Re: Radius Died Message

2002-04-26 Thread Bjorn Nordbo

Junaid Saeed Uppal wrote:
> I am new to configuring radius, but I got it working. Now the problem is
> that when I run the radius daemon, it keeps dying and sending emails to
> root with subject "Radius Died, Restarting" after about every 20 seconds ...
> I can't figure out what's wrong ... please help .. I am using FreeRADIUS ...

Have you tried running it in debug mode? If not, try that with the
-X switch; it will probably tell you why it dies.

-- 
We tend to meet any new situation by reorganising; and a wonderful method
it can be for creating the illusion of progress while producing confusion,
inefficiency and demoralisation.-- Gaius Petronius, 60 AD

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Compiling pam_radius module on HP-UX

2002-04-26 Thread Lecossois, Walter

Hi,

Does anybody have some experience or hints on how to get the pam_radius
module compiled on HP-UX (10.20 and 11) ?

Thanks,

Walter.





rlm_mysql core dumped

2002-04-26 Thread rust

Hello freeradius-users,
My config Linux Redhat 7
Linux 2.4.18 #3 SMP Fri Apr 5 14:07:36 MSD 2002 i686 unknown
mysql Ver 3.22.32 for pc-linux-gnu on i686
freeradius-snapshot-20020417


If I set num_sql_socks > 1, I get a core dump ;(
With num_sql_socks = 1 it works fine.

What changes must I make, and where???


#gdb radiusd

(gdb) set args -X
(gdb) run
Starting program: /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1814
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd.pid
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP 
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix) 
Module: Loaded SQL 
 sql: driver = rlm_sql_mysql
 sql: server = 192.168.200.1
 sql: port = 
 sql: login = radius
 sql: password = radpass
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = no
 sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
 sql: deletestalesessions = yes
 sql: num_sql_socks = 2
 sql: sql_user_name = %{User-Name}
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck 
WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply 
WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
 sql: authenticate_query = SELECT Value,Attribute FROM radcheck WHERE UserName = 
'%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR 
Attribute = 'Crypt-Password' OR Attribute = 'NT-Password') ORDER BY Attribute DESC
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_times[New Thread 1024 (LWP 25018)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 25018)]
0x401085bc in chunk_free (ar_ptr=0x401aace0, p=0x80c1eb0) at malloc.c:3117
(gdb) bt
#0  0x401085bc in chunk_free (ar_ptr=0x401aace0, p=0x80c1eb0) at malloc.c:3117
#1  0x40107d12 in chunk_alloc (ar_ptr=0x401aace0, nb=88) at malloc.c:2601
#2  0x401077e6 in __libc_malloc (bytes=84) at malloc.c:2703
#3  0x401f1993 in my_malloc () from /usr/lib/libmysqlclient.so.10
(gdb) q
The program is running.  Exit anyway? (y or n) 



-- 
Best regards,
 rust 

RE: Question about redundant/failover accounting.

2002-04-26 Thread Nico.Baggus

Alan de Kok wrote:
> > When a NAS fails the telco will failover to the other NAS;
> > when a Radius server fails the NAS will select its twin-sister.
> >
> > The only thing this doesn't work for is Accounting.
>
>   You might want to take a look at 'radrelay', from the Cistron
> distribution.  It's the preferred method for replicating accounting
> data.
>
>   If you can come up with a patch to add it to FreeRADIUS, that would
> help a lot.
>
> > Then an accounting loop starts that adds about 220KB to the detail file
> > for every packet received from a NAS. Probably the loop ends when a packet
> > gets too large. (Some Proxy- fields are added to every hop).
>
>   Yes.  And you can't rely on the Proxy-State attribute to discover
> loops, as some RADIUS servers destroy the Proxy-State attribute.
>
>   I believe that radrelay *should* take care of a lot of these issues.
>
> > When is Client-IP-Address added to the packet? (probably too late)
>
>   It's not.  It's a server-side attribute that's added to the REQUEST
> data structure by rlm_preprocess.

Aha.
Then the patch is in radiusd.conf:

from old:

  preacct {
        files
        preprocess
  }

to new:

  preacct {
        preprocess
        files
  }

And get Client-IP-Address from the rlm_acct_unique spec.

> > Why can't Client-IP-Address be used as a check-item? (if it
> > is in the request)
>
>   It can.

If the preprocess is done before the files; otherwise the attribute just isn't
there.

> > I've a patched freeradius to get it to work on AIX and I'm not aware
> > whether the patches sent to the list have been incorporated or not.
>
>   They haven't been incorporated.  Quite frankly, I'm reluctant to do
> so.

Well, for radius the basic problem is the complaints about the missing
strings.h (well, the complaints are missing templates for routines
like bzero and strcasecmp etc.).
BTW there is a difference when trying to compile with --disable-shared or not;
many modules will only compile using --enable-shared.
Therefore linking with modules preloaded seems to be best.

A test in configure for the strings.h file will probably solve most of it.
One problem was the order of includes (missing.h from radius.h was included
before some other ones).

The problem is I'm a VMS programmer/systems manager/system programmer and I
don't normally use tools like autoconf etc. Had things been more my way the
radius server would have run on an available VMS cluster using VMSRadius anyway.
(It would have been a LOT simpler then.) And the amount of time available
won't allow learning to use them with all their intricacies. Although AIX is
probably an interesting platform to learn things on, as a lot of things are done
quite differently with respect to other UNICES.

>   If you just patched it to *add* functionality or include files
> specifically for AIX, then I would have applied the patch.  However,
> the patch *removes* functionality and include files which are
> currently used on other platforms.  I'm not going to break the build
> on many platforms just to make it work on another one.

Agreed, I just supplied the differences to show what was needed to get up and
running.
auto* are beyond my interests/capabilities. The basic problem is described
above.

>   So until I get time to edit the patch to fix it, or until you can
> supply a better patch, it won't get committed.

No problem, this is probably a one-off for many years to come unless a problem
should arise from radiusd in the next few weeks. The server does what it should do
and new functionality can be nice but is not needed as currently foreseen.

Regards,
Nico Baggus





Conditional Proxy

2002-04-26 Thread Eddie Stassen

Hi,

I have posted a patch for this on the developers list, but there has been 
no response yet so I'm wondering if this patch would be as useful to others 
as it is for me.  Basically it allows one to specify a check list in the 
realm config which would then be checked before a request is proxied. e.g.:

realm company.com {
        authhost = 10.0.0.1:1645
        accthost = 10.0.0.1:1646
        secret   = mysecret
        check    = Called-Station-Id == 1234,NAS-Port-Type = 2
}

If the incoming request for realm mycompany.com does not match the items in 
'check', rlm_realm will not set the Proxy-To-Realm attribute and the 
request will not be proxied.  Omitting 'check' from the config would allow 
realms to be proxied as usual.

Any Comments?

Eddie


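As an added illustration (not part of Eddie's patch or of FreeRADIUS itself), here is a small Python model of the proposed per-realm 'check' semantics: the realm is taken from the User-Name suffix as rlm_realm does with format = suffix, the comma-separated check list is parsed into (attribute, operator, value) items, and Proxy-To-Realm is set only when every item matches. The realm table is constructed from the snippet above; treating a plain '=' as equality and failing closed when an attribute is absent from the request are assumptions of this model.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed realm table modelled on the radiusd.conf snippet in the post.
# 'check' carries the proposed check list; None means "proxy as usual".
REALMS: Dict[str, Dict[str, Optional[str]]] = {
    "company.com": {
        "authhost": "10.0.0.1:1645",
        "accthost": "10.0.0.1:1646",
        "secret": "mysecret",
        "check": "Called-Station-Id == 1234,NAS-Port-Type = 2",
    },
    "other.org": {  # no 'check': behaves like an unpatched realm entry
        "authhost": "10.0.0.2:1645",
        "accthost": "10.0.0.2:1646",
        "secret": "othersecret",
        "check": None,
    },
}

# One check item: Attribute, operator, value.  Longest operators are listed
# first so that "==" is not mistaken for "=".
_ITEM_RE = re.compile(r"^\s*([\w-]+)\s*(==|!=|>=|<=|>|<|=)\s*(\S.*?)\s*$")


def parse_check_list(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'Attr op Value,Attr op Value' into (attr, op, value) tuples."""
    items = []
    for raw in text.split(","):
        if not raw.strip():
            continue
        m = _ITEM_RE.match(raw)
        if not m:
            raise ValueError(f"bad check item: {raw!r}")
        items.append((m.group(1), m.group(2), m.group(3)))
    return items


def _compare(op: str, have: str, want: str) -> bool:
    # Compare numerically when both sides are integers, otherwise as strings.
    # Plain '=' is treated as equality here (an assumption of this model).
    try:
        a, b = int(have), int(want)
    except ValueError:
        a, b = have, want
    return {
        "==": a == b, "=": a == b, "!=": a != b,
        ">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b,
    }[op]


def check_items_match(items: List[Tuple[str, str, str]],
                      request: Dict[str, str]) -> bool:
    """All items must match; an attribute missing from the request fails closed."""
    for attr, op, want in items:
        if attr not in request or not _compare(op, request[attr], want):
            return False
    return True


def realm_suffix(user_name: str, delimiter: str = "@") -> Optional[str]:
    """rlm_realm with format = suffix: the realm follows the last delimiter."""
    if delimiter not in user_name:
        return None
    return user_name.rsplit(delimiter, 1)[1]


def proxy_decision(request: Dict[str, str], realms=REALMS) -> Optional[str]:
    """Return the realm to put in Proxy-To-Realm, or None to keep the request local."""
    realm = realm_suffix(request.get("User-Name", ""))
    if realm is None or realm not in realms:
        return None
    check = realms[realm]["check"]
    if check is not None and not check_items_match(parse_check_list(check), request):
        return None  # checks failed: rlm_realm leaves Proxy-To-Realm unset
    return realm


if __name__ == "__main__":
    for req in (
        {"User-Name": "bob@company.com", "Called-Station-Id": "1234", "NAS-Port-Type": "2"},
        {"User-Name": "bob@company.com", "Called-Station-Id": "5678", "NAS-Port-Type": "2"},
        {"User-Name": "bob@other.org"},
    ):
        print(req["User-Name"], "->", proxy_decision(req))
```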



Re: Conditional Proxy

2002-04-26 Thread Chris Parker

At 02:08 PM 4/26/2002 -0200, Eddie Stassen wrote:
> Hi,
>
> I have posted a patch for this on the developers list, but there has been
> no response yet so I'm wondering if this patch would be as useful to
> others as it is for me.  Basically it allows one to specify a check list
> in the realm config which would then be checked before a request is
> proxied. e.g.:
>
> realm company.com {
>         authhost = 10.0.0.1:1645
>         accthost = 10.0.0.1:1646
>         secret   = mysecret
>         check    = Called-Station-Id == 1234,NAS-Port-Type = 2
> }
>
> If the incoming request for realm mycompany.com does not match the items
> in 'check', rlm_realm will not set the Proxy-To-Realm attribute and the
> request will not be proxied.  Omitting 'check' from the config would allow
> realms to be proxied as usual.
>
> Any Comments?

Why is it not possible to simply do this in the 'users' file with:

DEFAULT   Called-Station-Id == 1234, Proxy-To-Realm := company.com
          Fall-Through = No

-Chris
--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: MS-CHAP nt-lnPasswords on LDAP

2002-04-26 Thread Alan DeKok

3APA3A [EMAIL PROTECTED] wrote:
> mschap in authorize is only required if you store cleartext
> passwords; in this case it produces NT/LM hashes from the cleartext.

  That work can be done in the 'authenticate' code, can't it?  I don't
see why it's required to be in the 'authorize' section.

  Alan DeKok.




Re: dial_up admin question

2002-04-26 Thread Kostas Kalevras

On Tue, 23 Apr 2002, Juan Hernandez wrote:

> can I get it off the web? I've never used the cvs repository

You can either get it through the web
(http://sourceforge.net/projects/dialup-admin) or find it in the
latest cvs snapshots. The cvs snapshots can be found on the ftp site
in the CVS-snapshots directory.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: Conditional Proxy

2002-04-26 Thread Chris Parker

At 04:30 PM 4/26/2002 -0200, Eddie Stassen wrote:
> At 08:47 AM 02/04/26 -0500, you wrote:
> > At 02:08 PM 4/26/2002 -0200, Eddie Stassen wrote:
> > > Hi,
> > >
> > > I have posted a patch for this on the developers list, but there has
> > > been no response yet so I'm wondering if this patch would be as useful
> > > to others as it is for me.  Basically it allows one to specify a check
> > > list in the realm config which would then be checked before a request is
> > > proxied. e.g.:
> > >
> > > realm company.com {
> > >         authhost = 10.0.0.1:1645
> > >         accthost = 10.0.0.1:1646
> > >         secret   = mysecret
> > >         check    = Called-Station-Id == 1234,NAS-Port-Type = 2
> > > }
> > >
> > > If the incoming request for realm mycompany.com does not match the items
> > > in 'check', rlm_realm will not set the Proxy-To-Realm attribute and the
> > > request will not be proxied.  Omitting 'check' from the config would
> > > allow realms to be proxied as usual.
> > >
> > > Any Comments?
> >
> > Why is it not possible to simply do this in the 'users' file with:
> >
> > DEFAULT   Called-Station-Id == 1234, Proxy-To-Realm := company.com
> >           Fall-Through = No
>
> The problem is when you use the files method in conjunction with rlm_realm
> it would still be possible to be proxied without the checks being
> done.  If for example you had:
>
> authorize {
>         suffix
>         files
> }
>
> and in users:
>
> DEFAULT   Suffix == @company.com, Called-Station-Id == 1234,
>           Proxy-To-Realm := company.com
>           Fall-Through = No
>
> then the Proxy-To-Realm attribute for '[EMAIL PROTECTED]' would be set by
> rlm_realm before the users file got hold of it and the request would be
> sent on.

Then simply change the order of the 'authorize' block, so that files is
called first.

Or better have a separate 'fastusers' instance that uses a different
'users' file without a DEFAULT entry (so that it returns NOTFOUND if
nothing matches).

> One way of getting past this is to simply not use rlm_realm and have
> DEFAULT entries for all your realms, including the various combinations of
> Prefixes/suffixes etc.  Seems that the rlm_realm was designed to deal with
> realms and therefore checks should be done there. Not a big deal, just a
> little tidier IMO.

Perhaps, though I'd rather not duplicate functionality that's already
there.  I'm a minimalist, so I prefer to keep the modules simple in what
they do unless there isn't another way already of doing what you want.

-Chris
--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Conditional Proxy

2002-04-26 Thread Alan DeKok

Chris Parker [EMAIL PROTECTED] wrote:
> Perhaps, though I'd rather not duplicate functionality that's already
> there.  I'm a minimalist, so I prefer to keep the modules simple in what
> they do unless there isn't another way already of doing what you want.

  I tend to agree.

  Although I supposed I could put the patch into the
'pub/radius/contrib/' directory, on the FTP site.

  Alan DeKok.




Client-IP-Address occasionally incorrect

2002-04-26 Thread Oleg Derevenetz

Running FreeRADIUS 0.4 under Solaris 8/SPARC.

When I enabled the Simultaneous-Use check for some user classes, I got the same
problem as Mervyn Jack - invalid packets with a fake Client-IP-Address. This is
a typical such packet:

Fri Mar 22 14:49:03 2002
   Acct-Status-Type = Stop
   NAS-IP-Address = xx.xx.xx.xx
   Acct-Delay-Time = 0
   User-Name = atuser
   NAS-Port = 20211
   Acct-Session-Id = 74886441
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = xx.xx.xx.xx
   Acct-Session-Time = 0
   Acct-Input-Octets = 0
   Acct-Output-Octets = 0
   Acct-Input-Packets = 0
   Acct-Output-Packets = 0
   Client-IP-Address = 70.114.105.32 [FAKE !]
   Hint = ATPPP
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Timestamp = 1016797743
   Request-Authenticator = Verified

These packets arrived only when a user with Simultaneous-Use (atuser in this
case) tried to log in and checkrad returned OK (this user already exists on the
NAS).

NASes: Ascend MAX 6060, Cisco AS5800 (IOS 12.0(13)S).

Any suggestions ?
Thanks.

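As an added example (not code from this thread or from FreeRADIUS), the following Python parses accounting records in the detail-file layout shown above and flags Accounting-Stop records whose Client-IP-Address is not a configured NAS client, which is the symptom being reported. The client set and the two sample records are constructed; the second record is a legitimate stop for comparison.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed NAS client list, standing in for clients.conf / the 'nas' table.
KNOWN_CLIENTS: Set[str] = {"192.0.2.10", "192.0.2.11"}

# Constructed detail-file excerpt in the layout shown in the post: a timestamp
# line, indented "Attr = Value" lines, and a blank line ending each record.
# The first record mirrors the reported one (unknown Client-IP-Address, all
# counters zero); the second is an ordinary stop from a known NAS.
DETAIL_SAMPLE = """\
Fri Mar 22 14:49:03 2002
    Acct-Status-Type = Stop
    NAS-IP-Address = 192.0.2.10
    User-Name = "atuser"
    Acct-Session-Id = "74886441"
    Acct-Session-Time = 0
    Acct-Input-Octets = 0
    Acct-Output-Octets = 0
    Client-IP-Address = 70.114.105.32
    Timestamp = 1016797743

Fri Mar 22 14:50:11 2002
    Acct-Status-Type = Stop
    NAS-IP-Address = 192.0.2.10
    User-Name = "alice"
    Acct-Session-Id = "74886442"
    Acct-Session-Time = 1800
    Acct-Input-Octets = 12345
    Acct-Output-Octets = 67890
    Client-IP-Address = 192.0.2.10
    Timestamp = 1016797811

"""


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into records: one dict per record, timestamp under '_timestamp'."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        if not line[0].isspace():       # unindented line is the timestamp header
            current = {"_timestamp": line.strip()}
            continue
        if not current:
            continue                    # attribute line with no header: skip
        attr, _, value = line.strip().partition(" = ")
        current[attr] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


def suspicious_stop(record: Dict[str, str],
                    known_clients: Set[str] = KNOWN_CLIENTS) -> List[str]:
    """Reasons a Stop record looks synthetic; empty list means it looks normal."""
    reasons: List[str] = []
    if record.get("Acct-Status-Type") != "Stop":
        return reasons
    client = record.get("Client-IP-Address", "")
    try:
        ipaddress.ip_address(client)
    except ValueError:
        reasons.append(f"unparseable Client-IP-Address {client!r}")
    else:
        if client not in known_clients:
            reasons.append(f"Client-IP-Address {client} is not a configured NAS client")
    # Zero counters alone are legitimate (immediate disconnect), so they are
    # only reported as supporting evidence once the client check has failed.
    counters = ("Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets")
    if reasons and all(record.get(c, "0") == "0" for c in counters):
        reasons.append("record also carries zero session time and zero octets")
    return reasons


def flag_records(text: str,
                 known_clients: Set[str] = KNOWN_CLIENTS) -> Dict[str, List[str]]:
    """Map Acct-Session-Id -> reasons for every record that has at least one."""
    flagged: Dict[str, List[str]] = {}
    for rec in parse_detail(text):
        reasons = suspicious_stop(rec, known_clients)
        if reasons:
            flagged[rec.get("Acct-Session-Id", rec["_timestamp"])] = reasons
    return flagged


if __name__ == "__main__":
    for session, why in flag_records(DETAIL_SAMPLE).items():
        print(session, "->", "; ".join(why))
```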



Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Alan DeKok

Oleg Derevenetz [EMAIL PROTECTED] wrote:
> When I enabled Simultaneous-Use check for some user classes, I've
> got the same problem as Mervyn Jack - invalid packets with fake
> Client-IP-Address.

  That's really weird.  The Client-IP-Address is taken from
request->packet->src_ipaddr, which is taken directly from the
recv_from() system call.

  So if the address is wrong, then it sounds to me like the OS is
lying to the server about where the packet came from.

> Client-IP-Address = 70.114.105.32 [FAKE !]

  Does this address have *any* relation to addresses on your network,
or is it random (and changing) garbage?

> These packets arrived only when user with Simultaneous-Use (atuser in this
> case) tried to login and checkrad returned OK (this user already exists on
> NAS).

  I find it *really* bizarre that the NAS is sending fake accounting
records when it's queried via checkrad.

  Have you used 'tcpdump' from another machine, to verify that the
packet is sent on the wire, and isn't some artifact of the server
and/or OS?

  If the packet *is* coming from the NAS, have you asked Ascend/Cisco
for support?

  Alan DeKok.




Re: Conditional Proxy

2002-04-26 Thread Eddie Stassen

At 11:46 AM 02/04/26 -0400, you wrote:
> Chris Parker [EMAIL PROTECTED] wrote:
> > Perhaps, though I'd rather not duplicate functionality that's already
> > there.  I'm a minimalist, so I prefer to keep the modules simple in what
> > they do unless there isn't another way already of doing what you want.
>
>   I tend to agree.
>
>   Although I supposed I could put the patch into the
> 'pub/radius/contrib/' directory, on the FTP site.
>
>   Alan DeKok.

I agree with the minimalist approach, but if we apply that to the rlm_realm 
module, then it should not be required at all, since all its functionality 
can already be achieved in another way.

My understanding of the DEFAULT directive in the users file has always been 
that it is there to:
a. provide a default policy for a number of users
b. apply a policy for some very special conditions that cannot be done 
through other methods or modules (yet) as looping through a large number of 
DEFAULT statements can be expensive.

I don't believe that conditional proxy falls into either of these cases as 
it is quite a common requirement (where I come from at least), hence my 
idea of doing this in the rlm_realm module.

Anyway, I won't drag this matter out any longer if nobody agrees with me 
(I'll just sulk all weekend)

Eddie





Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Chris A. Kalin

I actually saw this same problem way back in the post 0.3 CVS days (and
before), and I wasn't even involving checkrad.  I would turn on
Simultaneous-Use, and I would immediately begin to get completely bogus
Client-Ip-Addresses in my accounting packets...IPs that had nothing to do
with my network (I remember 0.0.0.0 being one of the examples).  And I would
get them from my MAX TNTs, my PM3s, my Cisco AS5200s, and the various RADIUS
servers that proxied to me.  Some packets would be fine, others would be
bogus.
It was so weird and pervasive I just canned the implementation and didn't
really troubleshoot past isolating Simultaneous-Use as the cause.  I've
actually been meaning to revisit this now that .5 is out and see if life is
better.
Although it is reassuring to see that it didn't only bite me.  :)

Chris Kalin


- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 26, 2002 11:32 AM
Subject: Re: Client-IP-Address occasionally incorrect


> Oleg Derevenetz [EMAIL PROTECTED] wrote:
> > When I enabled Simultaneous-Use check for some user classes, I've
> > got the same problem as Mervyn Jack - invalid packets with fake
> > Client-IP-Address.
>
>   That's really weird.  The Client-IP-Address is taken from
> request->packet->src_ipaddr, which is taken directly from the
> recv_from() system call.
>
>   So if the address is wrong, then it sounds to me like the OS is
> lying to the server about where the packet came from.
>
> > Client-IP-Address = 70.114.105.32 [FAKE !]
>
>   Does this address have *any* relation to addresses on your network,
> or is it random (and changing) garbage?
>
> > These packets arrived only when user with Simultaneous-Use (atuser in
> > this case) tried to login and checkrad returned OK (this user already
> > exists on NAS).
>
>   I find it *really* bizarre that the NAS is sending fake accounting
> records when it's queried via checkrad.
>
>   Have you used 'tcpdump' from another machine, to verify that the
> packet is sent on the wire, and isn't some artifact of the server
> and/or OS?
>
>   If the packet *is* coming from the NAS, have you asked Ascend/Cisco
> for support?
>
>   Alan DeKok.






Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Alan DeKok

Chris A. Kalin [EMAIL PROTECTED] wrote:
> I actually saw this same problem way back in the post 0.3 CVS days (and
> before), and I wasn't even involving checkrad.  I would turn on
> Simultaneous-Use, and I would immediately begin to get completely bogus
> Client-Ip-Addresses in my accounting packets...IPs that had nothing to do
> with my network (I remember 0.0.0.0 being one of the examples).

  Hmm... after quickly rooting through the code, the only thing I can
come up with is the session_zap() function in src/main/session.c, and
it's only called from the radutmp module.

  If removing 'radutmp' from the list of modules makes these packets
stop, then the problem is the session_zap() routine.  (Which may not
initialize all of the data structures it creates)

  I haven't looked at it for a while, but it calls rad_process(),
which is the main request processing function.  Unfortunately,
rad_process() is designed to be called ONLY from the main thread
handler, and NOT from any child thread.


  Arg...  On closer examination of the packet in the previous message,
I think the problem *is* session_zap.


  It SHOULD initialize all of the entries in the data structures it
creates.

  It SHOULD NOT call rad_process().  rad_respond() is safe, and
better.

  Alan DeKok.




Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Oleg Derevenetz

Quoting Chris A. Kalin [EMAIL PROTECTED]:

> I actually saw this same problem way back in the post 0.3 CVS days (and
> before), and I wasn't even involving checkrad.  I would turn on
> Simultaneous-Use, and I would immediately begin to get completely bogus
> Client-Ip-Addresses in my accounting packets...IPs that had nothing to do
> with my network (I remember 0.0.0.0 being one of the examples).  And I would
> get them from my MAX TNTs, my PM3s, my Cisco AS5200s, and the various RADIUS
> servers that proxied to me.  Some packets would be fine, others would be
> bogus.
> It was so weird and pervasive I just canned the implementation and didn't
> really troubleshoot past isolating Simultaneous-Use as the cause.  I've
> actually been meaning to revisit this now that .5 is out and see if life is
> better.
> Although it is reassuring to see that it didn't only bite me.  :)

So, there is a piece of code in rlm_radutmp.c/radutmp_checksimul():

                radutmp_unlock(fd);
                rcode = rad_check_ts(u.nas_address, u.nas_port, login,
                                     session_id);
                radutmp_lock(fd);

                if (rcode == 1) {
                        ++request->simul_count;
                        /*
                         *      Does it look like a MPP attempt?
                         */
                        if (strchr("SCPA", u.proto) &&
                            ipno && u.framed_address == ipno)
                                request->simul_mpp = 2;
                        else if (strchr("SCPA", u.proto) && call_num &&
                                !strncmp(u.caller_id, call_num, 16))
                                request->simul_mpp = 2;
                }
                else {
                        /*
                         *      False record - zap it.
                         */

                        session_zap(u.nas_address, u.nas_port, login,
                                    session_id, u.framed_address,
                                    u.proto, 0);
                }

If rad_check_ts() returns 1 (dup found), and no multilink is there, this code
simply increments request->simul_count, but if not, it does session_zap() (and
generates a fake Accounting-Stop record with fields such as in my case). So it
seems to be a problem in rad_process().




Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Oleg Derevenetz

Quoting Alan DeKok [EMAIL PROTECTED]:

>   Arg...  On closer examination of the packet in the previous message,
> I think the problem *is* session_zap.
>
>
>   It SHOULD initialize all of the entries in the data structures it
> creates.
>
>   It SHOULD NOT call rad_process().  rad_respond() is safe, and
> better.

Hm-m... But I don't understand how it can call session_zap() in such a case
(checkrad.log):

Fri Apr 26 21:30:41 2002 checkrad ascend xx.xx.xx.xx 20219 atuser 74981341
No SNMP answer from ascend.
  user at port S20219: atuser (dec)
  Returning 1 (double detected)

There is a dup, so rad_check_ts() must return 1, and the session is valid. There is
no reason to call session_zap(), is there?




Re[2]: Client-IP-Address occasionally incorrect

2002-04-26 Thread 3APA3A

Dear Alan DeKok,

I wrote about cause of this problem a month ago:


--This is a forwarded message
From: 3APA3A [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Monday, April 1, 2002, 6:48:12 PM
Subject: radutmp bugs

===8==Original message text===
Dear [EMAIL PROTECTED],

  First bug is in radutmp_checksimul.

  In the call to session_zap (when a user record is found in radutmp but there is
  no active user with this name on the NAS) we send request->packet->sockfd.

  sockfd will be the socket for authentication, but later rad_process, called
  from session_zap, does the check:

   if (request->packet->sockfd != acctfd) {

  It makes an error in the log like "Accounting-Request packet sent to a
  non-accounting port from client" and session_zap fails to remove this
  hanging session.

  I bet either

   session_zap(request->packet->sockfd,

  should be changed to

   session_zap(acctfd,

  or the code should be rewritten without session_zap at all, because
  session_zap in this implementation will cause problems; for example, in
  case of improper NAS or Radius server shutdown a user can be billed for the
  time between two logons... So, at least radius must clean up radutmp
  on startup.

  Second problem is that the IP address of the NAS saved in radutmp is
  PW_NAS_IP_ADDRESS. Existence of this attribute is never checked and if
  this attribute isn't present any garbage may be there instead of it.

  I think we should add in radutmp_accounting

   nas_address = request->packet->src_ipaddr;
   ut.nas_address = request->packet->src_ipaddr;

  as either the default value or a replacement for

   case PW_NAS_IP_ADDRESS:
    nas_address = vp->lvalue;
    ut.nas_address = vp->lvalue;
    break;

  because this attribute is also used for the session_zap() call.

-- 
http://www.security.nnov.ru
 /\_/\
{ , . } |\
+--oQQo-{ ^ }-+ \
|  ZARAZA  U  3APA3A   }
+-o66o--+ /
|/
You know my name - look up my number (The Beatles)


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

===8===End of original message text===


-- 
~/ZARAZA

--Friday, April 26, 2002, 9:34:42 PM, you wrote to [EMAIL PROTECTED]:

AD Chris A. Kalin [EMAIL PROTECTED] wrote:
 I actually saw this same problem way back in the post 0.3 CVS days (and
 before), and I wasn't even involving checkrad.  I would turn on
 Simultaneous-Use, and I would immediately begin to get completely bogus
 Client-Ip-Addresses in my accounting packets...IPs that had nothing to do
 with my network (I remember 0.0.0.0 being one of the examples).

AD   Hmm... after quickly rooting through the code, the only thing I can
AD come up with is the session_zap() function in src/main/session.c, and
AD it's only called from the radutmp module.

AD   If removing 'radutmp' from the list of modules makes these packets
AD stop, then the problem is the session_zap() routine.  (Which may not
AD initialize all of the data structures it creates)

AD   I haven't looked at it for a while, but it calls rad_process(),
AD which is the main request processing function.  Unfortunately,
AD rad_process() is designed to be called ONLY from the main thread
AD handler, and NOT from any child thread.


AD   Arg...  On closer examination of the packet in the previous message,
AD I think the problem *is* session_zap.


AD   It SHOULD initialize all of the entries in the data structures it
AD creates.

AD   It SHOULD NOT call rad_process().  rad_respond() is safe, and
AD better.

AD   Alan DeKok.



-- 
~/ZARAZA





Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Alan DeKok

Oleg Derevenetz [EMAIL PROTECTED] wrote:
> If rad_check_ts() returns 1 (dup found), and no multilink is there,
> this code simply increments request->simul_count, but if not, it
> does session_zap() (and generates fake Accounting-Stop record with
> fields such in my case). So it seems to be a problem in
> rad_process().

  No, it looks like it's in session_zap().

  Try editing src/main/session.c, function session_zap().

  Change code from:

...
rad_process(stopreq, ...)
...

  to:

...
rad_accounting(stopreq);
request_free(stopreq);
...


  That should *help*, at least.  I'll try to edit & commit a
slightly larger fix to the code today.

  Alan DeKok.




compiling error on FreeBSD-4.5?

2002-04-26 Thread Paul S. Puth

I am trying to compile the latest freeradius snapshot on a FreeBSD 4.5. 

With just basic ./configure and make, it stopped at ltdl.lo (see below).
If I disable libltdl with ./configure --disable-ltdl-install, it stopped
at *** [rlm_attr_rewrite.lo] Error 1


I suspect there might be something missing in FreeBSD?



gmake[1]: Entering directory `/usr/local/src/freeradius-snapshot-20020426'
Making all in libltdl...
gmake[2]: Entering directory
`/usr/local/src/freeradius-snapshot-20020426/libltdl'
/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -g
-O2 -pthread -D_THREAD_SAFE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -c ltdl.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -pthread -D_THREAD_SAFE
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs -c ltdl.c  -fPIC -DPIC -o .libs/ltdl.lo
ltdl.c:140: warning: function declaration isn't a prototype
ltdl.c:263: warning: function declaration isn't a prototype
ltdl.c:280: warning: function declaration isn't a prototype
ltdl.c:295: warning: function declaration isn't a prototype
ltdl.c:725: warning: function declaration isn't a prototype
ltdl.c:757: warning: function declaration isn't a prototype
ltdl.c: In function `presym_open':
ltdl.c:774: warning: cast discards qualifiers from pointer target type
ltdl.c: At top level:
ltdl.c:787: warning: function declaration isn't a prototype
ltdl.c:796: warning: function declaration isn't a prototype
ltdl.c:910: warning: function declaration isn't a prototype
ltdl.c:959: warning: function declaration isn't a prototype
ltdl.c:1034: warning: function declaration isn't a prototype
ltdl.c:1110: warning: function declaration isn't a prototype
ltdl.c:1123: warning: function declaration isn't a prototype
ltdl.c:1133: warning: function declaration isn't a prototype
ltdl.c:1160: warning: function declaration isn't a prototype
gcc: Internal compiler error: program as got fatal signal 4
gmake[2]: *** [ltdl.lo] Error 1
gmake[2]: Leaving directory
`/usr/local/src/freeradius-snapshot-20020426/libltdl'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/usr/local/src/freeradius-snapshot-20020426'
gmake: *** [all] Error 2








Re: Re[2]: Client-IP-Address occasionally incorrect

2002-04-26 Thread Alan DeKok

3APA3A [EMAIL PROTECTED] wrote:
 I wrote about cause of this problem a month ago:

  Yes, but...

   I bet either
 
 session_zap(request->packet->sockfd,
 
   should be changed to
 
session_zap(acctfd,

  Both of these are completely wrong, now that I look further at the
code.  The problem is that the 'sockfd' in session_zap() isn't used by
*anything* in that function.  Sure, it's placed into stoppkt->sockfd,
but that is completely wrong.  The stop packet is a FAKE packet,
generated internally by the server.  It MUST NOT be associated with
any real socket, so that there is NO possibility of a NAS getting a
reply packet to the fake request (which the NAS never sent)


  The real problem is that session_zap() is calling rad_process().
The rad_process() function assumes that it's being called ONLY from
the main thread, so calling it from a child thread handling a request
is completely wrong, and may cause the server to do unexpected things.


   Second problem is that the ip address of the NAS saved in radutmp is
   PW_NAS_IP_ADDRESS. Existence of this attribute is never checked, and if
   this attribute isn't present any garbage may be there instead of it.
 
   I think we should add in radutmp_accounting
 
   nas_address = request->packet->src_ipaddr;
   ut.nas_address = request->packet->src_ipaddr;
 
   as either default value or replacement to
 
   case PW_NAS_IP_ADDRESS:
nas_address = vp->lvalue;
ut.nas_address = vp->lvalue;
break;
 
   because this attribute is also used for session_zap() call.

  That's already done in radutmp:

   /*
*   If we didn't find out the NAS address, use the
*   originator's IP address.
*/
   if (nas_address == 0) {
nas_address = request->packet->src_ipaddr;
ut.nas_address = nas_address;
   }


  Alan DeKok.




Re: compiling error on FreeBSD-4.5?

2002-04-26 Thread Alan DeKok

Paul S. Puth [EMAIL PROTECTED] wrote:
 I am trying to compile the latest freeradius snapshot on a FreeBSD 4.5. 
 
 With just basic ./configure and make, it stopped at ltdl.lo (see below).
...
 gcc: Internal compiler error: program as got fatal signal 4
 gmake[2]: *** [ltdl.lo] Error 1

  Your system appears to be broken.

 If I disable libltdl with ./configure --disable-ltdl-install, it stopped
 at *** [rlm_attr_rewrite.lo] Error 1

  Reading the rest of the messages associated with that build should
help figure out *why* that build failed.

  Alan DeKok.




Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Oleg Derevenetz

Quoting Oleg Derevenetz [EMAIL PROTECTED]:

 Hm-m... But I don't understand, how it can call session_zap() in such
 case 
 (checkrad.log):
 
 Fri Apr 26 21:30:41 2002 checkrad ascend xx.xx.xx.xx 20219 atuser
 74981341
 No SNMP answer from ascend.
   user at port S20219: atuser (dec)
   Returning 1 (double detected)
 
 There is dup, so rad_check_ts() must return 1, and session is valid.
 There is no reason to call session_zap(), isn't it ?

Oh-oh. I have error in this case:

Fri Apr 26 21:30:52 2002 : Error: Check-TS: timeout waiting for checkrad

So rad_check_ts() returned 2. But is there a reason to zap session record ?




Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Victor Sanchez

I need to update 2 databases with the data of the radius.

I tried to put this in the sql file:

accounting_start_query = INSERT into radacct A LOT OF DATA ;INSERT into
A LOT OF DATA

When I use it with update it works fine, but in an insert it says
/etc/raddb/sql.conf[124]: Line is not in 'attribute = value' format

Any idea how to update and insert in 2 different databases at the same time?





Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Chris Parker

At 08:17 PM 4/26/2002 +0200, Victor Sanchez wrote:
I need to update 2 databases with the data of the radius.

I tried to put this in the sql file:

accounting_start_query = INSERT into radacct A LOT OF DATA ;INSERT into
A LOT OF DATA

When I use it with update it works fine, but in an insert it says
/etc/raddb/sql.conf[124]: Line is not in 'attribute = value' format

Any idea how to update and insert in 2 different databases at the same time?

Use two instances of the sql module.

sql one {
 foo = bar
 
}

sql two {
 foo = baz
 
}

authorize {
 one
 two
}

accounting {
 one
 two
}

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net






Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Alan DeKok

Victor Sanchez [EMAIL PROTECTED] wrote:
 accounting_start_query = INSERT into radacct A LOT OF DATA ;INSERT into
 A LOT OF DATA
 
 When I use it with update it works fine, but in an insert it says
 /etc/raddb/sql.conf[124]: Line is not in 'attribute = value' format
 
 Any idea how to update and insert in 2 different databases at the same time?

  Grab the latest CVS snapshot.  The buffers used internally in the
configuration file reader have been increased in size.

  Alan DeKok.




Re: compiling error on FreeBSD-4.5?

2002-04-26 Thread Roy Hooper


 Paul S. Puth [EMAIL PROTECTED] wrote:
  I am trying to compile the latest freeradius snapshot on a FreeBSD 4.5.
 
  With just basic ./configure and make, it stopped at ltdl.lo (see below).
 ...
  gcc: Internal compiler error: program as got fatal signal 4
  gmake[2]: *** [ltdl.lo] Error 1

   Your system appears to be broken.

It appears to be just his system too.

Make ran just fine for freeradius-snapshot-20020426 on my FreeBSD
matchbox.toybox.ca 4.5-RELEASE-p4 FreeBSD 4.5-RELEASE-p4 #0: Tue Apr 23
15:18:48 EDT 2002 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
i386 just now.


  If I disable libltdl with ./configure --disable-ltdl-install, it stopped
  at *** [rlm_attr_rewrite.lo] Error 1

   Reading the rest of the messages associated with that build should
 help figure out *why* that build failed.

I would suggest a memory test or some other form of system stability test.
This is not a FreeBSD-4.5 problem.

Roy






insert and update 2 database

2002-04-26 Thread Victor Sanchez

 I need to update 2 databases with the data of the radius.

 I tried to put this in the sql file:

 accounting_start_query = INSERT into radacct A LOT OF DATA ;INSERT into
 A LOT OF DATA

but it doesn't work:

 /etc/raddb/sql.conf[124]: Line is not in 'attribute = value' format

 Any idea how to update and insert in 2 different databases at the same time?






Re: Client-IP-Address occasionally incorrect

2002-04-26 Thread Alan DeKok

Oleg Derevenetz [EMAIL PROTECTED] wrote:
 There is dup, so rad_check_ts() must return 1, and session is
 valid. There is no reason to call session_zap(), isn't it ?

  The session should be zapped ONLY if checkrad decides that the user
is not logged in on that port.

 Fri Apr 26 21:30:41 2002 checkrad ascend xx.xx.xx.xx 20219 atuser 74981341
 No SNMP answer from ascend.
   user at port S20219: atuser (dec)
   Returning 1 (double detected)

  And the radutmp module does NOT zap the session if the check for
duplicate logins returns '1'

  Alan DeKok.




Re: insert and update 2 database

2002-04-26 Thread Aleksandr Kuzminsky

  Any idea how to update and insert in 2 different databases at the same time?
You can do this by using replication.
Or configure radius like this:
--radiusd.conf--

accounting{
...
sql1
sql2
...
}
--radiusd.conf--
---
Aleksandr Kuzminsky,AK476-RIPE
System Administrator,   AK16-UANIC
ISP NBI.
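Chris's two-instance layout and Aleksandr's sql1/sql2 listing spelled out as an added example (not configuration from the thread or from the FreeRADIUS project): every hostname, credential, table and query below is a constructed placeholder, and the per-instance keys are assumed to be those of the sql module of that era (driver, server, login, password, radius_db, acct_table, accounting_start_query).

```conf
# Added example: two sql module instances, each bound to its own database.
# All hostnames, credentials, tables and queries are constructed placeholders.
sql sql1 {
    driver = "rlm_sql_mysql"
    server = "db1.example.net"
    login = "radius_acct"        # separate, least-privilege account per database
    password = "CHANGE-ME-1"
    radius_db = "radius"
    acct_table = "radacct"
    # exactly one statement per query, on one line: the config reader accepts a
    # single 'attribute = value' pair, which is what the ';INSERT ...' attempt broke
    accounting_start_query = "INSERT INTO ${acct_table} (acctsessionid, username, nasipaddress, acctstarttime) VALUES ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', NOW())"
}

sql sql2 {
    driver = "rlm_sql_mysql"
    server = "db2.example.net"
    login = "radius_acct"
    password = "CHANGE-ME-2"
    radius_db = "billing"
    acct_table = "sessions"
    accounting_start_query = "INSERT INTO ${acct_table} (session_id, user, nas, started) VALUES ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', NOW())"
}

# radiusd.conf: both instances run, in order, for every accounting packet;
# each executes its own query against its own database.
accounting {
    detail
    sql1
    sql2
}
```

Because each instance carries its own plaintext credentials, keep sql.conf readable only by the user radiusd runs as, and give each database account no more than INSERT/UPDATE on its accounting table.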

