Freeradius-Users Digest, Vol 26, Issue 52 (Out of Office)

BRETT WEEAST LPPWEEAB at gw.njsp.org
Wed Jun 13 16:03:46 CEST 2007


I will be out of the office from June 15 to June 25, 2007.  If your
request can not wait until my return on June 26, please email
R035 at gw.njsp.org or call 609-882-2000 x.6688.

>>> freeradius-users 06/13/07 09:54 >>>

Send Freeradius-Users mailing list submissions to
	freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
	freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
	freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Re: Problem with WLAN-MAC authentication (Alan Dekok)
   2. Re: Statistics tool? (Alan Dekok)
   3. Re: Problem with WLAN-MAC authentication (tnt at kalik.co.yu)
   4. Re: 2.0.0 documentation for radiusd.conf. (Arran Cudbard-Bell)
   5. Re: 2.0.0 documentation for radiusd.conf. (Alan Dekok)
   6. Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
      (Colleen C. Morrissey)
   7. freeradius-jradius-pam (lisa laam)
   8. DB handles and radius.log errors (Irina)


----------------------------------------------------------------------

Message: 1
Date: Wed, 13 Jun 2007 14:35:33 +0200
From: Alan Dekok <aland at deployingradius.com>
Subject: Re: Problem with WLAN-MAC authentication
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <466FE495.9080402 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Klaus.Albers at wavin.de wrote:
> Here is the output from the debug screen... The authorization process
> as below loops when I switch on the encryption. Without any encryption it
> works quite perfectly.
> 
> Or is it 'not' possible to use mac authentication and WEP/WPA with
> preshared key at the same time?

  That's really up to your AP.

...
> Sending Access-Accept of id 188 to 172.19.0.11 port 1261

  FreeRADIUS is telling the AP that the MAC is OK.  If the AP tries to
authenticate again with the same MAC address, it's broken.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog


------------------------------

Message: 2
Date: Wed, 13 Jun 2007 14:36:39 +0200
From: Alan Dekok <aland at deployingradius.com>
Subject: Re: Statistics tool?
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <466FE4D7.2010304 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Graham Beneke wrote:
> Does anyone know of any system that could be used to remotely monitor
> if a radius server is up?

  radclient?  Send the server a Status-Server request, and it should
respond.  See radiusd.conf for more.

> Something along the lines of radtest and then you would add a
> nasclient line for each testing location and dummy users entry that can be
> queried by the test location.

  That's not needed.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
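
The Status-Server probe Alan describes, worked through as an added example (this is not code from the digest or from the FreeRADIUS project): the client builds a Status-Server packet with the Message-Authenticator that RFC 5997 makes mandatory, a model server silently discards the request when that HMAC fails and otherwise answers Access-Accept, and the client only reports the server as up when the reply's Response Authenticator (and its Message-Authenticator, if one is present) verifies under the shared secret. The secret, identifier and authenticator values are constructed for the offline round trip; `probe()` is the same check over UDP against a real server.

```python
"""Status-Server liveness check, both sides of the exchange (RFC 2865, RFC 2869, RFC 5997).

Added example; not code from the digest or from the FreeRADIUS project.
The secret and identifiers used below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12                  # RADIUS code sent by "radclient ... status"
ACCESS_ACCEPT = 2                   # a live server answers Status-Server with Access-Accept
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def find_message_authenticator(packet: bytes):
    """Return (offset of the 16-byte value, value) of Message-Authenticator, else None."""
    i = HEADER.size
    while i + 2 <= len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            return None                      # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            return i + 2, packet[i + 2:i + 18]
        i += attr_len
    return None


def message_authenticator_ok(secret: bytes, packet: bytes, request_auth: bytes) -> bool:
    """HMAC-MD5 over the packet with the Authenticator field set to the *request*
    authenticator and the Message-Authenticator value zeroed (RFC 2869 section 5.14)."""
    found = find_message_authenticator(packet)
    if found is None:
        return False
    off, value = found
    canon = packet[:4] + request_auth + packet[20:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, canon, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def build_status_server(secret: bytes, ident: int, authenticator: bytes) -> bytes:
    """Client side: a Status-Server carrying a valid Message-Authenticator."""
    header = HEADER.pack(STATUS_SERVER, ident, HEADER.size + 18, authenticator)
    draft = header + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    mac = hmac.new(secret, draft, hashlib.md5).digest()
    return header + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + mac


def server_reply(secret: bytes, request: bytes):
    """Model server: drop a Status-Server whose Message-Authenticator fails (RFC 5997),
    otherwise answer Access-Accept with a Message-Authenticator and Response Authenticator."""
    if len(request) < HEADER.size:
        return None
    code, ident, length, req_auth = HEADER.unpack_from(request)
    if code != STATUS_SERVER or length != len(request):
        return None
    if not message_authenticator_ok(secret, request, req_auth):
        return None
    length = HEADER.size + 18
    draft = (HEADER.pack(ACCESS_ACCEPT, ident, length, req_auth)
             + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16))
    attrs = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + hmac.new(secret, draft, hashlib.md5).digest()
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(draft[:4] + req_auth + attrs + secret).digest()
    return HEADER.pack(ACCESS_ACCEPT, ident, length, resp_auth) + attrs


def reply_ok(secret: bytes, ident: int, request_auth: bytes, reply: bytes) -> bool:
    """Client side: accept the reply only if it matches our request and authenticates."""
    if reply is None or len(reply) < HEADER.size:
        return False
    code, reply_ident, length, resp_auth = HEADER.unpack_from(reply)
    if code != ACCESS_ACCEPT or reply_ident != ident or length != len(reply):
        return False
    attrs = reply[HEADER.size:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    # Message-Authenticator is optional in the reply; when present it must verify too.
    if find_message_authenticator(reply) is not None:
        return message_authenticator_ok(secret, reply, request_auth)
    return True


def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 2.0) -> bool:
    """Send one Status-Server over UDP and report whether an authentic Access-Accept came back."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_status_server(secret, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return reply_ok(secret, ident, authenticator, reply)


if __name__ == "__main__":
    # Offline round trip with a constructed secret, no server needed.
    SECRET, AUTH = b"testing123", bytes(range(16))
    req = build_status_server(SECRET, 7, AUTH)
    print("server answered:", reply_ok(SECRET, 7, AUTH, server_reply(SECRET, req)))
```

A monitoring check built this way fails closed: a reply with the wrong secret, a mismatched identifier or a modified attribute list is reported as "down" rather than trusted, which is the behaviour you want from a probe that a NAS or a monitoring host will act on.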


------------------------------

Message: 3
Date: Wed, 13 Jun 2007 13:49:56 +0100
From: <tnt at kalik.co.yu>
Subject: Re: Problem with WLAN-MAC authentication
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <H17XCPE4.1181738996.7142300.tnt at kalik.co.yu>
Content-Type: text/plain; charset=ISO-8859-2

OK. So your client gets accepted. You will need to look at NAS logs to
see where the connection breaks. Radius is working fine.

Ivan Kalik
Kalik Informatika ISP


On 13/6/2007, "Klaus.Albers at wavin.de" <Klaus.Albers at wavin.de> wrote:

>Here is the output from the debug screen... The authorization process
>as below loops when I switch on the encryption. Without any encryption it
>works quite perfectly.
>
>Or is it 'not' possible to use mac authentication and WEP/WPA with 
>preshared key at the same time?
>
>*NoIdeaWhatHappens*
>
>- - - - - - - - - 
>
>Module: Instantiated detail (reply_log)
>Listening on authentication *:1812
>Listening on accounting *:1813
>Ready to process requests.
>rad_recv: Access-Request packet from host 172.19.0.11:1261, id=188, 
>length=73
>        User-Name = "00-19-d2-2a-61-50"
>        User-Password = 00-19-d2-2a-61-50"
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>radius_xlat: 
>'../var/log/radius/radacct/172.19.0.11/auth-detail-20070613.log'
>rlm_detail: 
>.../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.lo
>g expands to 
>.../var/log/radius/radacct/172.19.0.11/auth-detail-20070613.log
>  modcall[authorize]: module "auth_log" returns ok for request 0
>    rlm_realm: No '@' in User-Name = "00-19-d2-2a-61-50", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>    users: Matched entry 00-19-d2-2a-61-50 at line 3
>  modcall[authorize]: module "files" returns ok for request 0
>rlm_pap: Found existing Auth-Type, not changing it.
>  modcall[authorize]: module "pap" returns noop for request 0
>modcall: leaving group authorize (returns ok) for request 0
>  rad_check_password:  Found Auth-Type Accept
>  rad_check_password: Auth-Type = Accept, accepting the user
>Login OK: [00-19-d2-2a-61-50/00-19-d2-2a-61-50] (from client wlanedv port 0)
>  Processing the post-auth section of radiusd.conf
>modcall: entering group post-auth for request 0
>radius_xlat: 
>'../var/log/radius/radacct/172.19.0.11/reply-detail-20070613.log'
>rlm_detail: 
>.../var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d.l
>og expands to 
>.../var/log/radius/radacct/172.19.0.11/reply-detail-20070613.log
>  modcall[post-auth]: module "reply_log" returns ok for request 0
>modcall: leaving group post-auth (returns ok) for request 0
>Sending Access-Accept of id 188 to 172.19.0.11 port 1261
>Finished request 0
>Going to the next request
>- - - - - - - -
>
>
>
>Wavin GmbH - Registered office: 49767 Twist - Commercial register: AG Osnabrück Abt. B 120003 - Managing directors: Jürgen Frei, Maarten Roef - Chairman of the Supervisory Board: Henk ten Hove



------------------------------

Message: 4
Date: Wed, 13 Jun 2007 13:51:36 +0100
From: Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>
Subject: Re: 2.0.0 documentation for radiusd.conf.
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <466FE858.6040709 at sussex.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

>        switch
>               Evaluate the given string, and choose the first matching "case"
>               statement inside of the current block.  No statement other than
>               "case" can appear in a "switch" block.
> 
>                    switch "string" {
>                         ...
>                    }
> 

These work now ? :D

>        case
>               Define a static string to match a parent "switch" statement.  A
>               "case" statement cannot appear outside of a "switch" block.
> 
>                    case string {
>                         ...
>                    }
> 
>        update
>               Update a particular attribute list, based on the attributes
>               given in the current block.
> 
>                    update <list> {
>                         attribute = value
>                         ...
>                    }
> 
>               The <list> can be one of "request", "reply", "proxy-request",
>               "proxy-reply", or "control".  The "control" list is the list of
>               attributes maintained internally by the server that controls
>               how the server processes the request.  Any attribute that does
>               not go in a packet on the network will generally be placed in
>               the "control" list.
> 

Control instead of config ?


Cool , very nice work :)



------------------------------

Message: 5
Date: Wed, 13 Jun 2007 14:59:00 +0200
From: Alan Dekok <aland at deployingradius.com>
Subject: Re: 2.0.0 documentation for radiusd.conf.
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <466FEA14.7030604 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Arran Cudbard-Bell wrote:
>>        switch

> These work now ? :D

  Yes.  I just added a "default" to the switch statements, too.  See the
updated "man unlang".

> Control instead of config ?

  Yes.  "config" is already used for configuration-file stuff.

> Cool , very nice work :)

  Thanks.  I think it's nearly time for a -pre2.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog


------------------------------

Message: 6
Date: Wed, 13 Jun 2007 09:34:07 -0400
From: "Colleen C. Morrissey" <morric at rpi.edu>
Subject: Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <466FF24F.7090002 at rpi.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Thanks!  I had ldap returning Password-with-Header for GTC deployment 
and then added NT-Password for ms-chapv2.  Commenting out the 
password-with-header for userpassword in ldap.attrmap seems to allow 
both to work.  Which makes my life much easier :)

Alan Dekok wrote:
> Colleen C. Morrissey wrote:
>> My question is can I somehow support both simultaneously with the same
>> freeradius daemon (I know I can simply run a second daemon on different
>> port supporting the other but that will require me to do lots of work on
>> infrastructure/ssids to point to different servers)?  Does anybody
>> happen to have this working and be willing to post config?  Or any other
>> ideas?
> 
>   Yes.  If you configure the server to know about the users clear-text
> password or NT-hashed password, then PEAP/GTC should "just work".
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 



------------------------------

Message: 7
Date: Wed, 13 Jun 2007 15:38:32 +0200
From: "lisa laam" <laam.lisa at gmail.com>
Subject: freeradius-jradius-pam
To: freeradius-users at lists.freeradius.org,
	freeradius-devel-request at lists.freeradius.org
Message-ID:
	<b60805e90706130638q73397eacudc7841f01130c358 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,


I have a trainee.
- I have to write a module which should be able to authenticate users with
username and password concatenated to OTP (One Time Password) rather than
only password.
- This module should be able to authenticate first the user within Active
Directory and then validate the OTP.
- The module that validates the OTP is a Servlet (JAVA module), and I should
call this program from my module to do OTP validation.

- I propose to use Freeradius to integrate this module for remote access.
- For web access I proposed writing a module (PAM module) for an Apache
Server. Your comment?

- The problem is that I have only two months left to implement one of the
two solutions (Apache or Radius) so I should choose rapidly. Which of the
two is easiest to implement?  (note that this is the first time I deal
with Freeradius, PAM, Apache)

My questions are:

2- If I used Freeradius, then what would be easy and rapid to implement:
a PAM module or using JRadius (I tried to install the JRadius patch, but
didn't succeed)?
 Would you recommend JRadius to me (I thought about JRadius because the OTP
validation program is written in JAVA)?

3- About PAM modules, I understand that we could use this independently
from the Freeradius Server. Is this true? Would it be easier and faster to
implement a standalone PAM?

Please, I need your advice. Help me to decide:

- write a PAM for Freeradius, or what module?
- use JRadius with Freeradius, or
- write a PAM for Apache
- standalone PAM?? or
- what?

thanks in advance

Lisa.


------------------------------

Message: 8
Date: Wed, 13 Jun 2007 09:54:12 -0400
From: "Irina" <irina at nas.net>
Subject: DB handles and radius.log errors
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <012f01c7adc2$52838480$0f01010a at netaccess1.nas.net>
Content-Type: text/plain;	charset="iso-8859-1"

First, thanks to Ivan for help with Simultaneous and to Dennis with
indexing.

I am new to radius, please bear with me.  I will try to describe the
problem as much as I can.

I need to ask if anybody has experienced a problem with DB handles.
Here is what we have experienced a couple of times.

Both Cisco NASes talk to 1 radius (there is another radius, but it was
set up on the NASes as a secondary radius).

Many connections drop at the same time on 1 or both NASes and try to
reconnect.  Radius did not get a proper disconnection, therefore sees
many users connected with Stop = 0.  All Simultaneous Logins are set to 1,
so radius checks if users are connected on the NAS.

Below is what I find in radius.log.

Mon Jun 11 14:48:28 2007 : Error: Discarding duplicate request from client aleph:1645 - ID: 95 due to unfinished request 28856
Mon Jun 11 14:48:33 2007 : Error: Discarding duplicate request from client aleph:1645 - ID: 95 due to unfinished request 28856
Mon Jun 11 14:48:33 2007 : Error: Check-TS: timeout waiting for checkrad

Mon Jun 11 14:48:48 2007 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Jun 11 14:48:48 2007 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0

I also see logouts with no Login record:
Mon Jun 11 14:48:52 2007 : Error: rlm_radutmp: Logout for NAS aleph port 1401, but no Login record
Mon Jun 11 14:48:52 2007 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Jun 11 14:48:52 2007 : Error: rlm_radutmp: Logout for NAS aleph port 854, but no Login record

I also see a few of the following for different usernames:
Mon Jun 11 14:50:11 2007 : Error: rlm_sql (sql) in sql_accounting: stop packet with zero session length. [user 'user at nas.net', nas '216.145.96.1']

Then:
Mon Jun 11 14:50:16 2007 : Error: rlm_sql_getvpdata: database query error
Mon Jun 11 14:50:16 2007 : Error: rlm_sql (sql): SQL query error; rejecting user


Also, radius.log has quite a few lines (which may not be related only to
the problem I described above, because I see the following lines in
radius.log constantly, with an empty string instead of a username):

Wed Jun 13 09:39:26 2007 : Error: rlm_radutmp: Logout for NAS heh port 1099, but no Login record
Wed Jun 13 09:39:26 2007 : Error: rlm_sql (sql) in sql_accounting: stop packet with zero session length. [user '', nas '216.145.96.1']


I have increased num_sql_socks to 10.  Is it a reasonable number?  Or
does this not help with this problem, and I need to look more into finding
and fixing it?

And/or is it a NASes problem?


Any suggestion is welcome.  Thank you for your help in advance.

Irina
====================
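
The radius.log lines Irina quotes, run through a small triage script as an added example (not code from the digest or from the FreeRADIUS project). It parses the log's timestamp/level/message layout, classifies each line into one of the error families seen above (duplicate requests, checkrad timeouts, exhausted SQL handles, logouts without a login record, zero-length Stop records, SQL query errors), then looks for bursts of the "no DB handles" condition inside a short window and counts the Stop records that arrived with an empty User-Name. The category names, the 60-second window and the burst threshold are assumptions; SAMPLE_LOG is the log text from the message, kept verbatim including the list archive's " at " address mangling.

```python
"""Triage of FreeRADIUS radius.log lines: classify, count, and spot bursts.

Added example, not code from the digest or from the FreeRADIUS project.
Categories, window and threshold are assumptions; SAMPLE_LOG is copied from the message.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# "Mon Jun 11 14:48:28 2007 : Error: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")

# (category, pattern), tried in order; the first match wins.
PATTERNS = [
    ("duplicate_request",
     re.compile(r"Discarding duplicate request from client (?P<client>\S+) - ID: (?P<id>\d+)")),
    ("checkrad_timeout", re.compile(r"Check-TS: timeout waiting for checkrad")),
    ("no_db_handles",
     re.compile(r"rlm_sql \((?P<instance>\w+)\): There are no DB handles to use!")),
    ("logout_without_login",
     re.compile(r"rlm_radutmp: Logout for NAS (?P<nas>\S+) port (?P<port>\d+), but no Login record")),
    ("zero_length_stop",
     re.compile(r"stop packet with zero session length\. \[user '(?P<user>[^']*)', nas '(?P<nas>[^']+)'\]")),
    ("sql_query_error",
     re.compile(r"rlm_sql_getvpdata: database query error|SQL query error; rejecting user")),
]

# Log text as quoted in the message above (the " at " in the address is the archive's mangling).
SAMPLE_LOG = """\
Mon Jun 11 14:48:28 2007 : Error: Discarding duplicate request from client aleph:1645 - ID: 95 due to unfinished request 28856
Mon Jun 11 14:48:33 2007 : Error: Discarding duplicate request from client aleph:1645 - ID: 95 due to unfinished request 28856
Mon Jun 11 14:48:33 2007 : Error: Check-TS: timeout waiting for checkrad
Mon Jun 11 14:48:48 2007 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Jun 11 14:48:48 2007 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Jun 11 14:48:52 2007 : Error: rlm_radutmp: Logout for NAS aleph port 1401, but no Login record
Mon Jun 11 14:48:52 2007 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Jun 11 14:48:52 2007 : Error: rlm_radutmp: Logout for NAS aleph port 854, but no Login record
Mon Jun 11 14:50:11 2007 : Error: rlm_sql (sql) in sql_accounting: stop packet with zero session length. [user 'user at nas.net', nas '216.145.96.1']
Mon Jun 11 14:50:16 2007 : Error: rlm_sql_getvpdata: database query error
Mon Jun 11 14:50:16 2007 : Error: rlm_sql (sql): SQL query error; rejecting user
Wed Jun 13 09:39:26 2007 : Error: rlm_radutmp: Logout for NAS heh port 1099, but no Login record
Wed Jun 13 09:39:26 2007 : Error: rlm_sql (sql) in sql_accounting: stop packet with zero session length. [user '', nas '216.145.96.1']
"""


def parse_line(line):
    """Split one radius.log line into timestamp, level and a classified message, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(re.sub(r" +", " ", m.group("ts")), "%a %b %d %H:%M:%S %Y")
    category, fields = "other", {}
    for name, pattern in PATTERNS:
        hit = pattern.search(m.group("msg"))
        if hit:
            category, fields = name, hit.groupdict()
            break
    return {"ts": ts, "level": m.group("level"), "category": category, "fields": fields}


def parse_log(text):
    """Parse every recognisable line; unparseable lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(text):
    """How many lines of each category the log contains."""
    return Counter(e["category"] for e in parse_log(text))


def find_bursts(events, category, window=timedelta(seconds=60), threshold=3):
    """(start time, count) for each run of >= threshold events of one category inside window."""
    times = sorted(e["ts"] for e in events if e["category"] == category)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], j - i + 1))
            i = j + 1          # do not report overlapping windows twice
        else:
            i += 1
    return bursts


def empty_user_stops(events):
    """Zero-length Stop records that carried no User-Name at all."""
    return sum(1 for e in events
               if e["category"] == "zero_length_stop" and e["fields"]["user"] == "")


def stops_per_nas(events):
    """Which NAS the zero-length Stop records came from."""
    return Counter(e["fields"]["nas"] for e in events if e["category"] == "zero_length_stop")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(dict(summarize(SAMPLE_LOG)))
    print("DB-handle bursts:", find_bursts(evs, "no_db_handles"))
    print("Stops with empty user:", empty_user_stops(evs), "per NAS:", dict(stops_per_nas(evs)))
```

On the quoted sample the "no DB handles" lines form one burst of three within four seconds, right after the duplicate-request and checkrad-timeout errors; a script like this over a day of radius.log shows whether raising num_sql_socks removed such bursts or merely spaced them out, and whether the empty-username Stop records come from one NAS only.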



------------------------------

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 26, Issue 52
************************************************


