FreeRADIUS is TRWTF



  • Among the Easter Eggs I discovered with FreeRADIUS today...

    The upgrade notes for 2.2.x to 3.0.x have multiple different sections that deal with what things need to change for rlm_sql queries. Naturally, the big important one (how the accounting queries need to be changed) is the last section, and is under a sql/dialup.conf header. Granted, the old default query file was named that, but still...

    The change to the aforementioned accounting queries is in itself quite the WTF...

    Before:

    accounting_on_query = "INSERT INTO ${accounting_table} ... "
    accounting_off_query = "INSERT INTO ${accounting_table2} ... "
    

    After:

    accounting {
        # ${...} is expanded from the config file at load time; %{...} is expanded per request
        reference = "%{tolower:type.%{Acct-Status-Type}.query}"
        type {
            accounting-on {
                query = "INSERT INTO ${....accounting_table} ... "
            }
            accounting-off {
                query = "INSERT INTO ${....accounting_table2} ..."
            }
        }
    }
    

    For more fun... when you're running the server in 2.2.x, your standard pattern for defining "clients" (the switches or whatever on your network that will be making RADIUS requests) probably looked something like:

    client A.B.C.D {
        secret = myclientpassword
        name = my-logging-based-reasons-name
        etc...
    }
    

    Wherein A.B.C.D was the source IP (or network range) that your client(s) would be connecting from -- for logging purposes, you'd usually define each client with separate IPs and a unique name. As of 3.0.4 (and presumably earlier 3.0.x versions), you get a warning on startup that inferring the IP from the client definition is deprecated and you need to add ipv4addr= or ipv6addr= to your configuration file. So, naturally, with 3.0.5, they completely broke it unless you have those directives; there's no note in the 3.0.5 update notes indicating that this deprecation has been finalized (and hey, who doesn't expect bug-fix point releases to go ahead and clean up earlier deprecations?)

    The king of today's WTFs though... without me making any changes in my ODBC connection setup, the SQL server itself, or the queries that FreeRADIUS is using for authorization & accounting... upgrading to 3.0.5 completely broke the authorization queries. Resulting in only the nice, verbose error message: "SQL query error getting check attributes".

    So, after about 45 minutes of fighting that (and finally noticing what was causing my accounting queries to not work, which was basically the underlying driver behind me test piloting 3.0.5 to begin with), I rolled back to 3.0.4. Which, of course, wouldn't start, because 3.0.5 had replaced the stock dictionary files with some updates that included new-to-3.0.5 keywords. And re-installing 3.0.4 didn't re-install the 3.0.4 stock dictionary files for reasons.

    About to the point where I'd like to meet a FreeRADIUS dev just so I could punch him in the face....
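
The client-definition change described in the post above can be checked for before an upgrade. The following is an added example, not part of the original post and not FreeRADIUS code: a small Python check that lists `client` blocks which still rely on the block name for their address. The sample configuration, the function names and the suggested lines are constructed for illustration, and `ipaddr` is accepted alongside the two directives the post names.

```python
import ipaddress
import re

# Constructed sample in the 2.2.x style from the post (documentation-range
# addresses, made-up names and secrets).
SAMPLE_CLIENTS_CONF = """
client 192.0.2.10 {
    secret = examplesecret1
    shortname = switch-a
}
client 198.51.100.0/24 {
    secret = examplesecret2   # trailing comment
}
client 2001:db8::1 {
    secret = examplesecret3
}
client core-router {
    ipv4addr = 203.0.113.5
    secret = examplesecret4
}
client nas.example.org {
    secret = examplesecret5
    limit {
        max_connections = 16
    }
}
"""

ADDRESS_DIRECTIVES = {"ipaddr", "ipv4addr", "ipv6addr"}
CLIENT_OPEN = re.compile(r"^client\s+(\S+)\s*\{$")
DIRECTIVE = re.compile(r"^([A-Za-z0-9_-]+)\s*=")


def suggest_directive(name):
    """Return the explicit directive implied by an address-style block name."""
    try:
        net = ipaddress.ip_network(name, strict=False)
    except ValueError:
        return None  # hostname or label: needs a manual decision
    return f"{'ipv4addr' if net.version == 4 else 'ipv6addr'} = {name}"


def find_implicit_clients(conf_text):
    """Return (line_no, name, suggestion) for clients lacking an address directive."""
    findings, depth, current = [], 0, None  # current = [line_no, name, has_addr]
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # naive: assumes no '#' inside values
        if not line:
            continue
        opened = CLIENT_OPEN.match(line)
        if depth == 0 and opened:
            current, depth = [line_no, opened.group(1), False], 1
        elif line.endswith("{"):
            depth += 1  # nested section such as limit { ... }
        elif line == "}":
            depth -= 1
            if depth == 0 and current:
                if not current[2]:
                    findings.append((current[0], current[1], suggest_directive(current[1])))
                current = None
        else:
            found = DIRECTIVE.match(line)
            if current and depth == 1 and found and found.group(1) in ADDRESS_DIRECTIVES:
                current[2] = True
    return findings


if __name__ == "__main__":
    for line_no, name, fix in find_implicit_clients(SAMPLE_CLIENTS_CONF):
        print(f"line {line_no}: client {name}: add {fix or 'an explicit ipv4addr/ipv6addr'}")
```

Blocks named with a hostname or label are reported with no suggestion, since the address family has to be chosen by hand.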


  • FoxDev

    @izzion said:

    sock dictionary

    Would that be the Dictionary According to SockBot?



  • @izzion said:

    FreeRADIUS

    If you guys want to do some research on what FreeRADIUS is, you can Google their name and you get:

    The FreeRADIUS Project

    FreeRADIUS includes a RADIUS server, a BSD licensed client library, a PAM library, and an Apache module. In most cases, the word FreeRADIUS refers to the RADIUS server.

    FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. It is also widely used in the academic community, including eduroam. The server is fast, feature-rich, modular, and scalable.

    That is so helpful. Only an idiot doesn't know what a RADIUS server is!

    (Is there a single open source project that tells you WHAT THE FUCK IT DOES on their homepage in less than 50,000 words? Jesus.)

    EDIT: oh but don't worry, they explain it in their wiki:

    The FreeRADIUS Server is a daemon for unix and unix like operating systems which allows one to set up a radius protocol server, which can be used for Authentication and Accounting various types of network access.

    SO HELPFUL.


  • FoxDev

    radiusd - Authentication, Authorization and Accounting server  
    

    still no idea what the thing is but i have more words....

    EDIT: too slow. blakey has even more words.



  • Well obviously it's a daemon for unix and unix like (no dash) operating systems which allows one to set up a radius protocol server. DUH!

    After reading like 2,500 words and still having no clue what it actually does, I'm starting to think the guy who wrote the software doesn't even know what it does. Haha. I give up.



  • @blakeyrat said:

    That is so helpful. Only an idiot doesn't know what a RADIUS server is!

    Well, among the target audience for FreeRADIUS (people who run things that need RADIUS -- aka ISPs), it is pretty much the only free as in (watered down, smelly) beer solution.

    So, it's not like the people who are actively looking for the product need an explanation of what it does. But yes, I agree with the sentiment.



  • @izzion said:

    RADIUS

    As far as I can tell, not ONCE on the homepage or wiki (which includes the MAN page, BTW) does this page even spell out what the RADIUS acronym stands for. You, in like 6 words and one HTML tag, are more useful by far than 10,000 words of that website.

    I know people are all like, "well open source projects aren't good at marketing." Well fair enough, but this isn't even fucking marketing, this is basic shit. Extremely basic, "what the hell is this webpage even about?" shit. I can only imagine rain man wrote this webpage.



  • The TL;DR of what it does -- it allows you to perform access control and usage monitoring for devices (or individual users, like at a wireless hotspot) on your network. The "clients" are switches (or wireless access points, or hotspot controllers) who then make a request and the RADIUS server relies on some back end -- generally either a flat file or some sort of database (or another RADIUS server) -- to authenticate & authorize the user, and then to record accounting data regarding usage.

    The protocol was first used on a large scale for dial-up user logins. Hence the somewhat tortured acronym. Nowadays an end user will most commonly run into it at a Wi-Fi hotspot, but it can also be used as an interpretation layer between supported devices and, say, your Active Directory (or other LDAP provider) infrastructure to enable SSO.



  • Well it's all open source-y, you should get on their mailing list (because they're using a 1987-esque mailing list, natch) and say, "hey guys, maybe just an idea here, but maybe not have rain man write the homepage? thanx."



  • I think it can be a reasonable decision to focus your copy writing on "technical" users who are already going to have a certain background understanding of terms. I wouldn't necessarily expect Intel to spell out what a CPU does on the ark.intel.com portion of their web page that contains technical information about their CPUs -- the page is obviously targeted at the technical user who is evaluating which CPU to put in their new gaming rig.

    While I would agree with the sentiment that most open source projects could withstand having better documentation (and documentation that is targeted at a lower level user), they're not exactly wrong to assume that the target user for RedHat or CentOS is more technical than $retirementHomeResident.

    @blakeyrat said:

    Well it's all open source-y, you should get on their mailing list (because they're using a 1987-esque mailing list, natch) and say, "hey guys, maybe just an idea here, but maybe not have rain man write the homepage? thanx."

    To which they'll reply "PR accepted" :P



  • It's the opposite extreme from "We provide industry-leading solutions to create exceptional value in the cloud."



  • @izzion said:

    I think it can be a reasonable decision to focus your copy writing on "technical" users who are already going to have a certain background understanding of terms. I wouldn't necessarily expect Intel to spell out what a CPU does on the ark.intel.com portion of their web page that contains technical information about their CPUs -- the page is obviously targeted at the technical user who is evaluating which CPU to put in their new gaming rig.

    Right; but that's not the homepage, which is exactly my point.

    Even if the page had a big-ass header that says, "if you're not an ISP, this page is not for you" it would be more helpful than it is. Right now, it invites people to read the content and try to figure out what the page is for, but at the same time does not provide nearly enough information to determine what the page is for.

    It's basically just wasting the time of everybody who visits. A total dick move.

    @izzion said:

    While I would agree with the sentiment that most open source projects could withstand having better documentation (and documentation that is targeted at a lower level user),

    Again: we're not talking about documentation, we're talking about their home page.

    EDIT: of course decent documentation would spell-out its acronyms on first-use.

    @hungrier said:

    It's the opposite extreme from "We provide industry-leading solutions to create exceptional value in the cloud."

    I think I'd actually rather have the meaningless buzzwords than the opening paragraph studded with 48,000 acronyms that are never even expanded, much less explained.


  • FoxDev

    @blakeyrat said:

    If you guys want to do some research on what FreeRADIUS is, you can Google their name

    Or you can go to Wikipedia, where the first six words of the article explain what RADIOUS is:

    And fuxck it, I'm leaving the speellliung mistake in there.

    And those ones too.



  • No it don't:

    You had the foreknowledge to know that "RADIUS" is a separate thing from FreeRADIUS, and you knew to look up the correct thing. I did not. You looked up something not mentioned in the post I was trying to make sense of, using psychic powers. (Or, more likely, you've been exposed to it before and I have not.)

    However, to be fair to Wikipedia, unlike FreeRADIUS' homepage, their word "RADIUS" is linked to the page you oneboxed in your post.

    EDIT: BTW I have a special "love" for people who tell me to get my answers by Googling it, but then they themselves only got the answer by Googling something completely different than the thing we were talking about.



  • Can we have a censor that replaces arbitrary common words with ALL CAPS YELLING versions of them?


  • FoxDev

    @blakeyrat said:

    I have a special "love" for people who tell me to get my answers by Googling it, but then they themselves only got the answer by Googling something completely different than the thing we were talking about.

    I went straight to Wikipedia, skipping Google entirely. And I like how RADIUS is completely different from the thing it implements; that's like saying my avatar is completely different to both pink and a hedgehog 😆


  • I survived the hour long Uno hand

    I don't know where you guys keep finding these terrible webpages... if I can't figure out what a thing is for in five minutes, I won't use it.

    Better copy:

    Esprima is a high performance, standard-compliant ECMAScript parser written in ECMAScript (also popularly known as JavaScript).

    Even better:

    Chart.js
    Simple, clean and engaging charts for designers and developers

    What does it do? It makes charts. In javascript. So we'll call it chart dot js. Done.

    Meanwhile I'm still trying to explain to my business-type coworkers what Gherkin means.



  • It's a building.

    Edit: Gah, this is too damn hard on a phone


  • FoxDev

    @Yamikuronue said:

    Meanwhile I'm still trying to explain to my business-type coworkers what Gherkin means.

    Isn't it obvious? It's a lightbulb!
    Gherkin lightbulb & lasagnepod – 01:37
    — Rosie Mason


    [size=8]Shagging horses is entirely optional.[/size]


  • Discourse touched me in a no-no place

    @Yamikuronue said:

    Gherkin means.

    It means it's got such a stupid and obviously-mockable name nobody should use it.

    "Hey, have you installed [dick joke here] yet?"



  • The page says "free RADIUS server" and you can't guess that you may need to know something about what RADIUS is for FreeRADIUS to be useful to you? I know I've said this before, but communication assumes a certain base level of knowledge. You don't have that knowledge. You're not the audience. Educate yourself using tools like Google and Wikipedia or just move on. Not knowing anything about RADIUS, free or not, really won't ruin your life.

    @Yamikuronue said:

    Esprima is a high performance, standard-compliant ECMAScript parser written in ECMAScript (also popularly known as JavaScript).

    Fuck, how do I quote a quote?

    This copy assumes knowledge of what ECMAScript or JavaScript are. Blakey says "What the fuck is JavaScript? I know I hate Java, should I hate JavaScript too? Why won't they tell me what this is???".

    Also what do words like performance and standard-compliant mean?

    @Yamikuronue said:

    Chart.js
    Simple, clean and engaging charts for designers and developers

    What's a chart? Who's a designer or developer? Is that me? Am I the audience?



  • OH NOES EVERYBODY MOCK THE BLAKEYRAT

    while ignoring that that is, any blind idiot can see, a fucking terrible website.





  • I didn't even look at the website. It may be terrible. But you haven't shown that, you've just ranted about how reading about stuff you don't know anything about is hard without the background information. Well, yes. That's how knowledge and understanding work.

    Fortunately, you have at your fingertips various tools for accessing the greatest repository of knowledge ever created. We live in exciting times.


  • Discourse touched me in a no-no place

    @another_sam said:

    Fortunately, you have at your fingertips various tools for accessing the greatest repository of knowledge ever created.

    It's too bad he's got flippers or tentacles or something. That must be why he can't look this shit up for himself.


  • Garbage Person

    I was at an IT security con (probably Defcon) about... Oh, almost a decade ago now.

    Attended a panel that was essentially Random Fairly Influential Dude in the field of wireless security research ranting about things that personally irritate him. Might have been one of the dudes who pioneered rainbow tables, don't really remember. One item is paraphrased below.

    "So we've known for a few years that WEP is just straight up fucking broken, and we recently found out that WPA Pre-shared-key can be broken in a couple of minutes, but WPA supports an enterprise configuration with a RADIUS server that actually is still good. Every single access point down to bargain bin consumer stuff has a setting to use it and everything. Managing shared keys sucks anyway, so why not set up a FreeRADIUS server and use real authentication. I mean, why is this not built into access points!? So, I decided to try it. Who here has thought about trying it? [most of room] Who's actually tried it? [a respectable number] How many of you guys succeeded? [nobody] Well, you're not alone. I didn't either. I spent four god damned days trying to set up FreeRADIUS, and I'm pretty sure it's technically possible, but the documentation is just missing."

    I see the situation has not really improved. I presume, however, that somebody wrote a "FreeRADIUS and wifi!" tutorial at some point over the intervening decade, because we're talking about it and I doubt you're working dialup.



  • @another_sam said:

    Educate yourself using tools like Google and Wikipedia

    You can lead a horse to water, but you can't make it stop whinnying "what the fuck is WATER!!?!eleven"


  • Discourse touched me in a no-no place

    @ben_lubar said:

    Can we have a censor that replaces arbitrary common words with ALL CAPS YELLING versions of them?

    Petition the DiscoDevs for one? The current censor doesn't seem to cut it...


  • kills Dumbledore

    That man page is brilliant:

    Always run the server in debugging mode ( radiusd -X ). We cannot emphasize this enough. If you are not running the server in debugging mode, you will not be able to see what is doing, and you will not be able to correct any problems.

     

    If you begin by making large changes to the server configuration, it will never work, and you will never be able to debug it.

     

    Due to the complexities involved in almost starting a RADIUS server, these checks are necessarily incomplete





  • Well, we're not using it with WiFi, but rather with Mikrotik Hotspot/DHCP/APs (so, I guess the wireless access portion of it could be considered WiFi).

    But yeah, setting up FreeRADIUS is like having your teeth pulled while being subjected to a blakeyrant at max volume and having someone drill into your feet. Or something.



  • @izzion said:

    About to the point where I'd like to meet a FreeRADIUS dev just so I could punch him in the face....

    I can lend you a meme-ish GAU-8 if you need one... You'll need to find some TARDIS trousers to carry it around, though.



  • @Yamikuronue said:

    Better copy:

    Esprima is a high performance, standard-compliant ECMAScript parser written in ECMAScript (also popularly known as JavaScript).

    That sounds incestuous.


  • Fake News

    @izzion said:

    Easter Eggs

    The more technically correct term would be "Easter Effs".



  • Ehhhh. I think of it more like those dyed (real, hard boiled) eggs that have sat out there since Easter 1999, and now have a bit of a unique aroma to go along with the joyous color scheme and overall "goodness".



  • And on a separate but tangentially related note... while I think most of us have some "good" experiences with open source documentation (if it can even be called that), it's hard to top the documentation that exists for various open source projects that have LDAP plugins. Especially when it comes down to the directives for how to get said plugin to bind to the most common LDAP server in the history of ever (aka: M■■■■soft AD).

    I present without further comment, my candidate for worst of the worst documentation:

    and http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/AD_Configuration_Examples.


  • Discourse touched me in a no-no place

    I thought that all documentation for LDAP usage was always incomplete and confusing. Is there something somewhere that actually says what is going on in a comprehensible way?



  • As an off-the-top-of-my-head example, the LDAP configuration for Cacti doesn't completely suck. Of course, it probably helps that they're a web app and thus have accepted that not all configuration should occur in the depths of a murky text file (though the config options from the admin page wind up getting written out to a murky text file, but as long as I don't have to put the hip waders on and mess with the file directly, I'm happy).

    But man, MediaWiki really goes above and beyond to hit the trifecta of sucky-configuration-that-only-an-enthusiast-could-love (or the original coder).


  • Discourse touched me in a no-no place

    @izzion said:

    But man, MediaWiki really goes above and beyond to hit the trifecta of sucky-configuration-that-only-an-enthusiast-could-love (or the original coder).

    The combination of Maven, Jenkins and Artifactory gets pretty awful too. There are things in there that are just fundamentally not explained anywhere at all, and some parts of the configuration can only be changed by editing XML.



  • @dkf said:

    some parts of the configuration can only be changed by editing XML

    I am completely convinced that only a designer who has never once in their entire miserable existence enjoyed dealing with a well-designed, well-documented config file could ever choose to force a user to hand-edit XML.

    If a worse format for hand-editable config files than XML exists, I remain unaware of it.


  • FoxDev

    @flabdablet said:

    If a worse format for hand-editable config files than XML exists, I remain unaware of it.

    BSON

    technically hand editable, but you're gonna need a hex editor to do it properly.


  • Banned

    @accalia said:

    BSON

    Isn't it essentially zipped JSON?


  • FoxDev

    @Gaska said:

    Isn't it essentially zipped JSON?

    In about the same way as a potato is 😛



  • @accalia said:

    technically hand editable

    By that definition, so are Windows registry hive files.


  • FoxDev

    no, but from a 20km view it could be thought as roughly that.

    It isn't, but that's a convenient metaphor for what it is if we're not planning on looking any deeper than the acronym.

    ;-)


  • FoxDev

    @flabdablet said:

    By that definition, so are Windows registry hive files.

    of course! using RegEdit is cheating! :-P


  • Banned

    Just to clarify:
    JSON is text format, and you can use it to exchange data. It needs to be parsed to be useful for the application, though. ZIP allows for size compression of text data, making JSON smaller. But now to use the data you need to first convert zipped JSON to regular JSON, then from regular JSON to your app's internal format. Having this in mind, is BSON more like ZIP (reading is like BSON->JSON->app), or is it more like a preparsed JSON that's easier for application to digest (but still can't be used as is)?


  • FoxDev

    @flabdablet said:

    By that definition, so are [s]Windows registry hive[/s] files.

    FTFY

    Though how many of those you'd want to hand-edit is another thing entirely...


  • FoxDev

    @Gaska said:

    Just to clarify:
    JSON is text format, and you can use it to exchange data. It needs to be parsed to be useful for the application, though. ZIP allows for size compression of text data, making JSON smaller. But now to use the data you need to first convert zipped JSON to regular JSON, then from regular JSON to your app's internal format. Having this in mind, is BSON more like ZIP (reading is like BSON->JSON->app), or is it more like a preparsed JSON that's easier for application to digest (but still can't be used as is)?

    You could always go to the BSON site that @accalia linked to and find out 😛


  • Banned

    @RaceProUK said:

    You could always go to the BSON site that @accalia linked to and find out

    Oh, right. Let's see...

    BSON blah blah blah binary-encoded serialization of JSON-like documents blah blah blah BSON can be compared to blah blah blah Protocol Buffers. BSON is more "schema-less" blah blah blah flexibility but also a slight disadvantage in space efficiency (BSON has overhead for field names within the serialized data).

    Sounds like kind of very poor ZIP implementation without space nor time efficiency in mind. Definitely not easier to parse than JSON (not counting having numbers as numbers, not text, because one atoi() call less isn't significant enough improvement).

