Re: Huntgroup by calledstationid?
i don't know about ldap, but i tried them with mysql and it's working, so i think it should be working with ldap too, anybody else could help??

--Ossama

J. S. Townsley wrote:
> Thank you Ossama. I will look into what you've given me thus far. Ideally I do not want to add a huntgroup to all of my users, I just want to prevent 'everyone but' user bob, user bob2, etc.
>
> Additionally, do you know if I can store the huntgroup in ldap? I am assuming I would set the huntgroup-name up as a check item, but not sure preprocess is going to know about it.
>
> --JST
>
> * Ossama Suleiman [Wed, 5 Feb 2003]
>> Date: Wed, 05 Feb 2003 10:33:51 +0200
>> From: Ossama Suleiman [EMAIL PROTECTED]
>> Reply-To: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Subject: Re: Huntgroup by calledstationid?
>>
>> J. S. Townsley wrote:
>>> Anyone on the list ever hacked something up to create hunt groups based on calledstationid? I have a situation where I have a NAS with a couple different DID's on it. I'd like an easy method to differentiate between users on these DID's. IE, user bob can dial the local XXX number, but not the 800 number on the same NAS.
>>
>> create 2 huntgroups, list them in the file huntgroups:
>>
>>     huntgroup1    Called-Station-Id==123456
>>     huntgroup2    Called-Station-Id==654321
>>
>> then add this entry "huntgroup" to the user you want:
>>
>>     bob    password=="secret", Huntgroup-Name == "huntgroup1"
>>
>> hope that helps
>> --Ossama
>>
>>> Thoughts anyone?
>>> --JST
>
> J. S. Townsley
> Senior Network and Systems Engineer
> [EMAIL PROTECTED]
> Integrity Online www.integrity.com

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
entry for NAS port has wrong ID
Hello,

I've used freeradius-0.7.1 and mysql. For users who have bad connections I have two records in the radacct table instead of 1 record. For example:

    select username, radacctid, acctstarttime, acctstoptime from radacct where (acctstarttime=0 or acctstoptime=0);

    ppvb     79800  2003-02-05 15:12:38  -00-00 00:00:00
    ppvb     79801  -00-00 00:00:00      2003-02-05 15:12:38
    ppedvin  79820  2003-02-05 17:03:11  -00-00 00:00:00
    ppedvin  79821  -00-00 00:00:00      2003-02-05 17:03:12

And in log file:

    Wed Feb 5 15:12:38 2003 : Auth: Login OK: [ppvb] (from client XX port X)
    Wed Feb 5 15:12:38 2003 : Auth: Multiple logins (max 1) : [ppvb] (from client XX port X)
    Wed Feb 5 15:12:38 2003 : Error: Accounting: logout: entry for NAS XX port X has wrong ID
    Wed Feb 5 17:03:11 2003 : Auth: Login OK: [ppedvin] (from client XX port X)
    Wed Feb 5 17:03:12 2003 : Auth: Multiple logins (max 1) : [ppedvin] (from client XX port X)
    Wed Feb 5 17:03:12 2003 : Error: Accounting: logout: entry for NAS XX port X has wrong ID

Sincerely,
Svetlana
Re: freeradius not reading Auth-Type from MySQL
05-Feb-03 at 17:59, Robert Canary ([EMAIL PROTECTED]) wrote :
> Then there is a gross error in half of the documentation. Even the O'Reilly Radius book is showing it in the regroupreply, as well as the infamous www.frontios.com/freeradius.html. But then again half of the docs are spelling Jacobs*o*n, instead Jacobs*e*n.
>
> What you're saying makes perfect sense, of course. You suggest it be put in the radcheck, or the radgroupcheck?

Funny... it's in radgroupreply in my SQL table (and only there) and it works here. So it must be luck that it works because

    # The default Auth-Type is Local. That is, whatever is not included
    # inside an authtype section will be called only if Auth-Type is set to
    # Local

(from radiusd.conf)

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: freeradius not reading Auth-Type from MySQL
On Wed, Feb 05, 2003 at 05:59:41PM -0600, Robert Canary wrote:
> Then there is a gross error in half of the documentation. Even the O'Reilly Radius book is showing it in the regroupreply, as well as the infamous www.frontios.com/freeradius.html. But then again half of the docs are spelling Jacobs*o*n, instead Jacobs*e*n.
>
> What you're saying makes perfect sense, of course. You suggest it be put in the radcheck, or the radgroupcheck?

Either should work equally well, depending on how you order things putting it in radgroupcheck might help cut down on duplicate entries.

--
Simon
Bintec and Freeradius ??
Hi !

I tried to set up a user via freeradius (0.8.1) and a bintec router, and didn't succeed 'till now. Does anybody have a working users file and/or dictionary for me ?

In special, i have the following problem: I dial in, and then (as it looks to me), it is tried to authenticate the CLID, what doesn't succeed. Shouldn't the Server then try to authenticate the username/password combination ? It doesn't look like the server does in my case.

Here are the debug output of the router, my users file and the output of the radius server:

ROUTER-DEBUG:

    09:22:12 DEBUG/PPP: dialin from 2512345 to local number 15696 (7/0)
    09:22:12 DEBUG/RADIUS: 2512345: send CALLERID REQUEST ID 79 to 10.64.65.67:1812
    09:22:13 DEBUG/RADIUS: 2512345: send CALLERID REQUEST ID 79 to 10.64.65.67:1812
    09:22:14 DEBUG/RADIUS: outband RADIUS identification timed out, try inband
    09:22:14 DEBUG/PPP: ?: call accepted, call not identified by number
    09:22:14 DEBUG/PPP: Layer 1 protocol hdlc, 64000 bit/sec
    09:22:14 NOTICE/RADIUS: server 10.64.65.67:1812 changed state to INACTIVE
    09:22:14 NOTICE/PPP: ?: CHAP auth failed for testdap
    09:22:59 INFO/ACCT: ISDN: 06.02.2003,09:22:12,09:22:59,45,133,142,4,5,,I,15696,2512345,7/0,0,0,
    09:22:59 INFO/PPP: ?: incoming connection closed, duration 0 sec, 121 bytes received, 127 bytes sent, 0 charging units, 0 charging amounts

USERS-FILE:

    DEFAULT Auth-Type := Local
            Fall-Through = 1

    testdap User-Password == testdap
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 172.30.10.50,
            Framed-IP-Netmask = 255.255.255.255,

RADIUS-OUTPUT:

    --- Walking the entire request list ---
    Waking up in 1 seconds...
    rad_recv: Access-Request packet from host 10.64.65.47:1024, id=78, length=83
            NAS-Identifier = dialer
            Service-Type = Framed-User
            Framed-Protocol = PPP
            User-Name = 2512345
            NAS-Port = 0
            NAS-Port-Type = ISDN
            User-Password =
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_chap: Could not find proper Chap-Password attribute in request
    modcall[authorize]: module chap returns noop
    modcall[authorize]: module mschap returns notfound
    rlm_realm: No '@' in User-Name = 2512345, looking up realm NULL
    rlm_realm: No such realm NULL
            User-Name = 2512345
            NAS-Port = 0
            NAS-Port-Type = ISDN
            User-Password =
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_chap: Could not find proper Chap-Password attribute in request
    modcall[authorize]: module chap returns noop
    modcall[authorize]: module mschap returns notfound
    rlm_realm: No '@' in User-Name = 2512345, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 77
    modcall[authorize]: module files returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No password configured for the user
    Login incorrect (No password configured for the user): [2512345/] (from client dialer port 0)
    auth: Failed to validate the user.
    Login incorrect: [2512345/] (from client dialer port 0)
    Delaying request 1 for 1 seconds
    Finished request 1
    Going to the next request
    rl_next: returning NULL
RE: Bintec and Freeradius ??
> 09:22:13 DEBUG/RADIUS: 2512345: send CALLERID REQUEST ID 79 to 10.64.65.67:1812
> 09:22:14 DEBUG/RADIUS: outband RADIUS identification timed out, try inband

It seems that your Bintec can't reach the radius server or the radius server isn't answering. Check if the radius server is running and that it is using the right port (1812)
AW: Bintec and Freeradius ??
Hello !

I'll carry on in German, if that's all right :)

That was a good tip. It looks as if this stupid keepalive sending of the Bintecs is causing problems there. If I switch that off, it works in any case. Let's see how it goes from here.

Thanks
Kai

-Original Message-
From: Stefan Immel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 February 2003 10:38
To: [EMAIL PROTECTED]
Subject: RE: Bintec and Freeradius ??

> 09:22:13 DEBUG/RADIUS: 2512345: send CALLERID REQUEST ID 79 to 10.64.65.67:1812
> 09:22:14 DEBUG/RADIUS: outband RADIUS identification timed out, try inband

It seems that your Bintec can't reach the radius server or the radius server isn't answering. Check if the radius server is running and that it is using the right port (1812)
RE: freeradius not reading Auth-Type from MySQL
> Then there is a gross error in half of the documentation. Even the O'Reilly Radius book is showing it in the regroupreply, as well as the infamous www.frontios.com/freeradius.html

(I'm 'infamous'... Wow...!)

www.frontios.com/freeradius.html was written a long time ago, based purely on my own experiences and needs (i.e. learning, playing) getting FreeRadius and MySQL working. It may well have been wrong at the time (I was learning, still am), and as FreeRadius has progressed I'm sure that any errors it has have been magnified... I really must re-write it (or at least correct it when mistakes are known), but then there *is* a book now too... ;-)

Admittedly, my own need is very limited (simple user and group auth with MySQL holding all info, nothing else, no other fallback methods, no LDAP or system auth etc) and the whole auth-type thing hurts when I think about it... Heh...

Curious, I just did a quick test (FR 0.8.1): My users file has nothing in its DEFAULT section setting auth-type (only some PPP parameters (?)). I have an 'auth-type=local' entry in radgroupreply for each group we have. I removed the auth-type entry for a test group from the database ... and a user in that group can still log in just fine. Basically, there is now no auth-type set anywhere explicitly for that user, their group, or DEFAULT, but it still seems to work.

I'm assuming that this is because, as it can't find one, FreeRadius is defaulting to using an auth-type of 'local' (?) and thus using the password returned by the only available authorisation module ('sql') for the user found (i.e the password held in radcheck) (?)

Someone pls correct me if I'm wrong, but otherwise then if I'm guessing right then it seems that people *only* using MySQL can basically not worry about having auth-types set (at least until FR enforces checking one!). I'm sure if you're doing more complex stuff you'll need to set it appropriately... but I'm not, so I can't be sure...

Based on the feedback to this thread, I should probably adjust that web page to indicate that the auth-type should go in rad(group)check and not rad(group)reply, yes? (and I'm off to re-re-read the docs again... Heh...)

SB (scott at frontios dot com)
Re: Snapshot error
Alexey Chetroi wrote:
> On Thu, Feb 06, 2003 at 01:10:20AM -0500, Gene Parks wrote:
>> Subject: Snapshot error
>> From: Gene Parks [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Reply-To: [EMAIL PROTECTED]
>> Date: Thu, 6 Feb 2003 01:10:20 -0500
>>
>> Thought you guys should know that the new snapshot is producing this error after install.
>>
>> 2003-02-06 00:41:52.418187500 Starting - reading configuration files ...
>> 2003-02-06 00:41:52.437049500 ?[0]: Unknown variable datadir
>> 2003-02-06 00:41:53.526664500 Starting - reading configuration files ...
>> 2003-02-06 00:41:53.543306500 ?[0]: Unknown variable datadir
>> 2003-02-06 00:41:54.638002500 Starting - reading configuration files ...
>> 2003-02-06 00:41:54.655309500 ?[0]: Unknown variable datadir
>> 2003-02-06 00:41:55.748170500 Starting - reading configuration files ...
>> 2003-02-06 00:41:55.764256500 ?[0]: Unknown variable datadir
>> 2003-02-06 00:41:56.857507500 Starting - reading configuration files ...
>> 2003-02-06 00:41:56.873177500 ?[0]: Unknown variable datadir
>
> radiusd.conf from the snapshots is a bit different from those 0.8.1. I've compiled a snapshot from cvs yesterday and it complains about the same error and after that dumps core, so I had to modify radiusd.conf from CVS tree.

you should add something like :

    datadir = ${prefix}/share

'hope this help,

@+
--
DouRiX
Counter problem
Hi,

I've now managed to compile the missing rlm_counter module (the gdbm-devel lib was missing). When I try and use it I get the error when it processes the 'users' file:

    Syntax error: Previous line is missing a trailing comma for entry DEFAULT.

Radius.conf relevant bits are:

    counter {
            filename = ${raddbdir}/db.counter
            key = User-Name
            count-attribute = Acct-Session-Time
            reset = never
            counter-name = Total-Session-Time
            check-name = Max-All-Session
            allowed-servicetype = Framed-User
            cache-size = 1
    }

    instantiate {
            expr
            counter
    }

    authorize {
            preprocess
            chap
            counter
            files
            sql
    }

    accounting {
            detail
            counter
            sql
            radutmp
    }

First part of users file (as far as it gets) is:

    # (Loads of commented out lines)
    DEFAULT Max-All-Sessions := 60600
            Fall-through = Yes

    DEFAULT Total-Session-Time 60600, Auth-Type := Reject
            Reply-Message = Your time has expired.

The last line above is the line number the error refers to. I'm sure I've done something stupid, but after 4 hours fiddling, I still can't find it.

regards,
Keith
FreeRADIUS quit of it's own accord
This morning about 20 minutes ago, FreeRADIUS just sort of quit on its own. All the log said was this:

    Thu Feb 6 09:02:44 2003: Error: MASTER: exit on signal (11)

This is version 0.7.1 by the way. And all it's doing is acting as a proxy for another RADIUS server. This is actually the first problem I've had since i set the thing up... anyone know where I should go with this?
Re: FreeRADIUS quit of it's own accord
On Thu, Feb 06, 2003 at 09:32:11AM -0500, [EMAIL PROTECTED] wrote:
> This morning about 20 minutes ago, FreeRADIUS just sort of quit on its own. All the log said was this:
>
> Thu Feb 6 09:02:44 2003: Error: MASTER: exit on signal (11)

Signal (11) on most Unix-type systems is SIGSEGV, which means you had a bad pointer or uninitialized pointer or buffer overrun -- basically it means that the program tried to access memory that was not allocated to it.

--
Michael P. Brininstool [EMAIL PROTECTED]

The most dangerous man, to any government, is the man who is able to think things out for himself without regard to the prevailing superstitions and taboos. Almost inevitably he comes to the conclusion that the government he lives under is dishonest, insane and intolerable, and so, if he is romantic, he tries to change it. And even if he is not romantic personally he is apt to spread discontent among those who are. -- H.L. Mencken
Re: [isp-radius] RADIUS Load Test program (fwd)
Kostas Kalevras [EMAIL PROTECTED] wrote:
> From: Mike Mazar [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> ..
> I have developed a RADIUS Load Test program and it's available for free download at www.evolynx.com/radius.

I like their performance tuning page. g

Unfortunately, it's .NET thing. I wonder if they realize that 99% of the internet doesn't run the software that they run?

Alan DeKok.
Freeradius and IplanetDirectory Server
Does anyone have such scenario running?

We want to setup freerad against Iplanet Directory server using rlm_ldap.

Just to know good/bad experiences

--
Gustavo A. Lozano
Noldata Corporation
Re: FreeRADIUS quit of it's own accord
Adam Moffett [EMAIL PROTECTED] wrote:
> Thu Feb 6 09:02:44 2003: Error: MASTER: exit on signal (11)
>
> This is version 0.7.1 by the way. And all it's doing is acting as a proxy for another RADIUS server. This is actually the first problem I've had since i set the thing up... anyone know where I should go with this?

Upgrade to 0.8.1.

Alan DeKok.
Re: Freeradius and IplanetDirectory Server
On Thu, 6 Feb 2003, Gustavo Lozano wrote:
> Does anyone have such scenario running?
>
> We want to setup freerad against Iplanet Directory server using rlm_ldap.
>
> Just to know good/bad experiences

Works just perfect

> --
> Gustavo A. Lozano
> Noldata Corporation

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Snapshot error
Gene Parks [EMAIL PROTECTED] wrote:
> Thought you guys should know that the new snapshot is producing this error after install.
>
> 2003-02-06 00:41:52.418187500 Starting - reading configuration files ...
> 2003-02-06 00:41:52.437049500 ?[0]: Unknown variable datadir

The configuration files may change from snapshot to snapshot. One of the changes is the introduction of new configuration directives.

The installation process does NOT over-write your existing configuration (with good reason), so it's up to you to ensure that the new directives get added to your old configuration files.

In this case, define datadir...

Alan DeKok.
Re: freeradius not reading Auth-Type from MySQL
On Thu, Feb 06, 2003 at 10:53:13AM -, Scott Bartlett wrote:
> [...]
> Someone pls correct me if I'm wrong, but otherwise then if I'm guessing right then it seems that people *only* using MySQL can basically not worry about having auth-types set (at least until FR enforces checking one!).

If you want something other than 'local' authentication you need to set the auth-type.

from src/main/files.c:

    /*
     *  Fixup a check line.
     *  If User-Password or Crypt-Password is set, but there is no
     *  Auth-Type, add one (kludge!).
     */
    static void auth_type_fixup(VALUE_PAIR **check)
    {
    [...]
            if (vp->attribute == PW_PASSWORD) {
                    c = vp;
                    n = PW_AUTHTYPE_LOCAL;
            }
            if (vp->attribute == PW_CRYPT_PASSWORD) {
                    c = vp;
                    n = PW_AUTHTYPE_CRYPT;
            }
    [...]

As the 'kludge' comment shows, not setting an auth-type is rather ugly.

> I'm sure if you're doing more complex stuff you'll need to set it appropriately... but I'm not, so I can't be sure...
>
> Based on the feedback to this thread, I should probably adjust that web page to indicate that the auth-type should go in rad(group)check and not rad(group)reply, yes? (and I'm off to re-re-read the docs again... Heh...)

Yes, probably.

Wouldn't it in fact in the long run be better to remove the 'local' auth-type completely and force usage of PAP or CHAP instead? The PAP and CHAP modules do everything and more that 'local' does, while keeping the code in modules and not in the server core. I could be missing something important done by 'local' though, i haven't really looked that hard.

--
Simon
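
The fixup rule quoted from src/main/files.c in the message above, modelled as a stand-alone C program. This is an added example, not FreeRADIUS source and not part of the original post: the ex_* names, the simplified pair struct and the numeric constants are assumptions made for the example, and only the rule itself (add an Auth-Type when a password check item is present and no Auth-Type is set) comes from the quoted excerpt.

```c
#include <stdio.h>
#include <stdlib.h>

/* Attribute numbers and Auth-Type values local to this example (assumed,
 * not copied from the FreeRADIUS headers). */
enum { EX_PASSWORD = 2, EX_AUTHTYPE = 1000, EX_CRYPT_PASSWORD = 1006 };
enum { EX_AUTHTYPE_NONE = -1, EX_AUTHTYPE_LOCAL = 0,
       EX_AUTHTYPE_CRYPT = 3, EX_AUTHTYPE_OTHER = 99 };

/* Simplified stand-in for one node of a check-item list. */
typedef struct ex_pair {
    int attribute;
    int lvalue;
    struct ex_pair *next;
} ex_pair;

static ex_pair *ex_pair_new(int attribute, int lvalue)
{
    ex_pair *vp = malloc(sizeof(*vp));
    if (vp == NULL)
        return NULL;
    vp->attribute = attribute;
    vp->lvalue = lvalue;
    vp->next = NULL;
    return vp;
}

static void ex_pair_free(ex_pair *list)
{
    while (list != NULL) {
        ex_pair *next = list->next;
        free(list);
        list = next;
    }
}

/* Return the Auth-Type carried by the list, or EX_AUTHTYPE_NONE. */
static int ex_find_auth_type(const ex_pair *list)
{
    for (; list != NULL; list = list->next)
        if (list->attribute == EX_AUTHTYPE)
            return list->lvalue;
    return EX_AUTHTYPE_NONE;
}

/*
 * The rule from the quoted comment: if a password check item is present and
 * no Auth-Type is, insert one right after the password item.
 * Returns 1 when an Auth-Type was added, 0 otherwise.
 */
int ex_auth_type_fixup(ex_pair **check)
{
    ex_pair *vp, *c = NULL;
    int n = EX_AUTHTYPE_NONE;

    if (ex_find_auth_type(*check) != EX_AUTHTYPE_NONE)
        return 0;                       /* an explicit Auth-Type wins */

    for (vp = *check; vp != NULL; vp = vp->next) {
        if (vp->attribute == EX_PASSWORD) { c = vp; n = EX_AUTHTYPE_LOCAL; }
        if (vp->attribute == EX_CRYPT_PASSWORD) { c = vp; n = EX_AUTHTYPE_CRYPT; }
    }
    if (c == NULL)
        return 0;                       /* no password item to infer from */

    vp = ex_pair_new(EX_AUTHTYPE, n);
    if (vp == NULL)
        return 0;
    vp->next = c->next;
    c->next = vp;
    return 1;
}

/*
 * Build a check list from an optional password attribute (0 = none) and an
 * optional explicit Auth-Type (EX_AUTHTYPE_NONE = absent), run the fixup and
 * report the Auth-Type the entry ends up with.
 */
int ex_effective_auth_type(int password_attr, int explicit_auth_type)
{
    ex_pair *check = NULL, **tail = &check;
    int result;

    if (password_attr != 0) {
        *tail = ex_pair_new(password_attr, 0);
        if (*tail == NULL)
            return EX_AUTHTYPE_NONE;
        tail = &(*tail)->next;
    }
    if (explicit_auth_type != EX_AUTHTYPE_NONE) {
        *tail = ex_pair_new(EX_AUTHTYPE, explicit_auth_type);
        if (*tail == NULL) {
            ex_pair_free(check);
            return EX_AUTHTYPE_NONE;
        }
    }
    ex_auth_type_fixup(&check);
    result = ex_find_auth_type(check);
    ex_pair_free(check);
    return result;
}

int main(void)
{
    printf("User-Password, no Auth-Type   -> %d\n",
           ex_effective_auth_type(EX_PASSWORD, EX_AUTHTYPE_NONE));
    printf("Crypt-Password, no Auth-Type  -> %d\n",
           ex_effective_auth_type(EX_CRYPT_PASSWORD, EX_AUTHTYPE_NONE));
    printf("User-Password + explicit type -> %d\n",
           ex_effective_auth_type(EX_PASSWORD, EX_AUTHTYPE_OTHER));
    printf("no password, no Auth-Type     -> %d\n",
           ex_effective_auth_type(0, EX_AUTHTYPE_NONE));
    return 0;
}
```

The last case is the one to watch when auditing a configuration: with neither a password check item nor an explicit Auth-Type, the fixup has nothing to infer from and the entry is left without an authentication method.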
Re: freeradius not reading Auth-Type from MySQL
Scott Bartlett [EMAIL PROTECTED] wrote:
> My users file has nothing in its DEFAULT section setting auth-type (only some PPP parameters (?)). I have an 'auth-type=local' entry in radgroupreply for each group we have. I removed the auth-type entry for a test group from the database ... and a user in that group can still log in just fine. Basically, there is now no auth-type set anywhere explicitly for that user, their group, or DEFAULT, but it still seems to work.

Yes. See 'src/main/auth.c'. If you supply a User-Password from a back-end ('users' file, SQL, etc), and the request has a User-Password or CHAP-Password, then 'Auth-Type := Local' is assumed.

I think it would be prudent to add a warning message about this misconfiguration, since it may change in the future.

> Based on the feedback to this thread, I should probably adjust that web page to indicate that the auth-type should go in rad(group)check and not rad(group)reply, yes? (and I'm off to re-re-read the docs again... Heh...)

Yes.

Alan DeKok.
Re: Freeradius and IplanetDirectory Server
hi Kostas

have you running ok

please, give a help ?

i need freeradius against iplanet Directory but the user cannot get attributes of the ldap ... so the user can't connect

see the logs:

    Cleaning up request 9 ID 55 with timestamp 3e42857f
    Sending Access-Reject of id 56 to 10.12.1.254:1645
    Waking up in 2 seconds...
    rad_recv: Access-Request packet from host 10.12.1.254:1645, id=57, length=100
            NAS-IP-Address = 10.12.1.254
            NAS-Port = 15
            NAS-Port-Type = Async
            User-Name = "jlelizeu" ==> this is a User
            Called-Station-Id = "33550998"
            Calling-Station-Id = "1130311497"
            User-Password = "afrnf1"
            Service-Type = Framed-User
            Framed-Protocol = PPP
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    rlm_realm: No '@' in User-Name = "jlelizeu", looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 96
    modcall[authorize]: module "files" returns ok
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for jlelizeu
    radius_xlat: '((uid=jlelizeu)(employeetype=active))'
    radius_xlat: 'ou=pessoal,o=fazenda,o=sp.gov,c=br'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=pessoal,o=fazenda,o=sp.gov,c=br, with filter ((uid=jlelizeu)(employeetype=active))
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user jlelizeu authorized to use remote access
    ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type LDAP
    auth: type "LDAP"
    auth: Failed to validate the user.
    Login incorrect: [jlelizeu/afrnf1] (from client intragov port 15 cli 1130311497)
    Delaying request 11 for 1 seconds
    Finished request 11
    Going to the next request
    Waking up in 2 seconds...
    --- Walking the entire request list ---

Kostas Kalevras wrote:

On Thu, 6 Feb 2003, Gustavo Lozano wrote:

> Does anyone have such scenario running?
>
> We want to setup freerad against Iplanet Directory server using
> rlm_ldap.
>
> Just to know good/bad experiences

Works just perfect

> --
> Gustavo A. Lozano
> Noldata Corporation

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: FreeRADIUS quit of it's own accord
On Thu, Feb 06, 2003 at 09:32:11AM -0500, Adam Moffett wrote:
> This morning about 20 minutes ago, FreeRADIUS just sort of quit on its own. All the log said was this:
>
> Thu Feb 6 09:02:44 2003: Error: MASTER: exit on signal (11)
>
> This is version 0.7.1 by the way. And all it's doing is acting as a proxy for another RADIUS server. This is actually the first problem I've had since i set the thing up... anyone know where I should go with this?

While not solving the actual problem, you could monitor radiusd with something like djb's supervise. That would at least get things going again automatically if something like this happens. See 'doc/supervise-radiusd.txt'.

--
Simon
RE: FreeRADIUS quit of it's own accord
For those of you with the RADIUS book, I describe this in Chapter 6 on pages 116-117.

-Original Message-
From: Simon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 06, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: Re: FreeRADIUS quit of it's own accord

While not solving the actual problem, you could monitor radiusd with something like djb's supervise. That would at least get things going again automatically if something like this happens. See 'doc/supervise-radiusd.txt'.
Re: FreeRADIUS quit of it's own accord
> On Thu, Feb 06, 2003 at 09:32:11AM -0500, [EMAIL PROTECTED] wrote:
>> This morning about 20 minutes ago, FreeRADIUS just sort of quit on its own. All the log said was this:
>>
>> Thu Feb 6 09:02:44 2003: Error: MASTER: exit on signal (11)
>
> Signal (11) on most Unix-type systems is SIGSEGV, which means you had a bad pointer or uninitialized pointer or buffer overrun -- basically it means that the program tried to access memory that was not allocated to it.

Ah. Thank you. And thanks to the others who responded also.
Re: [isp-radius] RADIUS Load Test program (fwd)
On Thu, 6 Feb 2003, Alan DeKok wrote:
> Kostas Kalevras [EMAIL PROTECTED] wrote:
>> From: Mike Mazar [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> ..
>> I have developed a RADIUS Load Test program and it's available for free download at www.evolynx.com/radius.
>
> I like their performance tuning page. g
>
> Unfortunately, it's .NET thing. I wonder if they realize that 99% of the internet doesn't run the software that they run?

And it crashes when you try to run the stress load test

> Alan DeKok.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Fw: Freeradius and IplanetDirectory Server
On Thu, 6 Feb 2003, Kostas Kalevras wrote:
> hi Kostas have you running ok

Just fine

> please, give a help ? i need freeradius against iplanet Directory but the user cannot get attributes of the ldap ... so the user can't connect

The one thing is not related to the other

> see the logs:
>
> Cleaning up request 9 ID 55 with timestamp 3e42857f
> Sending Access-Reject of id 56 to 10.12.1.254:1645
> Waking up in 2 seconds...
> rad_recv: Access-Request packet from host 10.12.1.254:1645, id=57, length=100
>         NAS-IP-Address = 10.12.1.254
>         NAS-Port = 15
>         NAS-Port-Type = Async
>         User-Name = jlelizeu == this is a User
>         Called-Station-Id = 33550998
>         Calling-Station-Id = 1130311497
>         User-Password = afrnf1
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
> modcall: entering group authorize
> modcall[authorize]: module preprocess returns ok
> rlm_realm: No '@' in User-Name = jlelizeu, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop
> users: Matched DEFAULT at 96
> modcall[authorize]: module files returns ok
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for jlelizeu
> radius_xlat: '((uid=jlelizeu)(employeetype=active))'
> radius_xlat: 'ou=pessoal,o=fazenda,o=sp.gov,c=br'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=pessoal,o=fazenda,o=sp.gov,c=br, with filter ((uid=jlelizeu)(employeetype=active))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user jlelizeu authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type LDAP
> auth: type LDAP
> auth: Failed to validate the user.

So have you added the ldap module in your authenticate section? Particularly in the LDAP {} section

> Login incorrect: [jlelizeu/afrnf1] (from client intragov port 15 cli 1130311497)
> Delaying request 11 for 1 seconds
> Finished request 11
> Going to the next request
> Waking up in 2 seconds...
> --- Walking the entire request list ---
>
> Kostas Kalevras wrote:
>> On Thu, 6 Feb 2003, Gustavo Lozano wrote:
>>> Does anyone have such scenario running?
>>>
>>> We want to setup freerad against Iplanet Directory server using rlm_ldap.
>>>
>>> Just to know good/bad experiences
>>
>> Works just perfect
>>
>>> --
>>> Gustavo A. Lozano
>>> Noldata Corporation
>>
>> --
>> Kostas Kalevras
>> Network Operations Center [EMAIL PROTECTED]
>> National Technical University of Athens, Greece
>> Work Phone: +30 210 7721861
>> 'Go back to the shadow' Gandalf

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Fw: Freeradius and IplanetDirectory Server
hi Kostas

i have ldap module in my authentication directive

i comment many entries in ldap.attrmap file so, now the request check only this:

    checkItem Auth-Type radiusAuthType

but not ok because the user can't authenticate !

see the log:

    --- Walking the entire request list ---
    Cleaning up request 29 ID 188 with timestamp 3e42995b
    Nothing to do. Sleeping until we see a request.
    rad_recv: Access-Request packet from host 10.12.1.254:1645, id=189, length=103
            NAS-IP-Address = 10.12.1.254
            NAS-Port = 2
            NAS-Port-Type = Async
            User-Name = nytaniguchi
            Called-Station-Id = 45880998
            Calling-Station-Id = 1145230164
            User-Password = taniguchi
            Service-Type = Framed-User
            Framed-Protocol = PPP
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_realm: No '@' in User-Name = nytaniguchi, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 97
    modcall[authorize]: module files returns ok
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for nytaniguchi
    radius_xlat: 'uid=nytaniguchi'
    radius_xlat: 'ou=pessoal,o=fazenda,o=sp.gov,c=br'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=pessoal,o=fazenda,o=sp.gov,c=br, with filter uid=nytaniguchi
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user nytaniguchi authorized to use remote access
    ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    auth: Failed to validate the user.
    Login incorrect: [nytaniguchi/taniguchi] (from client intragov port 2 cli 1145230164)
    Delaying request 30 for 1 seconds
    Finished request 30
    Going to the next request
    --- Walking the entire request list ---

Kostas Kalevras wrote:
> On Thu, 6 Feb 2003, Kostas Kalevras wrote:
>> hi Kostas have you running ok
>
> Just fine
>
>> please, give a help ? i need freeradius against iplanet Directory but the user cannot get attributes of the ldap ... so the user can't connect
>
> The one thing is not related to the other
>
>> see the logs:
>>
>> Cleaning up request 9 ID 55 with timestamp 3e42857f
>> Sending Access-Reject of id 56 to 10.12.1.254:1645
>> Waking up in 2 seconds...
>> rad_recv: Access-Request packet from host 10.12.1.254:1645, id=57, length=100
>>         NAS-IP-Address = 10.12.1.254
>>         NAS-Port = 15
>>         NAS-Port-Type = Async
>>         User-Name = jlelizeu == this is a User
>>         Called-Station-Id = 33550998
>>         Calling-Station-Id = 1130311497
>>         User-Password = afrnf1
>>         Service-Type = Framed-User
>>         Framed-Protocol = PPP
>> modcall: entering group authorize
>> modcall[authorize]: module preprocess returns ok
>> rlm_realm: No '@' in User-Name = jlelizeu, looking up realm NULL
>> rlm_realm: No such realm NULL
>> modcall[authorize]: module suffix returns noop
>> users: Matched DEFAULT at 96
>> modcall[authorize]: module files returns ok
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for jlelizeu
>> radius_xlat: '((uid=jlelizeu)(employeetype=active))'
>> radius_xlat: 'ou=pessoal,o=fazenda,o=sp.gov,c=br'
>> ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in ou=pessoal,o=fazenda,o=sp.gov,c=br, with filter ((uid=jlelizeu)(employeetype=active))
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user jlelizeu authorized to use remote access
>> ldap_release_conn: Release Id: 0
>> modcall[authorize]: module ldap returns ok
>> modcall: group authorize returns ok
>> rad_check_password: Found Auth-Type LDAP
>> auth: type LDAP
>> auth: Failed to validate the user.
>
> So have you added the ldap module in your authenticate section? Particularly in the LDAP {} section
>
>> Login incorrect: [jlelizeu/afrnf1] (from client intragov port 15 cli 1130311497)
>> Delaying request 11 for 1 seconds
>> Finished request 11
>> Going to the next request
>> Waking up in 2 seconds...
>> --- Walking the entire request list ---
>>
>> Kostas Kalevras wrote:
>>> On Thu, 6 Feb 2003, Gustavo Lozano wrote:
>>>> Does anyone have such scenario running?
>>>>
>>>> We want to setup freerad against Iplanet Directory server using rlm_ldap.
>>>>
>>>> Just to know good/bad experiences
>>>
>>> Works just perfect
>>>
>>>> --
>>>> Gustavo A. Lozano
>>>> Noldata Corporation
>>>
>>> --
>>> Kostas Kalevras
>>> Network Operations Center [EMAIL PROTECTED]
Re: Fw: Freeradius and IplanetDirectory Server
On Thu, 6 Feb 2003, Alexandre wrote:
hi Kostas i have ldap module in my authentication directive i comment many entries in ldap.attrmap file so, now the request check only this: checkItem Auth-Type radiusAuthType but not ok because the user can't authenticate ! see the log:

--- Walking the entire request list ---
Cleaning up request 29 ID 188 with timestamp 3e42995b
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.12.1.254:1645, id=189, length=103
    NAS-IP-Address = 10.12.1.254
    NAS-Port = 2
    NAS-Port-Type = Async
    User-Name = nytaniguchi
    Called-Station-Id = 45880998
    Calling-Station-Id = 1145230164
    User-Password = taniguchi
    Service-Type = Framed-User
    Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = nytaniguchi, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 97
modcall[authorize]: module files returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nytaniguchi
radius_xlat: 'uid=nytaniguchi'
radius_xlat: 'ou=pessoal,o=fazenda,o=sp.gov,c=br'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=pessoal,o=fazenda,o=sp.gov,c=br, with filter uid=nytaniguchi
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nytaniguchi authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type LDAP

The ldap module is *not* called in the authenticate section. Could you post your authenticate section?

auth: Failed to validate the user.
Login incorrect: [nytaniguchi/taniguchi] (from client intragov port 2 cli 1145230164)
Delaying request 30 for 1 seconds
Finished request 30
Going to the next request
--- Walking the entire request list ---

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Re: Fw: Freeradius and IplanetDirectory Server
yes ! see the radius.conf:

Auth-Type := LDAP
ldap {
    #server = ldap.your.domain
    server = diretorio.sede.fazenda.sp.gov.br
    identity = cn=directory manager
    password = ___passowrd ___ #ASA
    #basedn = o=My Org,c=UA
    basedn = ou=pessoal,o=fazenda,o=sp.gov,c=br
    #filter = (uid=%u{Stripped-User-Name:-%{User-Name}})
    filter = uid=%u
    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    start_tls = no
    # set this to 'yes' to use TLS encrypted connections to the
    # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
    # the ldap library.
    tls_mode = no
    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    #access_attr = dialupAccess
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 50
    #password_header = {clear}
    password_attribute = userPassword
    # groupname_attribute = cn
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    #access_attr_used_for_allow = yes
}

Kostas Kalevras wrote:
On Thu, 6 Feb 2003, Alexandre wrote:
hi Kostas i have ldap module in my authentication directive i comment many entries in ldap.attrmap file so, now the request check only this: checkItem Auth-Type radiusAuthType but not ok because the user can't authenticate ! see the log:

--- Walking the entire request list ---
Cleaning up request 29 ID 188 with timestamp 3e42995b
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.12.1.254:1645, id=189, length=103
    NAS-IP-Address = 10.12.1.254
    NAS-Port = 2
    NAS-Port-Type = Async
    User-Name = nytaniguchi
    Called-Station-Id = 45880998
    Calling-Station-Id = 1145230164
    User-Password = taniguchi
    Service-Type = Framed-User
    Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = nytaniguchi, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 97
modcall[authorize]: module files returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nytaniguchi
radius_xlat: 'uid=nytaniguchi'
radius_xlat: 'ou=pessoal,o=fazenda,o=sp.gov,c=br'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=pessoal,o=fazenda,o=sp.gov,c=br, with filter uid=nytaniguchi
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nytaniguchi authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type LDAP

The ldap module is *not* called in the authenticate section. Could you post your authenticate section?

auth: Failed to validate the user.
Login incorrect: [nytaniguchi/taniguchi] (from client intragov port 2 cli 1145230164)
Delaying request 30 for 1 seconds
Finished request 30
Going to the next request
--- Walking the entire request list ---

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Re: freeradius not reading Auth-Type from MySQL
Robert Canary [EMAIL PROTECTED] wrote: Then there is a gross error in half of the documentation. Even the O'Reilly Radius book is showing it in the regroupreply, as well as the infamous www.frontios.com/freeradius.html. But then again half of the docs are spelling Jacobs*o*n, instead of Jacobs*e*n. From RFC 2865: [10] Jacobson, V., Compressing TCP/IP headers for low-speed serial links, RFC 1144, February 1990. What you're saying makes perfect sense, of course. You suggest it be put in the radcheck, or the radgroupcheck? Either one, depending on your local config. Alan DeKok.
Handling duplicate users across many servers.
OK, I have 4 different radius locations. They all replicate to one another every 15 minutes so that I can provide local authentication to each NAS server in 4 different cities. All of the NASes report their accounting packets to the same freeradius server. As such, 3 of the 4 locations do not have radwtmp files, since they don't receive any accounting packets. I want to be able to handle duplicate users, but radwtmp won't prove anything on those 3 systems, since it's empty. Anyone have any ideas? Regards, Justin Wheeler -- Computer programmer (n): Red-eyed mammal capable of communicating with electronics and inanimate equipment.
Re: AP/NAS MAC string format list
On Tuesday, February 4, 2003, at 09:41 AM, Aron Silverton wrote: Cisco 1100 (IOS) (Other models?) Orinoco (All models?) xx-xx 3COM (All models?) Others? Apple AirPort Base Station (Snow and Extreme): Default: Orinoco Style xx-xx Alternate: Cisco style
Re: Handling duplicate users across many servers.
Justin Wheeler [EMAIL PROTECTED] wrote: All of the NASes report their accounting packets to the same freeradius server. As such, 3 of the 4 locations do not have radwtmp files, since they don't receive any accounting packets. I want to be able to handle duplicate users, but radwtmp won't prove anything on those 3 systems, since it's empty. Anyone have any ideas? radrelay should do the trick. I'm not sure that you can give it 2-3 destination servers, but you should be able to relay 1-2, 2-3, 3-4 Alan DeKok.
Maximum/Ideal/Suggested number of users(current and possible)
Greetings - I am doing research regarding whether or not to replace our Windows 2000 ADS/Radius server with .? In this search I have come across Cistron/FreeRadius; however, I have not seen any benchmarks/suggested maximum number of users. I welcome any suggestions. Thanks! Tim Rich
Re: Handling duplicate users across many servers.
On Thu, Feb 06, 2003 at 08:27:07AM -0500, Alan DeKok wrote: Justin Wheeler [EMAIL PROTECTED] wrote: All of the NASes report their accounting packets to the same freeradius server. As such, 3 of the 4 locations do not have radwtmp files, since they don't receive any accounting packets. I want to be able to handle duplicate users, but radwtmp won't prove anything on those 3 systems, since it's empty. Anyone have any ideas? radrelay should do the trick. I'm not sure that you can give it 2-3 destination servers, but you should be able to relay 1-2, 2-3, 3-4 radrelay can only replicate to one destination server. You could output the logs to 3 separate 'combined detail files' and run three instances of radrelay on the primary accounting server though. That might be easier. -- Simon
RE: Maximum/Ideal/Suggested number of users(current and possible)
Let me be the first to point out that Cistron and FreeRadius are completely different systems. This is the FreeRadius list - not the cistron list. Maximum number of SUBSCRIBERS is dependent upon: how many requests per peak minute/hour/whatever; processing power/system architecture/etc; how you store your user data. In other words, your mileage may vary and there are no magic answers to this question for FreeRadius or any other software. But the system is damn efficient, especially running a database behind it if you have a large subscribers. I would bet somebody on here is running in excess of 100K subscribers. Tim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tim Rich, Jr. Sent: Thursday, February 06, 2003 12:33 PM To: '[EMAIL PROTECTED]' Subject: Maximum/Ideal/Suggested number of users(current and possible) Greetings - I am doing research regarding whether or not to replace our Windows 2000 ADS/Radius server with .? In this search I have come across Cistron/FreeRadius; however, I have not seen any benchmarks/suggested maximum number of users. I welcome any suggestions. Thanks! Tim Rich
Re: AP/NAS MAC string format list
Andreas Wolf wrote: On Tuesday, February 4, 2003, at 09:41 AM, Aron Silverton wrote: Cisco 1100 (IOS) (Other models?) Orinoco (All models?) xx-xx 3COM (All models?) Others? Apple AirPort Base Station (Snow and Extreme): Default: Orinoco Style xx-xx Alternate: Cisco style Thanks for the AirPort update. Is that the same for the password component as well? Any restrictions on upper- or lowercase? Is changing the style configurable, or does it work automagically? -- Aron J. Silverton Senior Staff Research Engineer Motorola Laboratories, Networks and Infrastructure Research Motorola, Inc. mailto: [EMAIL PROTECTED]
Re: Handling duplicate users across many servers.
Ah ha. I didn't even know radrelay existed. :) I think I can get this all figured out then. Thanks Alan and Simon. Regards, Justin Wheeler -- Computer programmer (n): Red-eyed mammal capable of communicating with electronics and inanimate equipment. On Thu, 6 Feb 2003, Simon wrote: On Thu, Feb 06, 2003 at 08:27:07AM -0500, Alan DeKok wrote: Justin Wheeler [EMAIL PROTECTED] wrote: All of the NASes report their accounting packets to the same freeradius server. As such, 3 of the 4 locations do not have radwtmp files, since they don't receive any accounting packets. I want to be able to handle duplicate users, but radwtmp won't prove anything on those 3 systems, since it's empty. Anyone have any ideas? radrelay should do the trick. I'm not sure that you can give it 2-3 destination servers, but you should be able to relay 1-2, 2-3, 3-4 radrelay can only replicate to one destination server. You could output the logs to 3 separate 'combined detail files' and run three instances of radrelay on the primary accounting server though. That might be easier. -- Simon
Re: Handling duplicate users across many servers.
On Thu, Feb 06, 2003 at 01:47:55PM -0500, Justin Wheeler wrote: OK, stupid question then. What's radrelay? See: doc/radrelay man 8 radrelay freeradius-base-dir/bin/radrelay The docs are slightly out of date, but you shouldn't have any problems getting it running. -- Simon
Re: AP/NAS MAC string format list
On Thursday, February 6, 2003, at 10:55 AM, Aron Silverton wrote: Thanks for the AirPort update. Is that the same for the password component as well? Any restrictions on upper- or lowercase? It illustrates how the MAC address is used in the AirPort Admin Utility - all lower case for both formats. Is changing the style configurable, or does it work automagicaly? It is configurable via AirPort Admin Utility. Any news on where this info could eventually be documented? Thanks, -Andreas
Re: AP/NAS MAC string format list
Andreas Wolf [EMAIL PROTECTED] wrote: Any news on where this info could eventually be documented? doc/mac-addresses? Alan DeKok.
Re: Fw: Freeradius and IplanetDirectory Server
On Thu, 6 Feb 2003, Alexandre wrote:
yes ! see the radius.conf:

The *authenticate* section:
authenticate{
[ blah blah blah ]
}

Auth-Type := LDAP
ldap {
    #server = ldap.your.domain
    server = diretorio.sede.fazenda.sp.gov.br
    identity = cn=directory manager
    password = ___passowrd ___ #ASA
    #basedn = o=My Org,c=UA
    basedn = ou=pessoal,o=fazenda,o=sp.gov,c=br
    #filter = (uid=%u{Stripped-User-Name:-%{User-Name}})
    filter = uid=%u
    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    start_tls = no
    # set this to 'yes' to use TLS encrypted connections to the
    # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
    # the ldap library.
    tls_mode = no
    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    #access_attr = dialupAccess
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 50
    #password_header = {clear}
    password_attribute = userPassword
    # groupname_attribute = cn
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    #access_attr_used_for_allow = yes
}

Kostas Kalevras wrote:
On Thu, 6 Feb 2003, Alexandre wrote:
hi Kostas i have ldap module in my authentication directive i comment many entries in ldap.attrmap file so, now the request check only this: checkItem Auth-Type radiusAuthType but not ok because the user can't authenticate ! see the log:

--- Walking the entire request list ---
Cleaning up request 29 ID 188 with timestamp 3e42995b
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.12.1.254:1645, id=189, length=103
    NAS-IP-Address = 10.12.1.254
    NAS-Port = 2
    NAS-Port-Type = Async
    User-Name = nytaniguchi
    Called-Station-Id = 45880998
    Calling-Station-Id = 1145230164
    User-Password = taniguchi
    Service-Type = Framed-User
    Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = nytaniguchi, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 97
modcall[authorize]: module files returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nytaniguchi
radius_xlat: 'uid=nytaniguchi'
radius_xlat: 'ou=pessoal,o=fazenda,o=sp.gov,c=br'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=pessoal,o=fazenda,o=sp.gov,c=br, with filter uid=nytaniguchi
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nytaniguchi authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type LDAP

The ldap module is *not* called in the authenticate section. Could you post your authenticate section?

auth: Failed to validate the user.
Login incorrect: [nytaniguchi/taniguchi] (from client intragov port 2 cli 1145230164)
Delaying request 30 for 1 seconds
Finished request 30
Going to the next request
--- Walking the entire request list ---

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
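The check Kostas applies to the trace above, as an added example that is not part of the original thread or of FreeRADIUS: a Python pass over `radiusd -X` output that reports rejected requests where an Auth-Type was found but no module ran in the authenticate phase. The sample trace is constructed, and the two authenticate-phase line formats it matches are assumptions, since the thread shows only the failing trace.

```python
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the `radiusd -X` output quoted in the thread.
# Request 189 mirrors the failing trace. Request 190 is a rejected login in which
# a module did run; its authenticate-phase lines are an ASSUMED format, because
# the thread never shows one.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=189, length=103
        User-Name = alice
modcall: entering group authorize
rlm_ldap: - authorize
modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
auth: Failed to validate the user.
Login incorrect: [alice] (from client example port 2)
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=190, length=99
        User-Name = "bob"
modcall: entering group authorize
modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group authenticate
rlm_ldap: - authenticate
modcall[authenticate]: module ldap returns reject
auth: Failed to validate the user.
Login incorrect: [bob] (from client example port 3)
"""

REQ_START = re.compile(r"^rad_recv: Access-Request packet from host \S+ id=(\d+)")
USER = re.compile(r'^User-Name = "?([^"]+?)"?$')
AUTH_TYPE = re.compile(r"^rad_check_password:\s+Found Auth-Type (\S+)")
# Assumed shapes of the lines a module emits when it runs in authenticate.
AUTHN_MODULE = re.compile(
    r"^(?:modcall\[authenticate\]: module (\S+) returns|rlm_(\w+): - authenticate)"
)
FAILED = re.compile(r"^auth: Failed to validate the user")


@dataclass
class Request:
    packet_id: int
    user: str = ""
    auth_type: str = ""
    authn_modules: list = field(default_factory=list)
    failed: bool = False


def parse_requests(debug_text):
    """Split debug output into Access-Requests and record what each one did."""
    requests, current = [], None
    for raw in debug_text.splitlines():
        line = raw.strip()
        start = REQ_START.match(line)
        if start:
            current = Request(packet_id=int(start.group(1)))
            requests.append(current)
            continue
        if current is None:
            continue  # server chatter before the first request
        if (m := USER.match(line)) and not current.user:
            current.user = m.group(1)  # first User-Name only; proxied copies repeat it
        elif m := AUTH_TYPE.match(line):
            current.auth_type = m.group(1)
        elif m := AUTHN_MODULE.match(line):
            name = m.group(1) or m.group(2)
            if name not in current.authn_modules:
                current.authn_modules.append(name)
        elif FAILED.match(line):
            current.failed = True
    return requests


def unhandled_auth_types(requests):
    """Rejected requests with an Auth-Type set but no authenticate-phase module.

    This is the pattern pointed out in the thread: authorize selected an
    Auth-Type, and the trace shows no module handling it before the failure.
    """
    return [
        (r.packet_id, r.user, r.auth_type)
        for r in requests
        if r.failed and r.auth_type and not r.authn_modules
    ]


if __name__ == "__main__":
    for packet_id, user, auth_type in unhandled_auth_types(parse_requests(SAMPLE_DEBUG)):
        print(f"id={packet_id} user={user}: Auth-Type {auth_type} was set but no "
              "module ran in authenticate; check that section of radiusd.conf")
```

A rejected request that does list an authenticate module, like id=190 in the sample, is not reported: there the module ran and refused the login, which is a different problem from a missing entry in the authenticate section.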
RE: Maximum/Ideal/Suggested number of users (current and possible)
Thanks, Tim - Then some details are available: We currently serve ~1500 users, max concurrent connection = 96 users. The proposed radius server is a Compaq Proliant DL380, Dual 2.4 Xenon CPU, 4 GB memory, attached to a SAN. This server is running Redhat 7.3 (testing to move to Redhat AS 2.1). The device making Radius requests is a Cisco 5300 Access server connected to 4-24 Channel T-1's. These devices are connected on a 10/100 Ethernet segment. This is the bulk of our business - and would need 99.999 availability. Our peak usage is 5 hours a day, but still only see about 60 current connections. Typical connection length is between 8 and 20 minutes. The growth of our company is anticipated to be added users of ~ 10,000 this year, as we just signed a large contract. Our ratio of users/available (concurrent) connections is about 1/15. (this means ~ 660 concurrent connections, and would have to add a Cisco AS 5400 to the mix to make this work) Would FreeRadius provide the robustness, reliability and scalability that we are looking for? Tim -Original Message- From: Tim D. McCracken [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 06, 2003 1:54 PM To: [EMAIL PROTECTED] Subject: RE: Maximum/Ideal/Suggested number of users(current and possible) Let me be the first to point out that Cistron and FreeRadius are completely different systems. This is the FreeRadius list - not the cistron list. Maximum number of SUBSCRIBERS is dependent upon: how many requests per peak minute/hour/whatever; processing power/system architecture/etc; how you store your user data. In other words, your mileage may vary and there are no magic answers to this question for FreeRadius or any other software. But the system is damn efficient, especially running a database behind it if you have a large subscribers. I would bet somebody on here is running in excess of 100K subscribers. Tim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tim Rich, Jr. Sent: Thursday, February 06, 2003 12:33 PM To: '[EMAIL PROTECTED]' Subject: Maximum/Ideal/Suggested number of users(current and possible) Greetings - I am doing research regarding whether or not to replace our Windows 2000 ADS/Radius server with .? In this search I have come across Cistron/FreeRadius; however, I have not seen any benchmarks/suggested maximum number of users. I welcome any suggestions. Thanks! Tim Rich
Proxying problems (or utter stupidity ?) again...
OK. I still haven't managed to get the damn solution working, even with the helpful hints from Chris and Alan, and even after trying very hard I still get proxy calls (and subsequent Access-Reject) for people who shouldn't trigger them. Here is what I finally put in radgroupcheck :

mysql> SELECT * FROM radgroupcheck WHERE GroupName='internix';
+----+-----------+-------------------+-------+----+
| id | GroupName | Attribute         | Value | op |
+----+-----------+-------------------+-------+----+
|  6 | internix  | No-Such-Attribute |       | := |
| 23 | internix  | Auth-Type         | Local | := |
| 25 | internix  | Fall-Through      | No    | := |
+----+-----------+-------------------+-------+----+
3 rows in set (0.00 sec)

I think at least here, I've got nothing wrong. Now, onto the users file :

# This one is special for one of our customers
DEFAULT Service-Type == Call-Check, Auth-Type += Accept

# This is the one that should be triggering the proxying. Note I was
# under the impression from Alan's message that telling the program that
# the Auth-Type was Local and there was no fall-through would be enough
# but since it didn't work, I added that condition (without success :-(
DEFAULT Auth-Type != Local, Proxy-To-Realm += alien

The proxy.conf has only one realm :

alien {
    type = radius
    authhost = xxx.xx.xxx.xx:1812
    accthost = xxx.xx.xxx.xx:1813
    secret = x
}

And the 'authorize' section in radiusd.conf is like :

authorize {
    preprocess
    sql
    files
    suffix
}

And here is what happens when I try to authenticate a local user with that configuration :

rad_recv: Access-Request packet from host 194.79.150.4:43827, id=237, length=59
    User-Name = xx
    User-Password = xx
    NAS-IP-Address = 255.255.255.255
    NAS-Port-Id = 0
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
radius_xlat: 'xx'
rlm_sql (sql): sql_set_user escaped user -- 'xx'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE UserName = 'xx' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.UserName = 'xx' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE UserName = 'xx' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.UserName = 'xx' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: check items
    User-Password == xx
    No-Such-Attribute :=
    Auth-Type := Local
^^ Here, Auth-Type is clearly set to Local...
    Fall-Through := No
^^ and without a fall-through...
rlm_sql: reply items
    Idle-Timeout = 1800
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP
    Reply-Message = Welcome to Monaco Internet dial-up server
    Simultaneous-Use = 1
    Port-Limit = 1
    Ascend-Maximum-Channels = 1
    No-Such-Attribute :=
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok
users: Matched DEFAULT at 216
modcall[authorize]: module files returns ok
rlm_realm: No '@' in User-Name = xx, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
modcall: group authorize returns ok
Sending Access-Request of id 1 to xxx.xx.xxx.xx:1812
^^ ... but the software insists to proxy the request anyway (?!?!?).
    User-Name = xx
    User-Password = 7\030YCkY9\265\345\226an\303(\256}
    NAS-IP-Address = 255.255.255.255
    NAS-Port-Id = 0
    Proxy-State = 237
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host xxx.xx.xxx.xx:1812, id=1, length=25
^ Of course, this doesn't work as expected.
    Proxy-State = 0x323337
Login incorrect (Home Server says so): [xx/xx] (from client dev900 port 0)
Delaying request 0 for 1 seconds
Finished request 0

I'm clearly missing something. But what ? I tried all sort of weird things to avoid this problem (a Proxy-To-Realm attribute pointing all group members to a fake realm with a LOCAL authhost, for example), all to no avail (except if « no response » is more of a success than « access rejected », but I
RE: Maximum/Ideal/Suggested number of users (current and possible )
At 02:20 PM 2/6/2003 -0500, Tim Rich, Jr. wrote: Thanks, Tim - Then some details are available: We currently serve ~1500 users, max concurrent connection = 96 users. The proposed radius server is a Compaq Proliant DL380, Dual 2.4 Xenon CPU, 4 GB memory, attached to a SAN. This server is running Redhat 7.3 (testing to move to Redhat AS 2.1). Wow, that's quite a bit of overkill. If you need 5 9's of reliability then I would look at dumping that server for a couple smaller/cheaper servers so that you have multiple servers instead of single one. Configure those multiple servers on your nas ( you mention it's a cisco so it can support quite a few ). Then, if one server happens to go down, your NAS will failover automatically to one of the others. The growth of our company is anticipated to be added users of ~ 10,000 this year, as we just signed a large contract. Our ratio of users/available (concurrent) connections is about 1/15. (this means ~ 660 concurrent connections, and would have to add a Cisco AS 5400 to the mix to make this work) Would FreeRadius provide the robustness, reliability and scalability that we are looking for? I have on good authority of FreeRADIUS running far less capacity servers supporting an order or two larger userbase than what you are describing. -Chris -- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net
RE: Maximum/Ideal/Suggested number of users (current and possible)
Performance: I presently run 148 ports on a 400 MHz Solaris system that all runs a very busy e-mail server. At that I average about 75% idle cpu cycles. I doubt that FR's contribution to the load would be measurable. I do use MySQL back-end. Reliability: No standalone computer achieves 5 9's of reliability on its own. I run FR on two servers, and you should too if reliability is important. IMHO a database backend makes redundant servers a little easier, but you will get differences of opinion on this. One great thing about a database backend on FR is that there is no need to restart the server every time you add a user. With 10K subs I would definitely recommend a DB backend. As to which one, everybody is different. I use MySQL, but would use Oracle if cost was not a factor. Others use Postgres, and I think some even use MSSQL Tim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tim Rich, Jr. Sent: Thursday, February 06, 2003 1:20 PM To: '[EMAIL PROTECTED]' Subject: RE: Maximum/Ideal/Suggested number of users (current and possible) Thanks, Tim - Then some details are available: We currently serve ~1500 users, max concurrent connection = 96 users. The proposed radius server is a Compaq Proliant DL380, Dual 2.4 Xenon CPU, 4 GB memory, attached to a SAN. This server is running Redhat 7.3 (testing to move to Redhat AS 2.1). The device making Radius requests is a Cisco 5300 Access server connected to 4-24 Channel T-1's. These devices are connected on a 10/100 Ethernet segment. This is the bulk of our business - and would need 99.999 availability. Our peak usage is 5 hours a day, but still only see about 60 current connections. Typical connection length is between 8 and 20 minutes. The growth of our company is anticipated to be added users of ~ 10,000 this year, as we just signed a large contract. Our ratio of users/available (concurrent) connections is about 1/15. (this means ~ 660 concurrent connections, and would have to add a Cisco AS 5400 to the mix to make this work) Would FreeRadius provide the robustness, reliability and scalability that we are looking for? Tim -Original Message- From: Tim D. McCracken [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 06, 2003 1:54 PM To: [EMAIL PROTECTED] Subject: RE: Maximum/Ideal/Suggested number of users(current and possible) Let me be the first to point out that Cistron and FreeRadius are completely different systems. This is the FreeRadius list - not the cistron list. Maximum number of SUBSCRIBERS is dependent upon: how many requests per peak minute/hour/whatever; processing power/system architecture/etc; how you store your user data. In other words, your mileage may vary and there are no magic answers to this question for FreeRadius or any other software. But the system is damn efficient, especially running a database behind it if you have a large subscribers. I would bet somebody on here is running in excess of 100K subscribers. Tim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tim Rich, Jr. Sent: Thursday, February 06, 2003 12:33 PM To: '[EMAIL PROTECTED]' Subject: Maximum/Ideal/Suggested number of users(current and possible) Greetings - I am doing research regarding whether or not to replace our Windows 2000 ADS/Radius server with .? In this search I have come across Cistron/FreeRadius; however, I have not seen any benchmarks/suggested maximum number of users. I welcome any suggestions. Thanks! Tim Rich
RE: Maximum/Ideal/Suggested number of users (current and possible )
I would agree with everything Chris said. I think I said about the same thing in a different way. Tim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Parker Sent: Thursday, February 06, 2003 1:31 PM To: [EMAIL PROTECTED] Subject: RE: Maximum/Ideal/Suggested number of users (current and possible ) At 02:20 PM 2/6/2003 -0500, Tim Rich, Jr. wrote: Thanks, Tim - Then some details are available: We currently serve ~1500 users, max concurrent connection = 96 users. The proposed radius server is a Compaq Proliant DL380, Dual 2.4 Xenon CPU, 4 GB memory, attached to a SAN. This server is running Redhat 7.3 (testing to move to Redhat AS 2.1). Wow, that's quite a bit of overkill. If you need 5 9's of reliability then I would look at dumping that server for a couple smaller/cheaper servers so that you have multiple servers instead of single one. Configure those multiple servers on your nas ( you mention it's a cisco so it can support quite a few ). Then, if one server happens to go down, your NAS will failover automatically to one of the others. The growth of our company is anticipated to be added users of ~ 10,000 this year, as we just signed a large contract. Our ratio of users/available (concurrent) connections is about 1/15. (this means ~ 660 concurrent connections, and would have to add a Cisco AS 5400 to the mix to make this work) Would FreeRadius provide the robustness, reliability and scalability that we are looking for? I have on good authority of FreeRADIUS running far less capacity servers supporting an order or two larger userbase than what you are describing. -Chris -- \\\|||/// \ StarNet Inc. \ Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net
How to add new configuration attributes
Hi,

I have two questions about adding new attributes to configuration data.

1) I would like to be able to add my own attributes to the realm entries in clients.conf and proxy.conf. Is this possible? What I have in mind would look something like this, for clients.conf:

    client some.host.org {
        secret = testing123
        shortname = localhost
        myAttribute = someValue
    }

Then I would need a way to read that from within an RLM module, in my case an EAP sub-module.

2) To implement my new EAP type, I may also need to define a config parameter in radiusd.conf that would apply to all authentication sessions at that RADIUS server for that EAP type. It appears EAP-TLS already does this, but a quick checklist of things to implement would help. My radiusd.conf would look like this:

    eap {
        default_eap_type = newType
        timer_expire = 60
        md5 {
        }
        newType {
            newAttribute = someValue
        }
    }

Regards,
Dave
Re: Proxying problems (or utter stupidity ?) again...
Jacques Caruso [EMAIL PROTECTED] wrote:
> OK. I still haven't managed to get the damn solution working, even with the helpful hints from Chris and Alan, and even after trying very hard I still get proxy calls (and subsequent Access-Reject) for people who shouldn't trigger them. Here is what I finally put in radgroupcheck :
>
>     mysql> SELECT * FROM radgroupcheck WHERE GroupName='internix';
>     +----+-----------+-------------------+-------+----+
>     | id | GroupName | Attribute         | Value | op |
>     +----+-----------+-------------------+-------+----+
>     |  6 | internix  | No-Such-Attribute |       | := |

What the heck is that line for?

>     # This is the one that should be triggering the proxying. Note I was
>     # under the impression from Alan's message that telling the program that
>     # the Auth-Type was Local and there was no fall-through would be enough
>     # but since it didn't work, I added that condition (without success :-(
>     DEFAULT Auth-Type != Local, Proxy-To-Realm += alien

That won't work, unfortunately. The '!=' check for Auth-Type isn't supported.

> And the 'authorize' section in radiusd.conf is like :
>
>     authorize {
>         preprocess
>         sql
>         files
>         suffix
>     }

That means pass the users through 'files', and then ALSO through 'suffix'. The 'Fall-Through = Yes' attribute works ONLY inside of the 'users' file, and doesn't affect the handling of the 'authorize' section.

What you want to do here is read 'doc/configurable_failover', which allows you to set up fail-over of fall-through between different modules in 'authorize'.

> I'm clearly missing something. But what ? I tried all sorts of weird things to avoid this problem (a Proxy-To-Realm attribute pointing all group members to a fake realm with a LOCAL authhost, for example)

That should work.

>     modcall: group authorize returns ok
>     Sending Access-Request of id 1 to xxx.xx.xxx.xx:1812
>     ^^
> ... but the software insists to proxy the request anyway (?!?!?).

Something, somewhere, is telling it to proxy that request.

Alan DeKok.
Re: How to add new configuration attributes
Dave Mason [EMAIL PROTECTED] wrote:
> I have two questions about adding new attributes to configuration data.
>
> 1) I would like to be able to add my own attributes to the realm entries in clients.conf and proxy.conf. Is this possible?

Sure, if you edit the source code. But why would it be a good idea?

> What I have in mind would look something like this, for clients.conf:
>
>     client some.host.org {
>         secret = testing123
>         shortname = localhost
>         myAttribute = someValue
>     }
>
> Then I would need a way to read that from within an RLM module, in my case an EAP sub-module.

You're talking about a solution, not a problem. Describe the problem, and we can probably come up with a better solution.

> 2) To implement my new EAP type, I may also need to define a config parameter in radiusd.conf that would apply to all authentication sessions at that RADIUS server for that EAP type.

That's what the module configuration is for.

> It appears EAP-TLS already does this, but a quick checklist of things to implement would help. My radiusd.conf would look like this:
>
>     eap {
>         default_eap_type = newType
>         timer_expire = 60
>         md5 {
>         }
>         newType {
>             newAttribute = someValue
>         }
>     }

That's nice, but what problem are you trying to solve?

Alan DeKok.
Re: Counter problem
Keith Ballard [EMAIL PROTECTED] wrote:
> When I try and use it I get the error when it processes the 'users' file:
>
>     Syntax error: Previous line is missing a trailing comma for entry DEFAULT.

If the entry looks OK, try deleting it, and re-typing it. Also watch for whitespace in lines that are otherwise blank.

Alan DeKok.
RE: Maximum/Ideal/Suggested number of users (current and possible )
Thanks, Tim and Chris!
How to implement Class and Vendor-Specific attributes, accounting question
Hi,

I have a couple of questions about accounting...

1) As I mentioned in a previous question, I'm writing a new EAP type. To support the accounting procedure we want to use, I may need to return Access-Accept with a Class or Vendor-Specific attribute. Could you advise me how to do this from within the rlm_eap framework? The data to include in the attribute will be obtained from another system by my new rlm_eap_newType module. My guess is that somehow rlm_eap_newType needs to pass this back up to whatever routine finally builds the RADIUS message. (My first thought was eap_authenticate/eap_compose, but they're obviously for the EAP attribute only. I would need to go up one more level.)

2) My second question concerns how to process the incoming accounting data from the client. I have not studied accounting as much as authentication, so I'm a little rusty. From radiusd.conf it appears that accounting is an RLM module, but I don't see an rlm_acct in the modules directory. I looked through src/main/acct.c and found the rad_accounting() function that looks to be where everything happens, along with the stuff in modules.c. When accounting data comes in (including Class or Vendor-Specific attributes) I'll need to parse it and send it to a backend system, but I'm not sure where to put that code.

Thanks for any help you might have,
Dave
Re: AP/NAS MAC string format list
Andreas Wolf wrote: On Thursday, February 6, 2003, at 10:55 AM, Aron Silverton wrote: Thanks for the AirPort update. Is that the same for the password component as well? Any restrictions on upper- or lowercase? It illustrates how the MAC address is used in the AirPort Admin Utility - all lower case for both formats. Is changing the style configurable, or does it work automagicaly? It is configurable via AirPort Admin Utility. Any news on where this info could eventually be documented? I'm compiling a spreadsheet locally. I've received an offer from somebody with CVS access to check it in. Once I have a few more entries, I'll convert it to ASCII, provide some explanation, and ask that it be added to the repository. Thanks, -Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Aron -- Aron J. Silverton Senior Staff Research Engineer Motorola Laboratories, Networks and Infrastructure Research Motorola, Inc. mailto: [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
re: Help! Can't compile rlm_sql_oracle on solaris
Chris,

My compiler is now 64 bit (with a bit of work), but I still can't link. Any ideas?

BTW: since I'm not subscribed to the list, can you reply all so I can see it as well.

thanks,
--ck
RE: FreeRADIUS quit of it's own accord
Alternatively, you can do what we did and set up a cron job that does the same thing, and notifies us with a text message on our cellphones. It was originally written for radius servers that run two processes. There are probably cleaner ways to do this, but I'll leave that as an exercise for the reader:

/usr/local/bin/fradprocheck:

    #! /bin/sh
    # Shell script to check if FreeRadius RADIUS daemon is running.
    #
    # If there is no radiusd process running, verify all radiusd
    # processes are dead and restart radiusd services.
    #
    # List all processes that have radiusd in them, excluding the grep
    # command in the command itself (-v option), then pipe it to the word count
    # utility wc, then pipe it to awk to strip leading blanks.
    #
    if [ `ps -auxww | grep radiusd | grep -v grep | wc -l | awk '{ print $1 }'` -lt 1 ]
    then
        # Restart FreeRadius service
        /f/sbin/radiusd
        # Send message to cell phones (the subject must be quoted to stay one argument)
        cat /etc/radprocheck.txt | mail -s "Radiusd restarted" cellphones@domain
    fi

-----Original Message-----
> While not solving the actual problem, you could monitor radiusd with something like djb's supervise. That would at least get things going again automatically if something like this happens. See 'doc/supervise-radiusd.txt'.
>
> Jim
re: Help! Can't compile rlm_sql_oracle on solaris
At 04:28 PM 2/6/2003 -0500, Chayim I. Kirshen wrote:
> Chris,
>
> My compiler is now 64 bit (with a bit of work), but I still can't link. Any ideas?
>
> BTW: since I'm not subscribed to the list, can you reply all so I can see it as well.

Can you reprint the error you are seeing? Also, can you show the output of 'file foo' where foo is the rlm_sql.o file and the oracle lib that isn't working? Also, please list the output of 'ldd oraclefoo' where oraclefoo is the library that is failing to link.

-Chris

> thanks,
> --ck

--
Chris Parker
Director, Engineering
StarNet Inc.
WX *is* Wireless!
http://www.starnetwx.net
(847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: Proxying problems (or utter stupidity ?) again...
Without repeating what Alan and Chris said:

On Thu, 6 Feb 2003, Jacques Caruso wrote:
> The proxy.conf has only one realm :
>
>     alien {
>         type = radius

Shouldn't that be:

    realm alien {
        type = radius

just wondrin',
Jim
re: Help! Can't compile rlm_sql_oracle on solaris
Well, I solved the rlm_sql_oracle issue (thanks Chris):

Here's what I needed to do:

1. recompile my gcc for 64 bit. This means use a 32 bit gcc to bootstrap binutils, and then create a 64 bit compiler.
2. export LD_LIBRARY_PATH=/lib:/path-to-compiler/lib

And that was great. Except I've got this new issue where I can't use libcrypt.so because of a linker error. Here's my new error and the gcc line that's generating it. I haven't compiled glibc on Solaris yet (and so far I'm happily avoiding it).

    gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../include -o .libs/radiusd radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o -L/export/home/chayim/freeradius/src/lib /export/home/chayim/freeradius/src/lib/.libs/libradius.so -lcrypt /export/home/chayim/freeradius/libltdl/.libs/libltdl.so -ldl -lnsl -lresolv -lsocket -lposix4 -lpthread -R/shared/toolchain//lib
    ld: fatal: file /lib/libcrypt.so: wrong ELF class: ELFCLASS32
    ld: fatal: File processing errors. No output written to .libs/radiusd
    collect2: ld returned 1 exit status

On Thu, 2003-02-06 at 16:37, Chris Parker wrote:
> At 04:28 PM 2/6/2003 -0500, Chayim I. Kirshen wrote:
> > Chris,
> >
> > My compiler is now 64 bit (with a bit of work), but I still can't link. Any ideas?
> >
> > BTW: since I'm not subscribed to the list, can you reply all so I can see it as well.
>
> Can you reprint the error you are seeing? Also, can you show the output of 'file foo' where foo is the rlm_sql.o file and the oracle lib that isn't working? Also, please list the output of 'ldd oraclefoo' where oraclefoo is the library that is failing to link.
>
> -Chris
>
> > thanks,
> > --ck
>
> --
> Chris Parker
> Director, Engineering
> StarNet Inc.
> WX *is* Wireless!
> http://www.starnetwx.net
> (847) 963-0116
> Wholesale Internet Services - http://www.megapop.net
Re: How to implement Class and Vendor-Specific attributes, accounting question
Dave Mason [EMAIL PROTECTED] wrote:
> 1) As I mentioned in a previous question, I'm writing a new EAP type. To support the accounting procedure we want to use, I may need to return Access-Accept with a Class or Vendor-Specific attribute. Could you advise me how to do this from within the rlm_eap framework?

Look at src/modules/rlm_example/rlm_example.c

> 2) My second question concerns how to process the incoming accounting data from the client. I have not studied accounting as much as authentication, so I'm a little rusty. From radiusd.conf it appears that accounting is an RLM module, but I don't see an rlm_acct in the modules directory. I looked through src/main/acct.c and found the rad_accounting() function that looks to be where everything happens, along with the stuff in modules.c. When accounting data comes in (including Class or Vendor-Specific attributes) I'll need to parse it and send it to a backend system, but I'm not sure where to put that code.

Huh? You don't have to parse anything, that's the point of the module system.

Look at the 'accounting' section for modules which do accounting. Then look in those modules, and read their accounting routines.

Alan DeKok.
re: Help! Can't compile rlm_sql_oracle on solaris
At 04:51 PM 2/6/2003 -0500, Chayim I. Kirshen wrote:
> Well, I solved the rlm_sql_oracle issue (thanks Chris):
>
> Here's what I needed to do:
>
> 1. recompile my gcc for 64 bit. This means use a 32 bit gcc to bootstrap binutils, and then create a 64 bit compiler.
> 2. export LD_LIBRARY_PATH=/lib:/path-to-compiler/lib

Here is what I do to set a 64-bit solaris env: ( assuming you've installed 64-bit version of gcc in /usr/local/gcc-v9 )

    PATH=/usr/local/gcc-v9/bin:$PATH
    LD_LIBRARY_PATH=/usr/local/gcc-v9/lib:$LD_LIBRARY_PATH
    CFLAGS="-mcpu=v9 -Wa,-xarch=v9a"
    CXXFLAGS=$CFLAGS
    export PATH LD_LIBRARY_PATH CFLAGS CXXFLAGS

> And that was great. Except I've got this new issue where I can't use libcrypt.so because of a linker error. Here's my new error and the gcc line that's generating it. I haven't compiled glibc on Solaris yet (and so far I'm happily avoiding it).
>
>     gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../include -o .libs/radiusd radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o -L/export/home/chayim/freeradius/src/lib /export/home/chayim/freeradius/src/lib/.libs/libradius.so -lcrypt /export/home/chayim/freeradius/libltdl/.libs/libltdl.so -ldl -lnsl -lresolv -lsocket -lposix4 -lpthread -R/shared/toolchain//lib
>     ld: fatal: file /lib/libcrypt.so: wrong ELF class: ELFCLASS32
>     ld: fatal: File processing errors. No output written to .libs/radiusd
>     collect2: ld returned 1 exit status

Note that you above set '/lib' explicitly to be the first place for ld to look. Try removing the '/lib' from the front of your LD_LIBRARY_PATH.

-Chris
--
Chris Parker
Director, Engineering
StarNet Inc.
WX *is* Wireless!
http://www.starnetwx.net
(847) 963-0116
Wholesale Internet Services - http://www.megapop.net
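The "wrong ELF class: ELFCLASS32" failure discussed above comes down to which copy of libcrypt.so the search path reaches first. The following is an added example, not code from the thread or from FreeRADIUS: it reads e_ident[EI_CLASS] from each candidate and reports the first hit on a colon-separated path. The function names and the stub files built in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which copy of a library a colon-separated search path
# reaches first, and whether its ELF class matches what the build expects.

# elf_class FILE -> prints 32, 64 or not-elf
elf_class() {
    # The first four bytes of an ELF file are 0x7f 'E' 'L' 'F'.
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 0; }
    # Byte 4 is e_ident[EI_CLASS]: 1 = ELFCLASS32, 2 = ELFCLASS64.
    cls=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$cls" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo "not-elf" ;;
    esac
}

# first_match LIB SEARCHPATH -> prints "DIR/LIB CLASS" for the first hit,
# walking SEARCHPATH left to right; returns 1 if LIB is nowhere on the path.
first_match() {
    lib=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        IFS=$old_ifs
        [ -n "$dir" ] || continue          # skip empty path elements
        if [ -f "$dir/$lib" ]; then
            echo "$dir/$lib $(elf_class "$dir/$lib")"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_path LIB SEARCHPATH WANT -> 0 if the first hit has class WANT,
# 1 on a class mismatch, 2 if LIB is not found at all.
check_path() {
    hit=$(first_match "$1" "$2") || { echo "$1: not found on path"; return 2; }
    file=${hit% *}
    cls=${hit##* }
    if [ "$cls" = "$3" ]; then
        echo "ok: $file is ${cls}-bit"
    else
        echo "MISMATCH: $file is ${cls}-bit, build wants $3-bit"
        return 1
    fi
}

# Constructed sample: two stub files carrying only an ELF ident prefix.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib" "$tmp/gcc64/lib"
    printf '\177ELF\001' > "$tmp/lib/libcrypt.so"        # ELFCLASS32 stub
    printf '\177ELF\002' > "$tmp/gcc64/lib/libcrypt.so"  # ELFCLASS64 stub
    # 32-bit directory first, as in the LD_LIBRARY_PATH from the thread.
    check_path libcrypt.so "$tmp/lib:$tmp/gcc64/lib" 64 || true
    # 64-bit directory first.
    check_path libcrypt.so "$tmp/gcc64/lib:$tmp/lib" 64 || true
    rm -rf "$tmp"
}

demo
```
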
RE: accounting script for freeradius
Hi,

I'm wondering how people gather accounting information from, say, either the detail files or mysql database? Are there some existing scripts somewhere that do this?

TIA,
jason
Re: freeradius not reading Auth-Type from MySQL
I am still a little puzzled why on mine, it will reject a user because no Auth-Type is designated? While others have the Auth-Type in radgroupreply and no Auth-Type in their users file, and everything is fine. Has something changed in the src between builds?? I am currently running the freeradius-0.8.1

Alan DeKok wrote:
> Robert Canary [EMAIL PROTECTED] wrote:
> > Then there is a gross error in half of the documentation. Even the O'Reilly Radius book is showing it in the radgroupreply, as well as the infamous www.frontios.com/freeradius.html. But then again half of the docs are spelling Jacobs*o*n, instead Jacobs*e*n..
>
> From RFC 2865:
>
>     [10] Jacobson, V., Compressing TCP/IP headers for low-speed serial links, RFC 1144, February 1990.
>
> > What you're saying makes perfect sense, of course. You suggest it be put in the radcheck, or the radgroupcheck?
>
> Either one, depending on your local config.
>
> Alan DeKok.
re: Help! Can't compile rlm_sql_oracle on solaris
About 2 minutes before your email came in I just stumbled across something similar. Here's exactly what I had to do:

1. build binutils: options --target=sparcv9-sun-solaris2
2. build gcc: options -host=sparcv9-sun-solaris2 --with-gnu-as --with-gnu-ar --with-as=/path-to/as --with-ar=/path-to/ar
3. OHOME=/path-to/oraclehome LD_LIBRARY_PATH=/lib:/path-to-gcc/lib export OHOME LD_LIBRARY_PATH
4. build freeradius: options are only specific to my install. nothing fancy occurred
5. deploy!

Thanks a tonne for all your help. I hope this list is useful to the next person.

Note, to those interested in compiling the gcc for solaris (repeatably), I will be posting a document on my website (www.gnupower.net) in the upcoming week/month depending on time.

cheers,
--ck

> Here is what I do to set a 64-bit solaris env: ( assuming you've installed 64-bit version of gcc in /usr/local/gcc-v9 )
>
>     PATH=/usr/local/gcc-v9/bin:$PATH
>     LD_LIBRARY_PATH=/usr/local/gcc-v9/lib:$LD_LIBRARY_PATH
>     CFLAGS="-mcpu=v9 -Wa,-xarch=v9a"
>     CXXFLAGS=$CFLAGS
>     export PATH LD_LIBRARY_PATH CFLAGS CXXFLAGS
>
> > And that was great. Except I've got this new issue where I can't use libcrypt.so because of a linker error. Here's my new error and the gcc line that's generating it. I haven't compiled glibc on Solaris yet (and so far I'm happily avoiding it).
> >
> >     gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../include -o .libs/radiusd radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o -L/export/home/chayim/freeradius/src/lib /export/home/chayim/freeradius/src/lib/.libs/libradius.so -lcrypt /export/home/chayim/freeradius/libltdl/.libs/libltdl.so -ldl -lnsl -lresolv -lsocket -lposix4 -lpthread -R/shared/toolchain//lib
> >     ld: fatal: file /lib/libcrypt.so: wrong ELF class: ELFCLASS32
> >     ld: fatal: File processing errors. No output written to .libs/radiusd
> >     collect2: ld returned 1 exit status
>
> Note that you above set '/lib' explicitly to be the first place for ld to look. Try removing the '/lib' from the front of your LD_LIBRARY_PATH.
>
> -Chris
> --
> Chris Parker
> Director, Engineering
> StarNet Inc.
> WX *is* Wireless!
> http://www.starnetwx.net
> (847) 963-0116
> Wholesale Internet Services - http://www.megapop.net
Re: How to add new configuration attributes
Hi Alan,

Good point, I'll back up a little. The EAP type I'm working on is EAP-SIM, currently in draft state. After EAP/Response/Identity I send EAP/Request/SIM/Start, and the client returns EAP/Response/SIM/Start. My next step is to send EAP/Request/SIM/Challenge, but first I need to get a configurable amount of authentication data from an HLR. That is, rlm_eap_sim needs to know how much data to ask for.

At first I thought I needed to allow the amount of data to be configured per client realm (my first question earlier), but after doing some more homework it's probably OK to configure it per node (my second question).

I'm still curious if it's possible to add new config parameters to a client entry in clients.conf. (proxy.conf looks unnecessary now.) Let me know if you have another suggestion for that kind of behavior.

As for adding a new parameter to radiusd.conf, I can study EAP-TLS to see how that works.

Thanks,
Dave

Alan DeKok wrote:
> Dave Mason [EMAIL PROTECTED] wrote:
> > I have two questions about adding new attributes to configuration data.
> >
> > 1) I would like to be able to add my own attributes to the realm entries in clients.conf and proxy.conf. Is this possible?
>
> Sure, if you edit the source code. But why would it be a good idea?
>
> > What I have in mind would look something like this, for clients.conf:
> >
> >     client some.host.org {
> >         secret = testing123
> >         shortname = localhost
> >         myAttribute = someValue
> >     }
> >
> > Then I would need a way to read that from within an RLM module, in my case an EAP sub-module.
>
> You're talking about a solution, not a problem. Describe the problem, and we can probably come up with a better solution.
>
> > 2) To implement my new EAP type, I may also need to define a config parameter in radiusd.conf that would apply to all authentication sessions at that RADIUS server for that EAP type.
>
> That's what the module configuration is for.
>
> > It appears EAP-TLS already does this, but a quick checklist of things to implement would help. My radiusd.conf would look like this:
> >
> >     eap {
> >         default_eap_type = newType
> >         timer_expire = 60
> >         md5 {
> >         }
> >         newType {
> >             newAttribute = someValue
> >         }
> >     }
>
> That's nice, but what problem are you trying to solve?
>
> Alan DeKok.
RE: Maximum/Ideal/Suggested number of users (current and possible)
On Thu, 6 Feb 2003, Tim Rich, Jr. wrote:
> Thanks, Tim - Then some details are available:
>
> We currently serve ~1500 users, max concurrent connection = 96 users. The proposed radius server is a Compaq Proliant DL380, Dual 2.4 Xeon CPU, 4 GB memory, attached to a SAN. This server is running Redhat 7.3 (testing to move to Redhat AS 2.1). The device making Radius requests is a Cisco 5300 Access server connected to 4-24 Channel T-1's. These devices are connected on a 10/100 Ethernet segment. This is the bulk of our business - and would need 99.999 availability. Our peak usage is 5 hours a day, but still only see about 60 current connections. Typical connection length is between 8 and 20 minutes.
>
> The growth of our company is anticipated to be added users of ~ 10,000 this year, as we just signed a large contract. Our ratio of users/available (concurrent) connections is about 1/15. (this means ~ 660 concurrent connections, and would have to add a Cisco AS 5400 to the mix to make this work)
>
> Would FreeRadius provide the robustness, reliability and scalability that we are looking for?
>
> Tim

Here is our setup:

Greek School Network.
4170 schools connecting through ISDN lines
A few thousand dialup accounts
51 access servers. Two of them are Cisco 5800 and the rest are Cisco 3640/3660.

We have two radius servers, one serving the South of Greece (including Attika which hosts the main 5800 access server with 600 lines) and the other serving the North of Greece (which includes the other 5800 with 150 lines). Both radius servers act as a backup for the other.

The user database is in LDAP (iPlanet DS5.1) while the accounting is maintained in MySQL+InnoDB databases. Each server replicates the accounting information through radrelay to the other one. That way we maintain full accounting on each server and can enforce national double login detection and also have nice redundancy.

The LDAP and MySQL databases are hosted on the same machines as are the radius servers (meaning we have 2 LDAP/MySQL/RADIUS servers). The machines are Sun E450 with 1GB RAM and Solaris 8 each.

We do a lot of attribute rewriting through the attr_rewrite module and we have also enabled the detail accounting module for radrelay to work.

The schools connect on demand (when there is a request for something from the internet) so we get a *lot* of connections. For weekdays we get around 10 connections per day.

Here is a typical top output. As you can see freeradius has no problem handling the load.

      PID USERNAME THR PRI NICE  SIZE   RES STATE    TIME   CPU COMMAND
    25361 root      23  58    0 8160K 5448K sleep   35:45 0.34% radiusd
     2923 mysql    121  59    0  193M  108M sleep   73.2H 0.28% mysqld
    21750 nobody     4  58    0   26M   16M sleep    0:43 0.21% httpd
    19294 nobody     3  35    0 3904K 2992K sleep    1:56 0.21% libhttpd.ep
      685 nobody    28  58    0  254M  156M sleep  953:04 0.18% ns-slapd

Alan, how about creating a success stories web page in the freeradius site? That could save a few mails asking about the scalability of the server

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
help with Exec-program-wait
I have been trying to execute a perl script using Exec-Program-Wait. First I created an SH file called exec-program-wait, then from inside the sh program, I run ./myperlscript

I get this error:

    radius_xlat: '/usr/tarka/bin/exec-program-wait'
    Exec-Program: /usr/tarka/bin/exec-program-wait
    /usr/tarka/bin/exec-program-wait: ./myperlscript: No such file or directory
    Exec-Program-Wait: value-pairs: Reply-Message += Hello, %u,
    Exec-Program: returned: 0

My purpose is to run the perl script, rather than SH. And it seems this is the only way I can figure out how. Can anyone help?

Thanks.
Chhai
client-ip.??
Hi list,

I am new to freeradius. I am basically using it to get the msisdn (cli) of the message sender in a WAP environment, as my WAP gateway does not support cli. However, for mapping the msisdn, I also need the dynamic ip assigned to the client phone on a gprs network. I am able to catch the msisdn, but I am getting only the ip of my NAS instead of the original client ip (mobile phone's ip). Can you please tell me how to get that? Is there any configuration to be done, or an attribute/parameter I need to access, in order to get the client-ip?

Appreciate your help. Thanks in advance.

best regards
amit sehgal
Re: help with Exec-program-wait
Chhai Thach wrote:
> I have been trying to execute a perl script using Exec-Program-Wait. First I created an SH file called exec-program-wait, then from inside the sh program, I run ./myperlscript
>
> I get this error:
>
>     radius_xlat: '/usr/tarka/bin/exec-program-wait'
>     Exec-Program: /usr/tarka/bin/exec-program-wait
>     /usr/tarka/bin/exec-program-wait: ./myperlscript: No such file or directory
>     Exec-Program-Wait: value-pairs: Reply-Message += Hello, %u,
>     Exec-Program: returned: 0
>
> My purpose is to run the perl script, rather than SH. And it seems this is the only way I can figure out how. Can anyone help?
>
> Thanks.

Exec-Program-Wait = '/your/perl/script' ?

@+
--
DouRiX
[MISERICORDE, n. A dagger which in mediaeval warfare was used by the foot soldier to remind an unhorsed knight that he was mortal. -- Ambrose Bierce]
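One likely reading of the "No such file or directory" error above is that ./myperlscript is resolved against the working directory of the process that runs the wrapper, not against /usr/tarka/bin. The following added example is not from the thread; the wrapper names and the stand-in helper are constructed, and it assumes the helper sits beside the wrapper. It shows the relative form failing from another directory and a wrapper that resolves its own location succeeding.

```shell
#!/bin/sh
# Added example: a wrapper started by a daemon inherits the daemon's working
# directory, so "./helper" only works when that directory happens to be the
# wrapper's own. Resolving the wrapper's directory removes the dependency.

# make_wrappers DIR: write a constructed helper and two wrappers into DIR.
make_wrappers() {
    d=$1
    # Constructed stand-in for the post's myperlscript.
    cat > "$d/myperlscript" <<'EOF'
#!/bin/sh
echo 'Reply-Message += "Hello"'
EOF
    # Wrapper as described in the post: path relative to the caller's cwd.
    cat > "$d/wrapper-relative" <<'EOF'
#!/bin/sh
./myperlscript "$@"
EOF
    # Wrapper that first resolves the directory it was installed in.
    cat > "$d/wrapper-absolute" <<'EOF'
#!/bin/sh
here=$(cd "$(dirname "$0")" && pwd -P) || exit 1
exec "$here/myperlscript" "$@"
EOF
    chmod 755 "$d/myperlscript" "$d/wrapper-relative" "$d/wrapper-absolute"
}

# run_from CWD CMD [ARGS...]: run CMD with CWD as the working directory,
# in a subshell so the caller's own directory is left alone.
run_from() {
    ( cd "$1" && shift && "$@" )
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_wrappers "$tmp"
    echo "relative wrapper, cwd=/:"
    run_from / "$tmp/wrapper-relative" || echo "  failed with status $?"
    echo "absolute wrapper, cwd=/:"
    run_from / "$tmp/wrapper-absolute" || echo "  failed with status $?"
    rm -rf "$tmp"
}

demo
```
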
porting mipsel platform problem
Dear all,

I want to port freeradius to the mipsel platform, but I ran into a problem. Can anyone give me a hand to resolve this problem? Thank you. My config and error message are as follows:

Configure:

    ./configure --target=mipsel-linux --enable-static --enable-fast-install without-pic --without-threads --without-snmp --without-rlm-acct_unique --without-rlm-always --without-rlm-counter --without-rlm-cram --without-rlm-dbm --without-rlm-detail --without-rlm-digest --without-rlm-example --without-rlm-expr --without-rlm-ippool --without-rlm-krb5 --without-rlm-ldap --without-rlm-pam --without-rlm-perl --without-rlm-python --without-rlm-radutmp --without-rlm-smb --without-rlm-sql --without-rlm-sqlcounter --without-rlm-x99_token --with-ltdl-include=./libltdl/ --without-rlm-eap_tls

Error Message:

mipsel-linux-gcc -g -O2 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -c mainconfig.c /home/jeffery/projects/freeradius-mipsel/libtool --mode=link mipsel-linux-gcc -export-dynamic -dlopen self \ -g -O2 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -L../lib -o radiusd \ radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o -lcrypt -lnsl -lresolv -lradius \ -lltdl -dlpreopen ../modules/rlm_acct_unique/rlm_acct_unique.la -dlpreopen ../modules/rlm_always/rlm_always.la -dlpreopen ../modules/rlm_attr_filter/rlm_attr_filter.la -dlpreopen ../modules/rlm_attr_rewrite/rlm_attr_rewrite.la -dlpreopen ../modules/rlm_chap/rlm_chap.la -dlpreopen ../modules/rlm_detail/rlm_detail.la -dlpreopen ../modules/rlm_eap/rlm_eap.la -dlpreopen ../modules/rlm_expr/rlm_expr.la -dlpreopen ../modules/rlm_fastusers/rlm_fastusers.la -dlpreopen ../modules/rlm_files/rlm_files.la -dlpreopen ../modules/rlm_mschap/rlm_mschap.la -dlpreopen ../modules/rlm_ns_mta_md5/rlm_ns_mta_md5.la -dlpreopen ../modules/rlm_pap/rlm_pap.la -dlpreopen
../modules/rlm_preprocess/rlm_preprocess.la -dlpreopen ../modules/rlm_realm/rlm_realm.la -dlpreopen ../modules/rlm_sql/rlm_sql.la -dlpreopen ../modules/rlm_unix/rlm_unix.la mkdir .libs rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT creating .libs/radiusdS.c extracting global C symbols from `../modules/rlm_acct_unique/.libs/librlm_acct_unique.a' /usr/bin/nm: rlm_acct_unique.o: Bad value extracting global C symbols from `../modules/rlm_always/.libs/librlm_always.a' /usr/bin/nm: rlm_always.o: Bad value extracting global C symbols from `../modules/rlm_attr_filter/.libs/librlm_attr_filter.a' /usr/bin/nm: rlm_attr_filter.o: Bad value extracting global C symbols from `../modules/rlm_attr_rewrite/.libs/librlm_attr_rewrite.a' /usr/bin/nm: rlm_attr_rewrite.o: Bad value extracting global C symbols from `../modules/rlm_chap/.libs/librlm_chap.a' /usr/bin/nm: rlm_chap.o: Bad value extracting global C symbols from `../modules/rlm_detail/.libs/librlm_detail.a' /usr/bin/nm: rlm_detail.o: Bad value extracting global C symbols from `../modules/rlm_eap/.libs/librlm_eap.a' /usr/bin/nm: rlm_eap.o: Bad value /usr/bin/nm: eap.o: Bad value /usr/bin/nm: mem.o: Bad value /usr/bin/nm: state.o: Bad value extracting global C symbols from `../modules/rlm_expr/.libs/librlm_expr.a' /usr/bin/nm: rlm_expr.o: Bad value extracting global C symbols from `../modules/rlm_fastusers/.libs/librlm_fastusers.a' /usr/bin/nm: rlm_fastusers.o: Bad value extracting global C symbols from `../modules/rlm_files/.libs/librlm_files.a' /usr/bin/nm: rlm_files.o: Bad value extracting global C symbols from `../modules/rlm_mschap/.libs/librlm_mschap.a' /usr/bin/nm: rlm_mschap.o: Bad value /usr/bin/nm: deskey.o: Bad value /usr/bin/nm: desport.o: Bad value /usr/bin/nm: smbpass.o: Bad value extracting global C symbols from `../modules/rlm_ns_mta_md5/.libs/librlm_ns_mta_md5.a' /usr/bin/nm: rlm_ns_mta_md5.o: Bad value extracting global C symbols from `../modules/rlm_pap/.libs/librlm_pap.a' /usr/bin/nm: rlm_pap.o: 
Bad value extracting global C symbols from `../modules/rlm_preprocess/.libs/librlm_preprocess.a' /usr/bin/nm: rlm_preprocess.o: Bad value extracting global C symbols from `../modules/rlm_realm/.libs/librlm_realm.a' /usr/bin/nm: rlm_realm.o: Bad value extracting global C symbols from `../modules/rlm_sql/.libs/librlm_sql.a' /usr/bin/nm: rlm_sql.o: Bad value /usr/bin/nm: sql.o: Bad value extracting global C symbols from `../modules/rlm_unix/.libs/librlm_unix.a' /usr/bin/nm: rlm_unix.o: Bad value /usr/bin/nm: cache.o: Bad value /usr/bin/nm: compat.o: Bad value (cd .libs gcc -c -fno-builtin -fno-rtti -fno-exceptions radiusdS.c) rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT mipsel-linux-gcc .libs/radiusdS.o -g -O2 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -o radiusd radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o