Re: Advanced SQL Auth/Generate clients.conf from SQL?
On Wed, 2007-02-07 at 16:56 +0100, Alan DeKok wrote:
> > Maybe simply reloading the nas configuration from SQL at configurable time intervals would do that?
>
> Send a patch. :)

I'd love to, but at the moment I'm no real C coder.

> The difficulty with doing automatic reloads is timing, and updating the configuration while the server is running.

Please forgive my ignorance, but how is this different from what Freeradius already does when handling SIGHUP?

Wrt cron + kill -HUP I think that it may be a bit overkill just to reload the NAS table.

ciao

Luca

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Advanced SQL Auth/Generate clients.conf from SQL?
Luca Corti wrote:
> Please forgive my ignorance, but how is this different from what Freeradius already does when handling SIGHUP?

There are some issues with the server's handling of HUP.

> Wrt cron + kill -HUP I think that it may be a bit overkill just to reload the NAS table.

Yes. An alternative is to read the clients live from the DB. I've been opposed to that because of DoS issues. I.e. for known clients it works fine. But attackers can take down your RADIUS server by sending packets from millions of source IP addresses, each causing an SQL lookup. I think there's a way to fix that, but I don't know if I have the time to implement it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
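The DoS Alan describes is inherent to doing one SQL query per unknown source address. The sketch below is an added illustration of the kind of bound one would put on that path; it is not FreeRADIUS code and not what rlm_sql does. It assumes a `nas` table with `nasname` and `secret` columns (constructed in memory here) and uses two mechanisms chosen for the example: a negative cache, so a source already looked up and not found is dropped without touching the DB again, and a token bucket that caps how many cache misses per second may reach the DB at all. Known clients are cached positively and served without a lookup.

```python
import sqlite3
import time

POS_TTL = 300.0       # seconds a client found in the DB stays cached
NEG_TTL = 60.0        # seconds a source that was NOT found stays remembered
LOOKUP_RATE = 5.0     # sustained DB lookups per second allowed for cache misses
LOOKUP_BURST = 10.0   # token-bucket size: peak burst of lookups


def make_db():
    """Constructed sample NAS table; the column layout is an assumption for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nas (nasname TEXT PRIMARY KEY, shortname TEXT, secret TEXT)")
    conn.executemany("INSERT INTO nas VALUES (?, ?, ?)", [
        ("192.0.2.10", "vpn1", "vpn1-secret"),
        ("192.0.2.20", "sw-core", "sw-core-secret"),
    ])
    return conn


class ClientCache:
    def __init__(self, conn, clock=time.monotonic):
        self.conn = conn
        self.clock = clock
        self.positive = {}        # ip -> (secret, expires_at)
        self.negative = {}        # ip -> expires_at
        self.tokens = LOOKUP_BURST
        self.refilled = clock()
        self.db_queries = 0       # instrumentation: how often the DB was actually hit

    def _take_token(self):
        now = self.clock()
        self.tokens = min(LOOKUP_BURST, self.tokens + (now - self.refilled) * LOOKUP_RATE)
        self.refilled = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

    def secret_for(self, ip):
        """Return the shared secret for ip, or None if the packet should be dropped."""
        now = self.clock()
        hit = self.positive.get(ip)
        if hit is not None and hit[1] > now:
            return hit[0]
        if self.negative.get(ip, 0.0) > now:
            return None                      # recently looked up and absent: no DB round trip
        if not self._take_token():
            return None                      # lookup budget exhausted: drop, no DB round trip
        self.db_queries += 1
        row = self.conn.execute("SELECT secret FROM nas WHERE nasname = ?", (ip,)).fetchone()
        if row is None:
            # Only sources that actually reached the DB enter the negative cache, so it
            # grows at most LOOKUP_RATE entries/second; prune expired ones occasionally.
            if len(self.negative) > 2 * LOOKUP_RATE * NEG_TTL:
                self.negative = {k: v for k, v in self.negative.items() if v > now}
            self.negative[ip] = now + NEG_TTL
            return None
        self.positive[ip] = (row[0], now + POS_TTL)
        return row[0]


class FakeClock:
    """Deterministic clock so the simulation below is reproducible."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate_flood(known_packets=1000, spoofed_packets=100000):
    """Known client traffic, then a flood from distinct spoofed sources inside one second."""
    clock = FakeClock()
    cache = ClientCache(make_db(), clock)
    accepted = sum(1 for _ in range(known_packets) if cache.secret_for("192.0.2.10"))
    for i in range(spoofed_packets):
        cache.secret_for(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}")
    queries_during_flood = cache.db_queries
    # Two seconds later the bucket has refilled, so a genuine not-yet-cached client gets in.
    clock.now += LOOKUP_BURST / LOOKUP_RATE
    second_client_ok = cache.secret_for("192.0.2.20") is not None
    return accepted, queries_during_flood, second_client_ok


if __name__ == "__main__":
    print(simulate_flood())   # (1000, 10, True): 100000 spoofed packets cost 9 DB queries
```

The caveat is visible in the simulation: the bucket bounds database load, but during a sustained flood it also starves lookups for legitimate clients that are not yet cached, because nothing distinguishes an unknown-but-real NAS from a spoofed address until the DB has been asked. That is why loading the whole client list at startup (or on a periodic reload) is the safer design, and why the live-lookup path should only ever be a fallback with a hard budget.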
Re: Advanced SQL Auth/Generate clients.conf from SQL?
On Fri, 9 Feb 2007, Alan DeKok wrote:
> > The immediate question that comes to mind is "Does FreeRADIUS reread its configuration when it receives a -HUP?".
>
> The immediate answer is "have you tried reading the documentation?"

To which I'd have to reply "no" (WRT this, anyways) and then ask if you were related to Theo de Raadt. *gdr*

--
Jeremy L. Gaddis, MCP, GCWN
LinuxWiz Consulting
http://linuxwiz.net
Re: Advanced SQL Auth/Generate clients.conf from SQL?
Gaddis, Jeremy L. wrote:
> The immediate question that comes to mind is "Does FreeRADIUS reread its configuration when it receives a -HUP?".

The immediate answer is "have you tried reading the documentation?"

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Advanced SQL Auth/Generate clients.conf from SQL?
On Sat, 2007-02-03 at 12:12 +0100, Alan DeKok wrote:
> It should be possible to mitigate the DoS potential somewhat, but someone still has to write the code.

Maybe simply reloading the nas configuration from SQL at configurable time intervals would do that?

ciao

Luca
Re: Advanced SQL Auth/Generate clients.conf from SQL?
Luca Corti wrote:
> On Sat, 2007-02-03 at 12:12 +0100, Alan DeKok wrote:
> > It should be possible to mitigate the DoS potential somewhat, but someone still has to write the code.
>
> Maybe simply reloading the nas configuration from SQL at configurable time intervals would do that?

Send a patch. :)

The difficulty with doing automatic reloads is timing, and updating the configuration while the server is running.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Advanced SQL Auth/Generate clients.conf from SQL?
On Wed 07 Feb 2007 17:56, Alan DeKok wrote:
> Luca Corti wrote:
> > On Sat, 2007-02-03 at 12:12 +0100, Alan DeKok wrote:
> > > It should be possible to mitigate the DoS potential somewhat, but someone still has to write the code.
> >
> > Maybe simply reloading the nas configuration from SQL at configurable time intervals would do that?
>
> Send a patch. :)
>
> The difficulty with doing automatic reloads is timing, and updating the configuration while the server is running.

Hmm.. cron and -HUP comes to mind :-)

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Advanced SQL Auth/Generate clients.conf from SQL?
Dan Mahoney, System Admin wrote:
> My second question is, now that I've got a list of all my NASes in SQL, has anyone written (or added to beta or something similar) code to do *those* via SQL? Specifically we already have all our network devices (and shared secrets) in a SQL database anyway, and it would be cool to use them in realtime.

Yes, this is (mostly) supported in the server. It will read the list of clients from SQL at startup, but NOT during run-time. This is to prevent DoS attacks...

It should be possible to mitigate the DoS potential somewhat, but someone still has to write the code.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Advanced SQL Auth/Generate clients.conf from SQL?
Hey all,

Two questions, related to SQL...

1: I recently became enamored by the power of SQL, but I find no easy way through SQL to do multiple check-items easily in a logical fall-throughable order. I.e. through SQL how would one do (for an entry level tech):

    Jeremy  nas-ip-address=the vpn server password=x
            Service-Type = Framed-User
    # Our switches, which we trust jeremy not to mess up
    Jeremy  password = y
            Service-Type = Admin-User
    Jeremy  nas-ip-address=a big powerful router
            Service-Type = Reject

I see an easy way to return items based on group membership (which seems to be rather 1:n right now, i.e. it doesn't appear that a person can be a member of more than one group) with the standard tables. I.e. I'm not sure how the various items are linked and ordered where you are able to have multiple instances of the same usernames, but varying other auth attributes.

I do think I've found a happy medium (albeit with a more complex join/union system on the backend) -- but it involves embedding a lot of values into the query, which shouldn't be the case. I couldn't find a really-advanced example anywhere -- if anyone has one, I would LOVE to see it (as it translates to a normal users file).

I'm not using this for dialup, instead we're using it for network management (because RADIUS is a good common denominator, far better than tac+). For that reason, we're going to have a lot of specific instances where we do (or don't) want people to have very specific types of access.

2: My second question is, now that I've got a list of all my NASes in SQL, has anyone written (or added to beta or something similar) code to do *those* via SQL? Specifically we already have all our network devices (and shared secrets) in a SQL database anyway, and it would be cool to use them in realtime.

I could just as easily bang together a perl script for this, and throw it in a crontab with a HUP tool (every hour or whatnot) -- and I would be happy to contribute such a script, but I'd like to know I'm not reinventing the wheel (especially because SQL-realtime is so much cooler than once an hour).

Any ideas GREATLY appreciated.

-Dan

--
Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144  AIM: LarpGM
Site: http://www.gushi.org
---
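The cron-plus-HUP approach Dan sketches, written out as an added example in Python rather than Perl; it is not code from the original post or from the FreeRADIUS project. It assumes a `nas` table with `nasname`, `shortname`, `type` and `secret` columns (a constructed in-memory copy is used below), renders the `client <ip> { secret = ...; shortname = ...; nastype = ... }` form of clients.conf, and only rewrites the file and sends SIGHUP when the rendered text actually changed, so an hourly job costs nothing when the table is unchanged. The pidfile path is an assumption. Values are checked before being written because a secret or name containing whitespace, braces, `#`, `"` or `$` would change the meaning of the generated file rather than just its content.

```python
import os
import signal
import sqlite3
import tempfile

_FORBIDDEN = set(' \t\r\n{}#"$\\')


def _checked(value, what):
    """Refuse values that would alter the structure of the generated config."""
    if not value or any(c in _FORBIDDEN or not c.isprintable() for c in value):
        raise ValueError(f"unsafe {what} in nas table: {value!r}")
    return value


def fetch_nas(conn):
    # ORDER BY keeps the rendered text stable, so "unchanged" is detected by plain comparison.
    return conn.execute(
        "SELECT nasname, shortname, type, secret FROM nas ORDER BY nasname").fetchall()


def render(rows):
    """Render rows as clients.conf text (client <ip> { ... } blocks)."""
    out = ["# generated from the nas table; do not edit by hand"]
    for nasname, shortname, nastype, secret in rows:
        out.append(f"client {_checked(nasname, 'nasname')} {{")
        out.append(f"\tsecret\t\t= {_checked(secret, 'secret')}")
        out.append(f"\tshortname\t= {_checked(shortname, 'shortname')}")
        if nastype:
            out.append(f"\tnastype\t\t= {_checked(nastype, 'type')}")
        out.append("}")
    return "\n".join(out) + "\n"


def sighup_radiusd(pidfile="/var/run/radiusd/radiusd.pid"):   # path is an assumption
    with open(pidfile) as f:
        os.kill(int(f.read().strip()), signal.SIGHUP)


def update(conn, path, reload):
    """Render the table; if the text changed, replace `path` atomically and call reload()."""
    text = render(fetch_nas(conn))
    if os.path.exists(path):
        with open(path) as f:
            if f.read() == text:
                return False                  # nothing changed: no write, no HUP
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)   # holds secrets
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)                     # atomic: radiusd never sees a half-written file
    reload()
    return True


def demo(workdir=None):
    """Three cron runs against a constructed table: initial write, a NAS added, no change."""
    workdir = workdir or tempfile.mkdtemp()
    path = os.path.join(workdir, "clients.conf")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nas (nasname TEXT PRIMARY KEY, shortname TEXT, type TEXT, secret TEXT)")
    conn.executemany("INSERT INTO nas VALUES (?, ?, ?, ?)", [
        ("192.0.2.10", "vpn1", "other", "vpn1-secret"),
        ("192.0.2.20", "sw-core", "cisco", "sw-core-secret"),
    ])
    reloads = []
    fake_reload = lambda: reloads.append(1)   # stands in for sighup_radiusd() in the demo
    results = [update(conn, path, fake_reload)]
    conn.execute("INSERT INTO nas VALUES ('192.0.2.30', 'sw-edge', 'cisco', 'sw-edge-secret')")
    results.append(update(conn, path, fake_reload))
    results.append(update(conn, path, fake_reload))
    assert len(reloads) == sum(results)       # exactly one HUP per actual change
    return results


if __name__ == "__main__":
    print(demo())   # [True, True, False]
    # real cron entry would call: update(conn, "/etc/raddb/clients.conf", sighup_radiusd)
```

The change check is what makes the "overkill" concern go away: the server is only signalled when a NAS row was added, removed or edited. What this script cannot fix is the window between a change and the next cron run, which is the trade-off against the live-lookup design discussed elsewhere in the thread.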