Yes Ivan, I apologize for pasting an incomplete image command from my test machine.
---
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438

> -----Original Message-----
Date: Fri, 12 Oct 2007 15:26:50 +0100
From: <[EMAIL PROTECTED]>
Subject: RE: Freeradius-Users Digest, Vol 30, Issue 48
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2

>> > DEFAULT Freeradius-Proxied-To == 127.0.0.1
>> >         Fall-Through = Yes
>>
>> That entry does nothing.

>I agree it does nothing for authentication, but this will be part of
>the solution to get accounting records based on the inner identity and
>not the outer with TTLS
>
>Has something changed in recent code that makes this unnecessary?
>

No. You probably want:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name = `%{User-Name}`

Ivan Kalik
Kalik Informatika ISP

> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of freeradius-users-
> [EMAIL PROTECTED]
> Sent: Friday, October 12, 2007 12:34 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 30, Issue 51
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 12 Oct 2007 16:23:33 +0200
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: Freeradius-Users Digest, Vol 30, Issue 48
> To: FreeRadius users mailing list
>     <freeradius-users@lists.freeradius.org>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Reynolds, Walter wrote:
> ...
> >>> DEFAULT Freeradius-Proxied-To == 127.0.0.1
> >>>         Fall-Through = Yes
> >> That entry does nothing.
> > I agree it does nothing for authentication, but this will be part of
> > the solution to get accounting records based on the inner identity and
> > not the outer with TTLS
>
>   I don't see why.
>
> > http://www.mail-archive.com/freeradius-[EMAIL PROTECTED]/msg02045.html
>
>   Which doesn't mention an entry like the one quoted above.
>
> > Has something changed in recent code that makes this unnecessary?
>
>   I would first like to know why that entry does anything. It certainly
> doesn't set the User-Name. So it doesn't have anything to do with
> fixing the anonymous accounting issue.
>
>   Alan DeKok.
>
> ------------------------------
>
> Message: 3
> Date: Fri, 12 Oct 2007 16:51:49 +0200
> From: "Tomasz Zieleniewski" <[EMAIL PROTECTED]>
> Subject: Re: rlm_realm doesn't strip the username
> To: freeradius-users@lists.freeradius.org
> Cc: [EMAIL PROTECTED]
> Message-ID:
>     <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thank you Alan
>
> I updated to 2.0.0-pre2. But now I have some errors and I can't check
> again:)
> Now when my NAS sends the Accounting request or I try to run 'radtest'
> tool, the verification fails.
> I didn't change anything in the configuration and in the database. I
> have the same NAS configuration.
> I get the following error in the debug mode:
>
> Ignoring request to authentication address * 1812 from unknown client
> 127.0.0.1 port 37391
>
> Please point me what do I missed:)
>
> Best regards
> tomasz
>
> Tomasz Zieleniewski wrote:
> > > I am using radius version 2.0.0-pre0.
> > > I have the following problem that when I receive the Accounting-Request
> > > with the username whose domain part is not checked with any of my realm
> > > defined in the proxy.conf file. The username is not stripped.
> > > I use the suffix rule for domain: '[EMAIL PROTECTED]" in my realm module
> > > and I invoke it in preacct in radiusd.conf.
> > > I have the DEFAULT realm defined and it doesn't have the nostrip option
> > > activated.
> > > So I think when there is no domain match the username should also be
> > > stripped??
> >
> > Likely, yes. What does debug mode say?
> >
> > You could also try running CVS head, which has a number of fixes over
> > 2.0-pre0.
> >
> > Alan DeKok.
> >
> > ------------------------------
> >
> > Message: 10
> > Date: Fri, 12 Oct 2007 10:16:43 -0300
> > From: "Sergio Belkin" <[EMAIL PROTECTED]>
> > Subject: Re: TLS fatal access_denied
> > To: "FreeRadius users mailing list"
> >     <freeradius-users@lists.freeradius.org>
> > Message-ID:
> >     <[EMAIL PROTECTED]>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > 2007/10/11, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> > > How sure are you that you are using EAP-TTLS?
> > >
> > > > rlm_eap: EAP NAK
> > > > rlm_eap: EAP-NAK asked for EAP-Type/peap <==
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> >
> > I am pretty sure because I have default_eap_type = ttls. I've just
> > fixed, it was a problem of certificates...
> >
> > thanks-
> >
> > --
> > --
> > Sergio Belkin -
>
> ------------------------------
>
> Message: 4
> Date: Fri, 12 Oct 2007 16:01:19 +0100
> From: [EMAIL PROTECTED]
> Subject: Re: FATAL: Thread create failed: Cannot allocate memory
> To: FreeRadius users mailing list
>     <freeradius-users@lists.freeradius.org>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > We had one of our MAC-auth radius server instances hang up with this
> > error at about 0200 this morning.
> >
> > That server receives pretty heavy load, and it's bursty, so we see this
> > a couple of times a day:
> >
> > The maximum number of threads (32) are active, cannot spawn new thread
> > to handle request
> >
> > ...but it does not cause problems. An inability to create a new thread
> > is an entirely different matter though; it implies <max threads are
> > running, the server tried to create a new one, and the OS couldn't
> > allocate a thread.
> >
> > Any ideas how to resolve this? Version is FreeRadius 1.1.6 (only reason
> > we haven't upgraded is change control, it's due shortly)
>
> we recently had a similar issue after migrating to using FR for VMPS
> handling. the system may deal with many hundreds of requests per second
> as with VMPS the switch re-auths all ports at exactly the same time.
> with 48 port switches this gets interesting. anyway. the issue was
> that we had the following config
>
> radiusd.conf max_servers = X
> experimental.conf - perl, max_clones = Y
>
> where X != Y
>
> this is a big problem and you get the above mentioned errors. you ALSO
> get the error when X = Y and the load/demand is very high. in this case
> the radius thread appears to be trying to launch a new PERL instance
> before the old ones have gone. anyway, a rapid increase of the values
> helped straight away. as did a proper optimization of the DB to get
> much much faster PERL code.
>
> what you have to ensure in these cases is you don't see these ones:
>
> Fri Feb 11 16:00:11 2006 : Error: Discarding duplicate request from
> client BLAH port 49464 - ID: 10313 due to unfinished request 6
>
> as although seemingly okay the client isn't getting an answer from its
> requests.
>
> alan
>
> ------------------------------
>
> Message: 5
> Date: Fri, 12 Oct 2007 18:07:20 +0200
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: Darwin DirectoryServices (warnnings)
> To: FreeRadius users mailing list
>     <freeradius-users@lists.freeradius.org>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Arran Cudbard-Bell wrote:
> > Hi,
> > Running radiusd 2.0pre2 (cvs head)
> >
> > Just checked the system logs on one of our radius servers, and i'm
> > seeing some strange error messages from directory services.
> >
> > Oct 12 12:02:50 wolverine DirectoryService[54]: Potential VM growth in
> > DirectoryService since client PID: 9179, has 675 open references when
> > the warning limit is 500.
>
>   Hmm... the only OpenDirectory code in the server is in rlm_mschap. If
> you set "use_open_directory = no" in the rlm_mschap configuration, this
> issue *should* go away.
>
>   Unless, of course, you're actually using OpenDirectory. In which
> case, the bug would need fixing.
>
> > Could this explain the possible memory leak in radiusd, that only seems
> > to appear on Darwin ?
>
>   Yup.
>
>   Alan DeKok.
>
> ------------------------------
>
> Message: 6
> Date: Fri, 12 Oct 2007 11:27:19 -0500
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Subject: Using freeradius and 802.1x for ssign VLAN X
> To: freeradius-users@lists.freeradius.org
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
>     format="flowed"
>
> Hi,
> I use freeradius-1.0.4-1.FC4.1 version in a PC Linux Fedora Core 4. I
> form the file uses:
>
> lucy Auth-Type := EAP, User-Password == "lucy"
>      Service-Type = Framed-User,
>      Tunne-type = VLAN,
>      Tunnel-medium-type = IEEE-802,
>      Tunnel-Private-Group-Id = 2
>
> I have this problem:
> The user "lucy" should to access to vlan 2. But for default it user
> access to the vlan 1. I don't know how to do for the user "lucy"
> access to vlan 2
>
> This is the configuration of file eap.conf
> ==================
> eap {
>     default_eap_type =tls
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     md5 {
>     }
>     leap {
>     }
>     gtc {
>         auth_type = PAP
>     }
>     tls {
>         private_key_password = whatever
>         private_key_file = ${raddbdir}/certs/cert-srv.pem
>         certificate_file = ${raddbdir}/certs/cert-srv.pem
>         CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>         dh_file = ${raddbdir}/certs/dh
>         random_file = ${raddbdir}/certs/random
>         fragment_size = 1024
>         include_length = yes
>     }
>     ttls {
>         default_eap_type = md5
>         use_tunneled_reply = yes
>     }
>     peap {
>         default_eap_type = mschapv2
>     }
>     mschapv2 {
>     }
> }
> ==============
>
> If any know how resolve this, please write me.
>
> ------------------------------
>
> Message: 7
> Date: Fri, 12 Oct 2007 17:34:03 +0100
> From: <[EMAIL PROTECTED]>
> Subject: Re: rlm_realm doesn't strip the username
> To: "FreeRadius users mailing list"
>     <freeradius-users@lists.freeradius.org>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-2
>
> Add this to clients.conf:
>
> client 127.0.0.1 {
>     secret = testing123
>     shortname = localhost
> }
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 12/10/2007, "Tomasz Zieleniewski" <[EMAIL PROTECTED]> wrote:
>
> >Thank you Alan
> >
> >I updated to 2.0.0-pre2. But now I have some errors and I can't check
> >again:)
> >Now when my NAS sends the Accounting request or I try to run 'radtest'
> >tool, the verification fails.
> >I didn't change anything in the configuration and in the database. I
> >have the same NAS configuration.
> >I get the following error in the debug mode:
> >
> >Ignoring request to authentication address * 1812 from unknown client
> >127.0.0.1 port 37391
> >
> >Please point me what do I missed:)
> >
> >Best regards
> >tomasz
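
The max_servers / max_clones mismatch described in Message 4 above, checked mechanically together with a count of the log symptoms quoted in the thread. This is an added example, not code from the original messages or from FreeRADIUS; the sample configuration and log text are constructed, and the `thread pool` and `perl` section names are assumptions about the file layout the message refers to.

```python
import re
from collections import Counter

# Constructed sample input; option names and message texts are those quoted in the thread.
RADIUSD_CONF = """thread pool {
    start_servers = 5
    max_servers = 32    # X in the message
}"""
PERL_CONF = """perl {
    max_clones = 16     # Y in the message
}"""
LOG = """Fri Feb 11 16:00:10 2006 : Error: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Feb 11 16:00:11 2006 : Error: Discarding duplicate request from client BLAH port 49464 - ID: 10313 due to unfinished request 6
Fri Feb 11 16:00:12 2006 : Error: FATAL: Thread create failed: Cannot allocate memory"""
SYMPTOMS = {"pool_full": "maximum number of threads", "dropped_duplicate": "Discarding duplicate request",
            "thread_create_failed": "Thread create failed"}

def section_ints(text, section):
    """Integer options set directly inside a top-level `section { ... }` block."""
    opts, depth, inside = {}, 0, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if line.endswith("{"):
            inside = inside or (depth == 0 and line[:-1].strip() == section)
            depth += 1
        elif line == "}":
            depth -= 1
            inside = inside and depth > 0
        elif inside and depth == 1:
            m = re.fullmatch(r"(\w+)\s*=\s*(\d+)", line)
            if m:
                opts[m.group(1)] = int(m.group(2))
    return opts

def check_limits(radiusd_conf, perl_conf):
    """Return (max_servers, max_clones, matched) for the X/Y comparison."""
    x = section_ints(radiusd_conf, "thread pool").get("max_servers")
    y = section_ints(perl_conf, "perl").get("max_clones")
    return x, y, x is not None and x == y

def count_symptoms(log):
    """Count log lines carrying each symptom message named in the thread."""
    return Counter(k for line in log.splitlines() for k, s in SYMPTOMS.items() if s in line)

if __name__ == "__main__":
    print(check_limits(RADIUSD_CONF, PERL_CONF), dict(count_symptoms(LOG)))
```

A matched pair is only the first check: per the message, the same errors can appear with X = Y under heavy load, so a non-zero `dropped_duplicate` count still means clients are going unanswered.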