Re: Radius Died Message
Junaid Saeed Uppal wrote:
> I am new to configuring radius, but I got it working. Now the problem is that when I run the radius daemon, it keeps dying and sending emails to root with subject "Radius Died, Restarting" after about every 20 seconds... I can't figure out what's wrong... please help... I am using FreeRADIUS...

Have you tried running it in debug mode? If not, try to do that with the -X switch; it will probably tell you why it dies.

-- 
We tend to meet any new situation by reorganising; and a wonderful method it can be for creating the illusion of progress while producing confusion, inefficiency and demoralisation. -- Gaius Petronius, 60 AD

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Compiling pam_radius module on HP-UX
Hi,

Does anybody have some experience or hints on how to get the pam_radius module compiled on HP-UX (10.20 and 11)?

Thanks,
Walter.
rlm_mysql core dumped
Hello freeradius-users,

My config:

    Linux Redhat 7
    Linux 2.4.18 #3 SMP Fri Apr 5 14:07:36 MSD 2002 i686 unknown
    mysql Ver 3.22.32 for pc-linux-gnu on i686
    freeradius-snapshot-20020417

If I set num_sql_socks > 1, I have core dumped ;( With num_sql_socks = 1 it works fine. What changes must I make, and where???

    #gdb radiusd
    (gdb) set args -X
    (gdb) run
    Starting program: /usr/local/sbin/radiusd -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
    main: prefix = /usr/local
    main: localstatedir = /usr/local/var
    main: logdir = /usr/local/var/log/radius
    main: libdir = /usr/local/lib
    main: radacctdir = /usr/local/var/log/radius/radacct
    main: hostname_lookups = no
    read_config_files: reading dictionary
    read_config_files: reading clients
    read_config_files: reading realms
    read_config_files: reading naslist
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 1814
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = /usr/local/var/run/radiusd.pid
    main: user = root
    main: group = root
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    security: max_attributes = 200
    security: reject_delay = 1
    main: debug_level = 0
    read_config_files: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded MS-CHAP
    mschap: ignore_password = no
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: passwd = (null)
    mschap: authtype = MS-CHAP
    Module: Instantiated mschap (mschap)
    Module: Loaded preprocess
    preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
    preprocess: hints = /usr/local/etc/raddb/hints
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = suffix
    realm: delimiter = @
    Module: Instantiated realm (suffix)
    Module: Loaded SQL
    sql: driver = rlm_sql_mysql
    sql: server = 192.168.200.1
    sql: port =
    sql: login = radius
    sql: password = radpass
    sql: radius_db = radius
    sql: acct_table = radacct
    sql: acct_table2 = radacct
    sql: authcheck_table = radcheck
    sql: authreply_table = radreply
    sql: groupcheck_table = radgroupcheck
    sql: groupreply_table = radgroupreply
    sql: usergroup_table = usergroup
    sql: nas_table = nas
    sql: dict_table = dictionary
    sql: sqltrace = no
    sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
    sql: deletestalesessions = yes
    sql: num_sql_socks = 2
    sql: sql_user_name = %{User-Name}
    sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
    sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
    sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
    sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
    sql: authenticate_query = SELECT Value,Attribute FROM radcheck WHERE UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' OR Attribute = 'NT-Password') ORDER BY Attribute DESC
    sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_times
    [New Thread 1024 (LWP 25018)]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1024 (LWP 25018)]
    0x401085bc in chunk_free (ar_ptr=0x401aace0, p=0x80c1eb0) at malloc.c:3117
    (gdb) bt
    #0  0x401085bc in chunk_free (ar_ptr=0x401aace0, p=0x80c1eb0) at malloc.c:3117
    #1  0x40107d12 in chunk_alloc (ar_ptr=0x401aace0, nb=88) at malloc.c:2601
    #2  0x401077e6 in __libc_malloc (bytes=84) at malloc.c:2703
    #3  0x401f1993 in my_malloc () from /usr/lib/libmysqlclient.so.10
    (gdb) q
    The program is running.  Exit anyway? (y or n)

-- 
Best regards,
rust
RE: Question about redundant/failover accounting.
Alan de Kok wrote:
> > When a NAS fails the telco will failover to the other NAS; when a Radius server fails the NAS will select its twin-sister. The only thing this doesn't work for is Accounting.
>
> You might want to take a look at 'radrelay', from the Cistron distribution. It's the preferred method for replicating accounting data. If you can come up with a patch to add it to FreeRADIUS, that would help a lot.
>
> > Then an accounting loop starts that adds about 220KB to the detail file for every packet received from a NAS. Probably the loop ends when a packet gets too large. (Some Proxy- fields are added to every hop).
>
> Yes. And you can't rely on the Proxy-State attribute to discover loops, as some RADIUS servers destroy the Proxy-State attribute. I believe that radrelay *should* take care of a lot of these issues.
>
> > When is Client-IP-Address added to the packet? (probably too late)
>
> It's not. It's a server-side attribute that's added to the REQUEST data structure by rlm_preprocess.

Aha. Then the patch is in radiusd.conf, from old:

    preacct {
        files
        preprocess
    }

to new:

    preacct {
        preprocess
        files
    }

And get Client-IP-Address from the rlm_acct_unique spec.

> > Why can't Client-IP-Address be used as a check-item? (if it is in the request)
>
> It can.

If the preprocess is done before the files; otherwise the attribute just isn't there.

> > I've patched freeradius to get it to work on AIX and I'm not aware whether the patches sent to the list have been incorporated or not.
>
> They haven't been incorporated. Quite frankly, I'm reluctant to do so.

Well, for radius the basic problem is the complaints about the missing strings.h (well, the complaints are missing templates for routines like bzero and strcasecmp etc.). BTW there is a difference when trying to compile with --disable-shared or not; many modules will only compile using --enable-shared. Therefore linking with modules preloaded seems to be best. A test in configure for the strings.h file will probably solve the most. One problem was the order of includes (missing.h from radius.h was included before some other ones).

The problem is I'm a VMS programmer/systems manager/system programmer and I don't normally use tools like autoconf etc. Had things been more my way the radius server would have run on an available VMS-cluster using VMSRadius anyway. (It would have been a LOT simpler then.) And the amount of time available won't allow learning to use them with all their intricacies. Although AIX is probably an interesting platform to learn things on, as a lot of things are done quite differently with respect to other UNICES.

> If you just patched it to *add* functionality or include files specifically for AIX, then I would have applied the patch. However, the patch *removes* functionality and include files which are currently used on other platforms. I'm not going to break the build on many platforms just to make it work on another one.

Agreed, I just supplied the differences to show what was needed to get up and running. auto* are beyond my interests/capabilities. The basic problem is described above.

> So until I get time to edit the patch to fix it, or until you can supply a better patch, it won't get committed.

No problem, this is probably a one-off for many years to come unless a problem should arise from radiusd in the next few weeks. The server does what it should do, and new functionality can be nice but is not needed as currently foreseen.

Regards,
Nico Baggus

-
ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them.
Conditional Proxy
Hi,

I have posted a patch for this on the developers list, but there has been no response yet, so I'm wondering if this patch would be as useful to others as it is for me. Basically it allows one to specify a check list in the realm config which would then be checked before a request is proxied. e.g.:

    realm company.com {
        authhost = 10.0.0.1:1645
        accthost = 10.0.0.1:1646
        secret = mysecret
        check = Called-Station-Id == 1234,NAS-Port-Type = 2
    }

If the incoming request for realm mycompany.com does not match the items in 'check', rlm_realm will not set the Proxy-To-Realm attribute and the request will not be proxied. Omitting 'check' from the config would allow realms to be proxied as usual.

Any Comments?

Eddie
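As an added illustration of the decision the proposed 'check' option would make (this is not Eddie's patch and not FreeRADIUS code), the C program below parses a check list of the form shown above and evaluates it against the attribute/value pairs of a request. The attribute names, the sample requests and the helper names are constructed for the demonstration. It assumes that both `==` and `=` compare for equality and additionally accepts `!=`; an attribute absent from the request, or a list that cannot be parsed, results in "do not proxy", so the policy fails closed rather than forwarding a request whose conditions could not be checked.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code: evaluate a realm "check" list such as
 *   Called-Station-Id == 1234,NAS-Port-Type = 2
 * against a request.  "==" and "=" are assumed to mean "equal"; "!=" is
 * also accepted.  Missing attribute or unparsable list => do not proxy. */

#define MAX_ITEMS 16
#define FIELD_LEN 64

typedef struct {
    char name[FIELD_LEN];   /* e.g. "Called-Station-Id" */
    char value[FIELD_LEN];  /* value as text */
} attr_pair;

typedef struct {
    char name[FIELD_LEN];
    char op[3];             /* "==", "!=" or "=" */
    char value[FIELD_LEN];
} check_item;

/* Copy [s, s+len) into dst (FIELD_LEN bytes), dropping surrounding blanks. */
static int copy_trimmed(char *dst, const char *s, size_t len)
{
    while (len && (*s == ' ' || *s == '\t')) { s++; len--; }
    while (len && (s[len - 1] == ' ' || s[len - 1] == '\t')) len--;
    if (len == 0 || len >= FIELD_LEN) return 0;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return 1;
}

/* Parse one "Name op Value" item; 1 on success, 0 if malformed. */
static int parse_item(const char *tok, check_item *it)
{
    const char *p, *op;
    if ((p = strstr(tok, "==")) != NULL)      op = "==";
    else if ((p = strstr(tok, "!=")) != NULL) op = "!=";
    else if ((p = strchr(tok, '=')) != NULL)  op = "=";
    else return 0;                                /* no operator at all */
    strcpy(it->op, op);
    return copy_trimmed(it->name, tok, (size_t)(p - tok))
        && copy_trimmed(it->value, p + strlen(op), strlen(p + strlen(op)));
}

/* Split the list on ',' and parse each item; returns item count or -1. */
int parse_check_list(const char *list, check_item *items, int max_items)
{
    int count = 0;
    const char *start = list;
    for (;;) {
        const char *end = strchr(start, ',');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char tok[256];
        if (len >= sizeof tok || count >= max_items) return -1;
        memcpy(tok, start, len);
        tok[len] = '\0';
        if (!parse_item(tok, &items[count])) return -1;
        count++;
        if (!end) break;
        start = end + 1;
    }
    return count;
}

static const attr_pair *find_attr(const attr_pair *req, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(req[i].name, name) == 0) return &req[i];
    return NULL;
}

/* 1 if every item holds for the request, 0 otherwise. */
int check_list_matches(const check_item *items, int n_items,
                       const attr_pair *req, int n_req)
{
    for (int i = 0; i < n_items; i++) {
        const attr_pair *a = find_attr(req, n_req, items[i].name);
        if (!a) return 0;                         /* absent attribute: fail closed */
        int equal = strcmp(a->value, items[i].value) == 0;
        if (strcmp(items[i].op, "!=") == 0 ? equal : !equal) return 0;
    }
    return 1;
}

/* The proxy/no-proxy decision for a realm carrying a 'check' list. */
int should_proxy(const char *check_list, const attr_pair *req, int n_req)
{
    check_item items[MAX_ITEMS];
    int n = parse_check_list(check_list, items, MAX_ITEMS);
    if (n < 0) return 0;                          /* unparsable policy: do not proxy */
    return check_list_matches(items, n, req, n_req);
}

/* Constructed sample requests and the policy from the post. */
static const char *policy = "Called-Station-Id == 1234,NAS-Port-Type = 2";
static const attr_pair req_match[] = {
    {"User-Name", "someone@company.com"}, {"Called-Station-Id", "1234"}, {"NAS-Port-Type", "2"} };
static const attr_pair req_wrong_station[] = {
    {"User-Name", "someone@company.com"}, {"Called-Station-Id", "9999"}, {"NAS-Port-Type", "2"} };
static const attr_pair req_no_station[] = {
    {"User-Name", "someone@company.com"}, {"NAS-Port-Type", "2"} };

int demo_match(void)            { return should_proxy(policy, req_match, 3); }
int demo_wrong_station(void)    { return should_proxy(policy, req_wrong_station, 3); }
int demo_missing_attr(void)     { return should_proxy(policy, req_no_station, 2); }
int demo_malformed_policy(void) { return should_proxy("Called-Station-Id 1234", req_match, 3); }

int main(void)
{
    printf("matching request: %s\n", demo_match() ? "proxied" : "not proxied");
    printf("wrong station:    %s\n", demo_wrong_station() ? "proxied" : "not proxied");
    printf("no station attr:  %s\n", demo_missing_attr() ? "proxied" : "not proxied");
    return 0;
}
```

The fail-closed choices (missing attribute, malformed list) are the part worth keeping whatever form such a check finally takes: a proxy decision that silently passes when a condition cannot be evaluated forwards credentials to a realm the policy never approved.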
Re: Conditional Proxy
At 02:08 PM 4/26/2002 -0200, Eddie Stassen wrote:
> Hi,
>
> I have posted a patch for this on the developers list, but there has been no response yet, so I'm wondering if this patch would be as useful to others as it is for me. Basically it allows one to specify a check list in the realm config which would then be checked before a request is proxied. e.g.:
>
>     realm company.com {
>         authhost = 10.0.0.1:1645
>         accthost = 10.0.0.1:1646
>         secret = mysecret
>         check = Called-Station-Id == 1234,NAS-Port-Type = 2
>     }
>
> If the incoming request for realm mycompany.com does not match the items in 'check', rlm_realm will not set the Proxy-To-Realm attribute and the request will not be proxied. Omitting 'check' from the config would allow realms to be proxied as usual.
>
> Any Comments?

Why is it not possible to simply do this in the 'users' file with:

    DEFAULT Called-Station-Id == 1234, Proxy-To-Realm := company.com
            Fall-Through = No

-Chris

-- 
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: MS-CHAP nt-lnPasswords on LDAP
3APA3A [EMAIL PROTECTED] wrote:
> mschap in authorize is only required if you store cleartext password; in this case it produces NT/LM hashes from cleartext.

That work can be done in the 'authenticate' code, can't it? I don't see why it's required to be in the 'authorize' section.

Alan DeKok.
Re: dial_up admin question
On Tue, 23 Apr 2002, Juan Hernandez wrote:
> can I get it off the web? I've never used the cvs repository

You can either get it through the web (http://sourceforge.net/projects/dialup-admin) or find it in the latest cvs snapshots. The cvs snapshots can be found on the ftp site in the CVS-snapshots directory.

-- 
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: Conditional Proxy
At 04:30 PM 4/26/2002 -0200, Eddie Stassen wrote:
> At 08:47 AM 02/04/26 -0500, you wrote:
> > At 02:08 PM 4/26/2002 -0200, Eddie Stassen wrote:
> > > Hi,
> > >
> > > I have posted a patch for this on the developers list, but there has been no response yet, so I'm wondering if this patch would be as useful to others as it is for me. Basically it allows one to specify a check list in the realm config which would then be checked before a request is proxied. e.g.:
> > >
> > >     realm company.com {
> > >         authhost = 10.0.0.1:1645
> > >         accthost = 10.0.0.1:1646
> > >         secret = mysecret
> > >         check = Called-Station-Id == 1234,NAS-Port-Type = 2
> > >     }
> > >
> > > If the incoming request for realm mycompany.com does not match the items in 'check', rlm_realm will not set the Proxy-To-Realm attribute and the request will not be proxied. Omitting 'check' from the config would allow realms to be proxied as usual.
> > >
> > > Any Comments?
> >
> > Why is it not possible to simply do this in the 'users' file with:
> >
> >     DEFAULT Called-Station-Id == 1234, Proxy-To-Realm := company.com
> >             Fall-Through = No
>
> The problem is that when you use the files method in conjunction with rlm_realm it would still be possible to be proxied without the checks being done. If for example you had:
>
>     authorize {
>         suffix
>         files
>     }
>
> and in users:
>
>     DEFAULT Suffix == @company.com, Called-Station-Id == 1234, Proxy-To-Realm := company.com
>             Fall-Through = No
>
> then the Proxy-To-Realm attribute for '[EMAIL PROTECTED]' would be set by rlm_realm before the users file got hold of it and the request would be sent on.

Then simply change the order of the 'authorize' block, so that files is called first. Or better, have a separate 'fastusers' instance that uses a different 'users' file without a DEFAULT entry (so that it returns NOTFOUND if nothing matches).

> One way of getting past this is to simply not use rlm_realm and have DEFAULT entries for all your realms, including the various combinations of prefixes/suffixes etc. Seems that rlm_realm was designed to deal with realms and therefore checks should be done there. Not a big deal, just a little tidier IMO.

Perhaps, though I'd rather not duplicate functionality that's already there. I'm a minimalist, so I prefer to keep the modules simple in what they do unless there isn't another way already of doing what you want.

-Chris

-- 
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: Conditional Proxy
Chris Parker [EMAIL PROTECTED] wrote:
> Perhaps, though I'd rather not duplicate functionality that's already there. I'm a minimalist, so I prefer to keep the modules simple in what they do unless there isn't another way already of doing what you want.

I tend to agree. Although I supposed I could put the patch into the 'pub/radius/contrib/' directory, on the FTP site.

Alan DeKok.
Client-IP-Address occasionally incorrect
Running FreeRADIUS 0.4 under Solaris 8/SPARC. When I enabled the Simultaneous-Use check for some user classes, I got the same problem as Mervyn Jack - invalid packets with a fake Client-IP-Address. This is a typical such packet:

    Fri Mar 22 14:49:03 2002
            Acct-Status-Type = Stop
            NAS-IP-Address = xx.xx.xx.xx
            Acct-Delay-Time = 0
            User-Name = atuser
            NAS-Port = 20211
            Acct-Session-Id = 74886441
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Framed-IP-Address = xx.xx.xx.xx
            Acct-Session-Time = 0
            Acct-Input-Octets = 0
            Acct-Output-Octets = 0
            Acct-Input-Packets = 0
            Acct-Output-Packets = 0
            Client-IP-Address = 70.114.105.32        [FAKE !]
            Hint = ATPPP
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Timestamp = 1016797743
            Request-Authenticator = Verified

These packets arrived only when a user with Simultaneous-Use (atuser in this case) tried to log in and checkrad returned OK (this user already exists on the NAS). NASes: Ascend MAX 6060, Cisco AS5800 (IOS 12.0(13)S).

Any suggestions? Thanks.
Re: Client-IP-Address occasionally incorrect
Oleg Derevenetz [EMAIL PROTECTED] wrote:
> When I enabled Simultaneous-Use check for some user classes, I've got the same problem as Mervyn Jack - invalid packets with fake Client-IP-Address.

That's really weird. The Client-IP-Address is taken from request->packet->src_ipaddr, which is taken directly from the recv_from() system call. So if the address is wrong, then it sounds to me like the OS is lying to the server about where the packet came from.

> Client-IP-Address = 70.114.105.32 [FAKE !]

Does this address have *any* relation to addresses on your network, or is it random (and changing) garbage?

> These packets arrived only when user with Simultaneous-Use (atuser in this case) tried to login and checkrad returned OK (this user already exists on NAS).

I find it *really* bizarre that the NAS is sending fake accounting records when it's queried via checkrad. Have you used 'tcpdump' from another machine, to verify that the packet is sent on the wire, and isn't some artifact of the server and/or OS?

If the packet *is* coming from the NAS, have you asked Ascend/Cisco for support?

Alan DeKok.
Re: Conditional Proxy
At 11:46 AM 02/04/26 -0400, you wrote:
> Chris Parker [EMAIL PROTECTED] wrote:
> > Perhaps, though I'd rather not duplicate functionality that's already there. I'm a minimalist, so I prefer to keep the modules simple in what they do unless there isn't another way already of doing what you want.
>
> I tend to agree. Although I supposed I could put the patch into the 'pub/radius/contrib/' directory, on the FTP site.
>
> Alan DeKok.

I agree with the minimalist approach, but if we apply that to the rlm_realm module, then it should not be required at all, since all its functionality can already be achieved in another way.

My understanding of the DEFAULT directive in the users file has always been that it is there to:

a. provide a default policy for a number of users
b. apply a policy for some very special conditions that cannot be done through other methods or modules (yet), as looping through a large number of DEFAULT statements can be expensive.

I don't believe that conditional proxy falls into either of these cases, as it is quite a common requirement (where I come from at least), hence my idea of doing this in the rlm_realm module.

Anyway, I won't drag this matter out any longer if nobody agrees with me (I'll just sulk all weekend).

Eddie
Re: Client-IP-Address occasionally incorrect
I actually saw this same problem way back in the post-0.3 CVS days (and before), and I wasn't even involving checkrad. I would turn on Simultaneous-Use, and I would immediately begin to get completely bogus Client-Ip-Addresses in my accounting packets... IPs that had nothing to do with my network (I remember 0.0.0.0 being one of the examples). And I would get them from my MAX TNTs, my PM3s, my Cisco AS5200s, and the various RADIUS servers that proxied to me. Some packets would be fine, others would be bogus. It was so weird and pervasive I just canned the implementation and didn't really troubleshoot past isolating Simultaneous-Use as the cause. I've actually been meaning to revisit this now that .5 is out and see if life is better. Although it is reassuring to see that it didn't only bite me. :)

Chris Kalin

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 26, 2002 11:32 AM
Subject: Re: Client-IP-Address occasionally incorrect

> Oleg Derevenetz [EMAIL PROTECTED] wrote:
> > When I enabled Simultaneous-Use check for some user classes, I've got the same problem as Mervyn Jack - invalid packets with fake Client-IP-Address.
>
> That's really weird. The Client-IP-Address is taken from request->packet->src_ipaddr, which is taken directly from the recv_from() system call. So if the address is wrong, then it sounds to me like the OS is lying to the server about where the packet came from.
>
> > Client-IP-Address = 70.114.105.32 [FAKE !]
>
> Does this address have *any* relation to addresses on your network, or is it random (and changing) garbage?
>
> > These packets arrived only when user with Simultaneous-Use (atuser in this case) tried to login and checkrad returned OK (this user already exists on NAS).
>
> I find it *really* bizarre that the NAS is sending fake accounting records when it's queried via checkrad. Have you used 'tcpdump' from another machine, to verify that the packet is sent on the wire, and isn't some artifact of the server and/or OS?
>
> If the packet *is* coming from the NAS, have you asked Ascend/Cisco for support?
>
> Alan DeKok.
Re: Client-IP-Address occasionally incorrect
Chris A. Kalin [EMAIL PROTECTED] wrote:
> I actually saw this same problem way back in the post-0.3 CVS days (and before), and I wasn't even involving checkrad. I would turn on Simultaneous-Use, and I would immediately begin to get completely bogus Client-Ip-Addresses in my accounting packets... IPs that had nothing to do with my network (I remember 0.0.0.0 being one of the examples).

Hmm... after quickly rooting through the code, the only thing I can come up with is the session_zap() function in src/main/session.c, and it's only called from the radutmp module.

If removing 'radutmp' from the list of modules makes these packets stop, then the problem is the session_zap() routine. (Which may not initialize all of the data structures it creates.)

I haven't looked at it for a while, but it calls rad_process(), which is the main request processing function. Unfortunately, rad_process() is designed to be called ONLY from the main thread handler, and NOT from any child thread.

Arg... On closer examination of the packet in the previous message, I think the problem *is* session_zap.

It SHOULD initialize all of the entries in the data structures it creates.

It SHOULD NOT call rad_process(). rad_respond() is safe, and better.

Alan DeKok.
Re: Client-IP-Address occasionally incorrect
Quoting Chris A. Kalin [EMAIL PROTECTED]:
> I actually saw this same problem way back in the post-0.3 CVS days (and before), and I wasn't even involving checkrad. I would turn on Simultaneous-Use, and I would immediately begin to get completely bogus Client-Ip-Addresses in my accounting packets... IPs that had nothing to do with my network (I remember 0.0.0.0 being one of the examples). And I would get them from my MAX TNTs, my PM3s, my Cisco AS5200s, and the various RADIUS servers that proxied to me. Some packets would be fine, others would be bogus. It was so weird and pervasive I just canned the implementation and didn't really troubleshoot past isolating Simultaneous-Use as the cause. I've actually been meaning to revisit this now that .5 is out and see if life is better. Although it is reassuring to see that it didn't only bite me. :)

So, there is a piece of code in rlm_radutmp.c/radutmp_checksimul():

    radutmp_unlock(fd);
    rcode = rad_check_ts(u.nas_address, u.nas_port, login, session_id);
    radutmp_lock(fd);

    if (rcode == 1) {
        ++request->simul_count;

        /*
         * Does it look like a MPP attempt?
         */
        if (strchr("SCPA", u.proto) && ipno && u.framed_address == ipno)
            request->simul_mpp = 2;
        else if (strchr("SCPA", u.proto) && call_num && !strncmp(u.caller_id, call_num, 16))
            request->simul_mpp = 2;
    } else {
        /*
         * False record - zap it.
         */
        session_zap(u.nas_address, u.nas_port, login, session_id, u.framed_address, u.proto, 0);
    }

If rad_check_ts() returns 1 (dup found), and no multilink is there, this code simply increments request->simul_count, but if not, it does session_zap() (and generates a fake Accounting-Stop record with fields such as in my case). So it seems to be a problem in rad_process().
Re: Client-IP-Address occasionally incorrect
Quoting Alan DeKok [EMAIL PROTECTED]:
> Arg... On closer examination of the packet in the previous message, I think the problem *is* session_zap.
>
> It SHOULD initialize all of the entries in the data structures it creates.
>
> It SHOULD NOT call rad_process(). rad_respond() is safe, and better.

Hm-m... But I don't understand how it can call session_zap() in such a case (checkrad.log):

    Fri Apr 26 21:30:41 2002
    checkrad ascend xx.xx.xx.xx 20219 atuser 74981341
    No SNMP answer from ascend.
    user at port S20219: atuser (dec)
    Returning 1 (double detected)

There is a dup, so rad_check_ts() must return 1, and the session is valid. There is no reason to call session_zap(), isn't it?
Re[2]: Client-IP-Address occasionally incorrect
Dear Alan DeKok,

I wrote about the cause of this problem a month ago:

--This is a forwarded message
From: 3APA3A [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Monday, April 1, 2002, 6:48:12 PM
Subject: radutmp bugs

===8<==Original message text===
Dear [EMAIL PROTECTED],

First bug is in radutmp_checksimul. In the call to session_zap (when a user record is found in radutmp but there is no active user with this name on the NAS) we send request->packet->sockfd. sockfd will be the socket for authentication, but later rad_process, called from session_zap, does the check:

    if (request->packet->sockfd != acctfd) {

It makes an error in the log like "Accounting-Request packet sent to a non-accounting port from client" and session_zap fails to remove this hanging session. I bet either

    session_zap(request->packet->sockfd,

should be changed to

    session_zap(acctfd,

or the code should be rewritten without session_zap at all, because session_zap in this implementation will cause problems; for example, in case of improper NAS or Radius server shutdown a user can be billed for the time between two logons... So, at least radius must clean up radutmp on startup.

Second problem is that the IP address of the NAS saved in radutmp is PW_NAS_IP_ADDRESS. Existence of this attribute is never checked, and if this attribute isn't present any garbage may be there instead of it. I think we should add in radutmp_accounting

    nas_address = request->packet->src_ipaddr;
    ut.nas_address = request->packet->src_ipaddr;

as either a default value or a replacement for

    case PW_NAS_IP_ADDRESS:
        nas_address = vp->lvalue;
        ut.nas_address = vp->lvalue;
        break;

because this attribute is also used for the session_zap() call.

-- 
http://www.security.nnov.ru
ZARAZA / 3APA3A
You know my name - look up my number (The Beatles)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
===8<===End of original message text===

-- 
~/ZARAZA
But after all, eggs, heels and bishops can come into anyone's head. (Lem)

--Friday, April 26, 2002, 9:34:42 PM, you wrote to [EMAIL PROTECTED]:

AD> Chris A. Kalin [EMAIL PROTECTED] wrote:
AD> > I actually saw this same problem way back in the post-0.3 CVS days (and before), and I wasn't even involving checkrad. I would turn on Simultaneous-Use, and I would immediately begin to get completely bogus Client-Ip-Addresses in my accounting packets... IPs that had nothing to do with my network (I remember 0.0.0.0 being one of the examples).

AD> Hmm... after quickly rooting through the code, the only thing I can
AD> come up with is the session_zap() function in src/main/session.c, and
AD> it's only called from the radutmp module.

AD> If removing 'radutmp' from the list of modules makes these packets
AD> stop, then the problem is the session_zap() routine. (Which may not
AD> initialize all of the data structures it creates.)

AD> I haven't looked at it for a while, but it calls rad_process(),
AD> which is the main request processing function. Unfortunately,
AD> rad_process() is designed to be called ONLY from the main thread
AD> handler, and NOT from any child thread.

AD> Arg... On closer examination of the packet in the previous message,
AD> I think the problem *is* session_zap.

AD> It SHOULD initialize all of the entries in the data structures it
AD> creates.

AD> It SHOULD NOT call rad_process(). rad_respond() is safe, and
AD> better.

AD> Alan DeKok.

-- 
~/ZARAZA
But Harry... I definitely prefer him, for his high nutritional value and some particularly tender meat. (Twain)
Re: Client-IP-Address occasionally incorrect
Oleg Derevenetz [EMAIL PROTECTED] wrote:
> If rad_check_ts() returns 1 (dup found), and no multilink is there, this code simply increments request->simul_count, but if not, it does session_zap() (and generates a fake Accounting-Stop record with fields such as in my case). So it seems to be a problem in rad_process().

No, it looks like it's in session_zap().

Try editing src/main/session.c, function session_zap(). Change code from:

    ...
    rad_process(stopreq, ...)
    ...

to:

    ...
    rad_accounting(stopreq);
    request_free(stopreq);
    ...

That should *help*, at least. I'll try to edit and commit a slightly larger fix to the code today.

Alan DeKok.
compiling error on FreeBSD-4.5?
I am trying to compile the latest freeradius snapshot on a FreeBSD 4.5. With just a basic ./configure and make, it stopped at ltdl.lo (see below). If I disable libltdl with ./configure --disable-ltdl-install, it stopped at

    *** [rlm_attr_rewrite.lo] Error 1

I suspect there might be something missing in FreeBSD?

    gmake[1]: Entering directory `/usr/local/src/freeradius-snapshot-20020426'
    Making all in libltdl...
    gmake[2]: Entering directory `/usr/local/src/freeradius-snapshot-20020426/libltdl'
    /bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -pthread -D_THREAD_SAFE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -c ltdl.c
    mkdir .libs
    gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -pthread -D_THREAD_SAFE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -c ltdl.c -fPIC -DPIC -o .libs/ltdl.lo
    ltdl.c:140: warning: function declaration isn't a prototype
    ltdl.c:263: warning: function declaration isn't a prototype
    ltdl.c:280: warning: function declaration isn't a prototype
    ltdl.c:295: warning: function declaration isn't a prototype
    ltdl.c:725: warning: function declaration isn't a prototype
    ltdl.c:757: warning: function declaration isn't a prototype
    ltdl.c: In function `presym_open':
    ltdl.c:774: warning: cast discards qualifiers from pointer target type
    ltdl.c: At top level:
    ltdl.c:787: warning: function declaration isn't a prototype
    ltdl.c:796: warning: function declaration isn't a prototype
    ltdl.c:910: warning: function declaration isn't a prototype
    ltdl.c:959: warning: function declaration isn't a prototype
    ltdl.c:1034: warning: function declaration isn't a prototype
    ltdl.c:1110: warning: function declaration isn't a prototype
    ltdl.c:1123: warning: function declaration isn't a prototype
    ltdl.c:1133: warning: function declaration isn't a prototype
    ltdl.c:1160: warning: function declaration isn't a prototype
    gcc: Internal compiler error: program as got fatal signal 4
    gmake[2]: *** [ltdl.lo] Error 1
    gmake[2]: Leaving directory `/usr/local/src/freeradius-snapshot-20020426/libltdl'
    gmake[1]: *** [common] Error 1
    gmake[1]: Leaving directory `/usr/local/src/freeradius-snapshot-20020426'
    gmake: *** [all] Error 2
Re: Re[2]: Client-IP-Address occasionally incorrect
3APA3A [EMAIL PROTECTED] wrote:
> I wrote about cause of this problem a month ago:

  Yes, but...

> I bet either
>   session_zap(request->packet->sockfd,
> should be changed to
>   session_zap(acctfd,

  Both of these are completely wrong, now that I look further at the code.

  The problem is that the 'sockfd' in session_zap() isn't used by *anything* in that function. Sure, it's placed into stoppkt->sockfd, but that is completely wrong. The stop packet is a FAKE packet, generated internally by the server. It MUST NOT be associated with any real socket, so that there is NO possibility of a NAS getting a reply packet to the fake request (which the NAS never sent).

  The real problem is that session_zap() is calling rad_process(). The rad_process() function assumes that it's being called ONLY from the main thread, so calling it from a child thread handling a request is completely wrong, and may cause the server to do unexpected things.

> Second problem is that ip address of NAS saved in radutmp is PW_NAS_IP_ADDRESS. Existence of this attribute is never checked and if this attribute isn't present any garbage may be instead of it. I think we should add in radutmp_accounting
>
>   nas_address = request->packet->src_ipaddr;
>   ut.nas_address = request->packet->src_ipaddr;
>
> as either default value or replacement to
>
>   case PW_NAS_IP_ADDRESS:
>       nas_address = vp->lvalue;
>       ut.nas_address = vp->lvalue;
>       break;
>
> because this attribute is also used for session_zap() call.

  That's already done in radutmp:

	/*
	 *	If we didn't find out the NAS address, use the
	 *	originator's IP address.
	 */
	if (nas_address == 0) {
		nas_address = request->packet->src_ipaddr;
		ut.nas_address = nas_address;
	}

  Alan DeKok.
Re: compiling error on FreeBSD-4.5?
Paul S. Puth [EMAIL PROTECTED] wrote:
> I am trying to compile the latest freeradius snapshot on a FreeBSD 4.5. With just basic ./configure and make, it stopped at ltdl.lo (see below).
...
> gcc: Internal compiler error: program as got fatal signal 4
> gmake[2]: *** [ltdl.lo] Error 1

  Your system appears to be broken.

> If I disable libltdl with ./configure --disable-ltdl-install, it stopped at
> *** [rlm_attr_rewrite.lo] Error 1

  Reading the rest of the messages associated with that build should help figure out *why* that build failed.

  Alan DeKok.
Re: Client-IP-Address occasionally incorrect
Quoting Oleg Derevenetz [EMAIL PROTECTED]:
> Hm-m... But I don't understand how it can call session_zap() in such a case (checkrad.log):
>
> Fri Apr 26 21:30:41 2002 checkrad ascend xx.xx.xx.xx 20219 atuser 74981341
> No SNMP answer from ascend.
> user at port S20219: atuser (dec)
> Returning 1 (double detected)
>
> There is a dup, so rad_check_ts() must return 1, and the session is valid. There is no reason to call session_zap(), isn't it?

Oh-oh. I have an error in this case:

Fri Apr 26 21:30:52 2002 : Error: Check-TS: timeout waiting for checkrad

So rad_check_ts() returned 2. But is there a reason to zap the session record?
Re: Client-IP-Address occasionally incorrect
I need to update 2 databases with the data of the radius. I tested putting this in the sql file:

accounting_start_query = INSERT into radacct A LOT OF DATA ;INSERT into A LOT OF DATA

When I use it with update it works fine, but with an insert it says

/etc/raddb/sql.conf[124]: Line is not in 'attribute = value' format

Any idea how to update and insert into 2 different databases at the same time?
Re: Client-IP-Address occasionally incorrect
At 08:17 PM 4/26/2002 +0200, Victor Sanchez wrote:
> I need to update 2 databases with the data of the radius. I tested putting this in the sql file:
>
> accounting_start_query = INSERT into radacct A LOT OF DATA ;INSERT into A LOT OF DATA
>
> When I use it with update it works fine, but with an insert it says
>
> /etc/raddb/sql.conf[124]: Line is not in 'attribute = value' format
>
> Any idea how to update and insert into 2 different databases at the same time?

Use two instances of the sql module.

sql one {
    foo = bar
}

sql two {
    foo = baz
}

authorize {
    one
    two
}

accounting {
    one
    two
}

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: Client-IP-Address occasionally incorrect
Victor Sanchez [EMAIL PROTECTED] wrote:
> accounting_start_query = INSERT into radacct A LOT OF DATA ;INSERT into A LOT OF DATA
>
> When I use it with update it works fine, but with an insert it says
>
> /etc/raddb/sql.conf[124]: Line is not in 'attribute = value' format
>
> Any idea how to update and insert into 2 different databases at the same time?

  Grab the latest CVS snapshot. The buffers used internally in the configuration file reader have been increased in size.

  Alan DeKok.
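Added example, not from the thread and not FreeRADIUS's own conffile code: a deliberately simplified `attribute = value` line reader in C that shows the failure mode Alan describes. When a line is longer than the reader's fixed line buffer, fgets-style reading hands the line over in pieces; the first piece contains the `=` and passes, the remaining pieces do not and are reported as "not in 'attribute = value' format" even though the file is fine. The sample sql.conf fragment, its column names, and the buffer sizes 256/1024/8192 are all constructed for the demo; the real reader's limits and checks differ.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Upper bound for the demo's line buffer (assumed for this example). */
#define MAX_LINE 8192

/* Constructed sample sql.conf fragment (not from the thread): one
 * accounting_start_query whose value carries two INSERT statements, so
 * the physical line is several hundred bytes long. Columns are made up. */
static const char SAMPLE_CONFIG[] =
    "sql {\n"
    "    driver = \"rlm_sql_mysql\"\n"
    "    server = \"localhost\"\n"
    "    accounting_start_query = \"INSERT INTO radacct (AcctSessionId, UserName, "
    "NASIPAddress, NASPortId, AcctStartTime, AcctAuthentic, CallingStationId, "
    "CalledStationId, FramedIPAddress) VALUES ('%{Acct-Session-Id}', "
    "'%{User-Name}', '%{NAS-IP-Address}', '%{NAS-Port-Id}', '%S', "
    "'%{Acct-Authentic}', '%{Calling-Station-Id}', '%{Called-Station-Id}', "
    "'%{Framed-IP-Address}'); INSERT INTO audit.sessions (AcctSessionId, "
    "UserName, NASIPAddress, AcctStartTime) VALUES ('%{Acct-Session-Id}', "
    "'%{User-Name}', '%{NAS-IP-Address}', '%S')\"\n"
    "}\n";

/* Behaves like fgets(buf, bufsize, fp) over an in-memory string: copies at
 * most bufsize-1 bytes and stops after a newline. Returns bytes consumed. */
static size_t fgets_like(char *buf, size_t bufsize, const char *text)
{
    size_t n = 0;
    while (n < bufsize - 1 && text[n] != '\0') {
        buf[n] = text[n];
        n++;
        if (text[n - 1] == '\n')
            break;
    }
    buf[n] = '\0';
    return n;
}

/* True for "name {" or "name instance {" section openers. */
static int is_section_header(const char *line)
{
    int tokens = 0;
    const char *last = NULL;
    size_t last_len = 0;
    const char *p = line;

    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        last = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        last_len = (size_t)(p - last);
        tokens++;
    }
    return tokens >= 2 && tokens <= 3 && last_len == 1 && *last == '{';
}

/* A line passes when it is blank, a comment, a bare "}", a section header,
 * or "attribute = value" with a non-empty attribute name. */
static int line_is_ok(const char *line)
{
    const char *p = line;
    const char *eq;

    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#') return 1;
    if (*p == '}') {
        const char *q = p + 1;
        while (*q && isspace((unsigned char)*q)) q++;
        return *q == '\0';
    }
    if (is_section_header(p)) return 1;
    eq = strchr(p, '=');
    return eq != NULL && eq != p;
}

/* Read text with a line buffer of bufsize bytes; return how many pieces
 * fail the check. A physical line longer than bufsize-1 bytes arrives in
 * several pieces, and every piece after the first lacks the '='. */
int count_rejected(const char *text, size_t bufsize)
{
    char buf[MAX_LINE];
    size_t used;
    int rejected = 0;

    if (bufsize < 2) return -1;
    if (bufsize > sizeof(buf)) bufsize = sizeof(buf);
    while ((used = fgets_like(buf, bufsize, text)) > 0) {
        if (!line_is_ok(buf)) rejected++;
        text += used;
    }
    return rejected;
}

/* Length in bytes of the longest physical line, newline excluded. */
size_t longest_line(const char *text)
{
    size_t best = 0, cur = 0;
    for (; *text; text++) {
        if (*text == '\n') {
            if (cur > best) best = cur;
            cur = 0;
        } else {
            cur++;
        }
    }
    return cur > best ? cur : best;
}

int main(void)
{
    size_t sizes[] = { 256, 1024, MAX_LINE };
    size_t i;
    printf("longest line: %zu bytes\n", longest_line(SAMPLE_CONFIG));
    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("line buffer %4zu bytes: %d piece(s) rejected\n",
               sizes[i], count_rejected(SAMPLE_CONFIG, sizes[i]));
    return 0;
}
```

Running it reports one rejected piece with the 256-byte buffer and none once the buffer exceeds the longest line, which is the effect of the larger buffers Alan mentions. The reported line number in such an error is also off, since the reader counts pieces rather than physical lines, so a check worth doing when this error appears on a line that looks well-formed is simply to compare its length against the limit of the reader in the version being run.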
Re: compiling error on FreeBSD-4.5?
> Paul S. Puth [EMAIL PROTECTED] wrote:
>> I am trying to compile the latest freeradius snapshot on a FreeBSD 4.5. With just basic ./configure and make, it stopped at ltdl.lo (see below).
> ...
>> gcc: Internal compiler error: program as got fatal signal 4
>> gmake[2]: *** [ltdl.lo] Error 1
>
>   Your system appears to be broken.

It appears to be just his system too. Make ran just fine for freeradius-snapshot-20020426 on my

FreeBSD matchbox.toybox.ca 4.5-RELEASE-p4 FreeBSD 4.5-RELEASE-p4 #0: Tue Apr 23 15:18:48 EDT 2002 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386

just now.

>> If I disable libltdl with ./configure --disable-ltdl-install, it stopped at
>> *** [rlm_attr_rewrite.lo] Error 1
>
>   Reading the rest of the messages associated with that build should help figure out *why* that build failed.

I would suggest a memory test or some other form of system stability test. This is not a FreeBSD-4.5 problem.

Roy
insert and update 2 database
I need to update 2 databases with the data of the radius. I tested putting this in the sql file:

accounting_start_query = INSERT into radacct A LOT OF DATA ;INSERT into A LOT OF DATA

but it doesn't work:

/etc/raddb/sql.conf[124]: Line is not in 'attribute = value' format

Any idea how to update and insert into 2 different databases at the same time?
Re: Client-IP-Address occasionally incorrect
Oleg Derevenetz [EMAIL PROTECTED] wrote:
> There is a dup, so rad_check_ts() must return 1, and the session is valid. There is no reason to call session_zap(), isn't it?

  The session should be zapped ONLY if checkrad decides that the user is not logged in on that port.

> Fri Apr 26 21:30:41 2002 checkrad ascend xx.xx.xx.xx 20219 atuser 74981341
> No SNMP answer from ascend.
> user at port S20219: atuser (dec)
> Returning 1 (double detected)

  And the radutmp module does NOT zap the session if the check for duplicate logins returns '1'.

  Alan DeKok.
Re: insert and update 2 database
> Any idea how to update and insert into 2 different databases at the same time?

You can do this by using replication. Or configure radius like this:

--radiusd.conf--
accounting {
    ...
    sql1
    sql2
    ...
}
--radiusd.conf--

---
Aleksandr Kuzminsky, AK476-RIPE
System Administrator, AK16-UANIC
ISP NBI.