avpair
Hi, I am setting up two avpairs in the users file but only one (the first setting) is sent to the NAS. Why?

users file
---
DEFAULT Framed-Protocol == PPP
        Framed-IP-Netmask = 255.255.255.0,
        cisco-avpair = "ip:dns-servers=10.131.112.4 10.131.112.5",
        cisco-avpair = "ip:wins-servers=10.131.112.11",
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

radius debug
---
Sending Access-Accept of id 91 to 10.131.251.3:1645
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 10.131.200.33
        Framed-IP-Netmask = 255.255.255.0
        Framed-MTU = 576
        Cisco-AVPair = "ip:dns-servers=10.131.112.4 10.131.112.5"
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 1
Going to the next request

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
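Added example, not from the post or from FreeRADIUS itself: a small Python model of how users-file reply items are merged into the reply, assuming the operator semantics documented in the users file man page (`=` adds an attribute only when none of that name is in the reply yet, `:=` replaces, `+=` always adds another instance). Applied to the reply items posted above it yields a single Cisco-AVPair, as in the debug output, and shows that writing the second avpair with `+=` keeps both.

```python
import re
from typing import List, Tuple

# A reply item is an (attribute, operator, value) triple as written in a
# users-file entry.  Attribute names are compared case-insensitively.
ReplyItem = Tuple[str, str, str]

# One reply line, e.g.:   cisco-avpair += "ip:wins-servers=10.131.112.11",
_LINE = re.compile(r'^\s*([\w-]+)\s*(:=|\+=|=)\s*"?([^",]*)"?\s*,?\s*$')


def parse_reply_items(text: str) -> List[ReplyItem]:
    """Parse the reply-item lines of one users-file entry."""
    items = []
    for line in text.strip().splitlines():
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable reply item: {line!r}")
        items.append((m.group(1), m.group(2), m.group(3).strip()))
    return items


def merge_reply(items: List[ReplyItem]) -> List[Tuple[str, str]]:
    """Apply reply items, in order, to an initially empty reply list.

    Assumed operator semantics (users(5) man page):
      =   add only if no attribute of the same name is present yet
      :=  replace any existing attribute(s) of that name with this one
      +=  always add another instance
    """
    reply: List[Tuple[str, str]] = []
    for attr, op, value in items:
        present = [a for a, _ in reply if a.lower() == attr.lower()]
        if op == "=":
            if not present:
                reply.append((attr, value))
        elif op == ":=":
            reply = [(a, v) for a, v in reply if a.lower() != attr.lower()]
            reply.append((attr, value))
        elif op == "+=":
            reply.append((attr, value))
        else:
            raise ValueError(f"unknown operator {op}")
    return reply


# Constructed copy of the reply items from the posted users entry.
AS_POSTED = """
    Framed-IP-Netmask = 255.255.255.0,
    cisco-avpair = "ip:dns-servers=10.131.112.4 10.131.112.5",
    cisco-avpair = "ip:wins-servers=10.131.112.11",
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP
"""

# The same entry with the second avpair added using += instead of =.
WITH_APPEND = AS_POSTED.replace(
    'cisco-avpair = "ip:wins-servers', 'cisco-avpair += "ip:wins-servers')


def avpairs(text: str) -> List[str]:
    """Return the Cisco-AVPair values that would be sent to the NAS."""
    return [v for a, v in merge_reply(parse_reply_items(text))
            if a.lower() == "cisco-avpair"]


if __name__ == "__main__":
    print("as posted:", avpairs(AS_POSTED))   # only the dns-servers pair
    print("with +=  :", avpairs(WITH_APPEND)) # both pairs
```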
Re: Authenticating "unknown" or "wrong" users with special attributes?
Alan,

> Do authorization && authentication through the ldap module. Then if
> the user isn't found in ldap, you can do a configurable fail-over to
> the 'files' module.

Thanks - this seems to work for me, there is only one problem left:

authenticate {
        ldap
}

authorize {
        group {
                ldap {
                        notfound = return
                        ok = 1
                }
                files
                notfound = 1
                ok = return
        }
        files-default
}

Now, if the user isn't found in ldap, the module "files-default" is considered, which points to a users file with the "standard accept reply". But if the user exists in ldap and the password was wrong, the request is still rejected (ldap authorization returns ok, the module files is taken into account, ldap authentication returns reject).

Is it possible to change this behaviour in such a way that in this case, the default accept reply is returned too?

Roland
Re: [Fwd: Re: Changing RADIUS Passwords]
Hi John,

It is working. Thank you.

chaminda

John Blumel wrote:

> On 10/25/01 2:05 AM, Chaminda Rathnasinghe wrote:
>
> > I would like to know how to set bin/false users to change their
> > passwords as you describe below.
>
> On Linux, use the '-s' switch with usermod or useradd (or perhaps chuser
> and adduser on BSD -- syntax may vary). For example,
>
>         usermod -s /usr/bin/passwd some_user
>
> (assuming that passwd is located in /usr/bin on your system). Or, you
> could just edit the /etc/passwd file and replace /bin/false with
> /usr/bin/passwd.
>
> John Blumel
RE: Problems starting radiusd
Well, now it fails before even doing the first request, and no core :(

Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 207.136.103.131:2981, id=4, length=44
        User-Name = "test"
        Password = "\361h\356\036\231\263^\035\016\250\244\271\365?q\007"
modcall: entering group authorize
MASTER: exit on signal (11)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: October 25, 2001 5:52 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Problems starting radiusd
>
>
> "Jason Lixfeld" <[EMAIL PROTECTED]> wrote:
> > **Request finished. Now, same thread waiting for next request:
> >
> > Going to the next request
> > Thread 1 waiting to be assigned a request
> >
> > **Check `top`, radiusd process is @99% CPU.
>
> OK, grab the latest cvs version, and do a
> './configure;make;make install'. I've found problems with
> signal handling in the threads.
>
> If that doesn't solve the problem, go to src/main/threads.c, and
> add:
>
>         sigaddset(&set, SIGSEGV);
>
> with the other 'sigaddset' lines.
>
> > > - it happens in threaded mode and when running '-s'
> >
> > No, in -s it's fine:
>
> That's pretty telling.
>
> The issue appears to be that the sem_wait() call in the
> threads code gives a SEGV when signals are received. Very weird.
>
> I think that this change will at least cause the server to
> NOT use all of the CPU. It may still core dump, but that's a
> Good Thing, if the core dump tells us what the problem is.
>
> Alan DeKok.
RE: Problems starting radiusd
Great, will do. I'll test it out and send a core if it spits it out.. Thx for the help!

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: October 25, 2001 5:52 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Problems starting radiusd
>
>
> "Jason Lixfeld" <[EMAIL PROTECTED]> wrote:
> > **Request finished. Now, same thread waiting for next request:
> >
> > Going to the next request
> > Thread 1 waiting to be assigned a request
> >
> > **Check `top`, radiusd process is @99% CPU.
>
> OK, grab the latest cvs version, and do a
> './configure;make;make install'. I've found problems with
> signal handling in the threads.
>
> If that doesn't solve the problem, go to src/main/threads.c, and
> add:
>
>         sigaddset(&set, SIGSEGV);
>
> with the other 'sigaddset' lines.
>
> > > - it happens in threaded mode and when running '-s'
> >
> > No, in -s it's fine:
>
> That's pretty telling.
>
> The issue appears to be that the sem_wait() call in the
> threads code gives a SEGV when signals are received. Very weird.
>
> I think that this change will at least cause the server to
> NOT use all of the CPU. It may still core dump, but that's a
> Good Thing, if the core dump tells us what the problem is.
>
> Alan DeKok.
Re: Problems starting radiusd
"Jason Lixfeld" <[EMAIL PROTECTED]> wrote:
> **Request finished. Now, same thread waiting for next request:
>
> Going to the next request
> Thread 1 waiting to be assigned a request
>
> **Check `top`, radiusd process is @99% CPU.

OK, grab the latest cvs version, and do a './configure;make;make install'. I've found problems with signal handling in the threads.

If that doesn't solve the problem, go to src/main/threads.c, and add:

        sigaddset(&set, SIGSEGV);

with the other 'sigaddset' lines.

> > - it happens in threaded mode and when running '-s'
>
> No, in -s it's fine:

That's pretty telling.

The issue appears to be that the sem_wait() call in the threads code gives a SEGV when signals are received. Very weird.

I think that this change will at least cause the server to NOT use all of the CPU. It may still core dump, but that's a Good Thing, if the core dump tells us what the problem is.

Alan DeKok.
802.1x authentication
Right now I'm using FreeRADIUS (0.3 / i686-pc-linux-gnu) to handle MAC-based authentication for an Enterasys RoamAbout Wireless Access Point. Works like a charm.

Turns out that the new WAPs support 802.1x. Has anyone implemented RADIUS/802.1x authentication in either a wireless or wired context? Right now, my users are configured like this:

00-40-96-48-9b-42       Auth-Type := Local, Password == "NOPASSWORD"

What additional parameters, if any, are needed to handle 802.1x authentication? Also, has anyone successfully used support for dynamic WEP key distribution? If so, what part, if any, does RADIUS play?

Thanks in advance for any help

Best,
Matthew Berk
RE: Problems starting radiusd
> > Tried auth'ing from a users file, bypassing SQL, no dice. I'm
> > compiling a uni-processor kernel now to see if it's something with
> > SMP.
>
> Just to be clear, the problem is:
>
> - high CPU load

Upon startup, the process is fine. High CPU load after radiusd processes the first request:

**radiusd is loaded with -xx (in this case). Server is up, and responding:

Thread spawned new child 1. Total threads in pool: 1
Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.

**It's waiting for its first request:

Thread 1 waiting to be assigned a request

**It receives and processes its first request:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=95, length=53
Thread 1 assigned request 0
--- Walking the entire request list ---
Thread 1 handling request 0, (1 handled so far)
        User-Name = "test"
        Password = "@\026LQ{\351.8um\277\277\303\016J"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "0"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
    users: Matched test at 44
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied Password matches local Password
Login OK: [test/testing] (from nas local port 0)
Sending Access-Accept of id 95 to 127.0.0.1:32769
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.3.33
        Framed-IP-Netmask = 255.255.255.0
        Framed-Routing = Broadcast-Listen
        Framed-Filter-Id = "std.ppp"
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0

**Request finished. Now, same thread waiting for next request:

Going to the next request
Thread 1 waiting to be assigned a request

**Check `top`, radiusd process is @99% CPU.

> - it happens in threaded mode and when running '-s'

No, in -s it's fine:

** First request:

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=178, length=53
        User-Name = "test"
        Password = "gx^?\364G{o-\361(5\214\337$*"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "0"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
    users: Matched test at 44
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied Password matches local Password
Login OK: [test/testing] (from nas local port 0)
Sending Access-Accept of id 178 to 127.0.0.1:32769
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.3.33
        Framed-IP-Netmask = 255.255.255.0
        Framed-Routing = Broadcast-Listen
        Framed-Filter-Id = "std.ppp"
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 178 with timestamp 3bd88333
Nothing to do. Sleeping until we see a request.

**Second request.

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=182, length=53
        User-Name = "test"
        Password = "b8\2175`Z\034\033\342\266\356Lz\n\r`"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "0"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
    users: Matched test at 44
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied Password matches local Password
Login OK: [test/testing] (from nas local port 0)
Sending Access-Accept of id 182 to 127.0.0.1:32769
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.16.3.33
        Framed-IP-Netmask = 255.255.255.0
        Framed-Routing = Broadcast-Listen
        Framed-Filter-Id = "std.ppp"
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 182 with timestamp 3bd88349
Nothing to do. Sleeping until we see a request.

**No problems. I can process requests all day, here.

> - it happens in SMP or in uni-processor mode

Correct. It happens with an SMP kernel AND a uni-processor kernel.

> Can you strip down your configuration to load and use the
> smallest number of modules possible? i.e. If you can verify
> that it happens with just rlm_files installed, that would
> help to track down where the problem is located.

Well, the output from t
Re: Problems starting radiusd
"Jason Lixfeld" <[EMAIL PROTECTED]> wrote:
> Anyone have any ideas here? I'm still stumped, no matter what I try.

Ok... just a sec...

I'm seeing something weird when using threads, and doing a CTRL-C. It's sending itself a SEGV forever. That will use up the CPU time, for sure.

I hope to know more within the hour.

Alan DeKok.
Re: FW: Errors Under High Load ( Including the Drop dup auth packet err)
"RATI,SIDDU (HP-Cupertino,ex1)" <[EMAIL PROTECTED]> wrote:
> The problem is occurring under load only, and is not occurring all the time.
> I also suspect, this could be because of a race condition in the server as
> at present the server is not multithreaded. Multithreading may resolve this
> problem.

Then why not run it with threads? That's the default!

For these sorts of issues, do NOT disable threads. The multi-process version of the server does NOT work well, if at all.

Note that the server code reading the packets is NOT multi-threaded. This is because it does minimal work to sanity check the packet. All of the CPU intensive work is then farmed out to a thread. So each new request is handled by a different thread.

The server core takes care of creating new threads, and assigning requests to waiting threads. There should be no locking or race problems here, because the core is designed to NOT need locks when giving requests to threads.

Alan DeKok.
Re: Problems starting radiusd
"Jason Lixfeld" <[EMAIL PROTECTED]> wrote:
> Anyone have any ideas here? I'm still stumped, no matter what I try.

It's really weird, sorry.

> Tried auth'ing from a users file, bypassing SQL, no dice. I'm compiling
> a uni-processor kernel now to see if it's something with SMP.

Just to be clear, the problem is:

- high CPU load
- it happens in threaded mode and when running '-s'
- it happens in SMP or in uni-processor mode

Can you strip down your configuration to load and use the smallest number of modules possible? i.e. If you can verify that it happens with just rlm_files installed, that would help to track down where the problem is located.

But the trace you showed was weird:

> > > time(NULL) = 1004022581
> > > Password = "#testuser11"
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Protocol = PPP
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Protocol = PPP
> > > Service-Type = Framed-User
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Protocol = PPP
> > > Service-Type = Framed-User
> > > Auth-Type = Local
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Protocol = PPP
> > > Service-Type = Framed-User
> > > Auth-Type = Local
> > > Framed-MTU = 1500

You have *multiple* identical attributes added to the request. That says there may even be a problem with a list being circularly linked.

> > > radiusd: Starting - reading configuration files ...

And this should be printed out before it handles a request, not after.

> > > * DEAD. CPU HITS 100% *

Can you see which function is using all of the CPU time?

About all I can do in these situations is to add lots of :

        fprintf(stderr, "HERE %s:%d\n", __FILE__, __LINE__);

sprinkle these throughout the code, recompile, and do:

        (radiusd -Xd /etc/raddb 2>&1) | tee output

send it one request at a time until it hits 100% CPU, you should probably see lots of repeating lines. Hit CTRL-C, and look at the output file.

You should be able to see where it's looping, or at least that it got to a certain file/line, and looped after that.

Alan DeKok.
RE: FW: Errors Under High Load ( Including the Drop dup auth packet err)
Hello Aland,

The problem is occurring under load only, and is not occurring all the time. I also suspect, this could be because of a race condition in the server as at present the server is not multithreaded. Multithreading may resolve this problem.

Any suggestions !!

Thanks and regards,
Siddu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: FW: Errors Under High Load ( Including the Drop dup auth packet err)

"RATI,SIDDU (HP-Cupertino,ex1)" <[EMAIL PROTECTED]> wrote:
> I am also facing a similar problem under load for authentication,
> getting the following error "Received authentication reply packet from
> 15.13.115.182 with invalid signature!"

Is it only happening under high load? If so, it sounds like a race condition in the server. If not, then it's a shared secret problem.

> I am using the Interlink AAA Radius server product. Any idea what could be the
> reason, what is the fix ??

I have no idea, sorry. I can't reproduce it locally, so unless you can provide more detailed information, there's not much I can say. And I don't even know what more information will help.

Once the request is handed to a thread, there should be NO race conditions, as nothing else should be accessing that request.

Alan DeKok.
Re: LDAP configuration question
"Fernando Costa de Almeida" <[EMAIL PROTECTED]> wrote:
> So do it with your server and see if all goes right... I said
> in the last email about all config files that I changed, exactly as
> you suggested in the link above.

I don't run ldap, sorry, so I can't test it exactly.

Hmm... the 'realm' module doesn't add a Realm attribute for local realms. That's probably the source of the problem.

OK, grab the CVS snapshot from tonight (or do a 'cvs update' now). It should now work the way I described.

Alan DeKok.
RE: Problems starting radiusd
Same deal with uni-processor kernel. Out of ideas.. Anyone?

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Jason Lixfeld
> Sent: October 25, 2001 3:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Problems starting radiusd
>
>
> Anyone have any ideas here? I'm still stumped, no matter what I try.
>
> Tried auth'ing from a users file, bypassing SQL, no dice.
> I'm compiling a uni-processor kernel now to see if it's
> something with SMP.
>
> I'm open to any ideas.
>
> > -----Original Message-----
> > From: Jason Lixfeld [mailto:[EMAIL PROTECTED]]
> > Sent: October 25, 2001 12:12 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: Problems starting radiusd
> >
> >
> > I'm not using hints at all, actually. Nor am I using a users
> > file. User information is coming from MySQL.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > Andreas Faust
> > > Sent: October 25, 2001 12:09 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Problems starting radiusd
> > >
> > >
> > > On Thu, Oct 25, 2001 at 11:13:13AM -0400, Jason Lixfeld wrote:
> > > > Gdb radiusd was useless.
> > > >
> > > > Attached is strace output.
> > > check your hints or your users file..
> > > have a close look at the packet, it has the same values over and
> > > over written into it again I would guess it loops somewhere. I
> > > think that FallThrough may be a problem in here ...
> > >
> > > please check that
> > >
> > > cheers medic
> > >
> > > > * RECEIVE AUTH PACKET HERE *
> > > >
> > > > )= 1 (in [9])
> > > > recvfrom(9, "\1\2\0001 1004021946\1\vtestuser1\2"...,
> > > > 1600, 0, {sin_family=AF_INET, sin_port=htons(3243),
> > > > sin_addr=inet_addr("216.7.221.25")}}, [16]) = 49
> > > > time(NULL) = 1004022581
> > > > kill(1351, SIGRT_0) = 0
> > > > time(NULL) = 1004022581
> > > > Password = "#testuser11"
> > > > Framed-Compression = Van-Jacobson-TCP-IP
> > > > Framed-Compression = Van-Jacobson-TCP-IP
> > > > Framed-Protocol = PPP
> > > > Framed-Compression = Van-Jacobson-TCP-IP
> > > > Framed-Protocol = PPP
> > > > Service-Type = Framed-User
> > > > Framed-Compression = Van-Jacobson-TCP-IP
> > > > Framed-Protocol = PPP
> > > > Service-Type = Framed-User
> > > > Auth-Type = Local
> > > > Framed-Compression = Van-Jacobson-TCP-IP
> > > > Framed-Protocol = PPP
> > > > Service-Type = Framed-User
> > > > Auth-Type = Local
> > > > Framed-MTU = 1500
> > > > radiusd: Starting - reading configuration files ...
> > > >
> > > > * DEAD. CPU HITS 100% *
Re:Re: LDAP configuration question
Falmeida <[EMAIL PROTECTED]> wrote:
> Well, you're posting HTML to the list, without even a 'content-type'
> saying it's HTML. That isn't nice.

Sorry, I used a webmail to send this message and didn't know that this would occur...

> What I want to do is to set the basedn dynamically with the
> realm of the username in the request, because my ldap tree is
> organized in this way (one Organizational Unit for each domain)...
> Changing the %{Realm} for another attribute (like %{User-Name}) does exactly
> what I want, but only for the Realm attribute I can't do this. I'm looking in
> the source code to try to understand what is happening, but I'm in a hurry with
> this...

> http://lists.cistron.nl/pipermail/freeradius-users/2001-October/002567.html

So do it with your server and see if all goes right... I said in the last email about all config files that I changed, exactly as you suggested in the link above.

Thanks anyway.
RE: Problems starting radiusd
Anyone have any ideas here? I'm still stumped, no matter what I try.

Tried auth'ing from a users file, bypassing SQL, no dice. I'm compiling a uni-processor kernel now to see if it's something with SMP.

I'm open to any ideas.

> -----Original Message-----
> From: Jason Lixfeld [mailto:[EMAIL PROTECTED]]
> Sent: October 25, 2001 12:12 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Problems starting radiusd
>
>
> I'm not using hints at all, actually. Nor am I using a users
> file. User information is coming from MySQL.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of
> > Andreas Faust
> > Sent: October 25, 2001 12:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Problems starting radiusd
> >
> >
> > On Thu, Oct 25, 2001 at 11:13:13AM -0400, Jason Lixfeld wrote:
> > > Gdb radiusd was useless.
> > >
> > > Attached is strace output.
> > check your hints or your users file..
> > have a close look at the packet, it has the same values over
> > and over written into it again I would guess it loops
> > somewhere. I think that FallThrough may be a problem in here ...
> >
> > please check that
> >
> > cheers medic
> >
> > > * RECEIVE AUTH PACKET HERE *
> > >
> > > )= 1 (in [9])
> > > recvfrom(9, "\1\2\0001 1004021946\1\vtestuser1\2"...,
> > > 1600, 0, {sin_family=AF_INET, sin_port=htons(3243),
> > > sin_addr=inet_addr("216.7.221.25")}}, [16]) = 49
> > > time(NULL) = 1004022581
> > > kill(1351, SIGRT_0) = 0
> > > time(NULL) = 1004022581
> > > Password = "#testuser11"
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Protocol = PPP
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Protocol = PPP
> > > Service-Type = Framed-User
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Protocol = PPP
> > > Service-Type = Framed-User
> > > Auth-Type = Local
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Framed-Protocol = PPP
> > > Service-Type = Framed-User
> > > Auth-Type = Local
> > > Framed-MTU = 1500
> > > radiusd: Starting - reading configuration files ...
> > >
> > > * DEAD. CPU HITS 100% *
Re: FW: Errors Under High Load ( Including the Drop dup auth packet err)
"jason" <[EMAIL PROTECTED]> wrote:
> Hmm, I think I'm seeing something different occur.. my authentication works
> fine ( as long as the server is able to stay up ) but I'm getting an
> accounting request error, but not an error from auth. Any ideas here?

I have pretty much the same comments. Maybe the signature IS bad. Maybe there's a race condition that happens only under high load.

> And, just out of curiosity, does the current cvs build compile for you yet,
> aland?

Yes. I committed a fix this morning (EDT).

Alan DeKok.
Re: FW: Errors Under High Load ( Including the Drop dup auth packet err)
> "RATI,SIDDU (HP-Cupertino,ex1)" <[EMAIL PROTECTED]> wrote:
> > I am also facing a similar problem under load for authentication,
> > getting the following error "Received authentication reply packet from
> > 15.13.115.182 with invalid signature!"
>
> If not, then it's a shared secret problem.

Hmm, I think I'm seeing something different occur.. my authentication works fine ( as long as the server is able to stay up ) but I'm getting an accounting request error, but not an error from auth. Any ideas here?

And, just out of curiosity, does the current cvs build compile for you yet, aland?

Thu Oct 25 14:36:59 2001 : Error: Received Accounting-Request packet from 209.131.216.213 with invalid signature!

-jason
Re: LDAP configuration question
Falmeida <[EMAIL PROTECTED]> wrote:
> Could someone please see what am I doing wrong in my radius
> configuration?

Well, you're posting HTML to the list, without even a 'content-type' saying it's HTML. That isn't nice.

> What I want to do is to set the basedn dynamically with the
> realm of the username in the request, because my ldap tree is
> organized in this way (one Organizational Unit for each domain)...
> Changing the %{Realm} for another attribute (like %{User-Name}) does exactly
> what I want, but only for the Realm attribute I can't do this. I'm looking in
> the source code to try to understand what is happening, but I'm in a hurry with
> this...

http://lists.cistron.nl/pipermail/freeradius-users/2001-October/002567.html

Alan DeKok.
FW: Errors Under High Load ( Including the Drop dup auth packet err)
Hello,

I am also facing a similar problem under load for authentication, getting the following error "Received authentication reply packet from 15.13.115.182 with invalid signature!"

I am using the Interlink AAA Radius server product. Any idea what could be the reason, what is the fix ??

Regds,
Siddu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 11:29 AM
To: [EMAIL PROTECTED]
Subject: Re: Errors Under High Load ( Including the Drop dup auth packet err)

"jason" <[EMAIL PROTECTED]> wrote:
> I'm running freeradius-0.3 with a postgres backend and under high load I
> have some errors that are plaguing me.
>
> Wed Oct 24 12:47:47 2001 : Error: Received Accounting-Request packet from
> 209.131.216.212 with invalid signature!

That could be caused by the packet being bad, or it could be a problem seen only under high load.

> The termservers are totalcontrol units, I'm not sure if there is anything
> special I have to set somewhere to allow their accounting packets to work?

Maybe. Some NASes don't calculate the accounting signature properly. (sigh)

> And everyone's favorite error
>
> Wed Oct 24 12:51:26 2001 : Error: Dropping duplicate authentication packet
> from client iei211:1645 - ID: 98
>
> I'm receiving this after a couple thousand requests or so, and then it will
> cause the radius server to fill up its thread pool ( set to 128 currently )
> .. after which radius will continually complain that its threads are full,
> and become useless.

So increase the maximum number of threads.

The problem may also be that each request is taking a LONG time. In that case, the server will use a large number of threads, and the NAS may re-send requests, if it hasn't seen a reply quickly enough.

The solution is to figure out why the requests are taking so long, and solve that. Once the server responds quickly, most of these problems should go away.

Alan DeKok.
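Added example, not from any post in this thread or from FreeRADIUS: a Python check of the two authenticators behind the "invalid signature" errors discussed above (the Accounting-Request error in the forwarded thread and the "shared secret problem" remark), following RFC 2866 for Accounting-Request (MD5 over the packet with a zeroed authenticator field, plus the shared secret) and RFC 2865 for reply packets (MD5 over the reply with the request's authenticator in the field, plus the secret). The packets, user and secret are constructed; the demo shows that a secret mismatch or a NAS computing the hash differently is exactly what the server reports.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# RADIUS packet codes used here (RFC 2865 / RFC 2866).
ACCESS_ACCEPT = 2
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

Attr = Tuple[int, bytes]  # (Type, Value)


def encode_attrs(attrs: List[Attr]) -> bytes:
    """TLV-encode attributes: one octet Type, one octet Length, then Value."""
    out = b""
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([atype, len(value) + 2]) + value
    return out


def _digest(code: int, ident: int, length: int, auth_field: bytes,
            body: bytes, secret: bytes) -> bytes:
    """MD5 over the packet with `auth_field` in the Authenticator slot."""
    return hashlib.md5(HEADER.pack(code, ident, length, auth_field)
                       + body + secret).digest()


def build_accounting_request(ident: int, attrs: List[Attr],
                             secret: bytes) -> bytes:
    """Accounting-Request: the Request Authenticator is the MD5 of the
    packet with 16 zero octets in the authenticator field, plus the secret."""
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    auth = _digest(ACCOUNTING_REQUEST, ident, length, bytes(16), body, secret)
    return HEADER.pack(ACCOUNTING_REQUEST, ident, length, auth) + body


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: List[Attr], secret: bytes) -> bytes:
    """Access-Accept or Accounting-Response: the Response Authenticator is
    the MD5 of the reply with the *request's* authenticator in the field,
    plus the secret.  The NAS (or a proxy) verifies it the same way."""
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    auth = _digest(code, ident, length, request_auth, body, secret)
    return HEADER.pack(code, ident, length, auth) + body


def _split(packet: bytes) -> Optional[Tuple[int, int, int, bytes, bytes]]:
    """Return (code, ident, length, auth, body), or None if malformed."""
    if len(packet) < HEADER.size:
        return None
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        return None
    return code, ident, length, auth, packet[HEADER.size:length]


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """The server-side check; False is logged as 'with invalid signature!'."""
    parts = _split(packet)
    if parts is None or parts[0] != ACCOUNTING_REQUEST:
        return False
    code, ident, length, auth, body = parts
    expected = _digest(code, ident, length, bytes(16), body, secret)
    return hmac.compare_digest(expected, auth)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client-side check of a reply against the request it answers."""
    parts = _split(packet)
    if parts is None:
        return False
    code, ident, length, auth, body = parts
    expected = _digest(code, ident, length, request_auth, body, secret)
    return hmac.compare_digest(expected, auth)


# Constructed sample: an accounting Start for user "test", id 98.
SECRET = b"testing123"
ACCT_START = build_accounting_request(
    98, [(1, b"test"),                  # User-Name
         (40, struct.pack("!I", 1)),    # Acct-Status-Type = Start
         (44, b"0000001A")], SECRET)    # Acct-Session-Id


def demo() -> Tuple[bool, bool, bool]:
    """Results for (correct secret, wrong secret, one flipped payload bit)."""
    tampered = ACCT_START[:-1] + bytes([ACCT_START[-1] ^ 0x01])
    return (verify_accounting_request(ACCT_START, SECRET),
            verify_accounting_request(ACCT_START, b"wrong-secret"),
            verify_accounting_request(tampered, SECRET))


if __name__ == "__main__":
    print("good / wrong secret / tampered:", demo())
```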
Re: FW: Errors Under High Load ( Including the Drop dup auth packet err)
"RATI,SIDDU (HP-Cupertino,ex1)" <[EMAIL PROTECTED]> wrote:
> I am also facing a similar problem under load for authentication,
> getting the following error "Received authentication reply packet from
> 15.13.115.182 with invalid signature!"

Is it only happening under high load? If so, it sounds like a race condition in the server. If not, then it's a shared secret problem.

> I am using the Interlink AAA Radius server product. Any idea what could be the
> reason, what is the fix ??

I have no idea, sorry. I can't reproduce it locally, so unless you can provide more detailed information, there's not much I can say. And I don't even know what more information will help.

Once the request is handed to a thread, there should be NO race conditions, as nothing else should be accessing that request.

Alan DeKok.
LDAP configuration question
Could someone please see what I am doing wrong in my radius configuration?

What I want to do is to set the basedn dynamically with the realm of the username in the request, because my ldap tree is organized in this way (one Organizational Unit for each domain)... Changing the %{Realm} for another attribute (like %{User-Name}) does exactly what I want, but only for the Realm attribute I can't do this. I'm looking in the source code to try to understand what is happening, but I'm in a hurry with this...

Radiusd.conf LDAP section

ldap {
        server = ""
        identity = "cn=root,"
        password =
        basedn = "ou=%{Realm},"
        filter = "(uid=%U)"
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
        #access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authenticate {
        ldap
}

users

DEFAULT Auth-Type := LDAP
        Fall-Through = 1

Thanks in advance!

Realms:

LOCAL:1812
Re: Authenticating "unknown" or "wrong" users with special attributes?
[EMAIL PROTECTED] wrote:
> The basic issue is that we try to use the freeradius server to
> authenticate users logging in via DSL (PPPoA/PPPoE). Especially if
> a router connects to the broadband NAS via PPPoA (PPP over ATM), and
> the RADIUS server sends an "Access-Reject" (i.e. wrong password,
> user unknown, ...) the router tries to connect again and again, and
> the NAS puts some dozens of RADIUS requests per second (!) on the
> freeradius server.

I'd complain to your router vendor. That isn't a nice thing to do.

> If we accepted (!) the "wrong" connections using an
> IP filter to prevent the users from using Internet connectivity
> and a session timer to make sure the "on-hold" session
> expires after some minutes, this would be a reasonable
> workaround.

That sounds OK.

> I have had a hard day looking at the freeradius configuration,
> but I did not find any way to produce the following behaviour:
>
> * If the user is in the LDAP database (and the password is
> correct), take the LDAP attributes and send "Access-Accept"
>
> * If not, send some standard attributes.

What you want is module fail-over. See 'doc/configurable_failover'

Do authorization && authentication through the ldap module. Then if the user isn't found in ldap, you can do a configurable fail-over to the 'files' module.

I don't have examples handy, sorry.

Alan DeKok.
pppd and radius
Hello, Can you tell me how I can make pppd use ICRadius for authentication on FreeBSD. Thanks
Re: Authenticating "unknown" or "wrong" users with special attributes?
Andreas,

> Please excuse if I say something stupid now, as I do not know how exactly LDAP works with FreeRADIUS, but why do you not supply these attributes via LDAP on a per users base ? LDAP seems to provide that functionality.

this does not work for the following reason: What I want is to accept *any* user, even if there is no corresponding entry in the LDAP database. If a user "steve1234" logs in, the LDAP database has to know about this user - but this is not the case for "unknown" users.

Roland

- Original Message -
From: "Andreas Faust" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 25, 2001 6:47 PM
Subject: Re: Authenticating "unknown" or "wrong" users with special attributes?

> On Thu, Oct 25, 2001 at 06:20:50PM +0200, [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > # LDAP - most attributes come out of the LDAP database
> > DEFAULT Auth-Type := LDAP
> >         Service-Type = Framed,
> >         Framed-Protocol = PPP,
> >         Framed-MTU = 1500,
> >         Framed-Compression = Van-Jacobsen-TCP-IP
> >
> > DEFAULT Auth-Type := Accept
> >         Framed-IP-Address = 255.255.255.254,
> >         Framed-IP-Netmask = 255.255.255.255,
> >         Framed-Filter-Id = "diabled",
> >         Session-Timer = 600
> >
> > on the other hand, the "Fall-Through = yes" does not work here, because I want no fall-through if the user is a valid LDAP user.
> >
> > Has anyone an idea on this issue?
> Please excuse if I say something stupid now, as I do not know how exactly LDAP works with FreeRADIUS, but why do you not supply these attributes via LDAP on a per users base ? LDAP seems to provide that functionality.
>
> cheers
> Andreas Faust
Re: Authenticating "unknown" or "wrong" users with special attributes?
On Thu, Oct 25, 2001 at 06:20:50PM +0200, [EMAIL PROTECTED] wrote:
> Hi,
>
> # LDAP - most attributes come out of the LDAP database
> DEFAULT Auth-Type := LDAP
>         Service-Type = Framed,
>         Framed-Protocol = PPP,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP
>
> DEFAULT Auth-Type := Accept
>         Framed-IP-Address = 255.255.255.254,
>         Framed-IP-Netmask = 255.255.255.255,
>         Framed-Filter-Id = "diabled",
>         Session-Timer = 600
>
> on the other hand, the "Fall-Through = yes" does not work here, because I want no fall-through if the user is a valid LDAP user.
>
> Has anyone an idea on this issue?

Please excuse if I say something stupid now, as I do not know how exactly LDAP works with FreeRADIUS, but why do you not supply these attributes via LDAP on a per users base ? LDAP seems to provide that functionality.

cheers
Andreas Faust
Reject account
Hi, how can I write in a MySQL table the account reject with the reason for rejection? Regards, Aldo
Authenticating "unknown" or "wrong" users with special attributes?
Hi,

There is a little problem I'd like to share with you, maybe someone has come along this already.

The basic issue is that we try to use the freeradius server to authenticate users logging in via DSL (PPPoA/PPPoE). Especially if a router connects to the broadband NAS via PPPoA (PPP over ATM), and the RADIUS server sends an "Access-Reject" (i.e. wrong password, user unknown, ...) the router tries to connect again and again, and the NAS puts some dozens RADIUS requests per second (!) on the freeradius server. We did not find any option on the NAS to tell it to stop flooding the RADIUS server in case of Access-Rejects, so we had the following idea:

If we accepted (!) the "wrong" connections using an IP filter to prevent the users to use Internet connectivity and a session timer to make sure the "on-hold" session expires after some minutes, this would be a reasonable workaround.

I have had a hard day looking at the freeradius configuration, but I did not find any way to produce the following behaviour:

* If the user is in the LDAP database (and the password is correct), take the LDAP attributes and send "Access-Accept"

* If not, send some standard attributes.

I have the following users file which doesn't do the job, since the first DEFAULT entry is always taken, and if the user does not authenticate via LDAP, the second one is not taken into account:

# LDAP - most attributes come out of the LDAP database
DEFAULT Auth-Type := LDAP
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

DEFAULT Auth-Type := Accept
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Filter-Id = "diabled",
        Session-Timer = 600

on the other hand, the "Fall-Through = yes" does not work here, because I want no fall-through if the user is a valid LDAP user.

Has anyone an idea on this issue?

Thanks in advance,
Roland
RE: Problems starting radiusd
I'm not using hints at all, actually. Nor am I using a users file. User information is coming from MySQL.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andreas Faust
> Sent: October 25, 2001 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Problems starting radiusd
>
> On Thu, Oct 25, 2001 at 11:13:13AM -0400, Jason Lixfeld wrote:
> > Gdb radiusd was useless.
> >
> > Attached is strace output.
> check your hints or your users file..
> have a close look at the packet, it has the same values over and over written into it again I would guess it loops somewhere. I think that FallThrough may be a problem in here ...
>
> please check that
>
> cheers medic
>
> > * RECIEVE AUTH PACKET HERE *
> >
> > )= 1 (in [9])
> > recvfrom(9, "\1\2\0001 1004021946\1\vtestuser1\2"..., 1600, 0, {sin_family=AF_INET, sin_port=htons(3243), sin_addr=inet_addr("216.7.221.25")}}, [16]) = 49
> > time(NULL) = 1004022581
> > kill(1351, SIGRT_0) = 0
> > time(NULL) = 1004022581
> > Password = "#testuser11"
> > Framed-Compression = Van-Jacobson-TCP-IP
> > Framed-Compression = Van-Jacobson-TCP-IP
> > Framed-Protocol = PPP
> > Framed-Compression = Van-Jacobson-TCP-IP
> > Framed-Protocol = PPP
> > Service-Type = Framed-User
> > Framed-Compression = Van-Jacobson-TCP-IP
> > Framed-Protocol = PPP
> > Service-Type = Framed-User
> > Auth-Type = Local
> > Framed-Compression = Van-Jacobson-TCP-IP
> > Framed-Protocol = PPP
> > Service-Type = Framed-User
> > Auth-Type = Local
> > Framed-MTU = 1500
> > radiusd: Starting - reading configuration files ...
> >
> > * DEAD. CPU HITS 100% *
Re: Problems starting radiusd
On Thu, Oct 25, 2001 at 11:13:13AM -0400, Jason Lixfeld wrote:
> Gdb radiusd was useless.
>
> Attached is strace output.

check your hints or your users file..

have a close look at the packet, it has the same values over and over written into it again I would guess it loops somewhere. I think that FallThrough may be a problem in here ...

please check that

cheers medic

> * RECIEVE AUTH PACKET HERE *
>
> )= 1 (in [9])
> recvfrom(9, "\1\2\0001 1004021946\1\vtestuser1\2"..., 1600, 0, {sin_family=AF_INET, sin_port=htons(3243), sin_addr=inet_addr("216.7.221.25")}}, [16]) = 49
> time(NULL) = 1004022581
> kill(1351, SIGRT_0) = 0
> time(NULL) = 1004022581
> Password = "#testuser11"
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Auth-Type = Local
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Auth-Type = Local
> Framed-MTU = 1500
> radiusd: Starting - reading configuration files ...
>
> * DEAD. CPU HITS 100% *
Re: Errors Under High Load ( Including the Drop dup auth packet err)
"jason" <[EMAIL PROTECTED]> wrote:
> the new build seems to work properly.. must just have been the 1024 snapshot and previous

Ouch. I hate those kind of bugs. I would like to know *why* it's fixed.

> Hmm... i just checked out a new CVS build at 10:00 central time and this is what happened with the compile phase..
>
> rlm_unix.c: In function `unix_authenticate':
> rlm_unix.c:480: `pws' undeclared (first use in this function)

Arg, sorry. I committed the last patch without compiling it, sorry.

Alan DeKok.
RE: Problems starting radiusd
AFAIK, this is the suggested config for usage with mysql.

authorize {
        preprocess
        suffix
        sql
}

authenticate {
        sql
}

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Parker
> Sent: October 25, 2001 11:33 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Problems starting radiusd
>
> At 11:21 AM 10/25/2001 -0400, Jason Lixfeld wrote:
> >Here's everything from my radiusd.conf in the modules section:
>
> This sets up the modules, doesn't mean they are all used. What does your authorize/authenticate sections look like?
>
> -Chris
> --
> Chris Parker - Manager, Development Engineering
> WX *is* Wireless! [EMAIL PROTECTED]
> http://www.starnetwx.net (847) 963-0116
> Without C we would have 'obol', 'basi', and 'pasal'
Re: Errors Under High Load ( Including the Drop dup auth packet err)
> "jason" <[EMAIL PROTECTED]> wrote:
> > Ok, so in trying to install tonights build ( 1024 ) i ran into a few problems.. the postgres configure stuff still seems to be off, but I plugged my static values into the makefile to get around that.. ( and my postgres installation is in the standard /usr/local/pgsql .. )
>
> Do you have any ideas as to why it's wrong?

the new build seems to work properly.. must just have been the 1024 snapshot and previous

> > but then afterwards when doing a "make install"
> >
> > make[7]: Entering directory `/usr/src/devel/freeradius-snapshot-20011024/src/modules/rlm_dbm'
> > /usr/src/devel/freeradius-snapshot-20011024/install-sh -c -m 755 rlm_dbm_parser
>
> OK, I just updated the 'configure' script in rlm_dbm, to do things a bit better. It should work now. (i.e. NOT do install if the module isn't built.)

Hmm... i just checked out a new CVS build at 10:00 central time and this is what happened with the compile phase..

rlm_unix.c: In function `unix_authenticate':
rlm_unix.c:480: `pws' undeclared (first use in this function)
rlm_unix.c:480: (Each undeclared identifier is reported only once
rlm_unix.c:480: for each function it appears in.)
make[6]: *** [rlm_unix.o] Error 1
make[6]: Leaving directory `/usr/src/devel/radiusd/src/modules/rlm_unix'

> Which modules are you using, and what are you using them for?

here are the modules i'm loading, sql2 is a second postgresql instance to replicate accounting info to a separate server .. both sql modules run with postgresql

authorize {
        preprocess
        suffix
        files
        sql
}

authenticate {
        sql
}

preacct {
        suffix
        files
        preprocess
}

accounting {
        detail
        sql
        sql2
        unix
}

session {
}
RE: Problems starting radiusd
At 11:21 AM 10/25/2001 -0400, Jason Lixfeld wrote:
>Here's everything from my radiusd.conf in the modules section:

This sets up the modules, doesn't mean they are all used. What does your authorize/authenticate sections look like?

-Chris
--
Chris Parker - Manager, Development Engineering
WX *is* Wireless! [EMAIL PROTECTED]
http://www.starnetwx.net (847) 963-0116
Without C we would have 'obol', 'basi', and 'pasal'
RE: Problems starting radiusd
Here's everything from my radiusd.conf in the modules section:

modules {
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                passwd = /etc/passwd
                group = /etc/group
                radwtmp = ${logdir}/radwtmp
        }
        realm suffix {
                format = suffix
                delimiter = "@"
        }
        realm realmslash {
                format = prefix
                delimiter = "/"
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = yes
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
        fastusers {
                usersfile = ${confdir}/users_fast
                hashsize = 1000
                compat = no
                hash_reload = 600
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
        }
        $INCLUDE ${confdir}/sql.conf
        # sql.conf is calling: driver = "rlm_sql_mysql"
        radutmp {
                filename = ${logdir}/radutmp
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter {
                filename = ${raddbdir}/db.counter
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        example {
                boolean = yes
                integer = 16
                string = "This is an example configuration string"
                ipaddr = 127.0.0.1
                mysubsection {
                        anotherinteger = 1000
                        deeply nested {
                                string = "This is a different string"
                        }
                }
        }
}

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: October 25, 2001 10:34 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Problems starting radiusd
>
> "Jason A. Lixfeld" <[EMAIL PROTECTED]> wrote:
> > Reboot didn't do anything (like I really expected it to anyway).
> >
> > This is strange. I run radiusd -xx and it won't sig11 anymore.
> >
> > Gets as far as here, then that's it:
>
> OK, so what modules do you have configured? I ran it locally with just rlm_files, under a bounds checking compiler, and didn't see anything.
>
> I suspect that the problem is one of the modules.
>
> Alan DeKok.
Re: Problems starting radiusd
"Jason Lixfeld" <[EMAIL PROTECTED]> wrote:
> Any known problems with gcc version 2.96 2731 (Red Hat Linux 7.1 2.96-81)?

I don't think so.

Alan DeKok.
Re: freeradius+ldap
"Toth Zoltan" <[EMAIL PROTECTED]> wrote:
> There are two schema files (Radius-LDAP.schema and Radius-LDAPv3.shema) in the freeradius package .
> Which one shall I add to the novell LDAP server?

I think the LDAP one.

Alan DeKok.
Re: Errors Under High Load ( Including the Drop dup auth packet err)
"jason" <[EMAIL PROTECTED]> wrote:
> Ok, so in trying to install tonights build ( 1024 ) i ran into a few problems.. the postgres configure stuff still seems to be off, but I plugged my static values into the makefile to get around that.. ( and my postgres installation is in the standard /usr/local/pgsql .. )

Do you have any ideas as to why it's wrong?

> but then afterwards when doing a "make install"
>
> make[7]: Entering directory `/usr/src/devel/freeradius-snapshot-20011024/src/modules/rlm_dbm'
> /usr/src/devel/freeradius-snapshot-20011024/install-sh -c -m 755 rlm_dbm_parser

OK, I just updated the 'configure' script in rlm_dbm, to do things a bit better. It should work now. (i.e. NOT do install if the module isn't built.)

> in the meanwhile, I noticed that the server was occasionally dying on sig 11's after having the hailstorm of drop dup auth packet error, so I turned core dumping on, and maybe I'll be able to get a core file with some useful info in it..

That would be *wonderful*. I can't reproduce it here in the modules I use.

Which modules are you using, and what are you using them for?

Alan DeKok.
Re: Problems starting radiusd
"Jason A. Lixfeld" <[EMAIL PROTECTED]> wrote:
> Reboot didn't do anything (like I really expected it to anyway).
>
> This is strange. I run radiusd -xx and it won't sig11 anymore.
>
> Gets as far as here, then that's it:

OK, so what modules do you have configured? I ran it locally with just rlm_files, under a bounds checking compiler, and didn't see anything.

I suspect that the problem is one of the modules.

Alan DeKok.
Re: Patch to log bad shell failures
Bill Campbell <[EMAIL PROTECTED]> wrote:
> I just spent quite a while debugging a problem where Unix logins were failing. It turned out to be that /bin/pdksh wasn't in /etc/shells. The attached patch logs this failure to make it a lot easier to identify why logins fail (I did finally learn to use ddd and gdb :-).

Applied, thanks.

Alan DeKok.
RE: Problems starting radiusd
At 09:59 AM 10/25/2001 -0400, you wrote:
> > Perhaps until we have a non-beta release, we should set the default option to "allow" coredumps, since right now the primary focus is on getting to a stable production-ready release. Those who really are paranoid enough, can certainly disable coredumps.
>
>Any ideas on what I can try to get this thing running again? Tried yesterday's CVS. No dice :(

Try starting radiusd from GDB:

gdb radiusd
(gdb) run

Or, a little easier but a lot more verbose, run it with 'strace' ala: 'strace radiusd' and you'll see the system calls where it stops. Start there and see if that sheds any more light on it.

-Chris
--
Chris Parker - Manager, Development Engineering
WX *is* Wireless! [EMAIL PROTECTED]
http://www.starnetwx.net (847) 963-0116
Without C we would have 'obol', 'basi', and 'pasal'
RE: Problems starting radiusd
> Of course, a watched pot never boils and all that.

Yes, but I was able to replicate the problem and force a sig11. Can't do that anymore. Not watching a bot, per se.

> Perhaps until we have a non-beta release, we should set the default option to "allow" coredumps, since right now the primary focus is on getting to a stable production-ready release. Those who really are paranoid enough, can certainly disable coredumps.

Any ideas on what I can try to get this thing running again? Tried yesterday's CVS. No dice :(

Any known problems with gcc version 2.96 2731 (Red Hat Linux 7.1 2.96-81)?
Re: Errors Under High Load ( Including the Drop dup auth packet err)
At 01:54 AM 10/25/2001 -0500, you wrote:
>in the meanwhile, I noticed that the server was occasionally dying on sig 11's after having the hailstorm of drop dup auth packet error, so I turned core dumping on, and maybe I'll be able to get a core file with some useful info in it..

Yes please share it here if you do. :)

--
Chris Parker - Manager, Development Engineering
WX *is* Wireless! [EMAIL PROTECTED]
http://www.starnetwx.net (847) 963-0116
Without C we would have 'obol', 'basi', and 'pasal'
RE: Problems starting radiusd
At 01:17 AM 10/25/2001 -0400, Jason A. Lixfeld wrote:
>Damn it,
>
> Reboot didn't do anything (like I really expected it to anyway).
>
>This is strange. I run radiusd -xx and it won't sig11 anymore.

Of course, a watched pot never boils and all that.

>Thought it might have something to do with the user I'm running as (nobody). Tried to run as root, same problem.
>
>BTW: The only config change I made was to enable core dumps in the config. It gave Sig11 last time I tried (a few hours ago) prior to enabling core dumps. When it wouldn't Sig11 any more after enabling, I then disabled them but it won't revert back to the state where it will Sig11.

Perhaps until we have a non-beta release, we should set the default option to "allow" coredumps, since right now the primary focus is on getting to a stable production-ready release. Those who really are paranoid enough, can certainly disable coredumps.

-Chris
--
Chris Parker - Manager, Development Engineering
WX *is* Wireless! [EMAIL PROTECTED]
http://www.starnetwx.net (847) 963-0116
Without C we would have 'obol', 'basi', and 'pasal'
Re: [Fwd: Re: Changing RADIUS Passwords]
On 10/25/01 2:05 AM, Chaminda Rathnasinghe wrote:
>I would like to know how to set bin/false users to change their passwords as you describe below.

On Linux, use the '-s' switch with usermod or useradd (or perhaps chuser and adduser on BSD -- syntax may vary). For example,

usermod -s /usr/bin/passwd some_user

(assuming that passwd is located in /usr/bin on your system). Or, you could just edit the /etc/passwd file and replace /bin/false with /usr/bin/passwd.

John Blumel
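The usermod advice above and the "Patch to log bad shell failures" thread earlier on this page describe the same rule from two sides: Unix logins through the server fail when the account's login shell is not listed in /etc/shells (the pdksh case), so an account whose shell is set to /usr/bin/passwd would need that path listed as well. The following is an added audit script, not code from either post or from FreeRADIUS: it reads passwd-format and /etc/shells-format text and reports which accounts carry an unlisted shell, which is the first thing to check when such logins are rejected. The passwd and shells contents are constructed sample data.

```python
# Added example (not part of the original thread): audit which accounts
# have a login shell that is not listed in /etc/shells.  The passwd and
# shells contents below are constructed sample data, not a real system.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dialup1:x:1001:1001:PPP user:/home/dialup1:/bin/pdksh
pwonly:x:1002:1002:password-change only:/home/pwonly:/usr/bin/passwd
parked:x:1003:1003:disabled:/home/parked:/bin/false
"""

SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/passwd
"""


def parse_shells(text):
    """Return the set of shells listed in an /etc/shells file; blank lines
    and '#' comments are ignored, as getusershell(3) ignores them."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def parse_passwd(text):
    """Map user name -> login shell from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip it rather than guess
        # passwd(5): an empty shell field means /bin/sh
        users[fields[0]] = fields[6] or "/bin/sh"
    return users


def shell_audit(passwd_text, shells_text):
    """Return {user: (shell, listed_in_etc_shells)}."""
    valid = parse_shells(shells_text)
    return {user: (shell, shell in valid)
            for user, shell in parse_passwd(passwd_text).items()}


def users_with_unlisted_shell(passwd_text, shells_text):
    """Sorted names of accounts whose shell is not in /etc/shells."""
    audit = shell_audit(passwd_text, shells_text)
    return sorted(user for user, (_shell, ok) in audit.items() if not ok)


if __name__ == "__main__":
    # On a real host: open("/etc/passwd").read() and open("/etc/shells").read()
    for user, (shell, ok) in shell_audit(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print("%-10s %-16s %s" % (user, shell, "ok" if ok else "NOT in /etc/shells"))
```

In the sample, dialup1 (pdksh) and parked (/bin/false) are flagged, while pwonly passes only because /usr/bin/passwd was added to the shells list; leaving it out reproduces the failure the patch thread describes.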
SQL authorization with operators
Hello,

I forgot to mention about radgroupcheck table changing in README.patch:

CREATE TABLE radgroupcheck (
        id INT PRIMARY KEY,
        groupname VARCHAR(20) NOT NULL,
        attribute VARCHAR(40),
        value VARCHAR(40),
        op VARCHAR(2)
);

I'm very sorry about that. http://todes.org.by/~mitry/freeradius/rlm_sql/README.patch fixed.

Mitry.
Re: SQL authorization with operators
On Thursday, October 25, 2001 13:12 Stephan Viljoen [EMAIL PROTECTED] wrote:

SV> I added the 'op' column to my radgroupcheck table with the value ':=' , but
SV> it's still giving me the same problems.

Did you change authorize statements in your sql.conf to the following:

authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"

authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"

authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"

authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"

Mitry.
RE: SQL authorization with operators
I added the 'op' column to my radgroupcheck table with the value ':=' , but it's still giving me the same problems.

Stephan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Eddie Stassen
Sent: 25 October 2001 03:51
To: [EMAIL PROTECTED]
Subject: RE: SQL authorization with operators

At 11:24 10/25/01 +0200, you wrote:
>I patched my radius with your patch but I'm still getting Authentication problems when I add Simultaneous-Use in the radgroupcheck table. Here's an example of what my tables look like. It authenticates fine when I remove the Simultaneous-Use from the radgroupcheck;
>
>mysql> select * from radgroupcheck;
>+----+-----------+------------------+-------+
>| id | GroupName | Attribute        | Value |
>+----+-----------+------------------+-------+
>|  1 | norm      | Simultaneous-Use | 1     |
>+----+-----------+------------------+-------+
>1 row in set (0.00 sec)

I think you are missing the 'op' column in your radgroupcheck table. This should have the value ':=' in this case.

Eddie
RE: SQL authentication with Auth-Type
Aah , don't worry I discovered my mistake. Tanx for the help , it's working A ok now.

Stephan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Joe Modjeski
Sent: 17 October 2001 08:49
To: [EMAIL PROTECTED]
Subject: Re: SQL authentication with Auth-Type

- Original Message -
From: "Christoph Haas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 17, 2001 9:48 AM
Subject: SQL authentication with Auth-Type

> Hi all...
>
> has anyone yet managed to set an Auth-Type as a check item in a MySQL database? For me no Auth-Type is working. I read in some older posting that the 'users' file supports an Auth-Type of 'sql'. But whenever I set an Auth-Type in the 'radcheck' table used for authentication (e.g. 'Local' or 'System') I receive an Access-Reject for no reason.
>
> I can even set Auth-Type to Local and it won't work. Just removing the Auth-Type record it works (with the Password entry alone). Is the 'users' file my destiny? Is the SQL authentication just not powerful enough to even support UNIX authentication?
>
> I'm sure there is a very simple solution. ;)

From reading on the list I believe this to be a problem that will be solved when the SQL tables begin to support operators. Currently the tables only use the '==' operator and in that case you can only match attributes that are sent.

The easiest way for me to finally grasp what is actually going on in the background is to break it into the separate processes 'Authorize' and 'Authenticate', if you are used to dealing with the 'users' file then this can be a bit of a challenge.

The Authorize section does the comparison between the original Access-Request packet and the Attributes that would be in the check statements in the users file, or radcheck, radgroupcheck table in SQL, AND builds the reply packet from the reply statements in the users file, or radreply, radgroupreply tables in SQL.

The Authenticate section only does Authentication comparisons.

So in your users file you can have a:

DEFAULT Auth-Type := Local

To get local authentication while still building the reply packets from the database. This is similar to what I am doing except I skip the Authentication part totally and use a freaky configurable failover to authenticate duplicate users out of an SQL database.

Anyone want to offer corrections on my interpretation of the Authorize/Authentication process?

Joe

> Christoph
RE: SQL authorization with operators
At 11:24 10/25/01 +0200, you wrote:
>I patched my radius with your patch but I'm still getting Authentication problems when I add Simultaneous-Use in the radgroupcheck table. Here's an example of what my tables look like. It authenticates fine when I remove the Simultaneous-Use from the radgroupcheck;
>
>mysql> select * from radgroupcheck;
>+----+-----------+------------------+-------+
>| id | GroupName | Attribute        | Value |
>+----+-----------+------------------+-------+
>|  1 | norm      | Simultaneous-Use | 1     |
>+----+-----------+------------------+-------+
>1 row in set (0.00 sec)

I think you are missing the 'op' column in your radgroupcheck table. This should have the value ':=' in this case.

Eddie
RE: SQL authorization with operators
I patched my radius with your patch but I'm still getting Authentication problems when I add Simultaneous-Use in the radgroupcheck table. Here's an example of what my tables look like. It authenticates fine when I remove the Simultaneous-Use from the radgroupcheck;

mysql> select * from radgroupcheck;
+----+-----------+------------------+-------+
| id | GroupName | Attribute        | Value |
+----+-----------+------------------+-------+
|  1 | norm      | Simultaneous-Use | 1     |
+----+-----------+------------------+-------+
1 row in set (0.00 sec)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mitry Matyushkov
Sent: 23 October 2001 07:41
To: [EMAIL PROTECTED]
Subject: Re: SQL authorization with operators

On Tuesday, October 23, 2001 18:47 [EMAIL PROTECTED] wrote:
>> Please don't. I think only tested patches should be applied. In that patch I added support only for 'check' AV pairs. Shall I add operator support for 'reply' AV pairs too?
> Yes.

OK. The patch is getting much simpler. Here are the new patch locations:

http://todes.org.by/~mitry/freeradius/rlm_sql/README.patch
http://todes.org.by/~mitry/freeradius/rlm_sql/rlm_sql.diff

Mitry.
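The whole "SQL authorization with operators" thread, together with Joe's explanation in the Auth-Type thread that the old tables only ever behaved as '==' and so could only match attributes actually sent, comes down to one mechanism: a check item without an operator is compared against the Access-Request, and Simultaneous-Use is never in the request, so the comparison fails and the user is rejected; with ':=' the row sets a control item instead of comparing. The following is an added example, not the rlm_sql patch and not FreeRADIUS code: it builds the radgroupcheck table from the thread (with the 'op' column) in an in-memory SQLite database, runs the group-check query with the user name bound as a parameter rather than interpolated into the SQL text as '%{SQL-User-Name}' is, and applies the returned rows with a small operator evaluator. Table contents and the request are constructed; the operator semantics implemented are the usual check-item ones (==, !=, :=, =) and are an assumption where the page does not spell them out.

```python
# Added example (not the rlm_sql patch itself): a radgroupcheck table with
# the 'op' column from the thread, the group-check query with a bound
# parameter instead of interpolating %{SQL-User-Name}, and an evaluator
# showing why a check item with no operator (treated as '==') rejects a
# user while ':=' does not.  Table contents and requests are constructed.
import sqlite3

GROUP_CHECK_QUERY = """
SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
       radgroupcheck.Value, radgroupcheck.op
FROM radgroupcheck, usergroup
WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id
"""


def setup_db(op):
    """In-memory schema with one group 'norm' carrying Simultaneous-Use = 1
    stored with the given operator (None mimics a table without 'op')."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE radgroupcheck (
            id INTEGER PRIMARY KEY,
            GroupName VARCHAR(20) NOT NULL,
            Attribute VARCHAR(40),
            Value VARCHAR(40),
            op VARCHAR(2)
        );
        CREATE TABLE usergroup (UserName VARCHAR(30), GroupName VARCHAR(30));
        INSERT INTO usergroup VALUES ('stephan', 'norm');
    """)
    con.execute("INSERT INTO radgroupcheck (GroupName, Attribute, Value, op) "
                "VALUES ('norm', 'Simultaneous-Use', '1', ?)", (op,))
    return con


def authorize(con, username, request):
    """Apply the user's group check items to a request (dict of
    attribute -> value).  Returns (accepted, control_items)."""
    control = {}
    for _id, _group, attr, value, op in con.execute(GROUP_CHECK_QUERY, (username,)):
        op = op or "=="          # no operator column: compare, as the old server did
        if op == ":=":           # set/override a control item, no comparison
            control[attr] = value
        elif op == "=":          # set only if not already present
            control.setdefault(attr, value)
        elif op == "==":         # must be present in the request and equal
            if request.get(attr) != value:
                return False, control
        elif op == "!=":
            if request.get(attr) == value:
                return False, control
        else:
            raise ValueError("unsupported operator %r" % op)
    return True, control


def compare_operators(request):
    """Run one request against a table without 'op' and one with ':='."""
    return {
        "without-op": authorize(setup_db(None), "stephan", request),
        "with-:=": authorize(setup_db(":="), "stephan", request),
    }


if __name__ == "__main__":
    # constructed Access-Request: note there is no Simultaneous-Use in it
    req = {"User-Name": "stephan", "User-Password": "secret", "NAS-Port-Type": "Async"}
    for label, (accepted, control) in compare_operators(req).items():
        print("%-11s accepted=%s control=%s" % (label, accepted, control))
```

The first run reproduces Stephan's symptom (rejected, nothing set); the second shows the behaviour after adding the column with ':=' and switching to the patched queries.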
Re: freeradius+ldap
There are two schema files (Radius-LDAP.schema and Radius-LDAPv3.shema) in the freeradius package . Which one shall I add to the novell LDAP server?
Re: freeradius+ldap
...not work. here is LDAP server debug with freeradius search

10-25-2001 10:28:17 am begin get_filter
10-25-2001 10:28:17 am EQUALITY
10-25-2001 10:28:17 am filter: (uid=a7340003)
10-25-2001 10:28:17 am attrs:
10-25-2001 10:28:17 am uid
10-25-2001 10:28:17 am
10-25-2001 10:28:17 am => send_search_entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU)
10-25-2001 10:28:17 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (entry)
10-25-2001 10:28:17 am <= acl_get: no match
10-25-2001 10:28:17 am <= acl: granted by default (no matching "to" entry)
10-25-2001 10:28:17 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (uid)
10-25-2001 10:28:17 am <= acl_get: no match
10-25-2001 10:28:17 am <= acl: granted by default (no matching "to" entry)
10-25-2001 10:28:17 am send_ldap_result 0::
10-25-2001 10:28:17 am listening for activity in monitor thread 0x3ee on:
10-25-2001 10:28:17 am 0xd1fea440r
10-25-2001 10:28:17 am 0xd1fa3fc0r
10-25-2001 10:28:17 am 0xd1fea700r
10-25-2001 10:28:17 am 0xd1feab80r
10-25-2001 10:28:17 am
10-25-2001 10:28:17 am before select in monitor thread 0x3ee, active_threads 0
10-25-2001 10:28:17 am select activity
10-25-2001 10:28:17 am Accepting TCP connection
10-25-2001 10:28:17 am Found usable monitor thread 0x3ee
10-25-2001 10:28:17 am new connection on 0xd1feac00
10-25-2001 10:28:17 am select activity in monitor thread 0x3ee
10-25-2001 10:28:17 am read activity on 0xd1fea440
10-25-2001 10:28:17 am listening for activity in monitor thread 0x3ee on:
10-25-2001 10:28:17 am 0xd1fea440r
10-25-2001 10:28:17 am 0xd1fa3fc0r
10-25-2001 10:28:17 am 0xd1fea700r
10-25-2001 10:28:17 am 0xd1feab80r
10-25-2001 10:28:17 am 0xd1feac00r
10-25-2001 10:28:17 am
10-25-2001 10:28:17 am before select in monitor thread 0x3ee, active_threads 0
10-25-2001 10:28:17 am select activity in monitor thread 0x3ee
10-25-2001 10:28:17 am read activity on 0xd1feac00
10-25-2001 10:28:17 am do_bind
10-25-2001 10:28:17 am bind: protocol version 2 dn (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) method 128
10-25-2001 10:28:17 am dn (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU), ndsDN (CN=A7340003.OU=OCN.OU=O.OU=GEDOS.O=GHU)
10-25-2001 10:28:17 am listening for activity in monitor thread 0x3ee on:
10-25-2001 10:28:17 am 0xd1fea440r
10-25-2001 10:28:17 am 0xd1fa3fc0r
10-25-2001 10:28:17 am 0xd1fea700r
10-25-2001 10:28:17 am 0xd1feab80r
10-25-2001 10:28:17 am 0xd1feac00r
10-25-2001 10:28:17 am
10-25-2001 10:28:17 am before select in monitor thread 0x3ee, active_threads 1
10-25-2001 10:28:17 am send_ldap_result 0::

here is LDAP server debug with netscape search

10-25-2001 10:11:54 am begin get_filter
10-25-2001 10:11:54 am EQUALITY
10-25-2001 10:11:54 am filter: (cn=a7340003)
10-25-2001 10:11:54 am attrs:
10-25-2001 10:11:54 am
10-25-2001 10:11:54 am listening for activity in monitor thread 0x3ee on:
10-25-2001 10:11:54 am 0xd1fea440r
10-25-2001 10:11:54 am 0xd1fa3fc0r
10-25-2001 10:11:54 am 0xd1fea700r
10-25-2001 10:11:54 am 0xd1feab80r
10-25-2001 10:11:54 am 0xd1fea640r
10-25-2001 10:11:54 am
10-25-2001 10:11:54 am before select in monitor thread 0x3ee, active_threads 1
10-25-2001 10:11:54 am => send_search_entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU)
10-25-2001 10:11:54 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (entry)
10-25-2001 10:11:54 am <= acl_get: no match
10-25-2001 10:11:54 am <= acl: granted by default (no matching "to" entry)
10-25-2001 10:11:54 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (objectClass)
10-25-2001 10:11:54 am <= acl_get: no match
10-25-2001 10:11:54 am <= acl: granted by default (no matching "to" entry)
10-25-2001 10:11:54 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (radiusFramedIPAddress)
10-25-2001 10:11:54 am <= acl_get: no match
10-25-2001 10:11:54 am <= acl: granted by default (no matching "to" entry)
10-25-2001 10:11:54 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (revision)
10-25-2001 10:11:54 am <= acl_get:
no match 10-25-2001 10:11:54 am <= acl: granted by default (no matching "to" entry) 10-25-2001 10:11:54 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (l) 10-25-2001 10:11:54 am <= acl_get: no match 10-25-2001 10:11:54 am <= acl: granted by default (no matching "to" entry) 10-25-2001 10:11:54 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (sn) 10-25-2001 10:11:54 am <= acl_get: no match 10-25-2001 10:11:54 am <= acl: granted by default (no matching "to" entry) 10-25-2001 10:11:54 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (uid) 10-25-2001 10:11:54 am <= acl_get: no match 10-25-2001 10:11:54 am <= acl: granted by default (no matching "to" entry) 10-25-2001 10:11:54 am => acl_get: entry (cn=A7340003,ou=OCN,ou=O,ou=GEDOS,o=GHU) attr (cn) 10-25-2001 10:11:54 am <= acl_get: no match 10-25-2001 10:11:54 am <= acl: granted by default (no matching "to" entry) 10-25-2001 10:11:54 am send_ldap_result 0:: any idea? this