I have configured a freeradius proxy (3.0.16) on Ubuntu (4.15.0-47-generic). It receives the radius accounting packets from another radius server running on Ubuntu and writes those to another radius server on running on Fortigate.
Radius Server ---> Proxy Radius Server ---> Fortigate Radius Server
I have configured copy-acct-to-home-server to include the Realm in proxy.conf
proxy.conf ( Realm definition )
home_server myFortigate {
type = acct
ipaddr = <IP address of Fortigate Interface Running Radius>
port = 1813
secret = superSecret
}
home_server_pool myFortigatePool {
type = fail-over
home_server = myFortigate
}
realm myFortigateRealm {
acct_pool = myFortigatePool
nostrip
}
copy-acct-to-home-server entry
preacct {
preprocess
update control {
Proxy-To-Realm := myFortigateRealm
}
suffix
}
After I run the freeradius -X, I also run tcpdump from a new session
tcpdump -ni eth01 port 1812 or port 1813
and get the following log
15:03:40.225570 IP RADIUS_PROXY_IP.56813 > FORTIGATE_INTERFACE_IP.1813: RADIUS, Accounting-Request (4), id: 0x31 length: 371
15:03:40.236155 IP FORTIGATE_INTERFACE_IP.1813 > RADIUS_PROXY_IP.56813: RADIUS, Accounting-Response (5), id: 0x31 length: 27
Which basically shows it is sending the account request to fortigate radius server and receiving the accounting response.
But strangely freeradius -X debug output shows a request time out for the same radius server on Fortigate and it ultimately tags the server as zombie
Starting proxy to home server FORTIGATE_INTERFACE_IP port 1813
(14) Proxying request to home server FORTIGATE_INTERFACE_IP port 1813 timeout 30.000000
Waking up in 0.3 seconds.
(14) Expecting proxy response no later than 29.667200 seconds from now
Waking up in 3.5 seconds.
and Finally it gives up
25) accounting {
(25) [ok] = ok
(25) } # accounting = ok
(25) ERROR: Failed to find live home server: Cancelling proxy
(25) WARNING: No home server selected
(25) Clearing existing &reply: attributes
(25) Found Post-Proxy-Type Fail-Accounting
(25) Post-Proxy-Type sub-section not found. Ignoring.
So the situation is the Radius proxy is sending accounting packets to Fortigate Radius server (could be seen in both freeradius and fortigate logs)
tcpdump shows that Radius proxy is receiving accounting response from the fortigate, but for some reason freeradius process doesn't recognize (or can not read) accounting response. It may be some interoperability issue or I have missed to set some flag. Requesting help from the experts to isolate and rectify the issue.
Related
I am using the docker image of guacamole (oznu/guacamole:amd64). When I try to connect to a RDP host, I get the message "You have been disconnected".
In the configuration, I set the following parameters:
Protocol = RDP
Network/Hostname = ...
Network/Port = 3389
Authentication/Username = ...
Authentication/Password = ...
Authentication/Security mode = any (also tried all the others)
Authentication/Ignore server certificate = Checked
When I look into the logs of the docker container after a failed connection attempt, I see the following error:
17:54:40.256 [http-nio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection "1".
guacd[533]: INFO: Loading keymap "base"
guacd[533]: INFO: Loading keymap "en-us-qwerty"
guacd[533]: INFO: Connected to RDPDR 1.13 as client 0x0002
*** Error in `guacd': munmap_chunk(): invalid pointer: 0x000055d216529840 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f5f2e172bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f5f2e178fc6]
/usr/lib/x86_64-linux-gnu/libwinpr2.so.2(Stream_Free+0x2f)[0x7f5f2974577f]
/usr/lib/x86_64-linux-gnu/libfreerdp2.so.2(+0x7840d)[0x7f5f29d2c40d]
/usr/lib/x86_64-linux-gnu/libfreerdp2.so.2(+0x78a25)[0x7f5f29d2ca25]
/usr/lib/x86_64-linux-gnu/libfreerdp2.so.2(freerdp_channels_check_fds+0x35)[0x7f5f29d2d5f5]
/usr/lib/x86_64-linux-gnu/libfreerdp2.so.2(freerdp_check_event_handles+0x48)[0x7f5f29d2b128]
/usr/local/lib/libguac-client-rdp.so(guac_rdp_client_thread+0x287)[0x7f5f2a01e927]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x74a4)[0x7f5f2f6fb4a4]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f5f2e1ead0f]
======= Memory map: ========
...
The RDP host machine is running Windows 10. I tested it with another machine also running Windows 10.
I also verified:
Other machines can connect to that RDP host using the same hostname, port, username and password as supplied
The host can be pinged from within the docker container
If the credential are not correct I get a different error saying the log in has failed, so the credentials are actually verified by the RDP host
In Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp "UserAuthentication" is 0 and "SecurityLayer" is 1
I expected the RDP connection to work
I'm a novice setting up a server for the first time to implement WebRTC
Linux is using Centos7 and has set up KMS and Coturn.
However, there is one problem.
The client and server are not connected on the screen, so I checked the logs of kms
docker logs --follow kms
0:00:01.206579656 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:90:ServerMethods: Using above 80% of system limits will throw NOT_ENOUGH_RESOURCES exception
0:00:01.206607827 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:109:ServerMethods: System limits: unlimited threads, 32768 files
0:00:01.206902099 1 0x56191aac5010 INFO KurentoWorkerPool WorkerPool.cpp:67:WorkerPool: Worker thread pool size: 2
0:00:01.207158442 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:144:ServerMethods: RPC Request Cache is ENABLED
0:00:01.207351433 1 0x56191aac5010 INFO KurentoWebSocketTransport WebSocketTransport.cpp:187:initWebSocket: WebSocket server (ws://) listening on address '::', port 8888
0:00:01.207411744 1 0x56191aac5010 INFO KurentoWebSocketTransport WebSocketTransport.cpp:88:WebSocketTransport: Secure WebSocket server (wss://) not enabled
0:00:01.208078290 1 0x56191aac5010 INFO KurentoMediaServer main.cpp:259:main: Kurento Media Server started
0:02:29.095818552 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:164:generateDefaultCertificates: Unable to load the RSA certificate from file. Using the default certificate.
0:02:29.284074137 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:174:generateDefaultCertificates: Unable to load the ECDSA certificate from file. Using the default certificate.
0:02:29.290405426 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:110:remove_not_supported_codecs_from_array:<kmswebrtcendpoint0> Removing not supported codec 'AMR/8000'
0:02:29.515589312 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1132:kms_base_rtp_endpoint_start_transport_send:<kmswebrtcendpoint0> Media 'video' has REMB
0:02:29.515721223 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1078:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint0> Creating REMB for session ID 0 (kmswebrtcendpoint0-sess0) and remote video SSRC 3653849939
0:02:29.515746113 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1089:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint0> REMB: Set RTCP min interval to 500 ms
0:02:29.519063004 1 0x7f5064007580 WARN kmswebrtcsession kmswebrtcsession.c:823:kms_webrtc_session_set_stun_server_info:<kmswebrtcsession0> STUN server not configured! NAT traversal requires STUN or TURN
0:02:29.519107324 1 0x7f5064007580 WARN kmswebrtcsession kmswebrtcsession.c:843:kms_webrtc_session_set_relay_info:<kmswebrtcsession0> TURN relay server not configured! NAT traversal requires STUN or TURN
0:02:29.522346434 1 0x7f50700054f0 INFO KurentoWorkerPool WorkerPool.cpp:67:WorkerPool: Worker thread pool size: 2
0:02:40.930306053 1 0x7f5050001630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:110:remove_not_supported_codecs_from_array:<kmswebrtcendpoint1> Removing not supported codec 'AMR/8000'
0:02:40.951376487 1 0x7f5064018b30 INFO basertpendpoint kmsbasertpendpoint.c:1132:kms_base_rtp_endpoint_start_transport_send:<kmswebrtcendpoint1> Media 'video' has REMB
0:02:40.951898082 1 0x7f5064018b30 INFO basertpendpoint kmsbasertpendpoint.c:1078:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint1> Creating REMB for session ID 0 (kmswebrtcendpoint1-sess0) and remote video SSRC 3442416509
"NAT traversal requires STUN or TURN."
I don't know how to solve this part.
This is because the STUN server results from Trickle ICE were also successful.
If you know what I need to do, I'd appreciate it if you could tell me all the actions.
And please let me know if there is anything else I need to fill out!
STUN and TURN
You dont have to have coturn if you are doing local testing. The warning is saying if you want to go outside of your network (out of your router and to the web) you will need a STUN or TURN server.
Docker
Docker doesn't open the port 8888 by itself. You may need to open that port manually. To do this, add this -p 8888:8888 when creating your container.
Or if you are using the Desktop version you can enter it into Host port under the Optional settings when you first run it.
I've looked through the list of possible solutions, but I don't see this problem, here it is.
I had been using smtp for years for my crontab entry to provide status updates via email. Then it quit this week, and I was unable to fix it. Then I saw that it had become orphaned, and the suggestion was to move to msmtp. So I downloaded and installed it on my Ubuntu 18.10 system.
I'm trying to send email to my myaccount#gmail.com account.
It appears that I'm communicating properly with the gmail smtp server, as the debug below show. But it always gets a TLS Timeout.
I also don't understand why I have multiple EHLO entries. My system does not have a DNS domain name, so that I'm not sure what to put here; localhost seems to be working OK. Also, my Thunderbird emailer is working correctly with gmail.
Here's the debug output:
echo "Hello there" | msmtp --debug myaccount#gmail.com >/tmp/msmtpOut.txt
ignoring system configuration file /etc/msmtprc: No such file or directory
loaded user configuration file /home/myhome/.msmtprc
falling back to default account
using account default from /home/myhome/.msmtprc
host = smtp.gmail.com
port = 587
proxy host = (not set)
proxy port = 0
timeout = off
protocol = smtp
domain = localhost
auth = choose
user = myaccount
password = *
passwordeval = (not set)
ntlmdomain = (not set)
tls = on
tls_starttls = on
tls_trust_file = /etc/ssl/certs/ca-certificates.crt
tls_crl_file = (not set)
tls_fingerprint = (not set)
tls_key_file = (not set)
tls_cert_file = (not set)
tls_certcheck = on
tls_min_dh_prime_bits = (not set)
tls_priorities = (not set)
auto_from = off
maildomain = (not set)
from = myaccount#gmail.com
add_missing_from_header = on
dsn_notify = (not set)
dsn_return = (not set)
logfile = (not set)
syslog = (not set)
aliases = (not set)
reading recipients from the command line
<-- 220 smtp.gmail.com ESMTP 4sm116524ywc.22 - gsmtp
--> EHLO localhost
<-- 250-smtp.gmail.com at your service, [71.56.87.81]
<-- 250-SIZE 35882577
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250-ENHANCEDSTATUSCODES
<-- 250-PIPELINING
<-- 250-CHUNKING
<-- 250 SMTPUTF8
--> STARTTLS
<-- 220 2.0.0 Ready to start TLS
TLS certificate information:
Owner:
Common Name: smtp.gmail.com
Organization: Google LLC
Locality: Mountain View
State or Province: California
Country: US
Issuer:
Common Name: Google Internet Authority G3
Organization: Google Trust Services
Country: US
Validity:
Activation time: Tue 21 May 2019 04:48:45 PM EDT
Expiration time: Tue 13 Aug 2019 04:32:00 PM EDT
Fingerprints:
SHA256: C7:78:B6:D6:4E:3E:2B:2F:08:6D:A4:84:E6:1D:87:8E:A1:DF:54:D2:AB:79:AC:A6:BB:50:E5:5D:EC:B4:20:4C
SHA1 (deprecated): 39:C5:E5:40:64:37:17:25:17:7F:E8:BA:20:F4:70:F4:FE:22:70:22
--> EHLO localhost
msmtp: cannot read from TLS connection: the operation timed out
msmtp: could not send mail (account default from /home/myhome/.msmtprc)
Build msmtp using --with-tls=openssl to solve the problem.
As regards as the EHLO command sent twice the RFC3207 states:
The server MUST discard any knowledge
obtained from the client, such as the argument to the EHLO command,
which was not obtained from the TLS negotiation itself. The client
MUST discard any knowledge obtained from the server, such as the list
of SMTP service extensions, which was not obtained from the TLS
negotiation itself. The client SHOULD send an EHLO command as the
first command after a successful TLS negotiation.
So that is the normal behaviour.
I installed FreeRADIUS , Mysql inside docker Container
I exposed ports 1812 , 1813 , 3306 outside .
I imported Database to mysql .
I inserted this rows to databases
INSERT INTO nas VALUES (NULL , '0.0.0.0/0', 'myNAS', 'other', NULL , 'mysecret', NULL , NULL , 'RADIUS Client');
INSERT INTO radcheck (username, attribute, op, value) VALUES ('thisuser', 'User-Password', ':=', 'thispassword');
INSERT INTO radusergroup (username, groupname, priority) VALUES ('thisuser', 'thisgroup', '1');
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('thisgroup', 'Service-Type', ':=', 'Framed-User'), ('thisgroup', 'Framed-Protocol', ':=', 'PPP'), ('thisgroup', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');
and i stopped freeradius ==> service freeradius stop
and iam using debug mode ==> freeradius -X
And when using this Command in another terminal for the same container ==> radtest thisuser thispassword 127.0.0.1 0 mysecret
Output: Server Accepted the request
But When the previous Command in another machine
Server does not see the request and output in the other machine is " No response "
Notes in the IN etc IN freeradius IN radiusd.conf file :
listen {
type = auth
ipaddr = *
port = 0 }
listen {
ipaddr = *
port = 0
type = acct }
How can i fix it ?
Adding the rows to the sql database is insufficient. You need to configure your sql instance in mods-available/sql to match your local database, uncomment read_clients in mods-available/sql, and list the sql module in the instantiate section in radiusd.conf to ensure it's loaded if it's not referenced elsewhere in one of the virtual servers.
After making these changes, restart the server. The SQL module should then read the clients list in on startup. Check the debug output freeradius -X to ensure the SQL module can connect to your database, and read the NAS entries in successfully.
The reason why your local connections work is because there's a client entry included for localhost in the clients.conf file that ships with the server.
I fixed this Issue by expose Ports in UDP Protocol -p 1813:1813/udp -p 1812:1812/udp
We are implementing HDR (High Availability Data Replication) on Windows 2012 R2 Server.
Steps done:
1) Two new Windows 2012 R2 Servers.
IDS 12.10FC8 installed and created the instance manually using Server Instance
Manager.
Server A details:
DBSERVERNAME: hdr_primary
Host Name: winhdr
IP Address: 199.166.155.195
Port Number: 50005
Server B details:
DBSERVERNAME: hdr_secondary
Host Name: winhdr2
IP Address: 199.166.155.196
Port Number: 50005
2) We have only one instance with one database in Server A (Primary).
No database in Server B (Secondary).
3) We have made changes required for HDR in ONCONFIG, Sqlhosts file on both server.
ONCONFIG parameters Server A:
DBSERVERNAME hdr_primary
ROOTPATH C:\IFMXDATA\hdr_primary\rootdbs_dat.000
ROOTSIZE 204800
DRAUTO 0
DRINTERVAL 0
HDR_TXN_SCOPE FULL_SYNC
DRTIMEOUT 30
ONCONFIG parameters Server B:
DBSERVERNAME hdr_primary
ROOTPATH C:\IFMXDATA\hdr_primary\rootdbs_dat.000
ROOTSIZE 204800
DRAUTO 0
DRINTERVAL 0
HDR_TXN_SCOPE FULL_SYNC
DRTIMEOUT 30
SQL hosts at both servers: placed in %INFORMIXDIR%\etc
hdr_secondary onsoctcp winhdr2 hdrsecport
hdr_primary onsoctcp winhdr hdrpriport
host file at both servers: placed in C:\Windows\System32\drivers\etc
199.166.155.195 winhdr
199.166.155.196 winhdr2
winhdr 199.166.155.195
winhdr2 199.166.155.196
host.equvi file # both servers: placed in C:\Windows\System32\drivers\etc
winhdr informix
winhdr2 informix
services file # both servers: placed in C:\Windows\System32\drivers\etc
hdrpriport 50005/tcp #hdr_primary
hdrsecport 50005/tcp #hdr_secondary
4) After all configuration setting has done we have take ontape backup at
Server A.
Server A status: On-Line
ontape -s -L 0
5) Moved the L0 backup to server B and restored with ontape. Cold restore.
ontape -p
Server B status: Fast Recovery
6) On Server A we had run the below command:
onmode -d primary hdr_secondary
Server A status: On-Line(Prim)
7) On Server B we had run the below command:
onmode -d secondary hdr_primary**
Server B status: Fast Recovery(sec).
Till here we have done.
From here we are facing an issue.
The output at server B of onstat -g dri:
Data Replication at 0000000080CEC030:
Type---------------State-------- Paired server -----------Last DR CKPT (id/pg)
Supports Proxy Writes
HDR Secondary off hdr_primary -1 / -1 N
DRINTERVAL 0
DRTIMEOUT 30
DRAUTO 0
DRLOSTFOUND C:\PROGRA~1\IBMINF~1\etc\dr.lostfound
DRIDXAUTO 1
ENCRYPT_HDR 0
Backlog 0
Nothing Sent
Nothing Received
No Pings
Last log page applied(log id,page): 0,0
Issue: Primary and Secondary are not Paired.
Error in Online log is:
Server A
DR: Trying to connect to secondary server = hdr_secondary
DR: Cannot connect to secondary server
DR: Turned off on primary server
Server B
DR: Trying to connect to primary server = hdr_primary
DR: Cannot connect to primary server
DR: Turned off on secondary server
A good practice to test communication between the two servers, is opening dbaccess -> connect -> and choose the remote server alias.
If you cannot connect through dbaccess, you have a network/communication issue that must be investigated. Open a PMR with IBM support.
Make sure your UPDATABLE_SECONDARY onconfig is set to 0, if you don't have licensed your secondary instance as a read/write, just in case.