Re: not listening on port

2003-07-03 Thread barry


 [EMAIL PROTECTED] wrote:
  I've installed freeradius-0.4-129

   Why?  I don't understand why you've gone out of your way to install
 an old version of the server.

   rest of the message deleted

   Alan DeKok.

 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

It comes default with SUSE 8.0.
I will be upgrading this as I apparently need to do a --disable-shared to
get this to work with postgres.




Re: Sharing SQL connections

2003-07-03 Thread Graeme Hinchliffe
On Wed, 02 Jul 2003 16:40:49 -0400
Alan DeKok [EMAIL PROTECTED] wrote:

 Graeme Hinchliffe [EMAIL PROTECTED] wrote:
  Is it possible to set FreeRADIUS to share an SQL connection
  rather than using one for each request?
 
   Huh?
 
   It uses a pool of SQL connections, and doesn't use a connection per
 request.

If I have the number of SQL connections say set to 10, then when I launch a large 
number of RADIUS requests the log files say that there isn't enough SQL connections 
and it seems to then reject the connection.  So I get a few accepts and hundreds of 
rejects.

  My problem is that our radius servers periodically come under
  VERY heavy load, ie 6000+ accounts all trying to authenticate at
  once.  This obviously means all 256 RADIUS sessions fill up
 
   Huh?
 
   The NAS boxes can have more than 256 RADIUS packets outstanding.

How is this achieved? I thought that the RADIUS protocol only permitted 256 sessions, 
(well per connection)?

  and stay full until all users are authenticated.  This would require
  256 socket connections to MySQL as I read it,
 
   That's not true at all.

if I have less than 256 it rejects a lot of the requests.

   When all connections are in use the daemon queues additional
  requests until a socket becomes free.
 
   This is a little different.  The server should stop accepting new
 packets if doesn't have the resources to process them.  This will go
 in before 0.9.

Any idea of timescale for this?  Also how will it be done? hanging back on responses 
to slow the sender down?


-- 
-
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk)

ICQ 3842605

Sales : 0870 6000 971
Fax   : 0870 6000 972




Cisco AP that works with Freeradius

2003-07-03 Thread Wei Ming Long
Hi everyone,
I am looking to purchase a Cisco Wireless Access Point. I have a small
budget, so can you recommend a low end Cisco WLAN AP that is proven to work
with Freeradius? the Cisco 350 series WLAN AP?

Best regards
Matthew



RE: Cisco AP that works with Freeradius

2003-07-03 Thread Roman Janos
Yes, the Cisco 350 series WLAN AP works fine with FreeRadius.

Roman



Re: Behaviour with accounting server down? (Cisco)

2003-07-03 Thread Oliver Graf
On Thu, Jul 03, 2003 at 10:30:03AM +0200, doc jones wrote:
 hello,
 what happens (what SHOULD happen) when the radius accounting server is 
 unavailable? I know the rfc recommends the client to retransmit its 
 accounting-request but does a failing acct server impact on the 
 authentication server? In this case since the accounting server was down 
 the authentication server would fail as well and no fallover was made to 
 the other listed radius hosts,
 
 aaa authentication ppp default radius
 aaa accounting network default stop-only radius
 
 radius-server host x.x.x.x auth-port 1812 acct-port 1813
 radius-server host x.x.x.x auth-port 1812 acct-port 1813
 radius-server key *

You can get failover by defining aaa groups.

example:

aaa group server radius acct
 server 1.2.3.4 auth-port 1745 acct-port 1746
!
aaa group server radius auth
 server 1.2.3.5 auth-port 1812 acct-port 1813
 server 1.2.3.6 auth-port 1812 acct-port 1813
! 
radius-server host 1.2.3.4 auth-port 1745 acct-port 1746 key X
radius-server host 1.2.3.5 auth-port 1812 acct-port 1813 key Y
radius-server host 1.2.3.6 auth-port 1812 acct-port 1813 key Z

Oliver.




RE: Cisco AP that works with Freeradius

2003-07-03 Thread Wei Ming Long
Hi Roman,
Thanks, do you know the price?



RE: Cisco AP that works with Freeradius

2003-07-03 Thread Roman Janos
Actually no, the company bought this piece of HW for me a long time ago (1
year). So actually I don't have any idea about Cisco prices. Sorry.

Roman



RE: Cisco AP that works with Freeradius

2003-07-03 Thread Wei Ming Long
Sure, no problem, thanks anyway.

Have a nice day!
Matthew



RE: Configuration Advice

2003-07-03 Thread Jeff Green
Hi Dustin,


Thanks for the pointer.

I don't have / want a users file, I'm using config data stored
in MySQL tables.

Would multiple entries called DEFAULT work in the radcheck table ?


Regards,

-Original Message-
From: Dustin Doris [mailto:[EMAIL PROTECTED]
Sent: 02 July 2003 15:26
To: [EMAIL PROTECTED]
Subject: Re: Configuration Advice


in users file

DEFAULT   NAS-IP-Address == 10.10.10.1
  Attribute = Value

DEFAULT  NAS-IP-Address == 10.10.10.2
  Attribute = Value

man 5 users for more info





On Wed, 2 Jul 2003, Jeff Green wrote:

 Hi Everyone,


   I'm using FreeRadius 0.8.1 with MySql backend and everything's
 working fine. It's a great piece of s/w.

 I've read the O'Reilly book and read the docs but I'm stuck on a configuration
 issue.

 My question is:

 I have two NAS (completely different) and I want one RADIUS server with
 one set of user definitions (username/password).

 How do I get Freeradius to send different set of Reply-Items depending on
 the NAS the request comes from ?



   Many Thanks,

 ---
 Jeff Green
 SAPIENS (UK) Ltd
 t: +44 (0)1895 464000 f: +44 (0)1895 463098
 url: http://www.sapiens.co.uk
 Heavenly thoughts, in heavenly minds .. is not the World's design
 
 Confidentiality Note: The information contained in this email and
 document(s) attached are for the exclusive use of the addressee and may contain 
 confidential, privileged and non-disclosable information. If the recipient of this 
 email is not the addressee, such recipient is strictly prohibited from reading, 
 photocopying, distribution or otherwise using this email or its contents in any way. 
 Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at 
 [EMAIL PROTECTED], if you have received this email in error.

 Disclaimer: The views, opinions and guidelines contained in this confidential e-mail 
 are those of the originating author and may not be representative of Sapiens (UK) 
 Ltd.
 



RE: Sharing SQL connections

2003-07-03 Thread Nathan Littlepage



If I have the number of SQL connections say set to 10, then when I
launch a large number of RADIUS requests the log files say that there
isn't enough SQL connections and it seems to then reject the
connection.  So I get a few accepts and hundreds of rejects.


If I remember correctly mySQL has a default max_connections setting of
100. To see the variable setting do a 'show variables'. You can add more
connection when you start mysqld. 




Re: Sharing SQL connections

2003-07-03 Thread Graeme Hinchliffe
 If I remember correctly mySQL has a default max_connections setting of
 100. To see the variable setting do a 'show variables'. You can add more
 connection when you start mysqld. 

It is not this limit that is being hit.  If I set the SQL connections to 10, then 
FreeRADIUS requests you increase the value as it has run out.  If I increase the value 
to 256 it doesn't do this, but it increases the load on the machine by a large amount.


-- 
-
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk)

ICQ 3842605

Sales : 0870 6000 971
Fax   : 0870 6000 972




Migrating from CiscoSecure ACS 2.6 to Freeradius

2003-07-03 Thread Damien Croarken
Has anyone migrated from CiscoSecure ACS v2.6 to free radius? Any Ideas
/ thoughts would be helpful




Re: strange packets from Patton

2003-07-03 Thread Marcin Mank


   Which doesn't contain any vendor specific attributes.

OK - I might have got the wrong packet. Here are two, with the lines from
radius.log:

14:33:10.241889 10.10.20.52.who  radius.radius-acct:  rad-account-req 196
[id 10] Attr[  Acct_session_id{08350D00056F}
Acct_multi_session_id{08350D00056F} NAS_id{Patton} NAS_port{0}
NAS_port_type{#26}
Vendor_specific{..q~..6Nk.q~..6N.iq~..6N.Fq~..6N..q~...N...~..CN...~..CN
x..~..CN..~..CN...~...N.7N.7N.7N.7N.7N4} ]

Vendor specific attribute has invalid length -2

14:55:22.123901 10.10.20.52.who  radius.radius-acct:  rad-account-req 196
[id 113] Attr[  Acct_session_id{08350D00057E}
Acct_multi_session_id{08350D00057E} NAS_id{Patton} NAS_port{0}
NAS_port_type{#26}
Vendor_specific{..pv...N..pv...N..pv...N..pv...N...|...N...|...N...|...N
...|...N...N...N...N...N...N...N...N..} ]

Vendor specific attributes do not exactly fill Vendor-Specific

None of these contain  Acct-Status-Type , what does piss off freeradius.

I have also such packets:

14:55:28.120846 10.10.20.52.who  radius.radius-acct:  rad-account-req 68
[id 113] Attr[  Acct_session_id{08350D00057E}
Acct_multi_session_id{08350D00057E} NAS_id{Patton} NAS_port{0}
NAS_port_type{#182} ]

These do not contain the vendor-specific part, but they also don't contain
Accounting-Status-Type. What is the point for NAS to send such packets?
The Vendor-Specific attribute never gets logged in radacct.

Any ideas for a quick fix? If You know, what info is in this vendor-specific
part, it would also be much help.

Cheers
Marcin




rlm_sqlcounter

2003-07-03 Thread Liyuán García Caballero
Please, help me.
I have done everything the file says for rlm_sql_counter to use the 
counter, but when I execute radiusd -X it says to me:

ERROR: Cannot find a configuration entry for module sql.

What is this?
--
Liyuán García Caballero
IT Consultant
ESI, Ciego de Ávila
Cuba.
Contact me at:
Tel: 53-033-28734 ext. 120
AIM: liyuang
Yahoo, MSN: liyuangarcia.
Linux for everyone
With great features and high performance, at lower cost.
:)








Re: Saving attributes while proxying

2003-07-03 Thread Sepp Rudel
--- Sepp Rudel [EMAIL PROTECTED] wrote:
 
 I thought I could do the tricks with rlm_perl but I
 get this error:
 
 radiusd.conf: perl modules aren't allowed in
 'post-proxy' sections -- they have no such method.

With the attached patch against latest CVS snapshot I
can use rlm_perl in pre-proxy, post-proxy, and
post-auth sections. Not sure is this the most elegant
solution, so handle with care.


perl-pre-post.diff
Description: perl-pre-post.diff


RE: Sharing SQL connections

2003-07-03 Thread Nathan Littlepage
I do think there is a way around it. I once helped get Ascend's radius
to use Sybase many eons ago and we simply beefed up the machine.

Why not split the load between two machines? I've got primary and
secondary systems using a replicated mySQL db from one central server. I
simply use dns to load balance the traffic.



unsubscribe

2003-07-03 Thread Mendez, Luis
unsubscribe



Re: rlm_sqlcounter

2003-07-03 Thread Alan DeKok
Liyuán García Caballero [EMAIL PROTECTED] wrote:
 I have made everything what the file says to rlm_sql_counter to use the 
 counter, but when I execute radiusd - X says to me:
 
 ERROR: Cannot find a configuration entry for module sql.
 
 What is this

  Maybe you need to configure the SQL module, too?

  Alan DeKok.



Re: Sharing SQL connections

2003-07-03 Thread Alan DeKok
Graeme Hinchliffe [EMAIL PROTECTED] wrote:
It uses a pool of SQL connections, and doesn't use a connection per
  request.
 
 If I have the number of SQL connections say set to 10, then when I
 launch a large number of RADIUS requests the log files say that
 there isn't enough SQL connections and it seems to then reject the
 connection.  So I get a few accepts and hundreds of rejects.

  Yes... because the SQL queries are taking too long.  It's simple
math.

  The server gets 100 requests in a second, and if the SQL queries
take 1/10 of a second each, it will take 10 seconds to respond to all
of the requests.  At which point, some will have timed out, and the
NAS will have sent even more.

  Fix your SQL database to be faster, or run it on a faster machine.

The NAS boxes can have more than 256 RADIUS packets outstanding.
 
 How is this achieved? I thought that the RADIUS protocol only
 permitted 256 sessions, (well per connection)?

  There is no connection between NAS and RADIUS server.

  Read the RFC's for descriptions of how more than 256 requests from
one NAS are allowed.

 if I have less than 256 it rejects a lot of the requests.

  Because your SQL database is slow.  Adding more SQL sockets means
that even more requests can *appear* to be handled.  It doesn't solve
the underlying problem.

  The server should stop accepting new
  packets if doesn't have the resources to process them.  This will go
  in before 0.9.

  Sorry, I meant 1.0.

 Any idea of timescale for this?

  Before 1.0.

   Also how will it be done?

  Properly.

  hanging back on responses to slow the sender down?

  That won't make any difference.

  Alan DeKok.



Installing Freeradius on Debian

2003-07-03 Thread Aime
Hello All,

Where can i find a step-by-step  to install Freeradius
on Debian ?

- Packages that needs to be in place.
- best way to proceed 
- etc...

Thanks





dynamic library

2003-07-03 Thread Ron Wahler

How can I determine the path in which FreeRadius picks up 
dynamic libraries?   I am wondering about the ldap libraries.

I did force it to use some lib's in the configure.

./configure --prefix=/opt/freeradius  --with-experimental-modules
--x-libraries=/opt/openldap/lib --x-includes=/opt/openldap/include
--x-libraries=/opt/openssl-snap/lib
--x-includes=/opt/openssl-snap/include 



thanks,
Ron Wahler



Re: Adding realm suffix to non-realm username.

2003-07-03 Thread Christophe Boyanique
On Thu, Jun 12, 2003 at 08:25:07PM +0200, Rob Hartzenberg wrote:

 Why when using searchfor = [EMAIL PROTECTED]
 Does it drop the $ (As show in previous logs)
 but when using searchfor = [EMAIL PROTECTED]
 It works fine?

I posted a patch a while ago, and I just found that my message doesn't
appear in the mailing-list archive... here is a copy:

Subject: XLAT patch
Date: Wed, 14 May 2003 17:03:53 +0200
From: Christophe Boyanique [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.0K --]

Hi,

I had problems while trying to work with rlm_attr_rewrite and especially
with a regexp containing the end of string $ character. After many
mailing-list archive searches and sources tweakings I ended up modifying
the xlat.c file by adding in the radius_xlat function the handling of \$
character, replaced by $ (patch is attached).

Now I can have things like that in the radiusd.conf:

attr_rewrite force_username {
        attribute = User-Name
        searchin = packet
        searchfor = ^%{Called-Station-Id}\\$
        #searchfor = ^[0-9]+\\$
        replacewith = [EMAIL PROTECTED]:Realm}
        append = no
        new_attribute = no
        max_matches = 1
}

and it works ! (Note the double backslash).

I don't know if this modification would break anything else and/or it
should be repeated in other xlat.c' functions... Feel free to comment :)

Christophe.

[-- Attachment #2: freeradius-xlat.patch --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.2K --]

--- xlat.c.orig Wed May 14 16:55:49 2003
+++ xlat.c  Wed May 14 16:05:27 2003
@@ -411,6 +411,9 @@
case 'n':
*q++ = '\n';
break;
+   case '$':
+   *q++ = '$';
+   break;
default:
*q++ = c;
*q++ = *p;




Re: strange packets from Patton

2003-07-03 Thread Puneet B

 I might have got the wrong packet. Here are two, with the lines 
 from radius.log:


Vendor specific attribute has invalid length -2

that warning is correct. If we start decoding the packet, and 
get to the vendor specific attribute:

1a 80  - tag indicating it's a VSA, and the length 
 06e8 - vendor ID (1768) which is assigned to Patton Electronics Company
00 14 - ID=0 and 0x14 (20) bytes attribute, meaning 20 byte attribute, with 18 bytes data 
717e e200 364e 6bd8 717e e200 364e b069 717e 
e2 00 - the attribute tag is 0xE2, but the length is 0 bytes??? This is
 the problem. The length has to be at least 2 (for the tag and length)
 size of data = length-2, which in this case turns out to be -2.
 This is where freeRadius would complain.
364e 0046 717e e200 364e 0c1e 
717e e200 
024e  947e 
e200 434e 0200 947e e200 434e 780b 947e 
e200 434e 80ba 947e e200 434e 0700 947e 
e200 014e  f380 e200 374e  f380 
e200 374e d18c f380 e200 374e f1ff f380 
e200 374e 0400 f380 e200 374e 8034

I have not decoded the other packet, but apparently Patton packs
their Vendor Specific Attributes in a manner that is different from
what the RFC recommends. Unfortunately the RFC does not mandate, just
recommends a format, and implementors are free to choose their own.

 None of these contain Acct-Status-Type , what does piss off freeradius

I think you need to check with your NAS/RAS vendor (Patton) why 
invalid accounting packets (without the Acct-Status-Type) are being
sent by them. 

Puneet
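
The decoding walked through above, as an added example that is not part of the original post and is not FreeRADIUS code: a Python parser for one Vendor-Specific attribute in the RFC 2865 recommended layout, reporting the two failure modes seen in this thread. The byte strings are constructed samples modelled on the values in the walkthrough (vendor ID 1768, sub-attribute `00 14`, then `e2 00`); all function and variable names are hypothetical.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type 26 (0x1a), RFC 2865 section 5.26


class VSAError(ValueError):
    """A Vendor-Specific attribute that cannot be decoded."""


def parse_vsa(attr: bytes):
    """Decode one Vendor-Specific attribute in the RFC 2865 recommended layout.

    Layout: type(1) length(1) vendor-id(4), then sub-attributes, each
    vendor-type(1) vendor-length(1) data(vendor-length - 2).
    Returns (vendor_id, [(vendor_type, data), ...]) or raises VSAError.
    """
    if len(attr) < 2:
        raise VSAError("truncated attribute header")
    attr_type, attr_len = attr[0], attr[1]
    if attr_type != VENDOR_SPECIFIC:
        raise VSAError(f"attribute type {attr_type} is not Vendor-Specific")
    # RFC 2865: Length >= 7 (2-byte header, 4-byte vendor id, 1+ byte string).
    if attr_len < 7 or attr_len > len(attr):
        raise VSAError(f"bad Vendor-Specific length {attr_len}")
    (vendor_id,) = struct.unpack("!I", attr[2:6])

    body = attr[6:attr_len]
    subs = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise VSAError("sub-attributes do not exactly fill Vendor-Specific")
        vtype, vlen = body[pos], body[pos + 1]
        # vendor-length counts its own two header bytes. Below 2 the data
        # size goes negative, and a length of 0 would leave this loop
        # stuck on the same byte, so reject before advancing.
        if vlen < 2:
            raise VSAError(
                f"sub-attribute 0x{vtype:02x} at offset {pos} "
                f"has invalid data length {vlen - 2}"
            )
        # A sub-attribute that claims more bytes than the VSA still holds.
        if pos + vlen > len(body):
            raise VSAError("sub-attributes do not exactly fill Vendor-Specific")
        subs.append((vtype, body[pos + 2 : pos + vlen]))
        pos += vlen
    return vendor_id, subs


def diagnose(attr: bytes) -> str:
    """Return 'ok: ...' or 'reject: <reason>' instead of raising."""
    try:
        vendor_id, subs = parse_vsa(attr)
    except VSAError as exc:
        return f"reject: {exc}"
    return f"ok: vendor {vendor_id}, {len(subs)} sub-attribute(s)"


# Constructed samples, not captured traffic. Vendor id 0x000006e8 = 1768.
# One sub-attribute, type 1, length 6 (2 header bytes + 4 data bytes).
WELL_FORMED = bytes.fromhex("1a0c000006e8" "0106" "7076e400")
# Sub-attribute 00 14 with 18 data bytes, followed by e2 00: length 0.
ZERO_LENGTH = bytes.fromhex(
    "1a1e000006e8" "0014" "717ee200364e6bd8717ee200364eb069717e" "e200364e"
)
# Sub-attribute claims 0x1b (27) bytes but only 6 remain in the VSA.
OVERRUN = bytes.fromhex("1a0c000006e8" "011b" "7076e400")

if __name__ == "__main__":
    for name, sample in (
        ("well-formed", WELL_FORMED),
        ("zero-length sub-attribute", ZERO_LENGTH),
        ("overrunning sub-attribute", OVERRUN),
    ):
        print(f"{name}: {diagnose(sample)}")
```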



Re: strange packets from Patton

2003-07-03 Thread Puneet B

--- On Thu 07/03, Oliver Graf  [EMAIL PROTECTED]  wrote:
 NAS-IP and Client-IP are added by freeradius if they are missing.
 Timestamp is a pure freeradius added attribute IMHO.

Thanks for clarifying that!

Puneet



Re: dynamic library

2003-07-03 Thread Alan DeKok
Alan DeKok [EMAIL PROTECTED] wrote:
   The easiest way to do it is to re-run 'configure', in the rlm_ldap
 directory:
 
 $ cd src/modules/rlm_ldap
 $ CFLAGS="-I/opt/openldap/include -I/opt/openssl-snap/include"
 $ LDFLAGS="-L/opt/openldap/lib -L/opt/openssl-snap/lib"
 $ export CFLAGS
 $ export LDFLAGS

$ rm config.cache

  So that the old (possibly broken) things don't get picked up.

 $ ./configure

  Alan DeKok.



freeradius 0.8.1 and postgresql problems

2003-07-03 Thread Kevin Fenzi


Greetings. 

I am seeing a problem with a new freeradius 0.8.1 install using
postgresql as the backend. 

Authentication works fine. 
Accounting Start records work fine. 
Accounting stop records dont. 

Here is the radiusd -x -x -x output: 

Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 127.0.0.1:32824, id=88, length=38
User-Name = root
Acct-Status-Type = Stop
Acct-Session-Id = 1808
modcall: entering group preacct
  modcall[preacct]: module preprocess returns noop
rlm_realm: No '@' in User-Name = root, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop
  modcall[preacct]: module files returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID MAY be 
inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 127.0.0.1,NAS-IP-Address = 
127.0.0.1,Acct-Session-Id = 1808,User-Name = root'
rlm_acct_unique: Acct-Unique-Session-ID = c73b34e5c9f495dc.
  modcall[accounting]: module acct_unique returns ok
radius_xlat:  '/var/log/radius/radacct/127.0.0.1/detail-20030702'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radius/radacct/127.0.0.1/detail-20030702
  modcall[accounting]: module detail returns ok
  modcall[accounting]: module unix returns noop
radius_xlat:  'root'
rlm_sql (sql): sql_set_user escaped user -- 'root'
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2003-07-02 15:33:30', AcctSessionTime = '', AcctInputOctets = CASE WHEN '' = '' THEN 0 ELSE  '' END, AcctOutputOctets = CASE WHEN '' = '' THEN 0 ELSE '' END, AcctTerminateCause = '', AcctStopDelay = '0', FramedIPAddress = '', ConnectInfo_stop = '' WHERE AcctSessionId = '1808' AND UserName = 'root' AND NASIPAddress = '127.0.0.1' AND AcctStopTime IS NULL'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = '2003-07-02 15:33:30', AcctSessionTime = '', AcctInputOctets = CASE WHEN '' = '' THEN 0 ELSE  '' END, AcctOutputOctets = CASE WHEN '' = '' THEN 0 ELSE '' END, AcctTerminateCause = '', AcctStopDelay = '0', FramedIPAddress = '', ConnectInfo_stop = '' WHERE AcctSessionId = '1808' AND UserName = 'root' AND NASIPAddress = '127.0.0.1' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: s, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_postgresql #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = '2003-07-02 15:33:30', AcctSessionTime = '', AcctInputOctets = CASE WHEN '' = '' THEN 0 ELSE  '' END, AcctOutputOctets = CASE WHEN '' = '' THEN 0 ELSE '' END, AcctTerminateCause = '', AcctStopDelay = '0', FramedIPAddress = '', ConnectInfo_stop = '' WHERE AcctSessionId = '1808' AND UserName = 'root' AND NASIPAddress = '127.0.0.1' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: s, returning SQL_DOWN
rlm_sql (sql): failed after re-connect
rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR:  Bad numeric input 
format ''
rlm_sql (sql): Released sql socket id: 1
  modcall[accounting]: module sql returns fail
modcall: group accounting returns fail
Finished request 3
Going to the next request

This seems like something wrong in the postgresql.conf accounting stop
sql, but I'm not sure what.

Any ideas?

I am happy to provide any additional debugging. 

kevin


Help Please

2003-07-03 Thread radius
Running freeradius-0.8.1/Mysql-3.23.56 and authenticating dialup users
with radcheck we cannot log sessions in the radacct database.
Did we miss a radius/sql config file entry somewhere or file permission,
IP table rule?
My errors are:

Thu Jul  3 08:46:06 2003 : Error: Invalid operator for item Password: reverting to '=='
Thu Jul  3 08:46:06 2003 : Auth: Login OK: [/x] (from client private port 1 cli unknown)
Thu Jul  3 08:46:08 2003 : Error: Dropping packet from client private:513 - ID: 243 due to dead request 2874

My IP rules:

ACCEPT udp  --  192.168.0.251  192.168.0.136  state NEW,RELATED,ESTABLISHED udp dpt:radius
ACCEPT udp  --  192.168.0.251  192.168.0.136  state NEW,RELATED,ESTABLISHED udp dpt:radius-acct

Should my sql operator be just equal or colon equal?





RE: unsubscribe

2003-07-03 Thread Deryk Piper
Do us all a favour and visit
http://lists.cistron.nl/mailman/listinfo/freeradius-users and
unsubscribe there.  If you had read the emails that you were receiving,
you would have noted the handy HTML link at the bottom of EVERY list
email that says, quite plainly, List info/subscribe/unsubscribe

DP




RE: unsubscribe

2003-07-03 Thread John M. Luker
DP,

Probably a waste of bandwidth, I've sent him 4 emails offlist with explicit 
instructions (cut and pasted from the freeradius site). I don't think he's 
reading any of his mail. Go figure.

J.


PEAP // EAP-TTLS Support

2003-07-03 Thread Ted Ma
Hi,
	We are currently porting FreeRadius to uClinux. From the lists (devel and 
user) I see that a couple of people have started on the implementation of 
both PEAP and EAP/TTLS. We can add bodies for both development and testing 
to the group(s).

	Has any code / architecture for the modification to the upper layer (so tls 
can be shared) been done? I'm just trying to get a sense of how far along 
the projects have gotten.

	From the lists, I can't tell if there is a coordinated plan for the new 
protocol support.

	BTW our company has previously funded other Open source projects, so if we 
can help accelerate the effort, let us know.

Alan,
	I wasn't sure if I should have posted to the devel list or the user list. 
If you think that it should go to the devel list, I will post there as 
well.

		...MaTed

--
Ted Ma
Arcturus Networks Inc.
100-116 Spadina Ave.
416-621-0125 x206
Toronto, Ontario

