Re: Duplicated sessions in MySQL DB
hi,

same here. RadAcctId was declared as "primary key" and "auto_increment", so whenever duplicate accounting packets from the NASes make it through the radius server, it would be inserted into the table because no duplicate record will be matched.

altering the radacct table to make the AcctSessionId be the PRIMARY KEY will make desirable results, IMHO. any duplicates will not be recorded since the PRIMARY key should be UNIQUE.

just my 0.2 cents,
ronald

On Sun, 1 Dec 2002, Kliment Toshkov wrote:

> I have figured it out that simply changing AcctSessionId key to UNIQUE would
> fix the problem. Probably you would like to change that key in mysql.schema
> in next release?

--
[Never be afraid to try something new. Remember, amateurs built the ark, and professionals built the Titanic.]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
accounting acknowledgement & radius proxy
hi guys,

i have the following setup:

cistron radius -> forwarding server (proxy)
freeradius -> remote server for certain realms + mysql accounting

i have thousands of users on the freeradius server which is proxied by cistron radius. prior to upgrading to the current 0.8 release from the aug. 29 snapshot, accounting packets sent by the NASes were being acknowledged by the remote server thru the proxy server (which i think, is the correct behavior). but right after the upgrade, it seems that all accounting acknowledgments sent by the remote server were being delivered directly to the NASes instead of the proxy. this results in voluminous complaints by rlm_sql about 'duplicate entry' such as this one:

Error: rlm_sql: Couldn't insert SQL accounting STOP record - Duplicate entry '7f93e019ee9b1b76' for key 1

i've already verified on the sql database that the accounting details have been logged. i suspect that the NAS didn't get the acknowledgment from the remote server, thus, it continues to resend the accounting packets.

any ideas? help is already appreciated.

regards,
ronald
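The behaviour discussed in the two messages above (resent STOP records stored twice when only RadAcctId is keyed, and rejected with a duplicate-entry error once AcctSessionId is unique), as an added example that is not part of the original posts or of FreeRADIUS. It assumes SQLite in place of MySQL, a cut-down radacct table, and constructed user names and session times; only the first session id is taken from the log line above.

```python
import sqlite3

# Cut-down radacct table (constructed); SQLite stands in for MySQL here.
RADACCT = """
CREATE TABLE radacct (
    RadAcctId       INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId   TEXT NOT NULL {constraint},
    UserName        TEXT NOT NULL,
    AcctSessionTime INTEGER NOT NULL
)"""

# Constructed STOP records: the second is the NAS resending the first.
STOP_PACKETS = [
    ("7f93e019ee9b1b76", "alice", 3600),
    ("7f93e019ee9b1b76", "alice", 3600),
    ("a1b2c3d4e5f60718", "bob", 120),
]


def record_stops(unique_session_id, packets=STOP_PACKETS):
    """Insert every STOP record; return (rows stored, inserts rejected, seconds billed to alice)."""
    db = sqlite3.connect(":memory:")
    db.execute(RADACCT.format(constraint="UNIQUE" if unique_session_id else ""))
    rejected = 0
    for session_id, user, seconds in packets:
        try:
            db.execute(
                "INSERT INTO radacct (AcctSessionId, UserName, AcctSessionTime) "
                "VALUES (?, ?, ?)",
                (session_id, user, seconds),
            )
        except sqlite3.IntegrityError:
            # The session is already on record, so the resend is dropped here.
            rejected += 1
    rows = db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    billed = db.execute(
        "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName = ?", ("alice",)
    ).fetchone()[0]
    db.close()
    return rows, rejected, billed


if __name__ == "__main__":
    print("RadAcctId key only     :", record_stops(False))
    print("AcctSessionId is UNIQUE:", record_stops(True))
```

With the unique key the resent record is stored once, so usage totals computed from STOP records are not doubled; the rejected insert is what surfaces as the 'Duplicate entry' error.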
Re: NAS resending access-request packets
On Thu, 28 Nov 2002, Allister Maguire wrote:

> Hello,
>
> I was wondering if someone could help me with this question.
>
> If a NAS sends an access-request packet and it does not get a response from the
> radius server within the timelimit (3 sec), it then sends another access-request
> (with different packet id) packet.

IMHO, if any of the attributes on the request packet is NOT changed (i.e. User-Password), it MUST use the same ID, as in the case of retransmissions. otherwise, it will use a new one.

> The radius server gets the first (network lag) packet, assigns an ip address from a
> pool, and sends it back, it then receives the second packet (it has different id,
> local cache response is not used), checks ip pools db, a record exists (NAS IP/Port)
> assigns a new ip address and sends it back.
>
> Does the NAS discard the access-accept of the first packet, and only accept the
> second? or does it accept the first it receives? Therefore the ip address the db
> thinks is assigned, might not be the same as the ip address the NAS assigns to the
> client.

the NAS should accept the first packet and it would consider the second packet as a possible double-login attempt. so it would perform some checks on the session database and send the appropriate access code i.e. reject if the user is restricted to single login only.

if the ID, source IP and source UDP port on the client's ACCESS-REQUEST packet is the same, the server detects it as a duplicate request and would be discarded.

hope this helps,
ronald

> thanks
>
> Allister Maguire
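The duplicate detection described in the exchange above, as an added example that is not part of the original posts and is not FreeRADIUS code. It assumes a toy address pool that hands out the next free address, a hypothetical `Server` class, and constructed client addresses and identifiers; requests are matched on source IP, source UDP port and ID as the reply states.

```python
import time


class DuplicateCache:
    """Keeps the reply sent for each recent request so a resend gets the same answer."""

    def __init__(self, lifetime=5.0, clock=time.monotonic):
        self.lifetime = lifetime
        self.clock = clock
        self._seen = {}  # (src_ip, src_port, ident) -> (expiry, reply)

    def lookup(self, key):
        entry = self._seen.get(key)
        if entry and entry[0] > self.clock():
            return entry[1]
        self._seen.pop(key, None)  # unknown or expired
        return None

    def store(self, key, reply):
        self._seen[key] = (self.clock() + self.lifetime, reply)


class Server:
    """Hypothetical server: answers Access-Requests and leases addresses from a pool."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.cache = DuplicateCache()
        self.leases = []  # addresses the server believes are assigned

    def handle_access_request(self, src_ip, src_port, ident, user):
        key = (src_ip, src_port, ident)
        cached = self.cache.lookup(key)
        if cached is not None:
            return cached  # duplicate: resend the old reply, allocate nothing
        address = self.pool.pop(0)
        self.leases.append(address)
        reply = ("Access-Accept", ident, address)
        self.cache.store(key, reply)
        return reply


def simulate(retransmit_ident):
    """First request uses ID 17; the NAS times out and resends with retransmit_ident."""
    server = Server(["10.0.0.10", "10.0.0.11"])  # constructed pool
    first = server.handle_access_request("192.0.2.1", 1645, 17, "alice")
    second = server.handle_access_request("192.0.2.1", 1645, retransmit_ident, "alice")
    return first, second, server.leases


if __name__ == "__main__":
    print("same ID on resend:", simulate(17))
    print("new ID on resend :", simulate(18))
```

When the resend keeps ID 17 the server returns the cached Access-Accept and one lease exists; with a new ID the request misses the cache and a second address is leased, which is the mismatch the question describes.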
freeradius 0.8 & checkrad
hello guys,

i've recently upgraded to freeradius 0.8. everything went well except checkrad. it was not being invoked by the server to verify simultaneous logins on the NAS. do i miss something trivial in the current release?

regards,
ronald
RE: MSSQL and Freeradius
hi,

you need to install the freetds set of libraries. this allows your *nix box to talk to ms sql server or sybase databases. for more info, visit:

http://www.freetds.org

hope this helps,
ronald

On Wed, 18 Sep 2002, Andrew G. Buenaventura wrote:

> I forgot to mention that I am using mssql.conf and that my driver is
> "rlm_sql_freetds".
>
> I am using Microsoft's SQL 2k and not mysql.
Re: MSSQL and Freeradius
hi,

i've just upgraded to the latest CVS snapshot under FreeBSD 4.5 and so far, it was running perfectly. i'm doing ldap authentication + mysql accounting. i tried looking for the file rlm_sql_freetds.so and it was not existent on my system as well.

for the sake of reproducing the problem, i tried installing it under slackware 8.0 and it went through without complaining. have you tried adding the path (/usr/local/lib) where it looks for shared libraries in your ld.so.conf file? don't forget to run 'ldconfig' after adding the path.

hope this helps,
ronald

On Wed, 18 Sep 2002, Andrew G. Buenaventura wrote:

> I would like to run freeradius-0.7.1 and let it authenticate and record
> accounting details in MS SQL 2000. I have already installed freeradius
> and created the SQL schema using the script provided. When I run
> radiusd -xx , I got the following error:
>
> rlm_sql: Could not link driver rlm_sql_freetds: file not found
> rlm_sql: Make sure it (and all its dependent libraries!) are in the
> search path of your system's ld.
> radiusd.conf[8]: sql: Module instantiation failed
>
> I noticed that rlm_sql_freetds.so does not exist in my system. All
> other rlm_sql_*.so files are inside the /usr/local/lib. Anybody knows
> why rlm_sql_freetds.so is not being created by the install script? I
> tried this on both freebsd 4.X and Redhat Linux 7.X as well as the
> stable and CVS copies of freeradius and I got the same result.
Re: ldap-group
hi,

On Thu, 12 Sep 2002, Brian Leung wrote:

> how about the user object, do i need to add anything attribute to there

if you have already added the user DN under the group DN, then there's no need to add any attribute on the user object. it will be looked-up on the group DN for the user's membership.

another way of checking group membership via LDAP is utilizing the groupmembership_attribute on radiusd.conf. you just need to add another attribute which the ldap module checks if it exists on the user object. IMHO, this is more elegant if you have thousands of users belonging to different groups.

so for this DN,

> # ronaldo, testing
> dn: uid=ronaldo,o=testing
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: inetLocalMailRecipient
> objectClass: radiusprofile
> objectClass: posixAccount
> objectClass: PureFTPdUser
> cn: ronaldo
> sn: ronaldo
> mail: ronaldo@testing
> uid: ronaldo
> uidNumber: 1001
> gidNumber: 1001
> homeDirectory: /home/ronaldo
> userPassword::
> FTPuid: 1001
> FTPQuotaMBytes: 1
> radiusProfileDn: cn=radiusprofile2,o=testing

add this attribute:

radiusGroupName: testgroup

and create this:

[Group DN]
# mygroup, testing
dn: cn=testgroup,ou=testing
cn: testgroup
objectClass: posixGroup
gidNumber: 1101

and on radiusd.conf, set

groupmembership_attribute = radiusGroupName

restart radiusd and see the results.

regards,
ronald
Re: help!!!
hi,

On Thu, 12 Sep 2002, huangjian wrote:

> Sorry! My english is very poor.
> Question:
> Radius-server often crashed when it received numerous authentication-requests within
> short time..
> Errors as follow:
>
> Error: rlm)sql: All sockets are being used! Please increase maximum number of sockets!

as the message suggests, increase the maximum number of sockets in the sql.conf file. refer also to doc/tuning_guide for more tips.

hope this helps,
ronald
Re: Stale Sessions
hi,

On Thu, 12 Sep 2002, Ador Dauz wrote:

> need help please, my RAS is USR/3Com Total Control, how do I check if
> my checkrad is properly work? I have a firewall also, what port should I
> open?

edit checkrad and set the $debug variable according to your preference. don't forget to populate the nasclient/naspasswd file appropriately. this will give checkrad a hint on what type your NAS is and how to log on these NASes. pls. see doc/Simultaneous-Use for more info.

if your radius server is behind a firewall, you should open SNMP and/or telnet ports to allow checkrad 'see' who is currently logged-in on the NASes.

hope this helps,
Ronald

> Thanks in advance
> --ador
Re: Stale Sessions
hello,

> First of all, you should use checkrad when enforcing one simultaneous connection
> per user. That way the sql module can delete the stale session.

yeah, 'twas one config that i've overlooked ;)

> Normally they should be 'deleted' when an accounting stop arrives from the nas.
> Please check that everything is working ok with your accounting (for instance
> check that the nas does not timeout when sending the accounting packets).

in the case of stale sessions, it was automatically handled by the sql module as verified by checkrad. all was logically working as it should be.

thanks for the reply.

regards,
Ronald

> --
> Kostas Kalevras    Network Operations Center
> [EMAIL PROTECTED]    National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
Stale Sessions
hi guys,

i'm using the aug29 snapshot of freeradius + ldap authentication + mysql accounting. i'm enforcing one (1) simultaneous connection per user login via simul_count_query of the sql module. deletestalesessions was already set to 'yes' on the config file. however, most of my users end up having stale connection which denies them access on their next login. manually deleting it on the sql server is fine but it becomes a nightmare if it occupies most of your time.

is there any other way of deleting these stale sessions? what might be the cause of the stale connections? can someone point me to the right direction pls?

regards,
ronald
RE: RH 6.2 & Freeradius-0.7
hi,

On Fri, 6 Sep 2002, Joeffrey Betita wrote:

> i did turn on logging for authentication request on radiusd.conf and
> restarted the radius server. but it did not register my username when i type
> tail -f /var/log/radius/radius.log i try to dialup using Win98. pls. help
> me. thanks for your help.

try running radiusd in debug mode:

radiusd -x -A

the output should give you an idea if your radius client authenticates with freeradius and will show you what's happening under the hood. take note of the error messages that you'll see on startup and while the authentication process goes on.

hth,
ronald
Re: RH 6.2 & Freeradius-0.7
hello,

> >Freeradius is now running on my RH6.2 but when i try to dialup my login
> name did not appear on the radius.log

you need to turn on logging for authentication requests on radiusd.conf

don't forget to restart radiusd after editing the conf file.

regards,
Ron
Re: Duplicate Accounting Packets
hello all,

sorry for crying it out too quick. the answer can be found in the docs itself. it's nice to know that the developers have dealt with it perfectly.

regards,
Ron

On Tue, 3 Sep 2002, [EMAIL PROTECTED] wrote:

> hello gurus,
>
> i would like to know how does freeradius+mysql accounting deal with duplicate
> packets sent by the nas?
>
> with cistron, i constantly encounter duplicate stop records with the same
> session id. and since we calculate timeusage based on the stop records, it
> will produce undesirable results.
>
> is there any mechanism that freeradius use to eliminate this when used in
> conjunction with mysql?
>
> any help is already appreciated.
>
> regards,
>
> Ron Rivera
Duplicate Accounting Packets
hello gurus,

i would like to know how does freeradius+mysql accounting deal with duplicate packets sent by the nas?

with cistron, i constantly encounter duplicate stop records with the same session id. and since we calculate timeusage based on the stop records, it will produce undesirable results.

is there any mechanism that freeradius use to eliminate this when used in conjunction with mysql?

any help is already appreciated.

regards,
Ron Rivera
Re: LDAP & MySQL
hello all,

i've successfully configured freeradius with LDAP authentication and SQL accounting. thanks to all who responded on the list.

best regards,
Ron Rivera
LDAP & MySQL
hello,

i've already configured freeradius + ldap for authentication. and i've successfully utilized the Ldap-Group attribute for enforcing session timeouts. i was looking for the possibility of using MySQL for accounting instead of the traditional detail file. i could write a perl script that parses the detail file and dump it to an sql server but it would be nice if the server log its accounting details directly to sql. is this possible? my goal is to use LDAP for authentication and MySQL for accounting.

thanks in advance.

regards,
Ron Rivera
Re: Huntgroups + LDAP
Hi,

On Wed, 28 Aug 2002, Kostas Kalevras wrote:

> A huntgroup (if we are talking about the same thing) is defined in the
> huntgroups file in freeradius. Defining it in ldap is of no use. You can do much
> more clever things with the huntgroups file. You could use though the
> Huntgroup-Name and User-Profile attributes and define separate user profiles for
> each huntgroup. In more detail:

Yes, we're talking about the same thing :) FYI, my users are stored in LDAP and gets authenticated via Auth-Type := LDAP

I already tried using the Huntgroup-Name attribute but it was never matched. IIRC, the group name was being checked against the system group file. How could I tell freeradius to check the group membership on an LDAP server? And check it for any match on the users file?

What I'm trying to accomplish is to check every user who log in for their group membership then compare if it has a DEFAULT entry match on the users file, then run an external program which calculates its remaining time and return the Session-Timeout attribute.

Here's an entry from my users file:

DEFAULT Huntgroup-Name == "testing"
        Exec-Program-Wait = "/usr/local/sbin/testing %u %n %p",
        Fall-Through = Yes

I've read some docs re: Ldap-Group attribute but it requires that every user dn must be entered on its group dn. For example,

dn: cn=users,ou=groups,dc=foo,dc=com
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: users
gidNumber: 1101
memberUid: arise
uniqueMember: uid=arise,ou=People,dc=foo,dc=com

This works well if you have few users but what if you have 10,000+ users in different huntgroups? You need to add all of them on its own group dn. Is there any other way of doing this? Like checking the radiusHuntgroupName attribute then compare if it matches on the huntgroups file.

Is there anything I miss here? Thanks for the time.

regards,
Ron

> users file:
>
> DEFAULT Huntgroup-Name == "foo", User-Profile :=
> "uid=foo-profile,dc=company,dc=com"
>
> Hope it helps
>
> --
> Kostas Kalevras    Network Operations Center
> [EMAIL PROTECTED]    National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
Huntgroups + LDAP
hi all,

i'm currently migrating from cistron radius to freeradius + ldap backend. on cistron radius, we're using huntgroups and run an external program to return the Session-Timeout for a particular system group. was it still the same for freeradius? does it check for the huntgroup name via LDAP? can someone shed some light pls?

thanks in advance.

regards,
ron