Re: Two Ldaps Authentication

2006-06-16 Thread Terry J Fike Jr

Message: 6
Date: Fri, 16 Jun 2006 09:44:29 -0700 (PDT)
From: fvt3 [EMAIL PROTECTED]
Subject: Re: Two Ldaps Authentication
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Alan,

This is what I have in my radius.conf


Autz-Type LDAP1 {
        ldap_ldap1 {
                invalid = return
        }
        ldap_ldap2
}

Auth-Type LDAP1 {
        redundant {
                ldap_ldap1
                ldap_ldap2
        }
}

users file

DEFAULT Auth-Type = LDAP1
        Fall-Through = No,
        Reply-Message = "ldap login"



I'm forcing radius to look up the user in ldap1 (ldap) and
ldap2 (Active Directory).  The same user name can
reside on both db backends.  With this setup, radius
only works if the user name does not exist on both dbs.
 If user John is on both dbs, it would only
authenticate off LDAP1 and not LDAP2.

Here is my log


snip

Correct...this is the way you have it configured.
As long as ONE ldap server answers the request (whether it be an 
authentication allowed or rejected) it still answered, so it won't fail 
over to the next ldap server...

--- Alan DeKok

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius and 2 ldap servers.

2006-05-17 Thread Terry J Fike Jr
Okay, since this isn't easy to piece together from the docs (and no one 
has posted this on the mailing list that i've seen, and i've gotten a 
few emails on this as well), here is how i got freeradius running with 
good failover with 2 ldap servers.
hopefully those who know the system better than me will let me/us (the 
list) know if i've done something wrong here.


in the ldap section you'll have:

ldap ldap1 {
        server = ip
        identity = 
        ...
}

ldap ldap2 {
        second server info
}

then in the instantiate section put
ldap1
ldap2

then in authorize you'll have:

redundant {
  ldap1
  ldap2
}

and in authenticate you'll have:

Auth-Type LDAP {
        redundant {
                ldap1
                ldap2
        }
}


that is what worked for me.
now one thing to consider/think about.  it appears whichever server is 
listed second (in instantiate, authorize, and authenticate) will be hit 
first.  not sure why this is...and it may not be important

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
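
The "Re: Two Ldaps Authentication" thread above and this post both turn on how a redundant block treats the answers it gets back. The Python model below is an added illustration, not FreeRADIUS code: the two directories, their users and their passwords are constructed, and only the return-code rule of a redundant block is modelled (the next instance is consulted only when the previous one returned fail; ok and reject are both answers and end the block). It reproduces the case fvt3 described, the same user present in both directories, and the server-down case that a redundant block is actually for.

```python
"""Model of a FreeRADIUS 'redundant { ldap_ldap1 ldap_ldap2 }' block over two
directories. Added illustration, not FreeRADIUS code: only the return-code rule
of a redundant block is modelled (move to the next instance only when the
previous one returned fail; ok, reject and notfound are all answers and end the
block). The directories, users and passwords below are constructed sample data."""
from enum import Enum


class Rcode(Enum):
    OK = "ok"              # credentials verified
    REJECT = "reject"      # user known here, wrong credentials
    NOTFOUND = "notfound"  # user not in this directory
    FAIL = "fail"          # directory did not answer (down, timeout)


class MockDirectory:
    """Stand-in for one rlm_ldap instance; not a real LDAP client."""

    def __init__(self, name, users, up=True):
        self.name = name
        self.users = users  # username -> password, constructed
        self.up = up

    def authenticate(self, username, password):
        if not self.up:
            return Rcode.FAIL
        if username not in self.users:
            return Rcode.NOTFOUND
        return Rcode.OK if self.users[username] == password else Rcode.REJECT


def redundant(instances, username, password):
    """Evaluate 'redundant { a b ... }': try the next instance only after FAIL.
    Returns (rcode, name of the instance that answered); (FAIL, None) if none did."""
    for inst in instances:
        rcode = inst.authenticate(username, password)
        if rcode is not Rcode.FAIL:
            return rcode, inst.name
    return Rcode.FAIL, None


def demo():
    """The cases from the thread: 'john' lives in both directories with a
    different password in each (constructed)."""
    ldap1 = MockDirectory("ldap_ldap1", {"john": "pw-openldap"})
    ldap2 = MockDirectory("ldap_ldap2", {"john": "pw-ad"})
    chain = [ldap1, ldap2]
    results = {
        # john with his ldap1 password: ldap1 answers ok
        "john_ldap1_password": redundant(chain, "john", "pw-openldap"),
        # john with his ldap2 (AD) password: ldap1 answers reject, and a
        # reject is an answer, so ldap2 is never asked
        "john_ldap2_password": redundant(chain, "john", "pw-ad"),
    }
    # ldap1 stops answering: only now does the block move on to ldap2
    ldap1.up = False
    results["john_ldap2_password_ldap1_down"] = redundant(chain, "john", "pw-ad")
    # both down: nobody answered at all
    ldap2.up = False
    results["both_down"] = redundant(chain, "john", "pw-ad")
    ldap1.up = ldap2.up = True
    return results


if __name__ == "__main__":
    for case, (rcode, who) in demo().items():
        print(f"{case:34s} -> {rcode.value:9s} (answered by {who})")
```

Run as a script it prints the four cases. The practical consequence for a two-directory deployment is the one Alan states: redundant buys availability, not "try the other directory if this one says no"; the instance listed first decides for every user it knows about, so overlapping user names across the two directories have to be resolved some other way.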


Re: radius filters for ldap searching

2006-05-11 Thread Terry J Fike Jr



The only way i got this to work was separate trees in ldap for each 
group, and then in the default line in your users file put the tree you 
want it to search for the group and nas definition.


Message: 2
Date: Thu, 11 May 2006 12:52:47 +0300
From: Mircea Harapu [EMAIL PROTECTED]
Subject: radius filters for ldap searching
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello,

I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on 
cisco switches.
Every switch belongs to a specific group and for every user I'm setting 
the groups he can access. I also use cisco avpairs for privilege level.

So far, so good!
The problems occurred when I tried to make a user have different 
privilege levels on different switches.

This is the profile I'm using :

# test, radius, isp.ro
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: xxx
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User

# bucuresti, test, radius, isp.ro
dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: shell:priv-lvl=15
cn: bucuresti

# valcea, test, radius, isp.ro
dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: shell:priv-lvl=7
cn: valcea

raddb/users
# Switch 192.168.50.202
# Descriere test
DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
   Fall-Through = no
DEFAULT Auth-Type := Reject

what I need is to filter the ldap search in authorize section based on 
GroupName and I don't know how.


--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius and 2 ldap servers

2006-04-27 Thread Terry J Fike Jr
Okay, i'm probably being a little dense here but just wanted to check 
i'm understanding this correctly.


if i'm running 2 ldap servers; in the users file, do i need a default 
entry for each ldap server?


for example:
moving from a line like this with a single ldap server:

DEFAULT Huntgroup-Name == People, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := "uid=%{User-Name},ou=People,dc=mtaonline,dc=net"
        Fall-Through = no

to two lines like this:

DEFAULT Huntgroup-Name == People, Ldap_primary-Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := "uid=%{User-Name},ou=People,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == People, Ldap_secondary-Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := "uid=%{User-Name},ou=People,dc=mtaonline,dc=net"
        Fall-Through = no

assuming your ldap instantiations are ldap_primary and ldap_secondary 
respectively.


thanks in advance
t-

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius ldap with two trees

2006-04-25 Thread Terry J Fike Jr
Okay, i want radius to look at two trees in ldap, one tree for dial-up 
one tree for dsl (so a user with a static ip in dsl gets a dynamic ip in 
dial-up).


my huntgroup is like this:

dialip1
dialip2
dialip on local box for testing

dsl ip3
dsl ip4
dsl ip on local box for testing

with the ip on local box commented out on the one i'm not testing.

my users file is like so (at least, the two lines i'm testing with):

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := "uid=%{User-Name},ou=people,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := "uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the help desk."

my ldap config in the radiusd.conf is as follows:

ldap {
        server = private ip
        identity = cn=Manager,dc=mtaonline,dc=net
        password = somepassword
        basedn = ou=people,dc=mtaonline,dc=net
        #basedn = dc=mtaonline,dc=net

        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        tls_mode = no
        #this maps ldap attributetypes to radius attributes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        #password_header = {clear}
        password_attribute = userPassword
        groupname_attribute = radiusGroupName
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
        groupmembership_attribute = radiusGroupName
        timeout = 3
        timelimit = 5
        net_timeout = 1
        compare_check_items = no
}

if i test with a user on the tree listed in basedn, it works.  if i try 
to test with a user in a different tree, it fails.  if i try a basedn 
one level up (so i can try to go down both trees) both users receive an 
Auth-Reject please call the help desk.  in radiusd -X the reason is 
because ldap is finding multiple entries for the user (in two plus trees).


i've gone through the documentation multiple times (and feel like i'm 
missing something).  what am i doing wrong? or is there no way to do 
what i'm trying to do?


i suppose it comes down to this: is there a way to re-define the basedn in 
either huntgroups, or on a default line in the users file, so the search 
comes up with a single user?


thanks for your help
t-

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius ldap with two trees

2006-04-25 Thread Terry J Fike Jr

 Try this in your radiusd.conf:

  basedn = ou=%{Huntgroup-Name},ou=radius,dc=mtaonline,dc=net

 You will need to either rename your dial huntgroup to people to
 match your ldap structure or you can change the profile OU to be dial.
 Either way, this setup is working for me.

 Ben

this works!  thanks Ben

t-

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
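
Ben's basedn = ou=%{Huntgroup-Name},... fix above, and the earlier "radius filters for ldap searching" advice to keep each group in its own tree, both work by narrowing the search base per request so that rlm_ldap sees exactly one entry. The Python below is an added illustration, not FreeRADIUS or OpenLDAP code: it expands the thread's basedn and filter templates against a request, searches a constructed in-memory directory (the huntgroups, the tree, the users and the domain dc=example,dc=net are all constructed), and rejects when the search returns zero or several entries, which is the "finding multiple entries for the user" failure seen in radiusd -X. It goes slightly beyond the thread in one respect: the User-Name placed into the filter is escaped per RFC 4515, as rlm_ldap does for expanded attributes, so a request cannot add its own filter terms.

```python
"""Model of the per-huntgroup basedn fix from the two-trees thread.

Added illustration, not FreeRADIUS or OpenLDAP code. It expands the thread's
    basedn = ou=%{Huntgroup-Name},ou=radius,dc=...
and filter = (uid=%{Stripped-User-Name:-%{User-Name}}) per request, searches a
constructed in-memory directory, and applies the rule the poster ran into with a
wide basedn: anything other than exactly one matching entry is a reject.
Huntgroups, tree, users and the domain dc=example,dc=net are all constructed."""
import re

# Constructed stand-in for huntgroups.conf: NAS-IP-Address -> Huntgroup-Name
HUNTGROUPS = {"10.1.1.1": "dial", "10.1.1.2": "dial", "10.2.2.1": "dsl"}

# Constructed directory: uid=terry exists once in each tree, uid=bob only in dial.
DIRECTORY = [
    {"dn": "uid=terry,ou=dial,ou=radius,dc=example,dc=net", "uid": "terry"},
    {"dn": "uid=terry,ou=dsl,ou=radius,dc=example,dc=net", "uid": "terry",
     "radiusFramedIPAddress": "192.0.2.25"},
    {"dn": "uid=bob,ou=dial,ou=radius,dc=example,dc=net", "uid": "bob"},
]

BASEDN_PER_HUNTGROUP = "ou=%{Huntgroup-Name},ou=radius,dc=example,dc=net"
BASEDN_WIDE = "dc=example,dc=net"   # the "one level up" attempt from the thread
FILTER = "(uid=%{Stripped-User-Name:-%{User-Name}})"


def ldap_escape(value):
    """RFC 4515 escaping for a value placed into a search filter, as rlm_ldap
    does for expanded attributes, so a User-Name cannot add its own filter terms."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def xlat(template, request, escape=lambda v: v):
    """Expand %{Attr} and %{Attr:-fallback}; the fallback may itself be an xlat,
    which covers %{Stripped-User-Name:-%{User-Name}}. A missing or empty
    attribute takes its fallback, or '' when there is none. Attribute values
    are escaped, never re-expanded."""
    out, i = [], 0
    while (start := template.find("%{", i)) >= 0:
        out.append(template[i:start])
        depth, j = 0, start + 1          # walk to the brace that closes this xlat
        while j < len(template):
            depth += template[j] == "{"
            depth -= template[j] == "}"
            if depth == 0:
                break
            j += 1
        name, _, fallback = template[start + 2:j].partition(":-")
        value = request.get(name)
        out.append(escape(value) if value else xlat(fallback, request, escape))
        i = j + 1
    out.append(template[i:])
    return "".join(out)


def subtree_search(basedn, ldap_filter):
    """Subtree search over DIRECTORY for the one filter shape the thread uses,
    (uid=value). DNs are compared lower-cased, without spaces (a simplification)."""
    m = re.fullmatch(r"\(uid=([^()]*)\)", ldap_filter)
    if m is None:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    uid = re.sub(r"\\([0-9a-fA-F]{2})",
                 lambda h: chr(int(h.group(1), 16)), m.group(1))  # undo escaping
    base = basedn.replace(" ", "").lower()
    return [e for e in DIRECTORY if e["uid"] == uid
            and (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))]


def authorize(request, basedn_template=BASEDN_PER_HUNTGROUP):
    """Return ("ok", dn) when the search yields exactly one entry, otherwise
    ("reject", reason): zero hits, or the 'multiple entries' case from the thread."""
    req = dict(request)
    req.setdefault("Huntgroup-Name", HUNTGROUPS.get(req.get("NAS-IP-Address", ""), ""))
    basedn = xlat(basedn_template, req)            # server-side value, not escaped
    hits = subtree_search(basedn, xlat(FILTER, req, ldap_escape))
    if len(hits) == 1:
        return "ok", hits[0]["dn"]
    if not hits:
        return "reject", f"no entry under {basedn}"
    return "reject", f"{len(hits)} entries under {basedn}; rlm_ldap needs exactly one"


if __name__ == "__main__":
    for req in ({"User-Name": "terry", "NAS-IP-Address": "10.1.1.1"},
                {"User-Name": "terry", "NAS-IP-Address": "10.2.2.1"},
                {"User-Name": "terry)(uid=*", "NAS-IP-Address": "10.1.1.1"}):
        print(req["User-Name"], "from", req["NAS-IP-Address"], "->", authorize(req))
    print("wide basedn ->",
          authorize({"User-Name": "terry", "NAS-IP-Address": "10.2.2.1"}, BASEDN_WIDE))
```

The same user name from a dial NAS and from a DSL NAS resolves to two different entries, so the DSL entry can carry the static radiusFramedIPAddress while the dial entry does not; with the wide basedn both entries match and the request is rejected exactly as the thread reports. A request from a NAS that is in no huntgroup expands to an empty ou= and matches nothing, which is a reject rather than a fall-back to the whole tree.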


Freeradius and LDAP with static ips...

2006-04-05 Thread Terry J Fike Jr
Okay, i have freeradius and ldap talking together quite fine. it doesn't 
matter if the nas is a dsl or dial-up, it works correctly (huntgroups, 
defaults in the users file...etc)


what i am wondering is there a way that if i have a user with a static 
ip for dsl, that i can not pull the static ip on the same account with 
dialup.


i have group attributes for dsl and dialup, the static ip is associated 
with the user in ldap.


below is an example dsl group from ldap and my dial-up group. also, the 
user i'm testing with (these are in ldif format).


before moving to ldap all our dsl users were flatfiled in the users file 
(yea, i know how bad that is, and it is why i am pushing the move to 
ldap).   anyways...in order to make this work we just added 
NAS-Identifier to the username/password line for authentication on users 
with static ips.  this forced the system to authenticate via unix 
authentication for dial-up.  is there a way to do this in ldap without 
two trees (one for dsl, one for dialup, or one for statics, one for normal 
users? or ??)


oh...yea...and i'll also put my defaults in from the users file.
the huntgroups just list the NAS-IP-Address (for testing, 
255.255.255.255 which i move to whichever group i want to work with as 
i'm running radtest locally on the radius server)


thanks in advance
t-

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no



version: 1

# LDIF Export for: uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on 
April 5, 2006 2:00 pm

# Server: My LDAP Server (10.10.0.46)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1

# Entry 1: uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net
dn: uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net
radiusFramedCompression: Van-Jacobson-TCP-IP
radiusPortLimit: 1
radiusFramedMTU: 1500
objectClass: radiusprofile
radiusRateLimitRate: 0
radiusPoliceRate: 0
uid: dial
radiusPoliceBurst: 15000
radiusIdleTimeout: 900
radiusFramedProtocol: PPP
radiusSessionTimeout: 18000
radiusRateLimitBurst: 0

version: 1

# LDIF Export for: uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on 
April 5, 2006 2:00 pm

# Server: My LDAP Server (10.10.0.46)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1

# Entry 1: uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net
dn: uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net
radiusPortLimit: 1
radiusFramedMTU: 1500
objectClass: radiusprofile
radiusRateLimitRate: 8192
radiusPoliceRate: 8192
uid: dsl8m
radiusPoliceBurst: 15000
radiusIdleTimeout: 0
radiusSessionTimeout: 0
radiusFramedRouting: None
radiusRateLimitBurst: 15000
radiusServiceType: Framed-User

version: 1

# LDIF Export for: uid=ftptest99,ou=People,dc=mtaonline,dc=net
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on 
April 5, 2006 2:01 pm

# Server: My LDAP Server (10.10.0.46)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1

# Entry 1: uid=ftptest99,ou=People,dc=mtaonline,dc=net
dn: uid=ftptest99,ou=People,dc=mtaonline,dc=net
mailLocalAddress: [EMAIL PROTECTED]
sn: Tester
userPassword: {CRYPT}XuO3ko3FEXkV6
loginShell: /bin/sh
uidNumber: 2001
gidNumber: 2001
objectClass: OpenLDAPperson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: radiusprofile
objectClass: inetLocalMailRecipient
objectClass: dcObject
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: ftptest99
shadowLastChange: 13014
mailHost: mail.mtaonline.net
mailRoutingAddress: [EMAIL PROTECTED]
cn: Ftp99 Tester
homeDirectory: /export/home/ftptest99
dc: People.mtaonline.net
radiusFramedIPAddress: 192.168.200.1
radiusFramedIPNetmask: 255.255.255.0
radiusGroupName: dsl8m
radiusGroupName: dial
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius, Ldap, and static IPs for users.

2005-10-07 Thread Terry J Fike Jr

Hello All,

I'm trying to figure out how to get a static ip to only show up on a DSL 
login, and not a Dial-up.  I'm using Freeradius 1.0.1 and OpenLdap 
2.1.30.  The only changes in the radiusd.conf is to bind to an ip and 
port and turn off radutmp and radwtmp


I have a huntgroup for the dial-up that allows me to differentiate 
between the dial and dsl based on the radiusGroupName without any 
problems.  But now i need to be able to let a DSL user with a static ip 
be able to log in via dial-up and pull a dynamic ip.  Is this possible 
and how do i do it (or for that matter, what docs might even point me in 
the right direction)?  i'm not seeing much on this in my searches.


my huntgroups.conf is like this:
dialup NAS-IP-Address == ip of nas device

in my users file i have this:
DEFAULT Ldap-Group == disabled, Auth-Type := Reject
        Reply-Message = "Account disabled.  Please call the helpdesk."

DEFAULT Huntgroup-Name == dialup, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl128, User-Profile := "uid=dsl128,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl256, User-Profile := "uid=dsl256,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl512, User-Profile := "uid=dsl512,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl768, User-Profile := "uid=dsl768,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl4m, User-Profile := "uid=dsl4m,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."

the ldap user i'm testing this all with looks like this:
dn: uid=tfike,ou=People,dc=mtaonline,dc=net
cn: Terry
gecos: Terry,,Fike
gidNumber: 14
homeDirectory: /export/home/tfike
loginShell: /bin/csh
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: shadowAccount
radiusFramedIPAddress: 216.152.176.25
radiusFramedIPNetmask: 255.255.255.255
radiusGroupName: dial
radiusGroupName: dsl4m
shadowLastChange: 13062
uid: tfike
uidNumber: 130
userPassword: temppass

thanks in advance.
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius install problem

2005-05-09 Thread Terry J Fike Jr
when you set up the client in the clients.conf
did you put all the client info inside {} ?
client ip {
  secret = nosecret
  shortname = mycomputer
}
it didn't look that way in the message, but that may have just been for 
ease of writing...
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: question about ippools

2005-03-10 Thread Terry J Fike Jr
 It all depends on how you get the Pool-Name attribute added to the
 user's configuration attribute list. If it's added for one user when
 that user comes from a specific NAS, then only that user on that
 specific NAS will get an IP from the relevant pool.
Okay, i see in the radiusd.conf where to set the pools, but where do i 
define them as per NAS? (ie: pool 1.2.3.0/24 to NAS1 and 1.2.4.0/24 to 
NAS2)
then in the user's info just add Pool-Name := poolname, right?
what is the Group == poolname part for in the DEFAULT??
would that be for the fallthroughs?
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radrealay and coredumps...

2005-03-02 Thread Terry J Fike Jr
Okay, i'm about 90% certain i've blown away everything before rebuilding. 
(i guess this is what i get for having four different versions on the 
machine in the last couple years...)

both were built with the environment variables
CC=/opt/csw/gcc3/bin/gcc -m64
PATH=/usr/bin:/sbin:/usr/sbin:/opt/oracle/products/9.2.0/bin:
/usr/local/bin:/usr/local/sbin:/tools/scripts:/tools/scripts/radius:
/opt/sfw/bin:/opt/sfw/sbin:/opt/csw/bin:/opt/csw/sbin:/usr/ccs/bin:
/usr/openwin/bin:/usr/ucb:/etc:.
CLASSPATH=/usr/local/jdk1.4/lib/ojdbc14.jar:/usr/local/jdk1.4/lib/tools.jar:
/usr/local/jdk1.4/jre/lib/rt.jar:.
the first one (without --disable-shared) also had:
ORACLE_BASE=/opt/oracle
ORACLE_HOME=/opt/oracle/products/9.2.0
ORACLE_SID=RADIUS
the second one (with --disable-shared) didn't link in a required library 
from oracle so i rebuilt it without the oracle info. (it was just 
quicker that way)

gcc version 3.3.2
make is gmake 3.80
rebuilt once with
./configure --prefix=/usr/local --with-rlm-dbm=/opt/csw/bdb4 
--enable-developer
make
make install

run radrelay on the data from the pdsn, still cores with:
warning: Couldn't find general-purpose registers in core file.
blow everything away and build with
./configure --prefix=/usr/local --with-rlm-dbm=/opt/csw/bdb4 
--disable-shared --enable-developer
make
make install

run radrelay on the data from the pdsn and still cores with
warning: Couldn't find general-purpose registers in core file.
(this is from inside gdb)
p.s.  i took a couple days to do this to ensure the data i was getting 
off the pdsn would be from the current build without the extra modules
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: Radrealay and coredumps...

2005-03-02 Thread Terry J Fike Jr
  I'm not sure what else to suggest.  It really looks like the
compiler tools on your system don't produce usable binaries.

  I've *never* seen this problem on Solaris, but I've always used GCC.

  Alan DeKok
Yea, i've used gcc to compile pretty much everything, and the weird 
thing is that this only breaks for the one NAS device.  For everything 
else, radrelay works just fine.  It goes through and reads all the 
dictionary files, and at the time it opens the detail file for relaying 
is the point it cores.  And it only does it from the PDSN  *shrug*

Everything else works just fine...all my users authenticate just like 
normal...even from the pdsn, i get my accounting data just fine...even 
from the pdsn...*shrug*  this just is not making any sense...
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: Radrealay and coredumps...

2005-03-02 Thread Terry J Fike Jr
Arg...okay, yea, it has got to be something funky with the machine i've 
been compiling on...

As per some advice you gave earlier, i compiled this on a different sol9 
box (never had freeradius on it before)
copied the detail file from current radius server, and used the radrelay 
on the new box...sent just fine.

i guess it is time to build me a new radius box...
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Raadrelay and coredumps...

2005-02-28 Thread Terry J Fike Jr
*sigh*  okay, first off, shoot me...i didn't read /doc/bugs right and i 
hadn't recompiled with the --enable-developer

so, i did that...same output from the core
(Couldn't find general-purpose registers in core file)
recompiled it a couple times...
once with just --disable-shared
still cores...
once with --enable-developer (without --disable-shared)
still cores, no change in output inside gdb
once with --enable-developer with --disable-shared
still cores, no change in output inside gdb
one thing though, while in the make process with --enable-developer
i received lots of warnings (mostly from md4.c) but no errors.  is this 
normal when compiling with --enable-developer?

also...any other ideas?
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: Raadrelay and coredumps...

2005-02-28 Thread Terry J Fike Jr
I did a make distclean before ./configure each time
and i ran the radrelay from inside src/main (i didn't do make install on 
any of these runs)

with the exception of the radiusd.conf file, i've been using pretty much 
the same config files since 0.8.3 (though i think i changed to the new 
clients.conf in 1.0.0 and copied that into 1.0.2)

the radiusd.conf i edit from scratch with each new version based on the 
conf file from the previous version.

unfortunately, i'm doing this in a production environment, so swapping 
servers isn't going to be easy, but i'll see what i can do.  (i have a 
lot of things :( tied into the same ip as radius)
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: Raadrelay and coredumps...

2005-02-28 Thread Terry J Fike Jr
 Terry J Fike Jr [EMAIL PROTECTED] wrote:
  I did a make distclean before ./configure each time
   The *installed* files may be causing problems.
even if i'm telling a different prefix each time?
(i ask because i have 1.0.2 in /usr/local and 1.0.0 in /opt)
as i make new versions i just change the prefix so i can leave the old 
version running.  1.0.0-pre3 used to be in /usr/local but i deleted all 
those files before compiling 1.0.2
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radrelay and coredumps...

2005-02-25 Thread Terry J Fike Jr
Thanks Alan for all your help!
anyone know of any other good paid-for radius servers??
cause unfortunately...with this not working...i'm going to have to come 
up with something new :(

and i really like this one...very easy to install, very user friendly 
(with configs and with errors) and VERY stable (pretty much takes a user 
fubar to break it) you guys have done great work

i'll be sad to see it go...
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radrelay and coredumps...

2005-02-24 Thread Terry J Fike Jr
What is gdb?  (and what sort of package could i find it in)  we don't 
have it on our boxes so i'll need to find it and install it then get you 
the info you need.
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radrelay and coredumps...

2005-02-24 Thread Terry J Fike Jr
argh...i pulled the package down from sunfreeware.com and this is my 
output...

this is on a sol 9 box, running 1.0.2 radrelay
# ./gdb ./radrelay /opt/var/log/radius/radacct/12.21.213.86/core
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as sparc-sun-solaris2.9...

warning: Couldn't find general-purpose registers in core file.
warning: Couldn't find general-purpose registers in core file.
0x in ?? ()
(gdb) bt
#0  0x in ?? ()
(gdb)
#0  0x in ?? ()
(gdb) bt
#0  0x in ?? ()
(gdb) quit
Is there something else i can do/try to dig the info you need out of 
this file?
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radrelay and coredumps...

2005-02-23 Thread Terry J Fike Jr
Okay, here comes a bit of an update.
just in case of compatibility issues between 1.0.0 files and the 1.0.2 
radrelay app i moved everything into 1.0.2 and started fresh my detail 
file of all data for the individual NAS devices.

here is the command i used to run radrelay (v 1.0.2)
/usr/local/bin/radrelay -a /opt/var/log/radius/radacct/12.21.213.86 -d 
/usr/local/etc/raddb -r 209.4.229.75:1813 -S /path/to/secretfile detail-NAS

it still cores.
here is from the top of the core file:
CORE
radrelay
/usr/local/bin/radrelay -a /opt/var/log/radius/radacct/12.21.213.86 -d 
/usr/loc
CORE
SUNW,Sun-Fire-280R
CORE
in/r
opt/
us/r
.213
CORE
CORE
/freeradal/share/usr/local/share
CORE
radrelay
/usr/local/bin/radrelay -a /opt/var/log/radius/radacct/12.21.213.86 -d 
/usr/loc
CORE
/freeradal/share/usr/local/share
CORE
SUNW,Sun-Fire-280R
CORE
CORE
SunOS
david
Generic_112233-11
sun4u
CORE
CORE
CORE
/freeradal/share/usr/local/share
CORE
ing %s
failed to parse IPv6 address string %s
unknown attribute type %d
Unknown attribute %s
Attr-
Vendor-
0123456789
Attribute has invalid length
-Attr-
Illegal regular expression in attribute: %s: %s
Duplicate tag %s for attribute %s
Duplicate tag %s for attribute %s
Invalid tag for attribute %s
No token read where we expected an attribute name
Expected end of line or comma
failed to get value
expecting '='
Read a comment instead of a token
$Id: token.c,v 1.17 2003/09/12 19:25:29 phampson Exp $
$Id: misc.c,v 1.41.2.2 2004/10/04 15:26:46 aland Exp $
%d.%d.%d.%d
%x:%x:%x:%x
0123456789abcdef
$Id: log.c,v 1.7 2003/09/12 19:25:29 phampson Exp $
$Id: filters.c,v 1.36 2004/02/26 19:04:20 aland Exp $

here is the end of a truss of this (starting from reading the last of 
the dictionary files):

open(/usr/local/share/freeradius/dictionary.xedia, O_RDONLY) = 5
fstat(5, 0x7FFFE540)= 0
fstat(5, 0x7FFFE410)= 0
ioctl(5, TCGETA, 0x7FFFE47C)Err#25 ENOTTY
read(5,  # # # # # # # # # # # #.., 8192) = 766
read(5, 0x1001290A4, 8192)  = 0
lseek(5, 0, SEEK_CUR)   = 766
close(5)= 0
brk(0x10023D830)= 0
brk(0x100241830)= 0
read(4,  i n t e g e r\n A T T R.., 8192) = 8192
brk(0x100241830)= 0
brk(0x100245830)= 0
brk(0x100245830)= 0
brk(0x100249830)= 0
read(4,  i r e l e s s - 1 X - E.., 8192) = 8192
brk(0x100249830)= 0
brk(0x10024D830)= 0
brk(0x10024D830)= 0
brk(0x100251830)= 0
read(4, \n, 8192) = 1
read(4, 0x100127084, 8192)  = 0
lseek(4, 0, SEEK_CUR)   = 24577
close(4)= 0
read(3, 0x100125064, 8192)  = 0
lseek(3, 0, SEEK_CUR)   = 935
close(3)= 0
so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, , 1) = 3
sigaction(SIGTERM, 0x7070, 0x7230) = 0
sigprocmask(SIG_SETMASK, 0x7DD1D4C0, 0x7190) = 0
fork1() = 882
sigprocmask(SIG_SETMASK, 0x7190, 0x) = 0
lwp_schedctl(SC_STATE|SC_PREEMPT, 0, 0x7FFFEF68) = 0
mmap(0x, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANON, -1, 0) = 0x7DA0
munmap(0x7DA0, 8192)= 0
_exit(0)

I can send the whole core file and truss file if need be.  I'm still a 
little surprised this works for all but one of my NAS devices...

Thanks for your help on this so far :)
t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Restart Radius

2005-02-23 Thread Terry J Fike Jr
if you're in the unix world, in your $prefix/sbin there should be a script 
called rc.radiusd.  call it like so:

$prefix/sbin/rc.radiusd restart
that is a quick clean way of restarting radius
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radrelay and coredumps...

2005-02-22 Thread Terry J Fike Jr
Okay, Per Alan i compiled up 1.0.2 and moved the radrelay binary.
(i didn't move everything into version 1.0.2 just the 1.0.2 binary into 
my 1.0.0 install).  Modified all the dictionary files to the way they 
are in 1.0.2 and it still cores.  with pretty much the same output in a 
strings of the core.  would there be differences in the CVS that might help?

my config string was as follows:
CC=/path/to/gcc3 -m64 ./configure --prefix=/usr/local 
--with-rlm-dbm=/path/to/berkeley4
then a make

no errors in either configure or make... i'm also willing to post/send 
the data from the core if need be.
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Question about radrelay and file deletion/rotation

2005-02-18 Thread Terry J Fike Jr
Okay, hopefully this is a pretty easy question; if i want to go through 
my large file (accounting packets from all NAS devices) about once a 
month so it doesn't grow too large,  do i have to shutdown both radius 
and radrelay or can i just shutdown radius, do my housecleaning, and 
start it back up?  (In the radius.conf file i'm setting locking=yes for 
this detail file)

Thanks in advance.
t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Radrelay and coredumps...

2005-02-18 Thread Terry J Fike Jr
 = Feb 18 2005 10:33:22 AKST
Service-Type = Framed-User
NAS-IP-Address = 64.4.239.197
Shasta-Attr-4 = 0x53686173746120353030303a2069534f532028746d292c207064736e2d6d74632d332e302e3128352900
Acct-Session-Id = 0b000d74
3GPP2-Correlation-Id = 0b000d73
Calling-Station-Id = 09073559993
NAS-Port = 184552819
NAS-Port-Type = Virtual
Framed-IP-Netmask = 255.255.255.255
3GPP2-IP-Technology = 1
3GPP2-BSID = 07FA0001012D
Acct-Authentic = RADIUS
Framed-IP-Address = 64.4.233.10
Acct-Input-Octets = 88
Acct-Output-Octets = 88
Acct-Input-Packets = 2
Acct-Output-Packets = 2
Acct-Terminate-Cause = User-Request
3GPP2-Release-Indicator = 3
3GPP2-Session-Continue = 0

... and continues like that for a while ...
... some more stuff that i'm not sure if i need to add or not ...
Anyone got any ideas what i might be doing wrong here?
Thanks in advance for your help
t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Install Solaris9 - ver 1.0.1 and 1.0.2

2005-02-17 Thread Terry J Fike Jr


Message: 2
Date: Wed, 16 Feb 2005 16:40:30 -0700 (MST)
From: Data Processing Fone Net [EMAIL PROTECTED]
Subject: Install Solaris9 - ver 1.0.1 and 1.0.2
To: freeradius-users@lists.freeradius.org
Reply-To: freeradius-users@lists.freeradius.org
Afternoon,
I can not get the 1.0.1 or 1.0.2 versions to compile on my Solaris 9 server.
I went to the FAQs and archive to research past recommendations.  I have 
installed all the recommended packages, updated the CPAN modules, installed all 
new gcc, make, ld and the like.  I put on the newest patches for sol9.  I have 
tried the standard ./configure, I tried the recommended ./configure in the 
archives and I am not able to get a build.

I remove the freeradius dir and untar the tar ball for each time I attempt to 
get a build completed.

Here is what I do get on the make and make install.  configure seems to be ok.
I am not the best or most knowledgeable when it comes to this so I do expect it 
is a simple problem that I have missed.

End of the make process:
make[6]: Leaving directory `/var/tmp/freeradius-1.0.2/src/modules/rlm_unix'
Making static dynamic in rlm_x99_token...
make[6]: Entering directory 
`/var/tmp/freeradius-1.0.2/src/modules/rlm_x99_token'
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall 
-D_GNU_SOURCE -DNDEBUG  -I../../include -DX99_MODULE_NAME=\rlm_x99_token\  
-DFREERADIUS -c x99_rlm.c -o x99_rlm.o
In file included from x99_rlm.c:54:
x99.h:26:42: openssl/des.h: No such file or directory
In file included from x99_rlm.c:54:
[msg truncated]
On my Sol 9 box, I removed all references to x99 in the makefile and 
then it compiled just fine.  But then, I didn't need that stuff so I was 
okay with that.

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]


Copying accounting packets

2005-02-17 Thread Terry J Fike Jr
Hello All,
I'm looking for information on what others have done in similar 
situations.  What I have to do is copy the accounting packets from one 
particular NAS device to another radius server.  I know I can use 
radrelay for this if I copy all the accounting packets from that NAS 
device into one file, but here is my dilemma.

I am flat-filing all accounting packets from the different NAS devices 
by IP then by date.  Then once a day, I copy all these into a database 
for accounting/billing purposes.  (Yes, I realize this is a little clunky, 
but I lose almost no data this way, the overall system runs faster, 
and I have a guaranteed backup if my database takes a major nosedive for 
the trashcan and the normal database backups fail as well.)

To add to the fun, I'm about to have to start forwarding all (from all 
NAS devices) accounting packets to a web content filtering system.  So I 
suppose the question is, will there be a problem running two sets of 
radrelay (one on all accounting packets, and one on accounting packets 
from just one NAS)?  Or is there a better way to do this and I'm just 
being blind?
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]



Re: Copying accounting packets

2005-02-17 Thread Terry J Fike Jr
 Never let more than 1 radrelay process the same logfile!

 For each radrelay, you should configure a separate rlm_detail instance,
 which logs the needed packets to a different logfile which radrelay
 can read from.

 So for your situation, you need 3 rlm_detail instances:
 - 1 to log all requests to separate logfiles based on source ip and time
 - 1 to log all requests to a single logfile
 - 1 to log requests from a particular NAS to a single logfile
 --
 Groeten, Regards, Salutations,
Okay, sounds like what I was thinking.  Thanks very much!
t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]


Re: Freeradius hangs after a HUP

2005-01-19 Thread Terry J Fike Jr


Message: 8
Date: Wed, 19 Jan 2005 12:17:05 -0500 (EST)
From: Joe H [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Freeradius hangs after a HUP
Reply-To: freeradius-users@lists.freeradius.org
We have two seemingly identical freeradius servers, for this email lets
call them radius-1 and radius-2.  Both are FreeBSD 4.9 systems running
freeradius 1.0.1 with an Openldap 2.2.18 authentication method.  Both
machines run freeradius without a problem.  When I send a HUP to reload
the config files on radius-1, the radiusd process hangs and needs to be
killed and started.  If I do the same process on radius-2, it reloads
fine.  I have diffed all the configs and the only thing that is different
in them is the listen statements in the radiusd.conf, as they should be.
My question is, has anyone seen this before and if so, how was it fixed?
Troubleshooting already done:
Checked configs for errors.
reinstalled freeradius
Thanks.
--__--__--
We had this problem with two different versions (pre 1) to the point 
where we just gave up on HUP.  We just force a restart each time.  The 30 
second reload time doesn't affect the users as far as we can see and we 
ensure we get a clean load each time.  BTW, we are/were running this on 
Sol 8 and now Sol 9.
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]



8e6 technologies and radius

2005-01-10 Thread Terry J Fike Jr
Has anyone out there used these boxes with freeradius?
We are trying to set up a demo (to see if it works/if we can get it 
working) and what I have gotten from the 8e6 is that an attribute needs 
to be added to the user; the attribute is Class (value 25?) and it does 
show up in the base dictionary file (but as requiring an octet value, not 
a string, which the 8e6 box wants).  This may be a stupid question (since 
I haven't read through the RFCs for radius) but would/could it cause 
some major problems if I changed the dictionary file so it expected a 
string instead of an octet?  Right now, as far as I can see, none of our 
NAS devices are using the Class attribute (as it doesn't show up in any 
of the accounting packets from the different NAS devices), but I thought 
I would check with those who know more than me before I go trying to 
break things.

thanks in advance.
Terry
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]


Re: 8e6 technologies and radius

2005-01-10 Thread Terry J Fike Jr
They use the Class attribute to tell their box what users are being 
filtered and how (which filtering ruleset).  But it means that either 
the NAS device has to send the data to it, or I can radrelay it to the 
8e6 box (which is what I'm using for testing at the moment).  It also 
has the ability (I think) to receive data like an accounting server and 
then forward it to the actual accounting server.

How do I modify the Access-Accept to send it to the NAS so it can add 
this attribute in the accounting packet?  I don't remember seeing 
anything like that in the readmes or comments in the conf files.  (Not 
to say I couldn't be blind and have totally missed it though.)
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

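On the Class question in this thread: RFC 2865 defines Class (attribute 25) as opaque data that the server puts in an Access-Accept and that the NAS must copy unmodified into every Accounting-Request for that session. On the wire every attribute is just Type, Length, Value with no type tag, so changing the dictionary from octets to string only changes how radiusd prints and parses the value in its own config and logs; the NAS receives, and echoes, the same bytes either way, and a printable ruleset name fits in an octets attribute as it is. The Python below is an added example (not code from the posts or from FreeRADIUS) that encodes the attribute, models the NAS echo, and extracts the Class values a downstream consumer would key on. The user name and the ruleset value "filter-ruleset-1" are constructed.

```python
import struct

# RFC 2865/2866 attribute numbers used below
USER_NAME = 1
CLASS = 25             # opaque: server -> NAS -> echoed in accounting
ACCT_STATUS_TYPE = 40
ACCT_START = 1
MAX_VALUE_LEN = 253    # Length is one byte and includes the 2-byte header


def encode_avp(attr_type, value):
    """Encode one attribute as Type(1) | Length(1) | Value. A str is sent as
    its bytes, an int as a 4-byte big-endian integer; bytes go out as-is.
    There is no type tag on the wire, which is the whole point."""
    if isinstance(value, str):
        value = value.encode("ascii")
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("attribute %d value too long: %d bytes" % (attr_type, len(value)))
    return bytes((attr_type, len(value) + 2)) + value


def decode_avps(data):
    """Walk an attribute list, validating every Length before trusting it.
    Returns a list of (type, value_bytes); values stay opaque bytes."""
    avps, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header at offset %d" % off)
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, off))
        avps.append((attr_type, data[off + 2:off + length]))
        off += length
    return avps


def access_accept_attrs(ruleset):
    """Reply items the server adds to the Access-Accept: here only Class,
    carrying the (constructed) filtering ruleset name."""
    return encode_avp(CLASS, ruleset)


def nas_accounting_attrs(user, accept_attrs):
    """What a conforming NAS puts in its Accounting-Request: its own
    attributes plus every Class it received, byte-for-byte."""
    out = encode_avp(USER_NAME, user) + encode_avp(ACCT_STATUS_TYPE, ACCT_START)
    for attr_type, value in decode_avps(accept_attrs):
        if attr_type == CLASS:
            out += encode_avp(CLASS, value)
    return out


def classes_in(attrs):
    """The Class values a downstream consumer (e.g. a filtering box fed by
    radrelay) would key on, taken from an accounting attribute list."""
    return [v for t, v in decode_avps(attrs) if t == CLASS]


if __name__ == "__main__":
    accept = access_accept_attrs("filter-ruleset-1")
    acct = nas_accounting_attrs("jdoe", accept)
    print(accept.hex(), classes_in(acct))
```

Two practical limits follow from the encoding: the Length byte caps a Class value at 253 bytes, and a consumer such as the filtering box only ever sees what the NAS chose to echo, so the decoder validates each Length before trusting it and treats the value as opaque bytes rather than assuming a printable string.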


Re: difference in columns/names

2004-09-29 Thread Terry J Fike Jr
Terry J Fike Jr [EMAIL PROTECTED] wrote:
 Okay, I'm not sure if this is the right place to ask, but since it is
 more or less radius accounting I thought I'd try here.  Does anyone know
 the difference in the data in the columns inputoctets/outputoctets and
 inputoctets64/outputoctets64 and why there would always be data in the
 i/o columns, but not always in the i/o64 columns?
 Are those columns in the standard FreeRADIUS SQL schema?
 Alan DeKok
Umm...not sure, much of this was originally set up by someone else and 
I just copied the sql queries into the sql.conf file from our original 
version (0.8.3).  Here is an example of one of the queries

accounting_update_query = "INSERT INTO interim_updates (AcctSessionId, \
        AcctUniqueId, UserName, NASIPAddress, NASPortId, AcctUpdateTime, \
        AcctSessionTime, AcctAuthentic, ConnectInfo_Update, AcctInputOctets, \
        AcctInputOctets64, AcctOutputOctets, AcctOutputOctets64, \
        AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress) \
        VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', '%{NAS-IP-Address}', '%{NAS-Port-Id}', \
        TO_DATE('%S', 'yyyy-mm-dd hh24:mi:ss'), '%{Acct-Session-Time}', \
        '%{Acct-Authentic}', '%{Connect-Info}', '%{Acct-Input-Octets}', \
        radius.hex2dec('%{Acct_Input_Octets_64}'), '%{Acct-Output-Octets}', \
        radius.hex2dec('%{Acct_Output_Octets_64}'), '%{Acct-Terminate-Cause}', \
        '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"

And just in case (this was an in-house written Java function), here is 
hex2dec from Oracle:

-- PL/SQL call spec, in the radius package body (the query calls
-- radius.hex2dec).  The Java return type here has to match the method
-- below, which returns long, not int.
function hex2dec (
    hex_in varchar2) return NUMBER as
language java name 'Hex2Dec.getInt(java.lang.String) return long';

-- The Java stored procedure behind it, loaded as an Oracle Java source.
create or replace and compile java source named "Hex2Dec" as
public class Hex2Dec {
    // "0x1f" or "1f" -> 31; NULL (an absent attribute expands to '') -> 0
    public static long getInt(String hex) {
        if (hex == null) {
            return 0;
        }
        if (hex.startsWith("0x") || hex.startsWith("0X")) {
            hex = hex.substring(2);
        }
        if (hex.length() == 0) {
            return 0;   // a bare "0x" would otherwise throw NumberFormatException
        }
        return Long.parseLong(hex, 16);
    }
}
/
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

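The record quoted in the "Radrelay and coredumps" post above and the hex2dec() function in this thread deal with the same data: rlm_detail writes a timestamp line followed by one tab-indented "Attribute = value" line per attribute and a blank line, and some vendor values (the Shasta-Attr-4 string above, the 64-bit octet counters this query feeds to hex2dec) arrive as 0x-prefixed hex. The Python below is an added example, not code from the posts or from FreeRADIUS: it parses such a record, ports hex2dec() with the same NULL/empty-to-0 behaviour, and picks the 64-bit counter when one is present. The sample record is constructed after the one quoted above (the tab indentation and timestamp line are restored; the attribute name Acct-Input-Octets-64 and its value are assumptions), so it runs offline.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Shasta/3GPP2 record quoted in the
# "Radrelay and coredumps" post: a ctime-style timestamp line, then one
# tab-indented "Attr = value" line per attribute, then a blank line.
# The Acct-Input-Octets-64 name and value (2**32 + 88) are assumptions.
SAMPLE_DETAIL = (
    "Fri Feb 18 10:33:22 2005\n"
    "\tService-Type = Framed-User\n"
    "\tNAS-IP-Address = 64.4.239.197\n"
    "\tShasta-Attr-4 = 0x53686173746120353030303a2069534f532028746d292c"
    "207064736e2d6d74632d332e302e3128352900\n"
    '\tAcct-Session-Id = "0b000d74"\n'
    "\tAcct-Input-Octets = 88\n"
    "\tAcct-Output-Octets = 88\n"
    "\tAcct-Input-Octets-64 = 0x0000000100000058\n"
    "\tAcct-Terminate-Cause = User-Request\n"
    "\n"
)

ATTR_LINE = re.compile(r"^\s+([A-Za-z0-9._-]+)\s*=\s*(.*?)\s*$")


def hex2dec(value):
    """Port of the thread's Oracle/Java hex2dec(): '0x1f' or '1f' -> 31,
    NULL/empty (what the xlat of an absent attribute yields) -> 0."""
    if not value:
        return 0
    digits = value[2:] if value[:2].lower() == "0x" else value
    return int(digits, 16) if digits else 0


def decode_octets(value):
    """Turn a 0x-prefixed octets value into its raw bytes."""
    return bytes.fromhex(value[2:]) if value[:2].lower() == "0x" else value.encode()


def parse_detail(text):
    """Split a detail file into records of the form
    {'timestamp': datetime, 'attrs': {name: str}}."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:        # blank line closes a record
                records.append(current)
                current = None
            continue
        if not line[0].isspace():          # unindented line = timestamp, new record
            current = {"timestamp": datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y"),
                       "attrs": {}}
            continue
        m = ATTR_LINE.match(line)
        if m is None or current is None:
            raise ValueError("malformed detail line: %r" % line)
        name, raw = m.groups()
        # string values are double-quoted in the detail file; ints/octets are bare
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        current["attrs"][name] = raw
    if current is not None:
        records.append(current)
    return records


def input_octets(record):
    """Prefer the vendor 64-bit counter when present, else the RFC 2866
    32-bit Acct-Input-Octets."""
    attrs = record["attrs"]
    if attrs.get("Acct-Input-Octets-64"):
        return hex2dec(attrs["Acct-Input-Octets-64"])
    return int(attrs.get("Acct-Input-Octets", "0"))


if __name__ == "__main__":
    for rec in parse_detail(SAMPLE_DETAIL):
        print(rec["timestamp"], rec["attrs"]["Acct-Session-Id"], input_octets(rec))
        print(decode_octets(rec["attrs"]["Shasta-Attr-4"]).rstrip(b"\x00").decode())
```

The Shasta-Attr-4 value quoted in the post decodes to a NUL-terminated version string, which is why it is an octets attribute in the dictionary; the parser keeps every value as text and leaves the hex decoding to the caller, the same division of labour as the sql.conf query and the Oracle function.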


Re: difference in columns/names

2004-09-29 Thread Terry J Fike Jr
  The Acct_Output_Octets_64 isn't a standard RADIUS attribute.  It's
a Redback attribute.  (see dictionary.redback)
  I suggest asking Redback what it means, and why it's zero.
  Alan DeKok.
Okay, will do.  Thank you very much!
t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]


AP Orinoco 2500

2004-09-22 Thread Terry J Fike Jr
Okay, I know for the most part these things have been done to death, but 
mostly just with logging.  Has anyone else had issues with the Orinoco 
allowing multiple sessions for a user?  (i.e. they are logged in via 
another NAS device and their port limit=1; they are still allowed to log 
into the AP normally.)

thanks in advance
t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]