40 2013 : Info: WARNING: Child is hung for request 3797280 in component core module thread.
 Fri Oct  4 13:27:51 2013 : Info: WARNING: Child is hung for request 3797280 in component core module thread.
 
 alan


Re: RLM_PERL mysql disconnect : what is the preferred handling ?

2013-08-13 Thread Alan DeKok
itquestioner wrote:
 We've found in the freeradius wiki, that the correct way to  manage 
 connection to mysql is to initiate the connection in the CLONE function.
 But where should we put $dbh->disconnect() to be sure that any connection 
 will also be closed ? Whatever the  result  of the request treatment, and the 
 stage in which  the module may exit.

  You should be able to disconnect the database at any time.

  Alan DeKok.


RLM_PERL mysql disconnect : what is the preferred handling ?

2013-08-12 Thread itquestioner
Hi,
 
First question from beginners 

We've found in the freeradius wiki, that the correct way to  manage connection 
to mysql is to initiate the connection in the CLONE function.
But where should we put $dbh->disconnect() to be sure that any connection will 
also be closed ? Whatever the  result  of the request treatment, and the stage 
in which  the module may exit.

Thank you
best regards



What is the strongest encryption of password Jradius can support?

2013-07-26 Thread Rama Krishna
Sample client that I wrote on Solaris using JRadius APIs is able to get 
authenticated from a FreeRadius server running on Linux.
However, the password was passed as clear text?
 
What is the strongest encryption supported in JRadius for password encrypting / 
hashing?
Is there a document that I can refer to for settings required in FreeRadius 
server and APIs that can be used in JRadius?
 
Thanks,
Rama

Re: What cert import to Windows Clients

2013-03-15 Thread Usuário do Sistema
Hi,

Thanks guys, I have done test imported only certificate of the Root CA
to Windows 7 and seem it's working

but now I fall in other old question as follow below.

I'm using PEAP on Wireless configuration and the client machine is a Windows 7

that user: d1am is on LDAP/SAMBA with attributes LM-Password and NT-Password

Why does complain about  No Cleartext-Password configured.  Cannot
create LM-Password

What I have do in my system ( FreeRadius, LDAP or Client machine ) to
work that integration ?

I should like my Wireless users ( Windows 7, XP and  MAC OS )  were
authenticate on LDAP through FreeRadius.

any tip is welcome

[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: d1am
[mschap] Told to do MS-CHAPv2 for d1am with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect



thanks!





2013/3/14 freeradius-users-requ...@lists.freeradius.org

 --

 Message: 1
 Date: Thu, 14 Mar 2013 19:51:38 +
 From: a.l.m.bu...@lboro.ac.uk
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Subject: Re: errors when check with huntgroup
 Message-ID: 20130314195138.gc31...@lboro.ac.uk
 Content-Type: text/plain; charset=us-ascii

 hi,

 you've edited a whole lot of stuff out of your debug log...including
 the stuff which actually matters where the failure actually occurs
 (you just kept the part where the end result was recorded).

 alan


 --

 Message: 2
 Date: Thu, 14 Mar 2013 17:27:18 -0300
 From: Usuário do Sistema maico...@ig.com.br
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Subject: What cert import to Windows Clients
 Message-ID:

 CAMTjHryiBvaQuDFcK4Ysf+ybk1=4nd7umrgc+jlkyojkyvz...@mail.gmail.com
 Content-Type: text/plain; charset=ISO-8859-1

 Hello everyone,

 I have just deploy a Freeradius on CentOS 5.9 Linux machine.

 I should like use EAP method with TLS so I have generated the certs. I
 had just ran bootstrap script from /etc/raddb/certs and it generated
 many files as follow

  01.pem
 ca.der
 ca.key
 ca.pem
  dh
 server.crt
 server.csr
 server.key
 server.p12
 server.pem

 What are that files I have import to windows clients machine ?

 I have installed ca.der on an windows XP but unsuccessful. I can't to
 connect at the network Wireless.

 I wonderful any tip about how to generate certs on freeradius and
 import they to windows machine.


 thanks


 --

 Message: 3
 Date: Thu, 14 Mar 2013 16:40:37 -0400
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Subject: Re: What cert import to Windows Clients
 Message-ID: 514235c5.7050...@deployingradius.com
 Content-Type: text/plain; charset=ISO-8859-1

 Usuário do Sistema wrote:
  I should like use EAP method with TLS so I have generated the certs. I
  had just ran bootstrap script from /etc/raddb/certs and it generated
  many files as follow
 ...
  What are that files I have import to windows clients machine ?

   Just the ca.der and client certificate.

  I have installed ca.der on an windows XP but unsuccessful. I can't to
  connect at the network Wireless.

   Well... there's more to it than that.

  I wonderful any tip about how to generate certs on freeradius and
  import they to windows machine.

   Read this:

 http://deployingradius.com/

   It has a detailed set of instructions.

   Or click on the documentation link on www.freeradius.org.  There's
 an EAP-TLS Howto.

   This is all very well documented.

   Alan

What cert import to Windows Clients

2013-03-14 Thread Usuário do Sistema
Hello everyone,

I have just deploy a Freeradius on CentOS 5.9 Linux machine.

I should like use EAP method with TLS so I have generated the certs. I
had just ran bootstrap script from /etc/raddb/certs and it generated
many files as follow

 01.pem
ca.der
ca.key
ca.pem
 dh
server.crt
server.csr
server.key
server.p12
server.pem

What are that files I have import to windows clients machine ?

I have installed ca.der on an windows XP but unsuccessful. I can't to
connect at the network Wireless.

I wonderful any tip about how to generate certs on freeradius and
import they to windows machine.


thanks


Re: What cert import to Windows Clients

2013-03-14 Thread Alan DeKok
Usuário do Sistema wrote:
 I should like use EAP method with TLS so I have generated the certs. I
 had just ran bootstrap script from /etc/raddb/certs and it generated
 many files as follow
...
 What are that files I have import to windows clients machine ?

  Just the ca.der and client certificate.

 I have installed ca.der on an windows XP but unsuccessful. I can't to
 connect at the network Wireless.

  Well... there's more to it than that.

 I wonderful any tip about how to generate certs on freeradius and
 import they to windows machine.

  Read this:

http://deployingradius.com/

  It has a detailed set of instructions.

  Or click on the documentation link on www.freeradius.org.  There's
an EAP-TLS Howto.

  This is all very well documented.

  Alan DeKok.


Re: What cert import to Windows Clients

2013-03-14 Thread A . L . M . Buxey
Hi,

  01.pem
 ca.der
 ca.key
 ca.pem
  dh
 server.crt
 server.csr
 server.key
 server.p12
 server.pem
 
 What are that files I have import to windows clients machine ?

for EAP-TLS ?   as that's a certificate authentication method you need to
generate client certificates... the standard provided script will make client.*
files and you'll need the client.der or client.cer file.

 I have installed ca.der on an windows XP but unsuccessful. I can't to
 connect at the network Wireless.

doing what if you only have ca.der installed - and you put it into the correct
certificate store as per microsoft docs (or various correct online resources)
then you can only be doing PEAP with that windows XP client - so ensure it's using 
a username/password that is known to the RADIUS server

alan


what about mac spoofing

2012-11-23 Thread pideil matthew

Hello all !

Please tell me, does radius auth over wifi (wpa2) affected by mac 
spoofing attack ?


I think not because after successful auth, exchange key mechanism is 
performed and all traffic become crypted. But my wifi laptop can already 
be disconnected by spoofed packet ?


Regards,
Matt


Re: what about mac spoofing

2012-11-23 Thread Alan Buxey
802.1X authentication ? (WPA2-RADIUS)

If so , system is authenticated by user/pass and/or a certificate and the 
client and AP have a unique encryption key.. no other device can just come 
along with the same MAC and just start using the network.

For WPA2 PSK, another client would need to know the shared key to authenticate 
and associate with the AP. you could have MAC control ...and so if the attacker 
knows the PSK then yes, they could get online by spoofing the MAC of an allowed 
client

alan


Re: what about mac spoofing

2012-11-23 Thread Scott Armitage

On 23 Nov 2012, at 17:17, pideil matthew matthew.pid...@free.fr wrote:

  But my wifi laptop can already be disconnected by spoofed packet ?

Not if you use protected management frames IEEE 802.11w


regards

Scott


Upgrade or migration away from VMPS - what are my options?

2012-06-18 Thread Kaya Saman
Hi,

since I've been having issues with the latest Cisco OS (version 15)
and VMPS not connecting properly what are my alternatives?


Sure I can stay on version 12.x if need be however, if we purchase
some new kit that **only** comes with version 15 I will have the same
issue as previously had with IP phones not registering etc


I have been Googling a bit to try to understand the
difference as I was told that VMPS was a subset of FreeRADIUS; the
only thing is that I'm quite new to this and just need some advice
and/or to be pointed in the right direction as to what material to
start reading - additionally what I should be looking for.


So really to summarize, since VMPS is old and I have been told to move
away from it which system should I be looking at to automate vlan
distribution throughout the network and is there any chance of using
the already built MySQL VMPS database??


Regards,


Kaya
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Upgrade or migration away from VMPS - what are my options?

2012-06-18 Thread Phil Mayers

On 06/18/2012 08:10 AM, Kaya Saman wrote:

> Hi,
>
> since I've been having issues with the latest Cisco OS (version 15)
> and VMPS not connecting properly what are my alternatives?


The equivalent, RADIUS-based Cisco feature is called MAB. It more or 
less does exactly the same thing as VMPS, but with a RADIUS packet instead.


You just need to configure MAB on the IOS ports (it's a bit more typing, 
unfortunately) and configure FreeRADIUS for MAC auth, which is well 
documented in the wiki.


A more involved alternative is 802.1x which, unlike MAC-based auth, 
involves credentials, and is therefore more secure as it's harder to fool.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Upgrade or migration away from VMPS - what are my options?

2012-06-18 Thread Kaya Saman
On Mon, Jun 18, 2012 at 8:19 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 06/18/2012 08:10 AM, Kaya Saman wrote:

 Hi,

 since I've been having issues with the latest Cisco OS (version 15)
 and VMPS not connecting properly what are my alternatives?


 The equivalent, RADIUS-based Cisco feature is called MAB. It more or less
 does exactly the same thing as VMPS, but with a RADIUS packet instead.

 You just need to configure MAB on the IOS ports (it's a bit more typing,
 unfortunately) and configure FreeRADIUS for MAC auth, which is well
 documented in the wiki.

 A more involved alternative is 802.1x which, unlike MAC-based auth, involves
 credentials, and is therefore more secure as it's harder to fool.

Thanks for the response!

I have checked out:

http://www.booches.nl/2008/06/mac-authentication-bypass-continued/

http://wiki.freeradius.org/Mac-Auth


To get a bit of an idea of what awaits and how things fit together.


Basically it seems that I need to be running 802.1x, as MAB according
to the articles is MAC-based authentication which needs 802.1x to
function??

Or did I misunderstand?


Regards,


Kaya
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Upgrade or migration away from VMPS - what are my options?

2012-06-18 Thread Phil Mayers

On 18/06/12 08:52, Kaya Saman wrote:


> Basically it seems that I need to be running 802.1x, as MAB according
> to the articles is MAC-based authentication which needs 802.1x to
> function??
>
> Or did I misunderstand?


This is IOS-version dependent.

In some versions of IOS, MAB is only available as a fallback for 802.1x.

In later versions of IOS, they added MAB as an independent 
configuration; you don't need to configure 802.1x, just MAB.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What is the problem??

2012-01-06 Thread Alan DeKok
Erick Rojas Bastidas wrote:
 I'm doing tests using EAP-TLS authentication and FreeRADIUS responds with 
 Access-Accept, but internet connectivity is practically nil. What can be the 
 problem?

  Your access point is broken.  This isn't a RADIUS problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


What is the problem??

2012-01-05 Thread Erick Rojas Bastidas
I'm doing tests using EAP-TLS authentication and FreeRADIUS responds with 
Access-Accept, but internet connectivity is practically nil. What can be the 
problem? Previously I had a certificate compatibility warning. And I'm doing 
the tests from the same machine on which FreeRADIUS is configured. Help please!! 
Thanks.

Sent from my BlackBerry® mobile device from Digitel.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Confused what to do next~How to understand FreeRadius

2011-09-27 Thread snan4love
Hello Everyone:
Thank you very much for opening this topic.
I have worked on FreeRadius for almost 2 months; my purpose is to set up a
Radius server which could be used for authentication, authority and
accounting for my WLAN.

Right now, I guess I have finished the Authentication Step. I installed
the Radius server + MySQL on my FC 14 host; there is a client AP connected to
this radius server, and users with Windows XP laptops can get
authenticated by the radius server via PEAP or EAP-TLS.
Here is a first little problem. Right now I can add and delete users in the
radcheck table of MySQL, but all the passwords are stored in cleartext? Is
this the only way to store the password? Is it safe enough? Could it be
stored in the format of ** like what we set in the wpa-psk mode?

Most seriously, I am confused about how to implement the Authority Step and
Accounting Step.
For the Authority Step, in my thought, I should create several different
GROUPs, each GROUP has different authority, and then divide the users into
different GROUPs so they get different authority. Is that correct?
For the Accounting Step, I used DaloRadius, but found out there is little help
for this web-based management system online, and the MANUAL will cost
$250. And also the additional MySQL tables make me more confused.
I want to know if there is an example that sets up the authority and
accounting features of FreeRadius? Or just give me a few hints about where
to start, step by step. I know this is a really big question. Any hints
will be really helpful, and any useful documents and links will be really appreciated.
For example, there are 9 tables in the default mysql schema, like
radcheck, radacct, nas, radgroup, radgroupreply etc.; is there a document to
describe these features?
I read all the .conf files a couple of times, but am still confused about this
stuff. 

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Confused-what-to-do-next-How-to-understand-FreeRadius-tp4844643p4844643.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Confused what to do next~How to understand FreeRadius

2011-09-27 Thread Fajar A. Nugraha
On Tue, Sep 27, 2011 at 4:25 PM, snan4love snan4l...@hotmail.com wrote:
 Here is a first little problem.Right now i could add and delete user in the
 radcheck table of MySQL,but all the passwords were stored in cleartext?

Depending on which tutorial you follow, yes.

 is
 this the only way to store this password?

Nope

 is it safe enough?

Depends. See faq, start from
http://wiki.freeradius.org/FAQ#PAP+authentication+works+but+CHAP+fails

You should be able to store passwords as NT-Password instead of
Cleartext-Password if you only use pap and chap. Considering your
level of knowledge, I don't recommend doing so at this stage though.

 could it be
 stored in the format of ** like what we set in the wpa-psk mode?

Just because you can't SEE it (i.e. *) doesn't mean windows or the
AP store it in encrypted format. So your question is not relevant.



 Most Seriously, I am confused how to implement the Authority Step and
 Accounting Step.
 For the Authority Step,in my thought, I should create several different
 GROUPs, each GROUP has different authority,and then divide the users into
 different GROUPs and get different  authority. Is that correct?
 For the Accounting Step,i used DaloRadius,but found out there are few help
 for this web base management system online, and the MANUAL will cost
 $250.

Sorry, your question makes me confused. At this moment I suggest you
write which tutorial/manual you're following, and ask the
author/community list/forums.

 For example, there are 9 tables in the default mysql schema, like
 radcheck, radacct, nas, radgroup, radgroupreply etc.; is there a document to
 describe these features?

Start with doc/rlm_sql. The docs are there for a purpose you know.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Confused what to do next~How to understand FreeRadius

2011-09-27 Thread Alan DeKok
snan4love wrote:
 Thank you very much for opening this topic.
 I have worked on FreeRadius for almost 2 months; my purpose is to set up a
 Radius server which could be used for authentication, authority and
 accounting for my WLAN.

  That should be pretty straightforward.

 Right now, I guess I have finished the Authentication Step. I installed
 the Radius server + MySQL on my FC 14 host; there is a client AP connected to
 this radius server, and users with Windows XP laptops can get
 authenticated by the radius server via PEAP or EAP-TLS.
 Here is a first little problem. Right now I can add and delete users in the
 radcheck table of MySQL, but all the passwords are stored in cleartext? Is
 this the only way to store the password? Is it safe enough? Could it be
 stored in the format of ** like what we set in the wpa-psk mode?

  You will need to store the passwords in cleartext.  It really is the
best way.

 Most Seriously, I am confused how to implement the Authority Step and
 Accounting Step.

  Not authority, but authorization.

 For the Authority Step,in my thought, I should create several different
 GROUPs, each GROUP has different authority,and then divide the users into
 different GROUPs and get different  authority. Is that correct?

  For authorization, yes.

 For the Accounting Step,i used DaloRadius,but found out there are few help
 for this web base management system online, and the MANUAL will cost
 $250.And also the additional  mySQL tables makes me more confused.

  Why?  What is confusing about them?

  Ask a question.  Saying "I'm confused" means we don't know how to help
you.  The documentation exists, and should be clear.  See doc/rlm_sql,
among others.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authenticate realm no matter what username is

2011-08-27 Thread Barry Murphy
Same thing unfortunately…

Users file
DEFAULT User-Name =~ .*\\.xnet\\.co\\.nz$
Auth-Type := Accept,
Pool-Name := un-auth,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Cisco-Avpair += ip:vrf-id=Suspended,
Cisco-Avpair += ip:ip-unnumbered=Loopback 1000,


root@radius01-new:~#  radtest ba...@adsl.xnet.co.nz password localhost:1812 
1812 testing123
Sending Access-Request of id 77 to 127.0.0.1 port 1812
User-Name = ba...@adsl.xnet.co.nz
User-Password = password
NAS-IP-Address = 120.136.0.21
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=77, length=20

Debug

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 48547, id=77, length=73
User-Name = ba...@adsl.xnet.co.nz
User-Password = password
NAS-IP-Address = 120.136.0.21
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm adsl.xnet.co.nz for User-Name = 
ba...@adsl.xnet.co.nz
[suffix] Found realm DEFAULT
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} - ba...@adsl.xnet.co.nz
[files] users: Matched entry DEFAULT at line 236
++[files] returns ok
expand: %{User-Name} - ba...@adsl.xnet.co.nz
[sql] sql_set_user escaped user -- 'ba...@adsl.xnet.co.nz'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, 
username, attribute, value, op   FROM radcheck   WHERE username 
= 'ba...@adsl.xnet.co.nz'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE username = 
'%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = 'ba...@adsl.xnet.co.nz'   
ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User ba...@adsl.xnet.co.nz not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Login incorrect: [ba...@adsl.xnet.co.nz/password] (from client localhost port 
1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} - ba...@adsl.xnet.co.nz
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 77 to 127.0.0.1 port 48547
Waking up in 4.9 seconds.
Cleaning up request 1 ID 77 with timestamp +34
Ready to process requests.

Thanks
Barry


From: Arran Cudbard-Bell a.cudba...@freeradius.org
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Fri, 26 Aug 2011 11:26:52 +0200
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: authenticate realm no matter what username is


On 26 Aug 2011, at 11:16, Barry Murphy wrote:

Hey guys,

We're an ISP providing ADSL services ourselves and on behalf of our 
wholesalers. I have a bunch of realms that are LOCAL and proxied which work 
with no issues. I'm trying to add realms of competitors to our radius so when 
customers are migrated from our competitors to our network they get 
authenticated and I drop them into a VRF displaying to them they need to change 
their login details. I've already got the VRF working, the forwarder page etc, 
I just can't seem to get users to authenticate with a wildcard 
*@dsl.competitor.co.nz

I have tried the following variations in the users file…

DEFAULT User-Name =~ ~*\\.xnet\\.co\\.nz$


Surely you want

User-Name =~ .*\\.xnet\\.co\\.nz$ ?

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

authenticate realm no matter what username is

2011-08-26 Thread Barry Murphy
Hey guys,

We're an ISP providing ADSL services ourselves and on behalf of our 
wholesalers. I have a bunch of realms that are LOCAL and proxied which work 
with no issues. I'm trying to add realms of competitors to our radius so when 
customers are migrated from our competitors to our network they get 
authenticated and I drop them into a VRF displaying to them they need to change 
their login details. I've already got the VRF working, the forwarder page etc, 
I just can't seem to get users to authenticate with a wildcard 
*@dsl.competitor.co.nz

I have tried the following variations in the users file…

DEFAULT User-Name =~ ~*\\.xnet\\.co\\.nz$
Auth-Type := Accept,
Pool-Name := un-auth,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Cisco-Avpair += ip:vrf-id=Suspended,
Cisco-Avpair += ip:ip-unnumbered=Loopback 1000,
Cisco-Avpair += ip:dns-servers=14.1.33.1 120.136.0.25

DEFAULT  Realm == ihug.co.nz, Auth-Type := Accept

None work and all look for a username. So in the above scenarios I want 
anyth...@dsl.xnet.co.nz or whate...@ihug.co.nz to authenticate and be assigned 
an IP address from the pool and dropped into the vrf Suspended where I do my 
tricks based on their IP address to display a splash page advising the customer 
it's time to modify their username & password on their router.

I've found many examples based on MAC authentication but none that work 
unfortunately.

Any help would be much appreciated

Thanks
Barry

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: authenticate realm no matter what username is

2011-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2011, at 11:16, Barry Murphy wrote:

 Hey guys,
 
 We're an ISP providing ADSL services ourselves and on behalf of our 
 wholesalers. I have a bunch of realms that are LOCAL and proxied which work 
 with no issues. I'm trying to add realms of competitors to our radius so when 
 customers are migrated from our competitors to our network they get 
 authenticated and I drop them into a VRF displaying to them they need to 
 change their login details. I've already got the VRF working, the forwarder 
 page etc, I just can't seem to get users to authenticate with a wildcard 
 *@dsl.competitor.co.nz
 
 I have tried the following variations in the users file…
 
 DEFAULT   User-Name =~ ~*\\.xnet\\.co\\.nz$ 
 

Surely you want 

User-Name =~ .*\\.xnet\\.co\\.nz$ ?

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

What is purpose of TNC-VLAN-Access/TNC-VLAN-Isolate?

2011-04-29 Thread George
Hi.

What is purpose of TNC-VLAN-Access/TNC-VLAN-Isolate attributes? These 
attributes are included into dictionary.freeradius.internal. Can I use these 
attributes for saving vlan's name or id  when updating requests? 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What is purpose of TNC-VLAN-Access/TNC-VLAN-Isolate?

2011-04-29 Thread Alan DeKok
George wrote:
 What is purpose of TNC-VLAN-Access/TNC-VLAN-Isolate attributes?

  They're for TNC.  If you're not doing TNC, they're not used.

 Can I use these attributes for saving vlan's name or id  when updating 
 requests? 

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: what does the attribute PW_DIGEST_NONCE represent in the rlm_digest module?

2011-04-19 Thread Alan DeKok
maximus wrote:
 I would like to know what does the attribute PW_DIGEST_NONCE (1064)
 represent in rlm_digest module in radius server?

  Read doc/draft-sterman...

 In my setup, the radius client uses SIP. I want to know whether the
 PW_DIGEST_NONCE in the digest attributes can be used as a Session ID of the
 SIP call or the Call-Reference of the authentication packet?

  No.  Ignore the digest nonce.  It means nothing for you.

 This is when I have the
 following issues:
 a) I can not just integrate 'rlm_digest' module source to the existing
 radius server source to work since the changes are quite a lot.

  That's why customizing an open source project is a *terrible* idea.
There's just no need for it.

 b)I have very limited or no details about how the radius client with the SIP
 works.

  Well, ask the manufacturers.  We don't have that information, either.

 This is why I wanted to get more information about the role of rlm_digest
 module and how to handle it in my situation.

  Use the stock version of FreeRADIUS.

  If you're using a customized version and getting paid to add features,
well... good luck with that.  We don't support your software, and we
don't support commercial software for free.  And it's not nice to ask.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: what does the attribute PW_DIGEST_NONCE represent in the rlm_digest module?

2011-04-19 Thread maximus
Duly moving to freeradius2.

Thanks Alan!

./maximus

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/what-does-the-attribute-PW-DIGEST-NONCE-represent-in-the-rlm-digest-module-tp4312363p4312735.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: what does the attribute PW_DIGEST_NONCE represent in the rlm_digest module?

2011-04-19 Thread maximus
Duly moving to FreeRadius2

Thanks Alan.

./maximus


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/what-does-the-attribute-PW-DIGEST-NONCE-represent-in-the-rlm-digest-module-tp4312363p4312737.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


what does the attribute PW_DIGEST_NONCE represent in the rlm_digest module?

2011-04-18 Thread maximus
Hi,

I would like to know what does the attribute PW_DIGEST_NONCE (1064)
represent in rlm_digest module in radius server?

My radius log information is given here.
--the radius log information for the authentication packet starts
here--
Received radius packet:
   NAS-Identifier = localhost.localdomain
   Digest-Attributes = \003\010INVITE
   Digest-Attributes = \006\005MD5
   Digest-Attributes = \002*60d9d2b7b8ab7b4da4014bcdac1724b7320068d6
   Digest-Attributes = \n\014659970
   User-Name = 659970@192.168.104.239
   Digest-Attributes = \004 sip:659508@192.168.104.240
   Digest-Response = 1ee3c49572b6fcd4a9e0438bba8810dc
   Digest-Attributes = \001\021192.168.104.239
rlm_sql in rlm_sql_authenticate
--the radius log information ends here--

The Digest-Attributes = \002*60d9d2b7b8ab7b4da4014bcdac1724b7320068d6  is
the PW_DIGEST_NONCE with 60d9d2b7b8ab7b4da4014bcdac1724b7320068d6 as the
value.

In my setup, the radius client uses SIP. I want to know whether the
PW_DIGEST_NONCE in the digest attributes can be used as a Session ID of the
SIP call or the Call-Reference of the authentication packet?
Or, only after receiving the RLM_MODULE_OK for the digest request, the
radius client will send the further SIP call information in the next packet?

A little background about the problem I face:
I have a customized radius source (taken from freeradius a few years back) to
work with radius clients to perform authentication and accounting with only
rlm_detail, rlm_preprocess, rlm_sql (with unixodbc) modules. 

Now, I have a requirement for the radius server to work with a radius client
which has SIP. And I have found that the radius client with SIP uses
the 'rlm_digest' module as part of authentication. This is when I have the
following issues:
a) I cannot just integrate the 'rlm_digest' module source into the existing
radius server source, since the changes are quite a lot.
b) I have very limited or no details about how the radius client with SIP
works.

This is why I wanted to get more information about the role of rlm_digest
module and how to handle it in my situation.

Thanks.

./maximus

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/what-does-the-attribute-PW-DIGEST-NONCE-represent-in-the-rlm-digest-module-tp4312363p4312363.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
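
Added example (not part of the original post and not FreeRADIUS code): a Python decoder for the Digest-Attributes values printed in the log above, using the sub-attribute numbers from draft-sterman-aaa-sip, followed by the RFC 2617 response calculation (no qop) to show that the nonce is a per-challenge input to the hash rather than a call identifier. The password is constructed and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Sub-attribute numbers carried inside Digest-Attributes (draft-sterman-aaa-sip).
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
            9: "Nonce-Count", 10: "User-Name"}

# Digest-Attributes values exactly as printed in the log in the post.
LOG_VALUES = [
    r"\003\010INVITE",
    r"\006\005MD5",
    r"\002*60d9d2b7b8ab7b4da4014bcdac1724b7320068d6",
    r"\n\014659970",
    r"\004 sip:659508@192.168.104.240",
    r"\001\021192.168.104.239",
]

_ESCAPE = re.compile(rb"\\([0-3][0-7]{2}|[nrt\\])")
_SIMPLE = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"\\": b"\\"}


def unescape(printed):
    """Turn the log's backslash escapes (octal and \\n style) back into raw bytes."""
    def repl(match):
        token = match.group(1)
        return _SIMPLE.get(token) or bytes([int(token, 8)])
    return _ESCAPE.sub(repl, printed.encode("latin-1"))


def decode(values):
    """Split each value into sub-type, length octet and text; list length mismatches."""
    fields, mismatched = {}, []
    for printed in values:
        raw = unescape(printed)
        if len(raw) < 2:
            raise ValueError("sub-attribute shorter than its 2-byte header")
        name = SUBTYPES.get(raw[0], "Unknown-%d" % raw[0])
        fields[name] = raw[2:].decode("latin-1")
        if raw[1] != len(raw):          # the length octet counts the 2-byte header too
            mismatched.append(name)
    return fields, mismatched


def md5_hex(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()


def expected_response(fields, password):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex("%s:%s:%s" % (fields["User-Name"], fields["Realm"], password))
    ha2 = md5_hex("%s:%s" % (fields["Method"], fields["URI"]))
    return md5_hex("%s:%s:%s" % (ha1, fields["Nonce"], ha2))


def verify(fields, password, digest_response):
    """Constant-time comparison of the recomputed response with the received one."""
    return hmac.compare_digest(expected_response(fields, password), digest_response)


if __name__ == "__main__":
    fields, mismatched = decode(LOG_VALUES)
    for name, value in sorted(fields.items()):
        print("%-10s %s" % (name, value))
    print("length octet disagrees with printed value:", mismatched)

    password = "constructed-password"        # constructed; the real one is not on the page
    response = expected_response(fields, password)
    replayed = dict(fields, Nonce="0" * 40)  # same response offered against a new challenge
    print("response for this nonce accepted:", verify(fields, password, response))
    print("same response, different nonce  :", verify(replayed, password, response))
```

Run against the post's values, the decoder reports that the length octets of the User-Name and URI sub-attributes do not match the printed text, so the posted Digest-Response cannot be recomputed from this log even with the right password.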


In what file are enlisted to users?

2010-12-01 Thread Jess Tafo11a

Hello friends, my name's Jesus.
I have a problem: I am using FreeRADIUS on my virtual machine with Ubuntu 
version 9.10 and want to add clients so that my FreeRADIUS detects the MAC address 
that I enter. The question is:
Is there any easy way to add clients?
I have installed:
The virtualbox version 3.2.10
Ubuntu version 9.10
Freeradius version 1.2.1910
  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: What Next??

2010-07-05 Thread Thomas Reeves
Thanks for your reply, Fajar.  

In your example, is the wireless access point the client that I've seen
referred to in some of the FreeRADIUS documentation?  If yes, then I would
have these three clients:
1. Apache web server
2. Open-Xchange server (java-based)
3. Postfix + Dovecot mail server

So, my clients should pass a userid/password to FreeRADIUS and receive
back an accept or reject from FreeRADIUS?

Thomas

-Original Message-
From: freeradius-users-bounces+thomas_reeves=verizon@lists.freeradius.org
[mailto:freeradius-users-bounces+thomas_reeves=verizon@lists.freeradius.org]
On Behalf Of Fajar A. Nugraha
Sent: Monday, July 05, 2010 1:44 AM
To: FreeRadius users mailing list
Subject: Re: What Next??

On Mon, Jul 5, 2010 at 12:20 PM, Thomas Reeves
thomas_ree...@verizon.net wrote:
 I have a FreeBSD-based gateway server running pfSense software.

 I want to authenticate and authorize all incoming http(s) requests before
 allowing access to any back-end services.

 However, I seemed to have missed something fundamental about the FreeRADIUS
 server – what do I do next??  How do I “attach” FreeRADIUS to the inbound
 TCP stream to accept/reject requests??


That question would be better addressed to pfSense support/discussion
list. radius does not really care what the end usage is, it simply
provides Authentication, Authorization, and Accounting (AAA).

Here's a similar example: you can limit which users are allowed to use
wireless network on your office by listing the users and their
respective password on a radius server. But to get the actual
limitation to work, you need to configure your wireless access point
to ask radius whether a particular user/password combination is
allowed. Does this make sense so far?

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


What Next??

2010-07-04 Thread Thomas Reeves
Greetings, All

I have a FreeBSD-based gateway server running pfSense software.  This is the
only server directly connected to the internet.  It distributes (port
forwards) all incoming internet requests to about five back-end servers
based on static IP address and/or ports.  

I have a new FreeRADIUS/MySQL server among the five back-end servers.  I
just completed installation, configuration and testing of this server.

I want to authenticate and authorize all incoming http(s) requests before
allowing access to any back-end services.

However, I seemed to have missed something fundamental about the FreeRADIUS
server - what do I do next??  How do I "attach" FreeRADIUS to the inbound
TCP stream to accept/reject requests??  Where does the accept/reject
response go??  The available documentation did not discuss deployment...

Any links or tips would be appreciated.

Cheers,

Rubix Cube

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: What Next??

2010-07-04 Thread Fajar A. Nugraha
On Mon, Jul 5, 2010 at 12:20 PM, Thomas Reeves
thomas_ree...@verizon.net wrote:
 I have a FreeBSD-based gateway server running pfSense software.

 I want to authenticate and authorize all incoming http(s) requests before
 allowing access to any back-end services.

 However, I seemed to have missed something fundamental about the FreeRADIUS
 server – what do I do next??  How do I “attach” FreeRADIUS to the inbound
 TCP stream to accept/reject requests??


That question would be better addressed to pfSense support/discussion
list. radius does not really care what the end usage is, it simply
provides Authentication, Authorization, and Accounting (AAA).

Here's a similar example: you can limit which users are allowed to use
wireless network on your office by listing the users and their
respective password on a radius server. But to get the actual
limitation to work, you need to configure your wireless access point
to ask radius whether a particular user/password combination is
allowed. Does this make sense so far?

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re : What is the Class attribute for?

2010-05-25 Thread Alexandre Chapellon
Yes, the attribute you need to return to your NAS might be vendor 
specific (take a look at the dictionaries). Sending this attribute in 
Access-Accept should do the trick, but I suggest you still use accounting because 
it's always helpful, and because it's one A in AAA!

Sent from my HTC.

- Reply message -
From: weiwei fang fan...@gmail.com
Date: Mon, May 24, 2010 15:09
Subject: Re : What is the Class attribute for?
To: Arran Cudbard-Bell a.cudba...@gmail.com
Cc: FreeRadius users mailing list freeradius-users@lists.freeradius.org


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

What is the Class attribute for?

2010-05-24 Thread weiwei fang
Hello, all!

I noticed that RFC 2865 defined an attribute called Class, but I don't
know its meaning and usage. Can I use it as the QoS classification for the
user?

Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: What is the Class attribute for?

2010-05-24 Thread Alan DeKok
weiwei fang wrote:
 Hello, all!
 
 I noticed that RFC 2865 defined an attribute called Class, but I don't
 know its meaning and usage. Can I use it as the QoS classification for
 the user?

  No.

  See your NAS documentation for how to configure QoS.

  The Class attribute is for something else.  If you don't know how to
use it, don't worry.  You're not supposed to use it.  It's intended for
use in certain unusual situations.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re : What is the Class attribute for?

2010-05-24 Thread Alexandre Chapellon
I personally use it for QoS definition. It works as expected but I can't 
guarantee this is the regular use for this attribute.

What's special with the Class attribute is that if you send it in 
Access-Accept, it should be added in later accounting packets. This can be very 
useful, and if you don't need this feature I suggest you use another attribute.

Sent from my HTC.

- Reply message -
From: weiwei fang fan...@gmail.com
Date: Sun, May 23, 2010 23:15
Subject: What is the Class attribute for?
To: freeradius-users@lists.freeradius.org

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Re : What is the Class attribute for?

2010-05-24 Thread Arran Cudbard-Bell

On May 24, 2010, at 1:36 PM, Alexandre Chapellon wrote:

 I personally use it for QoS definition. It works as expected but I can't 
 guarantee this is the regular use for this attribute.
 
 What's special with the Class attribute is that if you send it in 
 Access-Accept, it should be added in later accounting packets. This can be 
 very useful, and if you don't need this feature I suggest you use another 
 attribute.
 

The use of the 'Class' attribute is site specific; you can use it to carry any 
value you want. If you're setting client QoS settings dynamically then the 
attribute is User-Priority-Table as described in RFC 4674.

Personally I think the best way to use the Class attribute is to link 
Authentication and Accounting sessions. All other session attributes can be 
stored in a database.

-Arran

 Sent from my HTC.
 
 - Reply message -
 From: weiwei fang fan...@gmail.com
 Date: Sun, May 23, 2010 23:15
 Subject: What is the Class attribute for?
 To: freeradius-users@lists.freeradius.org
 
 Hello, all!
 
 I noticed that RFC 2865 defined an attribute called Class, but I don't know 
 its meaning and usage. Can I use it as the QoS classification for the user?
 
 Thanks!


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
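
Added example (not from the thread's authors and not FreeRADIUS code) of the use described above: the server puts an opaque per-session value in Class when it sends Access-Accept, keeps the session attributes in its own store, and links later accounting packets by the Class value the NAS echoes back. The HMAC tag, the key, the dict that stands in for the database and the function names are assumptions made for the illustration, and the packets are constructed.

```python
import hashlib
import hmac
import os

SERVER_KEY = b"constructed-demo-key"   # constructed; keep the real key in protected config
SESSIONS = {}                          # stands in for the session database


def _tag(session_id):
    """Short HMAC over the session id so a forged or altered Class is detectable."""
    return hmac.new(SERVER_KEY, session_id.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def issue_class(user, attrs):
    """At Access-Accept time: store the session attributes, return the Class value."""
    session_id = os.urandom(8).hex()
    SESSIONS[session_id] = {"user": user, "attrs": attrs, "acct": []}
    return ("%s.%s" % (session_id, _tag(session_id))).encode("ascii")


def link_accounting(packet):
    """Attach one Accounting-Request (a dict of attributes) to its auth session."""
    value = packet.get("Class")
    if value is None:
        return "no-class"              # NAS did not echo Class back
    try:
        session_id, tag = value.decode("ascii").split(".")
    except (UnicodeDecodeError, ValueError):
        return "malformed"
    if not hmac.compare_digest(tag, _tag(session_id)):
        return "bad-tag"               # value was not issued by this server
    session = SESSIONS.get(session_id)
    if session is None:
        return "unknown-session"
    session["acct"].append(packet.get("Acct-Status-Type"))
    return "linked"


if __name__ == "__main__":
    class_value = issue_class("alice", {"qos-level": "gold"})
    # Constructed accounting packets: two genuine, one altered, one without Class.
    packets = [
        {"Acct-Status-Type": "Start", "Class": class_value},
        {"Acct-Status-Type": "Stop", "Class": class_value},
        {"Acct-Status-Type": "Start", "Class": class_value[:-4] + b"0000"},
        {"Acct-Status-Type": "Start"},
    ]
    for packet in packets:
        print(packet["Acct-Status-Type"], "->", link_accounting(packet))
    for session_id, session in SESSIONS.items():
        print(session_id, session["user"], session["attrs"], session["acct"])
```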


Re: Re : What is the Class attribute for?

2010-05-24 Thread weiwei fang
Thanks for your kind reply.

Now our company has bought the WiMAX products. We want to use freeradius as
the AAA server.

However, the vendor told us that we need to return back the user's qos
service level back to AGW after authenticating this user. I looked up the
documents and found this attribute. And as the WiMAX network will be used
only for our company, we don't want to use the accounting part in
freeradius(btw: how can I get rid of this part and don't let this part
start)?

So maybe we need to define a vendor-specific attribute for our purpose?

Thanks again for your help!

2010/5/25 Arran Cudbard-Bell a.cudba...@gmail.com


 On May 24, 2010, at 1:36 PM, Alexandre Chapellon wrote:

  I personally use it for QoS definition. It works as expected but I can't
 guarantee this is the regular use for this attribute.
 
  What's special with the class attribute is that if you send it in
 Access-Accept, it should be added in later accounting packets. This can be
 very useful and if you don't need this feature I suggest you use another
 attribute.
 

 The use of the 'Class' attribute is site specific; you can use it to carry
 any value you want. If you're setting client QoS settings dynamically then
 the attribute is User-Priority-Table as described in RFC 4674.

 Personally I think the best way to use the Class attribute is to link
 Authentication and Accounting sessions. All other session attributes can be
 stored in a database.

 -Arran

  Sent from my HTC.
 
  - Reply message -
  From: weiwei fang fan...@gmail.com
  Date: Sun, May 23, 2010 23:15
  Subject: What is the Class attribute for?
  To: freeradius-users@lists.freeradius.org
 
  Hello, all!
 
  I noticed that RFC 2865 defined an attribute called Class, but I don't
 know its meaning and usage. Can I use it as the QoS classification for the
 user?
 
  Thanks!
  -
  List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Re : What is the Class attribute for?

2010-05-24 Thread Alan DeKok
weiwei fang wrote:
 Now our company has bought the WiMAX products. We want to use freeradius
 as the AAA server.

  It should work without a problem.

 However, the vendor told us that we need to return back the user's qos
 service level back to AGW after authenticating this user. I looked up
 the documents and found this attribute.

  Uh.. how about reading the documentation for the AGW, or asking the
vendor which attribute their product needs for QoS service level?

 And as the WiMAX network will be
 used only for our company, we don't want to use the accounting part in
 freeradius(btw: how can I get rid of this part and don't let this part
 start)?

  Don't configure accounting on the AGW?

 So maybe we need to define a vendor-specific attribute for our purpose?

  Go ask the vendor how their product works.  Then, configure FreeRADIUS
to send the data needed by that product.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


What does a good example look like

2010-05-06 Thread Huckle Berry
Hello again,

I have a few questions that may or may not be related to each other. First,
I know radtest works fine for testing the basic functions of freeradius
(i.e. it will authenticate with no encryption) but I would like to know if
radtest can be used to test authentication using one of the various types of
encryptions and protocols.

Question two has to do with said protocols. Is there a clear and concise
page that will define all of the protocols (PEAP, EAP, TLS, TTLS, MSCHAP,
MSCHAPv2, LEAP, WPA(1/2)-PSK, etc) how they differ from each other and what
exactly happens during the authentication process. Illustrations would be
nice.

Question three: I have come to conclude that some protocols are the same
thing with different names, can anyone clarify which protocols are the same
or are at least compatible, and which are different?

Lastly, what does a successful authentication look like for each type of
protocol. What should I be looking for in my freeradius output, and what can
I compare it to. Possibly if I saw where stuff was going haywire I could
determine for myself what the issue is.

~Huckle Berry
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: What does a good example look like

2010-05-06 Thread Alan Buxey
Hi,

 I have a few questions that may or may not be related to each other. First, I 
 know radtest works fine for testing the basic functions of freeradius (i.e. 
 it will authenticate with no encryption) but I would like to know if radtest 
 can be used to test authentication using one of the various types of 
 encryptions and protocols.

eapol_test from the wpa_supplicant package is a good tool, as is a real 
client.

 Question two has to do with said protocols. Is there a clear and concise page 
 that will define all of the protocols (PEAP, EAP, TLS, TTLS, MSCHAP, 
 MSCHAPv2, LEAP, WPA(1/2)-PSK, etc) how they differ from each other and what 
 exactly happens during the authentication process. Illustrations would be 
 nice.

www.google.com

there are hundreds of resources out there that explain what each of these
are, how they work etc...i don't know why FreeRADIUS should have to reinvent
the documentation wheel

 Question three: I have come to conclude that some protocols are the same 
 thing with different names, can anyone clarify which protocols are the same 
 or are at least compatible, and which are different?

all of them are different. some are inner-types that get tunnelled in the
EAP tunnel... 

EAP = framework

PEAP, EAP-TLS, LEAP, EAP-TTLS are all forms of EAP

MSCHAP, PAP, MSCHAPv2 are all methods that can be inside the EAP tunnel

WPA-PSK/WPA2-PSK/WPA-Enterprise/WPA2-Enterprise etc are forms of AP 
to client communication

TKIP or AES being method of encryption/cipher-stream handling
for the AP to client 

 Lastly, what does a successful authentication look like for each type of 
 protocol. What should I be looking for in my freeradius output, and what can 
 I compare it to. Possibly if I saw where stuff was going haywire I could 
 determine for myself what the issue is.

what does it look like?  the client gets online and can eg DHCP for an address.
usually a supplicant will have a pretty green button, tick or such.  using a
tool such as eapol_test the last line of output will say SUCCESS


freeradius output will say things like [ok] or [reject] - in debug mode you'll
get so much more ...and it's something that will depend on what modules
and config you have - just get some successful auths and some unsuccessful
and compare/contrast

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What does a good example look like

2010-05-06 Thread John Dennis

On 05/06/2010 06:29 PM, Huckle Berry wrote:

Hello again,
I have a few questions that may or may not be related to each other.
First, I know radtest works fine for testing the basic functions of
freeradius (i.e. it will authenticate with no encryption) but I would
like to know if radtest can be used to test authentication using one of
the various types of encryptions and protocols.


No. You'll probably also need eapol_test 
(http://deployingradius.com/scripts/eapol_test). I'm not sure how much 
coverage eapol_test gives or if there are better test clients, Alan might 
know.



Question two has to do with said protocols. Is there a clear and concise
page that will define all of the protocols (PEAP, EAP, TLS, TTLS,
MSCHAP, MSCHAPv2, LEAP, WPA(1/2)-PSK, etc) how they differ from each
other and what exactly happens during the authentication process.
Illustrations would be nice.


Not that I'm aware of. I've often thought it would be a nice thing to 
do. If I ever have free time I might, but considering I never have free 
time, oh well ...


You might want to consult:

http://deployingradius.com/documents/protocols/compatibility.html
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

for starters


Question three: I have come to conclude that some protocols are the same
thing with different names, can anyone clarify which protocols are the
same or are at least compatible, and which are different?


There are no redundant overlaps that I'm aware of. It would be kind of 
pointless. What is true is some protocols encapsulate others, e.g. they 
wrap them, although after unwrapping the mechanism is the same, at the 
top level the protocol is different.



Lastly, what does a successful authentication look like for each type of
protocol. What should I be looking for in my freeradius output, and what
can I compare it to. Possibly if I saw where stuff was going haywire I
could determine for myself what the issue is.


seeing Access-Accept sent from the server in the debug output.

While debugging you might want to try Alan's most excellent public 
debugging tool for radius debug output whose link I'm sorry to say I've 
misplaced :-(




--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What does a good example look like

2010-05-06 Thread Alan Buxey
Hi,

 While debugging you might want to try Alan's most excellent public 
 debugging tool for radius debug output whose link I'm sorry to say I've 
 misplaced :-(

http://networkradius.com/freeradius.html

there's a link on the left hand side on the main page http://networkradius.com/


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


What nastype for Extreme switch?

2010-04-15 Thread Wagner Pereira

Hi, all.

I installed the AAA model Radius on my Extreme's switch and I am already 
able to log in into it, but I just enter in this device through the 
non-privileged mode (  ).


I was taking a look at http://linux.die.net/man/5/clients.conf and it says:


nastype
The nastype attribute is used to tell the checkrad.pl script which 
NAS-specific method it should use when checking simultaneous use.

The following values are currently recognized:

cisco
computone
livingston
max40xx
multitech
netserver
pathras
patton
portslave
tc
usrhiper
other


Which of these nastype values must I use for Extreme devices?

Thanks.

--

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
Tel. (11) 3091-8901

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: What nastype for Extreme switch?

2010-04-15 Thread Mats Blomgren B
Hi,

Not sure this answers your question but..
I use the following setup for extreme switches..


# Access layer
admin   NAS-IP-Address == 192.168.0.9, Auth-Type = System
        Service-Type = Administrative-User


Administrative-User = Read/Write
Login-User = Read only

Best Regards
 
Mats Blomgren B

-Original Message-
From: 
freeradius-users-bounces+mats.b.blomgren=ericsson@lists.freeradius.org 
[mailto:freeradius-users-bounces+mats.b.blomgren=ericsson@lists.freeradius.org]
 On Behalf Of Wagner Pereira
Sent: 15 April 2010 16:26
To: FreeRadius users mailing list
Subject: What nastype for Extreme switch?

Hi, all.

I installed the AAA model Radius on my Extreme's switch and I am already able 
to log in into it, but I just enter in this device through the non-privileged 
mode (  ).

I was taking a look at http://linux.die.net/man/5/clients.conf and it says:


nastype
The nastype attribute is used to tell the checkrad.pl script which NAS-specific 
method it should use when checking simultaneous use.
The following values are currently recognized:

cisco
computone
livingston
max40xx
multitech
netserver
pathras
patton
portslave
tc
usrhiper
other


Which of these nastype values must I use for Extreme devices?

Thanks.

-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo CCE/USP - Centro de 
Computação Eletrônica da Universidade de São Paulo http://www.pop-sp.rnp.br 
Tel. (11) 3091-8901

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What nastype for Extreme switch?

2010-04-15 Thread Wagner Pereira

Hi, Mats. Thanks for the answer.

Well, my clients.conf seems like the below:

--
client 10.0.0.2/32 {
secret = test
shortname   = device_test
Auth-Type  = System
Service-Type  = Administrative-User
}
--

I added your suggested lines into the file, but, after I restart 
freeradius, my device's connection remains the same, I mean, 
non-privileged mode:



Device:1 


What's next?

--

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
Tel. (11) 3091-8901


On 15/4/2010 11:32, Mats Blomgren B wrote:

Hi,

Not sure this answers your question but..
I use the following setup for extreme switches..


# Access layer
admin   NAS-IP-Address == 192.168.0.9, Auth-Type = System
        Service-Type = Administrative-User


Administrative-User = Read/Write
Login-User = Read only

Best Regards

Mats Blomgren B

-Original Message-
From: 
freeradius-users-bounces+mats.b.blomgren=ericsson@lists.freeradius.org 
[mailto:freeradius-users-bounces+mats.b.blomgren=ericsson@lists.freeradius.org]
 On Behalf Of Wagner Pereira
Sent: 15 April 2010 16:26
To: FreeRadius users mailing list
Subject: What nastype for Extreme switch?

Hi, all.

I installed the AAA model Radius on my Extreme's switch and I am already able to 
log in into it, but I just enter in this device through the non-privileged mode 
(  ).

I was taking a look at http://linux.die.net/man/5/clients.conf and it says:


nastype
The nastype attribute is used to tell the checkrad.pl script which NAS-specific 
method it should use when checking simultaneous use.
The following values are currently recognized:

cisco
computone
livingston
max40xx
multitech
netserver
pathras
patton
portslave
tc
usrhiper
other


Which of these nastype values must I use for Extreme devices?

Thanks.

   

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What nastype for Extreme switch?

2010-04-15 Thread Alan DeKok
Wagner Pereira wrote:
 Well, my clients.conf seems like the below:
 
 --
 client 10.0.0.2/32 {
 secret = test
 shortname   = device_test
 Auth-Type  = System
 Service-Type  = Administrative-User

  Huh?  Nothing in the documentation or examples indicates that it's a
good idea to put Auth-Type or Service-Type here.

 I added your suggested lines into the file, but, after I restart
 freeradius, my device's connection remains the same, I mean,
 non-privileged mode:
 
 
 Device:1 
 
 
 What's next?

$ man users

  And read raddb/users

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


What does the NAS-Port mean?

2010-03-30 Thread CaiMuzhang

Hello!

See the packet info below:

rad_recv: Access-Request packet from host 168.2.8.28 port 5001, id=142, length=121
 User-Name = licheng
 EAP-Message = 0x0201000c016c696368656e67
 Message-Authenticator = 0xb11d9a0d22d86cfb58038fe5832a9f9a
 NAS-IP-Address = 168.2.8.28
 NAS-Identifier = 000fe281c738
 NAS-Port = 268517377
 NAS-Port-Type = Ethernet
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Calling-Station-Id = 0006-5b28-47aa

 

Notice the NAS-Port = 268517377. It should represent the ID of the port, 
from which the packet is sent. But when I look up the MIB info of the switch, I 
can't find such an ID of the port. Instead, the base port number is another 
integer. How can I get this number (say 268517377) by SNMP? Thank you!
  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: What does the NAS-Port mean?

2010-03-30 Thread Alan DeKok
CaiMuzhang wrote:
 Notice the NAS-Port = 268517377. It should represent the ID of the
 port, from which the packet is sent. But when I look up the MIB info of
 the switch, I can't find such an ID of the port. Instead, the base port
 number is another integer. How can I get this number (say 268517377) by
 SNMP? Thank you!

  Call the vendor and ask them what the NAS-Port means.  We don't know
which NAS you bought, or what the vendor was thinking.

  Also, note that  268517377 == 0x4001.  Maybe they're packing multiple
pieces of information into the NAS-Port attribute?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
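
One way to test the "multiple pieces of information packed into NAS-Port" idea from the reply above, as an added example that is not part of the original thread. NAS_PORT is the value from the posted packet; the field layout and the extra sample values are constructed assumptions, since the page does not state the vendor's encoding.

```python
from functools import reduce

NAS_PORT = 268517377  # value from the Access-Request in the thread
# In hex this is 0x10014001; its low 16 bits are 0x4001.

# Hypothetical layout, most significant field first. The real one must come
# from the NAS vendor's documentation.
HYPOTHETICAL_LAYOUT = [("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12)]

# Constructed samples: what NAS-Port could look like for logins on three
# neighbouring switch ports if only the "port" field changed.
CONSTRUCTED_SAMPLES = [0x10014001, 0x10015001, 0x10016001]


def split_fields(value, layout):
    """Split a 32-bit value into named fields, most significant field first.

    layout is a list of (name, width_in_bits) whose widths must total 32.
    """
    if not 0 <= value < 2 ** 32:
        raise ValueError("NAS-Port is a 32-bit unsigned integer")
    if sum(width for _, width in layout) != 32:
        raise ValueError("layout widths must add up to 32 bits")
    fields, shift = {}, 32
    for name, width in layout:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return fields


def varying_bits(samples):
    """Return (lowest, highest) bit position that differs across samples.

    Comparing NAS-Port values captured from logins on known physical ports
    shows which bits carry the port number. Returns None if nothing differs.
    """
    first = samples[0]
    diff = reduce(lambda acc, v: acc | (v ^ first), samples, 0)
    if diff == 0:
        return None
    lowest = (diff & -diff).bit_length() - 1
    highest = diff.bit_length() - 1
    return lowest, highest


if __name__ == "__main__":
    print(hex(NAS_PORT))
    print(split_fields(NAS_PORT, HYPOTHETICAL_LAYOUT))
    print(varying_bits(CONSTRUCTED_SAMPLES))
```
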


What does the module rlm_krb5 do?

2009-12-13 Thread John Mok

Hi,

I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that the 
AS proxies the Kerberos authentication request from the access point to 
the Kerberos KDC and the access point grants access to the wired network 
upon successful authentication.


I googled about the subject and found the following article about the 
module rlm_krb5 :-


http://wiki.freeradius.org/Rlm_krb5

http://archives.free.net.ph/message/20060104.153134.68c5be76.en.html

Is there anyone knows what the module rlm_krb5 does? Whether it is the 
module I need to use to do the job?


Thanks a lot.

John Mok


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What does the module rlm_krb5 do?

2009-12-13 Thread Alan DeKok
John Mok wrote:
 I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that the
 AS proxies the Kerberos authentication request from the access point

  The AP sends a kerberos authentication request?

 to
 the Kerberos KDC and the access point grants access to the wired network
 upon successful authentication.

  If that happened, then RADIUS would not be involved.  Only Kerberos.

 Is there anyone knows what the module rlm_krb5 does? Whether it is the
 module I need to use to do the job?

  The Kerberos module takes a username & password, and validates it
against a Kerberos KDC.

  I would suggest clarifying what technology is being used before trying
to come up with a solution.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What does the module rlm_krb5 do?

2009-12-13 Thread Alan Buxey
Hi,

 I am new to FreeRADIUS. I would like to set up FreeRADIUS, such that the 
 AS proxies the Kerberos authentication request from the access point to 
 the Kerberos KDC and the access point grants access to the wired network 
 upon successful authentication.

can the AP do kerberos? if so, why the RADIUS? 

what you probably mean is that you will take a user/pass from a client
as their login - PAP/captive portal? or EAP-TTLS/PAP ?

what rlm_krb5 does is take those details and use the system kerberos
(eg stuff all done via /etc/krb5.conf etc) to auth against your
kerberos KDC system - MS AD or whatever it is.

so long as your krb5 environment is fine - eg 'kinit someuser'
works, then rlm_krb5 does its job very well thanks - we've got 3
different installations doing that

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS ? What is the best option

2009-10-13 Thread Ivan Kalik
 I know that this list is not connected with any hardware vendor but I
 see that every couple days someone cries here  NAS problems...

 I use Mikrotik and I'm not satisfied (duplicated packets, does not
 support POD correctly , etc)

 Also, yesterday I see that Cisco can be pain in the a*** too :)

 So, dear friends... What is the best solution for ISP (PPPoE)?

There is no problem with using Cisco for PPPoE termination. That chap
doesn't know the difference between duplicated (packet re-sent with same
id) and conflicting packet (packet with same port/user etc. but different
id). With default settings Cisco will send duplicated packets every 2
seconds (if there is no reply from radius server); after 30 seconds it
will discard the original request and try to mark the radius server as
dead (and fail over to secondary radius server). If there have been
responses from radius server to other requests it won't mark it as dead
(or fail over - it can be debated if that is the correct pathway; perhaps
second request should go to secondary server anyway; freeradius now
implements this when working in proxy mode) but send the new request (with
same user/port etc.).

In response to receiving this conflicting packet (user/port etc. matches
but not id) freeradius will discard the original packet correctly assuming
that NAS has abandoned it. For some reason user in thread you have
mentioned can't comprehend that this is the correct action. He would
continue processing original requests which will then get discarded by the
NAS. With default settings that would extend processing time some 30 times
in his example (perl processing that takes 1 second per request).

So, Cisco and freeradius work fine there. Problem is his perl script. I
assume he is using it to connect to the database and get data from there.
Connecting to the database is very expensive. If he would offload data
gathering to sql module and use perl just for calculation chances are that
request processing would take 100 times shorter and his problems would
vanish. But he is adamant that Cisco is broken (sending new requests every
few seconds, not 30 seconds or 2 minutes that are defaults known to me;
repeating same request defaults are 2 and 5 seconds on various devices).

All in all, don't worry about using Cisco and freeradius for broadband
aggregation. They work fine together. Just don't trust Cisco claims about
numbers device can handle. Divide it by 10. If brochure says device can
handle 10,000 connections it will handle about 1,000 in a realistic case.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
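
The difference between a duplicated and a conflicting packet described in the message above, as an added simplified model that is not part of the original thread and not FreeRADIUS's own code. The names AccessRequest, RequestTracker and run_timeline are hypothetical, and the timeline is constructed from the 2-second retransmit and 30-second abandon defaults the message quotes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    nas: str        # source address of the NAS
    ident: int      # RADIUS Identifier field (0-255)
    user: str
    nas_port: int


class RequestTracker:
    """Classify incoming requests as new, duplicate or conflicting."""

    def __init__(self):
        self.in_flight = {}   # (nas, ident) -> request still being processed
        self.by_login = {}    # (nas, user, nas_port) -> ident of in-flight request
        self.abandoned = []   # originals dropped when a conflicting packet arrived

    def receive(self, req):
        key = (req.nas, req.ident)
        login = (req.nas, req.user, req.nas_port)
        if self.in_flight.get(key) == req:
            return "duplicate"   # same id re-sent: keep working on the original
        stale = self.in_flight.get(key)
        if stale is not None:    # Identifier reused for a different login
            self.by_login.pop((stale.nas, stale.user, stale.nas_port), None)
        verdict = "new"
        old_ident = self.by_login.get(login)
        if old_ident is not None and old_ident != req.ident:
            # Same user/port but a new id: the NAS has given up on the
            # original, so any reply to it would be thrown away. Drop it.
            old = self.in_flight.pop((req.nas, old_ident), None)
            if old is not None:
                self.abandoned.append(old)
                verdict = "conflicting"
        self.in_flight[key] = req
        self.by_login[login] = req.ident
        return verdict

    def reply_sent(self, req):
        """Forget a request once its reply has gone out."""
        self.in_flight.pop((req.nas, req.ident), None)
        login = (req.nas, req.user, req.nas_port)
        if self.by_login.get(login) == req.ident:
            del self.by_login[login]


def run_timeline():
    """Constructed timeline: a slow backend never answers the first request."""
    tracker = RequestTracker()
    original = AccessRequest("192.0.2.1", 10, "test1", 1)
    verdicts = []
    for second in range(0, 30, 2):      # t=0 first send, then a resend every 2 s
        verdicts.append((second, tracker.receive(original)))
    retry = AccessRequest("192.0.2.1", 11, "test1", 1)   # t=30: new id, same login
    verdicts.append((30, tracker.receive(retry)))
    return tracker, verdicts


if __name__ == "__main__":
    tracker, verdicts = run_timeline()
    for second, verdict in verdicts:
        print(f"t={second:2d}s {verdict}")
    print("abandoned:", tracker.abandoned)
```
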


RE: NAS ? What is the best option

2009-10-13 Thread Santiago Balaguer García

Hi,

 

  I am using MikroTik and I am very satisfied. However, it is not an easy device 
to configure and understand all its different configurations.

I do not understand why you have to use POD packets. If you do correctly the 
configurations and you have you want to offer your users, I think you needn't 
it.

  Think twice what you want to offer!

   The best device are Cisco ones, but you have to prepare a good quantity of 
money. Not 200-300€ which a mikrotik cost.

 

  Sincerely,

   

Santiago
 
 Date: Tue, 13 Oct 2009 01:29:40 +0200
 From: mangi...@gmail.com
 To: freeradius-users@lists.freeradius.org
 Subject: NAS ? What is the best option
 
 I know that this list is not connected with any hardware vendor but I 
 see that every couple days someone cries here  NAS problems...
 
 I use Mikrotik and I'm not satisfied (duplicated packets, does not 
 support POD correctly , etc)
 
 Also, yesterday I see that Cisco can be pain in the a*** too :)
 
 So, dear friends... What is the best solution for ISP (PPPoE)?
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

NAS ? What is the best option

2009-10-12 Thread Marinko Tarlac
I know that this list is not connected with any hardware vendor but I 
see that every couple days someone cries here  NAS problems...


I use Mikrotik and I'm not satisfied (duplicated packets, does not 
support POD correctly , etc)


Also, yesterday I see that Cisco can be pain in the a*** too :)

So, dear friends... What is the best solution for ISP (PPPoE)?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


What problem does the FreeRADIUS wiki have?

2009-09-07 Thread Arran Cudbard-Bell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

As per title.

- -Arran
- -- 
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqlOikACgkQcaklux5oVKIRFQCdGqivLhNy//pWHpvssxSdrHUz
X+IAniTNY3WhpKjAF8m+50IEWTqeZvJ5
=JNcr
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What problem does the FreeRADIUS wiki have?

2009-09-07 Thread Arran Cudbard-Bell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/09/2009 17:51, Arran Cudbard-Bell wrote:
 As per title.
 
 -Arran

Whatever it was seems to have resolved itself.

- -- 
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqlO5MACgkQcaklux5oVKLZggCfWKOHbCfGgc+PDqzZo7r+uHbv
OOkAnR9ggTOkZkD4PLYqFO8zDfPIwz1Z
=AaUv
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: What can cause the Exiting normally without prompting

2009-03-31 Thread 韩枫

sorry, it includes the prepaid module that i write. u can not reproduce.

 

test shell



#!/bin/bash
i=0
while true
do 
date
time ../radclient -p 16 -q -s -t 3 -r 3 -f auth_test 127.0.0.1:1812 auth xx

i=`expr $i \+ 1`
echo $i
done



auth_test

User-Name=test1, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=1, Service-Type=Framed, 
Framed-Protocol=PPP

User-Name=test2, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=2, Service-Type=Framed, 
Framed-Protocol=PPP

User-Name=test3, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=3, Service-Type=Framed, 
Framed-Protocol=PPP

User-Name=test4, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=4, Service-Type=Framed, 
Framed-Protocol=PPP

User-Name=test5, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=5, Service-Type=Framed, 
Framed-Protocol=PPP

...

---

 

i am testing, possible the same code have not the problem on Centos 5.2 X86.

CENTOS 5.2 X86_64 have the problem.
 
 Date: Mon, 30 Mar 2009 16:17:02 -0300
 Subject: Re: What can cause the Exiting normally without prompting
 From: listas.luaf...@gmail.com
 To: freeradius-users@lists.freeradius.org
 
 2009/3/29 韩枫 switchp...@hotmail.com:
  hi,
  os is centos 5.2 x64,pgsql is 8.3.7. i have not set the cpu quotas.
  Even, I do not know how to set up cpu quotas.
  --
  # ulimit -a
  core file size (blocks, -c) unlimited
  data seg size (kbytes, -d) unlimited
  scheduling priority (-e) 0
  file size (blocks, -f) unlimited
  pending signals (-i) 139264
  max locked memory (kbytes, -l) 32
  max memory size (kbytes, -m) unlimited
  open files (-n) 8192
  pipe size (512 bytes, -p) 8
  POSIX message queues (bytes, -q) 819200
  real-time priority (-r) 0
  stack size (kbytes, -s) 10240
  cpu time (seconds, -t) unlimited
  max user processes (-u) 139264
  virtual memory (kbytes, -v) unlimited
  file locks (-x) unlimited
 
  --
  Whether or not the changed module will cause this to happen?
 
  Date: Sat, 28 Mar 2009 08:25:48 -0700
  From: al...@deployingradius.com
  To: freeradius-users@lists.freeradius.org
  Subject: Re: What can cause the Exiting normally without prompting
 
  switchp...@hotmail.com wrote:
   i am testing freeradius 2.1.X by radclient , when the number of
   requests arrive 6million+, freeradius will Exiting normally without
   prompting.
 
  The only time it exits is when something tells it to exit. e.g. via
  SIGTERM.
 
  I've never seen it exit like that in any of my performance tests.
  Maybe you have CPU quotas for the server?
 
 
 Could you give more details about how to reproduce the situation?
 
 Thanks
 Luciano
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: What can cause the Exiting normally without prompting

2009-03-31 Thread Luciano Afranllie
Just in case this can help you, take a look at
http://linux-mm.org/OOM_Killer

Basically the linux kernel has a mechanism to kill processes when it
runs out of memory. In this case the kill signal should not be SIGTERM but
googling I found it may be possible in some cases the kernel uses this
signal.

Search in your kernel logs (/var/log/dmesg)  to see if you have
something like invoked oom-killer

Regards
Luciano

2009/3/31 韩枫 switchp...@hotmail.com:
 sorry, it includes the prepaid module that i write. u can not reproduce.

 test shell
 
 #!/bin/bash
 i=0
 while true
 do
 date
 time ../radclient -p 16 -q -s -t 3 -r 3 -f auth_test 127.0.0.1:1812 auth
 xx
 i=`expr $i \+ 1`
 echo $i
 done
 
 auth_test
 User-Name=test1, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=1, Service-Type=Framed,
 Framed-Protocol=PPP
 User-Name=test2, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=2, Service-Type=Framed,
 Framed-Protocol=PPP
 User-Name=test3, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=3, Service-Type=Framed,
 Framed-Protocol=PPP
 User-Name=test4, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=4, Service-Type=Framed,
 Framed-Protocol=PPP
 User-Name=test5, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=5, Service-Type=Framed,
 Framed-Protocol=PPP
 ...
 ---

 i am testing, possible the same code have not the problem on Centos 5.2 X86.
 CENTOS 5.2 X86_64 have the problem.

 Date: Mon, 30 Mar 2009 16:17:02 -0300
 Subject: Re: What can cause the Exiting normally without prompting
 From: listas.luaf...@gmail.com
 To: freeradius-users@lists.freeradius.org

 2009/3/29 韩枫 switchp...@hotmail.com:
  hi,
  os is centos 5.2 x64,pgsql is 8.3.7. i have not set the cpu quotas.
  Even, I do not know how to set up cpu quotas.
  --
  # ulimit -a
  core file size (blocks, -c) unlimited
  data seg size (kbytes, -d) unlimited
  scheduling priority (-e) 0
  file size (blocks, -f) unlimited
  pending signals (-i) 139264
  max locked memory (kbytes, -l) 32
  max memory size (kbytes, -m) unlimited
  open files (-n) 8192
  pipe size (512 bytes, -p) 8
  POSIX message queues (bytes, -q) 819200
  real-time priority (-r) 0
  stack size (kbytes, -s) 10240
  cpu time (seconds, -t) unlimited
  max user processes (-u) 139264
  virtual memory (kbytes, -v) unlimited
  file locks (-x) unlimited
 
  --
  Whether or not the changed module will cause this to happen?
 
  Date: Sat, 28 Mar 2009 08:25:48 -0700
  From: al...@deployingradius.com
  To: freeradius-users@lists.freeradius.org
  Subject: Re: What can cause the Exiting normally without prompting
 
  switchp...@hotmail.com wrote:
   i am testing freeradius 2.1.X by radclient , when the number of
   requests arrive 6million+, freeradius will Exiting normally
   without   prompting.
 
  The only time it exits is when something tells it to exit. e.g. via
  SIGTERM.
 
  I've never seen it exit like that in any of my performance tests.
  Maybe you have CPU quotas for the server?
 

 Could you give more details about how to reproduce the situation?

 Thanks
 Luciano


RE: What can cause the Exiting normally without prompting

2009-03-31 Thread 韩枫

Thanks,

The logs (dmesg, messages, radius.log) do not have any special tips.
 
 Date: Tue, 31 Mar 2009 16:02:01 -0300
 Subject: Re: What can cause the Exiting normally without prompting
 From: listas.luaf...@gmail.com
 To: freeradius-users@lists.freeradius.org
 
 Just in case this can help you, take a look at
 http://linux-mm.org/OOM_Killer
 
 Basically the Linux kernel has a mechanism to kill processes when it
 runs out of memory. In this case the kill signal should not be SIGTERM, but
 googling I found it may be possible that in some cases the kernel uses this
 signal.
 
 Search in your kernel logs (/var/log/dmesg) to see if you have
 something like "invoked oom-killer".
 
 Regards
 Luciano
 
 2009/3/31 韩枫 switchp...@hotmail.com:
  sorry, it includes the prepaid module that i write. u can not reproduce.
 
  test shell
  
  #!/bin/bash
  i=0
  while true
  do
  date
  time ../radclient -p 16 -q -s -t 3 -r 3 -f auth_test 127.0.0.1:1812 auth
  xx
  i=`expr $i \+ 1`
  echo $i
  done
  
  auth_test
  User-Name=test1, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=1, Service-Type=Framed,
  Framed-Protocol=PPP
  User-Name=test2, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=2, Service-Type=Framed,
  Framed-Protocol=PPP
  User-Name=test3, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=3, Service-Type=Framed,
  Framed-Protocol=PPP
  User-Name=test4, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=4, Service-Type=Framed,
  Framed-Protocol=PPP
  User-Name=test5, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=5, Service-Type=Framed,
  Framed-Protocol=PPP
  ...
  ---
 
  i am testing, possible the same code have not the problem on Centos 5.2 X86.
  CENTOS 5.2 X86_64 have the problem.
 
  Date: Mon, 30 Mar 2009 16:17:02 -0300
  Subject: Re: What can cause the Exiting normally without prompting
  From: listas.luaf...@gmail.com
  To: freeradius-users@lists.freeradius.org
 
  2009/3/29 韩枫 switchp...@hotmail.com:
   hi,
   os is centos 5.2 x64,pgsql is 8.3.7. i have not set the cpu quotas.
   Even, I do not know how to set up cpu quotas.
   --
   # ulimit -a
   core file size (blocks, -c) unlimited
   data seg size (kbytes, -d) unlimited
   scheduling priority (-e) 0
   file size (blocks, -f) unlimited
   pending signals (-i) 139264
   max locked memory (kbytes, -l) 32
   max memory size (kbytes, -m) unlimited
   open files (-n) 8192
   pipe size (512 bytes, -p) 8
   POSIX message queues (bytes, -q) 819200
   real-time priority (-r) 0
   stack size (kbytes, -s) 10240
   cpu time (seconds, -t) unlimited
   max user processes (-u) 139264
   virtual memory (kbytes, -v) unlimited
   file locks (-x) unlimited
  
   --
   Whether or not the changed module will cause this to happen?
  
   Date: Sat, 28 Mar 2009 08:25:48 -0700
   From: al...@deployingradius.com
   To: freeradius-users@lists.freeradius.org
   Subject: Re: What can cause the Exiting normally without prompting
  
   switchp...@hotmail.com wrote:
i am testing freeradius 2.1.X by radclient , when the number of
requests arrive 6million+, freeradius will Exiting normally
without   prompting.
  
   The only time it exits is when something tells it to exit. e.g. via
   SIGTERM.
  
   I've never seen it exit like that in any of my performance tests.
   Maybe you have CPU quotas for the server?
  
 
  Could you give more details about how to reproduce the situation?
 
  Thanks
  Luciano
 

Re: What can cause the Exiting normally without prompting

2009-03-30 Thread Luciano Afranllie
2009/3/29 韩枫 switchp...@hotmail.com:
 hi,
 os is centos 5.2 x64,pgsql is 8.3.7. i have not set the cpu quotas.
 Even, I do not know how to set up cpu quotas.
 --
 # ulimit -a
 core file size  (blocks, -c) unlimited
 data seg size   (kbytes, -d) unlimited
 scheduling priority (-e) 0
 file size   (blocks, -f) unlimited
 pending signals (-i) 139264
 max locked memory   (kbytes, -l) 32
 max memory size (kbytes, -m) unlimited
 open files  (-n) 8192
 pipe size(512 bytes, -p) 8
 POSIX message queues (bytes, -q) 819200
 real-time priority  (-r) 0
 stack size  (kbytes, -s) 10240
 cpu time   (seconds, -t) unlimited
 max user processes  (-u) 139264
 virtual memory  (kbytes, -v) unlimited
 file locks  (-x) unlimited

 --
 Whether or not the changed module will cause this to happen?

 Date: Sat, 28 Mar 2009 08:25:48 -0700
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: What can cause the Exiting normally without prompting

 switchp...@hotmail.com wrote:
  i am testing freeradius 2.1.X by radclient , when the number of
  requests arrive 6million+, freeradius will Exiting normally without
  prompting.

 The only time it exits is when something tells it to exit. e.g. via
 SIGTERM.

 I've never seen it exit like that in any of my performance tests.
 Maybe you have CPU quotas for the server?


Could you give more details about how to reproduce the situation?

Thanks
Luciano


RE: What can cause the Exiting normally without prompting

2009-03-29 Thread 韩枫

Hi,

The OS is CentOS 5.2 x64, pgsql is 8.3.7. I have not set the CPU quotas. I do not
even know how to set up CPU quotas.

--

# ulimit -a

core file size  (blocks, -c) unlimited
data seg size   (kbytes, -d) unlimited
scheduling priority (-e) 0
file size   (blocks, -f) unlimited
pending signals (-i) 139264
max locked memory   (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files  (-n) 8192
pipe size(512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority  (-r) 0
stack size  (kbytes, -s) 10240
cpu time   (seconds, -t) unlimited
max user processes  (-u) 139264
virtual memory  (kbytes, -v) unlimited
file locks  (-x) unlimited

 

--

Could the changed module cause this to happen?

 
 Date: Sat, 28 Mar 2009 08:25:48 -0700
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: What can cause the Exiting normally without prompting
 
 switchp...@hotmail.com wrote:
  i am testing freeradius 2.1.X by radclient , when the number of
  requests arrive 6million+, freeradius will Exiting normally without
  prompting.
 
 The only time it exits is when something tells it to exit. e.g. via
 SIGTERM.
 
 I've never seen it exit like that in any of my performance tests.
 Maybe you have CPU quotas for the server?
 
 Alan DeKok.

What can cause the Exiting normally without prompting

2009-03-28 Thread switchport
Hi,
I am testing freeradius 2.1.X with radclient. When the number of requests
reaches 6 million+, freeradius will be Exiting normally without prompting.
The freeradius being tested has the pgsql module.
Thanks.



Re: What can cause the Exiting normally without prompting

2009-03-28 Thread Alan DeKok
switchp...@hotmail.com wrote:
 i am testing freeradius 2.1.X by radclient , when the number of
 requests arrive 6million+, freeradius will  Exiting normally without
 prompting.

  The only time it exits is when something tells it to exit.  e.g. via
SIGTERM.

  I've never seen it exit like that in any of my performance tests.
Maybe you have CPU quotas for the server?

  Alan DeKok.


What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Mike Diggins


According to the documentation, radiusd -C is supposed to Check 
configuration and exit. I was assuming that would catch errors in the 
configuration that might prevent it from restarting. However, if I 
intentionally mangle the configuration to the point it won't start, the -C 
check still returns nothing. What am I missing?


-Mike


Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Alan DeKok
Mike Diggins wrote:
 
 According to the documentation, radiusd -C is supposed to Check
 configuration and exit. I was assuming that would catch errors in the
 configuration that might prevent it from restarting. However, if I
 intentionally mangle the configuration to the point it won't start, the
 -C check still returns nothing. What am I missing?

  Could you give *examples* of what doesn't work?

  And which version are you running?  1.1.x might have -C, but it
definitely doesn't work.  2.1.x should be a lot better.

  Alan DeKok.


Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread A . L . M . Buxey
Hi,
 Mike Diggins wrote:
  
  According to the documentation, radiusd -C is supposed to Check
  configuration and exit. I was assuming that would catch errors in the
  configuration that might prevent it from restarting. However, if I
  intentionally mangle the configuration to the point it won't start, the
  -C check still returns nothing. What am I missing?
 
   Could you give *examples* of what doesn't work?
 
   And which version are you running?  1.1.x might have -C, but it
 definitely doesn't work.  2.1.x should be a lot better.

2.1.3 was mentioned in the subject title...

radiusd -XC does most things okay here...

radiusd:  Skipping IP addresses and Ports 
Configuration appears to be OK.

though I did note from its reintroduction into the code that it skips
the listening stuff. ponder if that's where his config is borked?

alan


Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
 2.1.3 was mentioned in the subject title...

  Maybe I should read the messages.

 radiusd -XC does most things okay here...
 
 radiusd:  Skipping IP addresses and Ports 
 Configuration appears to be OK.
 
 though i did note from its reintroduction into the code that it skips
 the listening stuff. ponder if thats where his config is borked?

  It checks:

a) if the configuration files are formatted correctly

b) if some modules can be loaded

  If more things need to be checked, we will need a patch to add
that functionality.

  Alan DeKok.


Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread A . L . M . Buxey
Hi,

   It checks:
 
 a) if the configuration files are formatted correctly
 
 b) if some modules can be loaded
 
   If more things need to be checked, we will need a patch to add
 that functionality.

much as thought. is it also the case that it only checks
stuff that can be 'HUP'd' ?

alan


Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
 much as thought. is it also the case that it only checks
 stuff that can be 'HUP'd' ?

  Yes.

  Alan DeKok.


Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Mike Diggins


Just as a quick example, I added this line to radius.conf:

$INCLUDE dsdfsdf/   # bogus line

radiusd -C doesn't complain:

[r...@rad01 raddb]# /usr/local/freeradius/sbin/radiusd -C
[r...@rad01 raddb]#

But:

Radius -XC does:

including files in directory /usr/local/freeradius/etc/raddb/dsdfsdf/
/usr/local/freeradius/etc/raddb/radiusd.conf[96]: Error reading directory 
/usr/local/freeradius/etc/raddb/dsdfsdf/: No such file or directory

Errors reading /usr/local/freeradius/etc/raddb/radiusd.conf
[r...@prad01 raddb]#

Basically I just wanted to do a quick syntax check to ensure radius will 
start, in case I mangle something in the config.


-Mike



On Mon, 9 Mar 2009, Alan DeKok wrote:


a.l.m.bu...@lboro.ac.uk wrote:

much as thought. is it also the case that it only checks
stuff that can be 'HUP'd' ?


 Yes.

 Alan DeKok.


Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Alan DeKok
Mike Diggins wrote:
 
 Just as a quick example, I added this line to radius.conf:
 
 $INCLUDE dsdfsdf/# bogus line
 
 radiusd -C doesn't complain:
 
 [r...@rad01 raddb]# /usr/local/freeradius/sbin/radiusd -C
 [r...@rad01 raddb]#

  Err..  try echo $? after that.  It doesn't print out log messages to
stdout unless you also do -X.

 But:
 
 Radius -XC does:
 
 including files in directory /usr/local/freeradius/etc/raddb/dsdfsdf/
 /usr/local/freeradius/etc/raddb/radiusd.conf[96]: Error reading
 directory /usr/local/freeradius/etc/raddb/dsdfsdf/: No such file or
 directory
 Errors reading /usr/local/freeradius/etc/raddb/radiusd.conf
 [r...@prad01 raddb]#
 
 Basically I just wanted to do a quick syntax check to ensure radius will
 start, in case I mangle something in the config.

 radiusd -C
 if [ $? -eq 0 ]; then
   echo OK
 else
   echo FAILED something
 fi

  Alan DeKok.



Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread Mike Diggins


On Mon, 9 Mar 2009, Alan DeKok wrote:


Mike Diggins wrote:


Just as a quick example, I added this line to radius.conf:

$INCLUDE dsdfsdf/# bogus line

radiusd -C doesn't complain:

[r...@rad01 raddb]# /usr/local/freeradius/sbin/radiusd -C
[r...@rad01 raddb]#


 Err..  try echo $? after that.  It doesn't print out log messages to
stdout unless you also do -X.


But:

Radius -XC does:

including files in directory /usr/local/freeradius/etc/raddb/dsdfsdf/
/usr/local/freeradius/etc/raddb/radiusd.conf[96]: Error reading
directory /usr/local/freeradius/etc/raddb/dsdfsdf/: No such file or
directory
Errors reading /usr/local/freeradius/etc/raddb/radiusd.conf
[r...@prad01 raddb]#

Basically I just wanted to do a quick syntax check to ensure radius will
start, in case I mangle something in the config.


radiusd -C
if [ $? -eq 0 ]; then
   echo OK
else
   echo FAILED something
fi

 Alan DeKok.


Ah, ok, So it just returns an error level. That will do. Thanks.

-Mike




Re: What does 'radius -C' do? (2.1.3)

2009-03-09 Thread A . L . M . Buxey
Hi,

   Err..  try echo $? after that.  It doesn't print out log messages to
 stdout unless you also do -X.

I was about to say the same thing - the man page clearly
states that it fails with a value - this is a shell fail,
not a human-readable fail - the exit value isn't 0,
therefore something is wrong. Many, many daemons work
in the same way - 

  radiusd -C
  if [ $? -eq 0 ]; then
     echo OK
  else
     echo FAILED something
  fi

- and have this sort of wrapper or logic. :-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
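
A pre-restart gate built on the exit status discussed in this thread, as an added example (not code from the posters or from the FreeRADIUS project). The default binary path is the one shown in Mike's post; the function names and the restart command passed in by the caller are assumptions.

```shell
#!/bin/sh
# Added example: gate a restart on the exit status of "radiusd -C".
# Assumptions: the default RADIUSD path (taken from the post above) and
# the restart command, which the caller supplies.

RADIUSD="${RADIUSD:-/usr/local/freeradius/sbin/radiusd}"

# check_radius_config [BINARY]
# Returns 0 when "BINARY -C" exits 0, otherwise the failing status.
# Plain -C logs nothing to the terminal, so on failure the check is
# re-run as -XC and the tail of its output (the file[line] error) is
# copied to stderr.
check_radius_config() {
    bin="${1:-$RADIUSD}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "config check: cannot run $bin" >&2
        return 127
    fi

    status=0
    "$bin" -C >/dev/null 2>&1 || status=$?
    [ "$status" -eq 0 ] && return 0

    echo "config check failed (exit status $status):" >&2
    "$bin" -XC 2>&1 | tail -n 5 >&2
    return "$status"
}

# safe_restart BINARY COMMAND [ARGS...]
# Runs COMMAND only if the check passes. Per the thread, -C skips
# IP addresses and ports, so a pass does not prove the listeners can
# bind; confirm the server is answering after the restart.
safe_restart() {
    bin="$1"
    shift
    if check_radius_config "$bin"; then
        "$@"
    else
        echo "not restarting: running server left untouched" >&2
        return 1
    fi
}
```

Call it as `safe_restart "$RADIUSD" <your restart command>`; a failed check leaves the running server in place and shows the last lines of the `-XC` output.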


what is this ?

2009-01-30 Thread Freeradius Mail List

Have some error in freeradius log:

Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0


Can anybody tell me what this is? What is the reason and how do I solve it?
Thx.


Re: what is this ?

2009-01-30 Thread Freeradius Mail List

Freeradius Mail List wrote:

Have some error in freeradius log:

Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0


Can anybody talk what is this ? What is the reason and how to solve ?
Thx.

Sorry. Fixed.
P.S. max_request_time

What Have I missed out?

2008-10-17 Thread Martin MacLeod-Brown
Hi there,
I'm trying to get a basic radius set-up working and could do with
a sanity check as it is not working?

Steps taken so far

1) Default radius install on Ubuntu server (apt-get install freeradius
freeradius-ldap)
2) In radiusd.conf - configure LDAP server properties in the modules
section

ldap {
server = ldap-master.london.edu
identity = cn=NetworkAuth,ou=People,o=london.edu,o=lbs
password = *  
basedn = ou=People,o=london.edu,o=lbs
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
base_filter = (objectclass=radiusprofile)

Uncommented the following line: 

# ldap

File: /etc/freeradius/radiusd.conf - Authentication Section.

Uncommented the following three lines:

# Auth-Type LDAP {
#  ldap
# }

File: /etc/freeradius/users

Find:

DEFAULT Auth-Type = System
Fall-Through = 1

Replace with:

DEFAULT Auth-Type = LDAP
Fall-Through :=1

File: /etc/freeradius/clients.conf

client 127.0.0.1 {
secret = testing123
shortname  = localhost
nastype= other
}

Now when I try to test I get the following error

radclient: no response from server for ID 80
Looking in the radius.log - I get no output at all from a tail -f
command

Putting the server into debug mode I get

[EMAIL PROTECTED]:/etc/freeradius# radiusd -X
The program 'radiusd' can be found in the following packages:
 * radiusd-livingston
 * yardradius
 * xtradius
Try: apt-get install selected package
bash: radiusd: command not found

This is now making me think I have not installed it properly?

Any pointers gratefully received :-)


Thanks

Martin



Martin Macleod-Brown | Infrastructure Engineer - Networks  Security
Infrastructure Team
London Business School | Regent's Park | London NW1 4SA | United Kingdom
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 7772 |
Mobile +44 (0)796 690 7772 | Email [EMAIL PROTECTED]

www.london.edu | London experience. World impact.



Re: What Have I missed out?

2008-10-17 Thread tnt
DEFAULT Auth-Type = LDAP
Fall-Through :=1


Don't do that. You can configure ldap module to set auth type itself.

Putting the server into debug mode I get

[EMAIL PROTECTED]:/etc/freeradius# radiusd -X
The program 'radiusd' can be found in the following packages:
 * radiusd-livingston
 * yardradius
 * xtradius
Try: apt-get install selected package
bash: radiusd: command not found


Find radiusd belonging to freeradius and run it.

Ivan Kalik
Kalik Informatika ISP



Re: What Have I missed out?

2008-10-17 Thread Alan DeKok
Martin MacLeod-Brown wrote:
 File: /etc/freeradius/users
 
 Find:
 
 DEFAULT Auth-Type = System
 Fall-Through = 1
 
 Replace with:
 
 DEFAULT Auth-Type = LDAP

  Don't do that.  Just delete that entry.

 Now when I try to test I get the following error
 
 radclient: no response from server for ID 80
 Looking in the radius.log - I get no output at all from a tail -f
 command

  Because the server isn't running.

 Putting the server into debug mode I get
 
 [EMAIL PROTECTED]:/etc/freeradius# radiusd -X
 The program 'radiusd' can be found in the following packages:
  * radiusd-livingston
  * yardradius
  * xtradius
 Try: apt-get install selected package
 bash: radiusd: command not found
 
 This is now making me thing I have not installed it properly?

  Debian has re-named the server to freeradiusd, or maybe freeradius.

  Alan DeKok.


Re: NTLM_auth active directory - what is wrong?

2008-10-07 Thread Syed Anwarul Hasan
Hi Santiago,

 I would suggest you to first try with radtest to see ntlm_auth BIND AS
USER is working or not.

Have a User entry in Users file with Auth-Type := ntlm_auth
Add *ntlm_auth* in Authenticate section of default and inner-tunnel files in
/sites-enabled directory.

Then if radtest returns NT Success Ok or ntlm_auth is being done by Server.
Then Try for RADIUS requests from actual NAS.

I have done this way as of now to check ntlm_auth Bind.

The Experts can show you more light in your problem.

Regards,
SYED



On Tue, Oct 7, 2008 at 2:36 PM, Santiago Matiz V [EMAIL PROTECTED]wrote:


 Hi all
 I follow the instructions of Alan :

 http://deployingradius.com/documents/configuration/active_directory.html

 to authenticate ntlm_auth with radius but the following message appears:

  WARNING: Unknown value specified for Auth-Type.  Cannot perform requested
 action.
 auth: Failed to validate the user.

 what is wrong?

 Please help.
 Santiago


 FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Sep  3 2008
 at 15:55:02
 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License v2.
 Starting - reading configuration files ...
 including configuration file /usr/local/etc/raddb/radiusd.conf
 including configuration file /usr/local/etc/raddb/proxy.conf
 including configuration file /usr/local/etc/raddb/clients.conf
 including configuration file /usr/local/etc/raddb/snmp.conf
 including configuration file /usr/local/etc/raddb/eap.conf
 including dictionary file /usr/local/etc/raddb/dictionary
 main {
prefix = /usr/local
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/local/lib
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
log_stripped_names = no
 }
  client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
  }
  client 192.100.16.11 {
require_message_authenticator = no
secret = 123
  }
 radiusd:  Loading Realms and Home Servers 
  proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
  }
  home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
  }
  home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
  }
  realm example.com {
auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
  realm DOMAIN.LOC {
authhost = LOCAL
accthost = LOCAL
  }
  realm DOMAIN {
authhost = LOCAL
accthost = LOCAL
  }
 radiusd:  Instantiating modules 
  instantiate {
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  }
 radiusd:  Loading Virtual Servers 
 server {
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_mschap
  Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain:-DOMAIN}
  --username=%{mschap:User-Name}  --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}
  }
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_preprocess
  Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
  Module: Linked to module rlm_realm
  Module: Instantiating realmslash
  realm realmslash {
format = prefix
delimiter = \
ignore_default = no
ignore_null = no
  }
  Module: Instantiating suffix
  realm suffix {
format = suffix
