Proxy Realm Error or Realm dead ??
Hi all,

Found a problem on freeradius when I review the log file (detail-MMDD). The following is my proxy settings.

default (proxy to 1.1.1.1)
abc.com (proxy to 2.2.2.2)

But I found some error entries in detail log. The username is [EMAIL PROTECTED] and its realm must be "abc.com". But in detail log, it belongs to "default".

Does anybody have the same problem? Or is abc.com dead and freeradius assigned [EMAIL PROTECTED] to a new realm (default)?

Rio

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How does freeradius calculate the number of required threads?
Another update: I've measured the time required by a single function under light load (5-7 req/sec) - on average it takes ~0.01 to 0.015 to process authorize, pre-acct and less than half of that for pre/post proxy.

Under heavier load the boxes still spiral out of control (but only after some time) and eventually freeradius disappears off the list of processes in a puff of white smoke, without leaving any trails in the logs (except for complaints about max of thread running). I have no idea what causes that, but the fact that it doesn't happen straightaway suggests some memory problems (but not lack of it, the boxes have 4GB of RAM).

I think I hit a wall :-( and I don't think rlm_perl is going to make it to the next phase of the project.

regards
pshemko
FreeRadius User config file
Hi All,

I am currently configuring power distribution units (PDU) in our organisation, authentication from freeradius-1.0.1-3.RHEL4.3

1. I have configured the dictionary file accordingly.

    client 131.xxx.xx.xxx {
        secret = abcdeffghijk
        shortname = PDU1
    }
    client 131.xxx.xx.xxx {
        secret = lmnoopqrstuve
        shortname = PDU2
    }

2. I have also defined the ATTRIBUTE and VALUE in the dictionary file as per APC vendor's instructions

    VENDOR        APC  318
    BEGIN-VENDOR  APC
    ATTRIBUTE     APC-Service-Type  1  integer  APC
    VALUE         APC-Service-Type  Admin     1
    VALUE         APC-Service-Type  Device    2
    VALUE         APC-Service-Type  ReadOnly  3

3. I have modified the users file, created groups and outlet access for each group. In the below example, I have given group3 access to outlet3.

    DEFAULT Group == "group3", Auth-Type = System
        APC-Service-Type = Outlet,
        APC-Outlets = "3",
        Fall-Through = No

4. Now, I have 20 PDUs set up (in pairs) and I also would like to restrict the subnets that it can authenticate from. I would like to set up a rule in the users file as following:

    If pdu1 or pdu2 {
        if group1 and authenticated from the approved subnets
        Then
            APC-Service-Type = Outlet,
            APC-Outlets = "1",
    }

And so on for the rest of the PDU pairs.

Has anyone done a similar setup before? If so, could you please shed light?

Thanks in advance
Uma
[EMAIL PROTECTED]
Re: Static IP Address allocation database - Active Directory?
On 10/30/06, duckeo <[EMAIL PROTECTED]> wrote:
> > On 10/27/06, Jonathan De Graeve <[EMAIL PROTECTED]> wrote:
> > > > Has anyone experimented with using Active Directory as a database for
> > > > Static IP Addressing?
> > > Yes, just assign a static ip in the AD dial-in properties for that user and adapt the ldap.attrmap accordingly, this works perfectly. There is no need to make a user member of a 'radius_staticip' Group.
> > Some digging shows me I have in Active Directory 2003 the ldap attribute "msRadiusFramedIPAddress" corresponding to the entry in the Dial In tab. It's a string in LONGIP format at the moment, hoping I can work with that.

Okay it's simpler than I thought. I commented out the replyItem for Framed-IP-Address and changed the last attribute to msRADIUSFramedIPAddress and it works, if the static IP is defined in AD it is returned, else 255.255.255.254 is returned as usual.
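A check on the directory values this thread relies on, as an added example that is not part of the original posts: it assumes "LONGIP" means the address as a 32-bit integer (which a directory export may show as signed), decodes it to dotted-quad form, and audits an export for special, out-of-range or duplicate static assignments. The function names, the sample users and the 192.168.1.0/24 range are hypothetical.

```python
import ipaddress
from collections import defaultdict

# RFC 2865 special Framed-IP-Address values; not real static addresses.
SPECIAL = {"255.255.255.255": "user-selects", "255.255.255.254": "nas-selects"}

def decode_longip(value):
    """Assumed format: signed or unsigned 32-bit integer, given as text or int."""
    n = int(str(value).strip())          # raises ValueError on dotted quads etc.
    if not -2**31 <= n < 2**32:
        raise ValueError(f"not a 32-bit address: {value!r}")
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))

def encode_longip(dotted):
    """Dotted quad to the signed 32-bit integer form."""
    n = int(ipaddress.IPv4Address(dotted))
    return n - 2**32 if n >= 2**31 else n

def audit(entries, allowed_net):
    """Return (user, address, problem) tuples for (user, raw_value) pairs."""
    net = ipaddress.ip_network(allowed_net)
    seen = defaultdict(list)
    findings = []
    for user, raw in entries:
        try:
            addr = decode_longip(raw)
        except ValueError:
            findings.append((user, None, "undecodable"))
            continue
        if addr in SPECIAL:
            findings.append((user, addr, SPECIAL[addr]))
        elif ipaddress.ip_address(addr) not in net:
            findings.append((user, addr, "outside-range"))
        seen[addr].append(user)
    # Two accounts with the same static address will collide on the NAS.
    for addr, users in seen.items():
        if addr not in SPECIAL and len(users) > 1:
            findings.extend((u, addr, "duplicate") for u in users)
    return findings

# Constructed sample export: (account name, msRADIUSFramedIPAddress value)
SAMPLE = [("alice", "-1062731510"), ("bob", "3232235786"),
          ("carol", "-2"), ("dave", "167772161"), ("erin", "10.0.0.1")]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.168.1.0/24"):
        print(finding)
```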
Re: Static IP Address allocation database - Active Directory?
> On 10/27/06, Jonathan De Graeve <[EMAIL PROTECTED]> wrote:
> > > Has anyone experimented with using Active Directory as a database for
> > > Static IP Addressing?
> > Yes, just assign a static ip in the AD dial-in properties for that user and adapt the ldap.attrmap accordingly, this works perfectly. There is no need to make a user member of a 'radius_staticip' Group.
> Some digging shows me I have in Active Directory 2003 the ldap attribute "msRadiusFramedIPAddress" corresponding to the entry in the Dial In tab. It's a string in LONGIP format at the moment, hoping I can work with that.
Re: Static IP Address allocation database - Active Directory?
On 10/30/06, duckeo <[EMAIL PROTECTED]> wrote:
On 10/27/06, Jonathan De Graeve <[EMAIL PROTECTED]> wrote:
> > Has anyone experimented with using Active Directory as a database for
> > Static IP Addressing?
> Yes, just assign a static ip in the AD dial-in properties for that user and adapt the ldap.attrmap accordingly, this works perfectly. There is no need to make a user member of a 'radius_staticip' Group.

Okay having trouble getting this working, what attribute needs to be changed? I'm currently just using the users file to check for membership of the group and returning the correct attributes if successful. For the Static IPs I'd like the user to have to be a member of the group, and have the "Dial In" tab's Static IP set, and return that IP to them in the attribute.
Re: Static IP Address allocation database - Active Directory?
On 10/27/06, Jonathan De Graeve <[EMAIL PROTECTED]> wrote:
> Has anyone experimented with using Active Directory as a database for
> Static IP Addressing?
Yes, just assign a static ip in the AD dial-in properties for that user and adapt the ldap.attrmap accordingly, this works perfectly. There is no need to make a user member of a 'radius_staticip' Group.

Thanks, will give it a try in the morning. I've got that group used as not all users have permission to dial in to the service.
Re: how to check multiple value of same attribute
"open source" <[EMAIL PROTECTED]> wrote: > The radius is checking only against the first check item, it's not checking > the second one. You can put two entries into Login-Time, by separaring them with commas. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How does freeradius calculate the number of required threads?
"Pshem Kowalczyk" <[EMAIL PROTECTED]> wrote: > I have one more question, though, - assuming that almost every single > packet request requires some perl intervention - what should be the > ratio of freeradius threads to rlm_perl threads (at least which number > should be higher, or should they be equal)? They can be equal. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about rlm modules
"Ali Majdzadeh" <[EMAIL PROTECTED]> wrote: > (As suggested by the template itself) > > * *reply = pairmake ("User-Name", "root", T_OP_EQ); > pairadd (&request->reply->vps, reply); > request->reply->code = PW_USER_NAME; No, that last line is wrong. Completely and totally wrong. No template or examples suggests that you do that. Delete it. > What specific code should I use when for example I want to send > h323-credit-amount attribute to a NAS? You don't use a code. You just refer to the attribute by name. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about rlm modules
Hi all

Is it possible to send Vendor Specific Attributes through an rlm module?
I use the following method to send standard attributes through an rlm module:
(As suggested by the template itself)

reply = pairmake ("User-Name", "root", T_OP_EQ);
pairadd (&request->reply->vps, reply);
request->reply->code = PW_USER_NAME;
DEBUG ("rlm_cmod: Sending User-Name");

What specific code should I use when for example I want to send h323-credit-amount attribute to a NAS?

Best Regards
Ali