Issues with Freeradius crashing after a sighup

Alex Sharaz alex.sharaz at york.ac.uk
Fri Feb 8 18:22:33 CET 2013


| See the changelog for 2.2.0.  The "passwd" module had issues with
|older versions of the server.
|
|You can also reload individual modules.  That will be less likely to
|have issues.  i.e.
|
|$ radmin -e "hup passwd"
|

And from the control-socket code

#
#       Control socket interface.
#
#       HIGHLY experimental!  It should NOT be used in production
#       environments.
#
The servers are in a production environment. I'd really like to try just reloading the passwd module to see if it makes any difference to the server stability, but not to the detriment of any security-type issues.
A

On 8 Feb 2013, at 16:09, freeradius-users-request at lists.freeradius.org wrote:

> Today's Topics:
> 
>   1. Re: Issues with Freeradius crashing after a sighup (Alan DeKok)
>   2. RE: [EAP/TLS] Authenfication through a certificate
>      (vazoumana fofana)
>   3. Re: Session-Timeout anomalies (Bill Isaacs)
>   4. Re: Session-Timeout anomalies (Alan DeKok)
>   5. Any interoperability issues with Aruba and Freeradius
>      (Alex Sharaz)
>   6. Re: MAc-Auth with EAP (Tunde Ogedengbe)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 08 Feb 2013 10:10:05 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Issues with Freeradius crashing after a sighup
> Message-ID: <5115154D.5070804 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Alex Sharaz wrote:
>> Firstly the 2.1 servers
> 
>  <shrug>  Upgrade.
> 
>> password files are updated every 15 mins and are followed by a "service freeradius reload" command to bring them on line. 
> 
>  See the changelog for 2.2.0.  The "passwd" module had issues with
> older versions of the server.
> 
>  You can also reload individual modules.  That will be less likely to
> have issues.  i.e.
> 
> $ radmin -e "hup passwd"
> 
>> Anyone else seen serve crashes on a reload?
> 
>  Unfortunately I've seen this before.  I haven't seen enough
> information to track it down and fix it, though.
> 
>  Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 8 Feb 2013 15:24:53 +0000
> From: vazoumana fofana <zoumlander at hotmail.com>
> To: "freeradius-users at lists.freeradius.org"
> 	<freeradius-users at lists.freeradius.org>
> Subject: RE: [EAP/TLS] Authenfication through a certificate
> Message-ID: <SNT137-W406D40D7E02D3B5D51A487D2050 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> 
> I began setting up the configuration, but I got two problems:
> 
> A client with a good certificate can be authenticated even if they're not in the "users" file.
> I assume it's due to my code. Here it is, under the authenticate section of default:
> 
> Auth-Type eap {
>        eap
>        if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxx\// ) {
>                if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxxxxx\// ) {
>                        ok
>                }
>                else {
>                        fail
>                }
>        }
> }
> It's as if, when the condition is checked, it bypasses the "users" file.
> 
> Maybe I must move these lines under authorize?
> Can anyone confirm it?
> 
> cheers
> 
> 
>> Date: Mon, 4 Feb 2013 10:32:22 -0500
>> From: aland at deployingradius.com
>> To: freeradius-users at lists.freeradius.org
>> Subject: Re: [EAP/TLS] Authenfication through a certificate
>> 
>> vazoumana fofana wrote:
>>> I've got a question about EAP/TLS and authentication for a client
>>> through a certificate.
>>> I succeeded in setting it up. But I notice that FreeRADIUS matches the client
>>> login with the certificate CNAME.
>>> Is it possible to change it in order to match email instead of CNAME?
>> 
>>  Yes.
>> 
>>  Read the eap.conf file, and the raddb/sites-available/default.  This
>> is documented.
>> 
>>  Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 08 Feb 2013 09:35:59 -0600
> From: Bill Isaacs <bill.isaacs at island-wifi.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Session-Timeout anomalies
> Message-ID: <51151B5F.6060208 at island-wifi.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> 
> Ok so the question then is: where the hell is radclient getting the
> notion that the account has 2366393 seconds left?
> 
>>   That is *entirely* the wrong question.  It's why you haven't solved
>> the problem yet.
>> 
>>   Look at the *radius server* debug output.  It's the one sending the
>> Session-Timeout.  You should be able to figure out where the
>> session-timeout is coming from.
>> 
>>> Where is
>>> "Session-Timeout" getting this information? Why is it only doing it on
>>> some accounts and not others?
>>   Look at the debug output.
>> 
>>   Honestly.
>> 
>>   We say this DAILY on this list.  There is no excuse for refusing to do
>> that.
>> 
>> 
> Alan, take a deep breath.  Of course I've looked at the debug output.  
> Note my opening sentence, ol' pardner.  ;)
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 08 Feb 2013 10:50:17 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Session-Timeout anomalies
> Message-ID: <51151EB9.404 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Bill Isaacs wrote:
>> Ok so the question then is: where the hell is radclient getting the
>> notion that the account has 2366393 seconds left?
> 
>  From the RADIUS server.  This isn't magic.  radclient doesn't invent
> attributes in reply packets.  It receives them from the RADIUS server.
> 
>> Alan, take a deep breath.  Of course I've looked at the debug output. 
>> Note my opening sentence, ol' pardner.  ;)
> 
>  Well... your question about "where does radclient get that value from"
> is entirely missing the point.  It gets it from the RADIUS server.  I've
> said this.  I have no idea how to convince you it's true.
> 
>  And the *only* way to debug the RADIUS server is to look at the debug
> output.
> 
>  And no, your original message did *not* say you had run the server in
> debugging mode.  There's only a reference to creating an account for
> debugging purposes.  There's no "radiusd -X" output.
> 
>  My frustration here is that the documentation and my messages cannot
> possibly be any more clear.  Yet you're wandering around doing
> everything *but* what the documentation says, and then wondering why I'm
> getting annoyed.
> 
>  Run the server in debugging mode.  Really.  Do it.  I mean it.
> 
>  If you want to track down the issue to a specific module, update the
> config to do:
> 
> 	update reply {
> 		Reply-Message += "A %{reply:Session-Timeout}"
> 	}
> 
>  Cut & paste that through various pieces of authorize, post-auth, etc.
> Change the "A" to "B", "C", etc.  You should see 10-20 Reply-Messages
> in the Access-Accept.  Each with a value for Session-Timeout.  That lets
> you track *what* the value is, and *where* in the config the value is
> coming from.
> 
>  Then once you know it's a particular module, you can figure out how to
> fix that module.
> 
>  Right now, you're staring at the radclient output, wondering why the
> server isn't working.  That's a mistake.
> 
>  Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Fri, 8 Feb 2013 16:08:22 +0000
> From: Alex Sharaz <alex.sharaz at york.ac.uk>
> To: "freeradius-users at lists.freeradius.org"
> 	<freeradius-users at lists.freeradius.org>
> Subject: Any interoperability issues with Aruba and Freeradius
> Message-ID: <33B79501-6775-4442-B14E-DA574F637459 at york.ac.uk>
> Content-Type: text/plain; charset=us-ascii
> 
> Hi All,
> 
> I'm sure the answer to this is nope, but ...
> 
> At a recent Aruba training course in amongst the documentation supplied to us were a couple of presentation slides showing different types of eap authentication against recommended RADIUS servers for use with Aruba equipment (Just to be sure the slide heading said Aruba RADIUS Compatibility). 
> 
> The surprising bit was the fact that there was a "No" against Freeradius/TTLS (MD5, TLS, PEAP, LEAP, FAST all were yes) and a comment that said Freeradius also supports TTLS.
> 
> Now it may well be that the slide is a bit old and just hasn't been updated, but it does beg the question: have any people using Freeradius with Aruba kit experienced any funnies that needed a specific set of "tweaking" for Aruba? I really can't imagine that it would be the case, but just thought I'd check.
> 
> Rgds
> Alex
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Fri, 8 Feb 2013 16:09:34 +0000
> From: Tunde Ogedengbe <tunde at xtracomonline.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: MAc-Auth with EAP
> Message-ID:
> 	<CACXXqacFDThXBDnzPbseQnZv=VYGkQ0PD6OXkXV+Q_S3nKqBgg at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Ok. Can you pls help with procedure for configuring pre-login on Windows
> for 802.1x? Windows is sending packets to RADIUS as
> host/machine-name.domain. I would like to have a dedicated userid/password
> configured on windows for pre-login machine authentication.
> 
> 'Tunde Ogedengbe
> On 8 Feb 2013 13:18, "Phil Mayers" <p.mayers at imperial.ac.uk> wrote:
> 
>> On 08/02/13 12:52, Tunde Ogedengbe wrote:
>> 
>> see from the log that the MAC addresses is checked and OK.  But there is
>>> an [eap] returns reject just after the mac address was successfully
>>> checked.  I guess I need a way to get radius to force an EAP accept
>>> after successful checking of the MAC addresses.
>>> 
>> 
>> This doesn't work. You can't "force accept" of an EAP session. The
>> protocol is challenge/response and must complete correctly at both ends.
>> 
>> Your approach won't work.
>> 
>> Instead, you must configure pre-login 802.1x authentication correctly on the
>> Windows side, either using machine credentials or user creds.
>> 
> 
> ------------------------------
> 
> 
> End of Freeradius-Users Digest, Vol 94, Issue 19
> ************************************************
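
The marker technique Alan DeKok describes in the quoted Message 4 leaves a trail of Reply-Message values in the Access-Accept. The following added example (not code from the thread or from FreeRADIUS) reads that trail and reports between which two markers Session-Timeout was set or changed. The reply text is constructed, and it assumes that an unset attribute expands to an empty string, so the marker letter appears alone.

```python
import re

# Constructed sample: attribute lines as a client might print them for an
# Access-Accept after markers A..D were pasted through the config.
SAMPLE_REPLY = '''\
Received Access-Accept
	Reply-Message = "A "
	Reply-Message = "B "
	Reply-Message = "C 2366393"
	Reply-Message = "D 2366393"
	Session-Timeout = 2366393
'''

# One marker letter, an optional space, then the expanded value (may be empty).
MARKER_RE = re.compile(r'Reply-Message\s*[+:]?=\s*"([A-Z]) ?(\d*)"')


def parse_markers(text):
    """Return [(label, value-or-None), ...] in the order they appear."""
    return [(m.group(1), int(m.group(2)) if m.group(2) else None)
            for m in MARKER_RE.finditer(text)]


def find_changes(markers):
    """List every point where Session-Timeout differs from the previous marker.

    Each entry is (previous_label, label, old_value, new_value); whatever ran
    between those two markers set or altered the value.
    """
    changes = []
    prev_label, prev_value = "start", None
    for label, value in markers:
        if value != prev_value:
            changes.append((prev_label, label, prev_value, value))
        prev_label, prev_value = label, value
    return changes


def report(text):
    """Human-readable summary, one line per change."""
    def show(v):
        return "unset" if v is None else str(v)
    return [f"between {a} and {b}: {show(old)} -> {show(new)}"
            for a, b, old, new in find_changes(parse_markers(text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REPLY)))
```

A value that is set early and overwritten later shows up as two entries, which is the case the thread's "some accounts and not others" symptom suggests checking.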


