fopen problem with Freeradius
Dear All,

I am running Freeradius Ver. 0.8.1 on a Sun Solaris machine Ver. 8 and connecting to 4 Oracle Databases (different machines) for Authentication and Accounting (along with Fail-over).

My setup is as follows:

100 connections for Primary Authentication.
100 connections for Secondary Authentication.
100 connections for Primary Accounting.
100 connections for Secondary Accounting.

Once I start the Freeradius process, I can open only 253 connections out of 400 and I got the following error:

Mon Jul 14 08:39:16 2003 : Error: Failed creating PID file /usr/local/var/run/radiusd/radiusd.pid: Too many open files

And the process did not start.

I've tried to change some system parameters, but I've realized that I can only change the parameter controlling the "open" files and not "fopen", which is used by Freeradius.

I'll appreciate your help in advance.

Regards
---
Yasser Ahmed Hosny

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
new group in "dialup-admin"
May I ask a question about dialup-admin:

This is some code from group-new:

    if ($attr_type["$key"] == 'checkItem'){
        $table = "$config[sql_groupcheck_table]";
        $type = 1;
    }
    else if ($attr_type["$key"] == 'replyItem'){
        $table = "$config[sql_groupreply_table]";
        $type = 2;
    }

When is $attr_type[$key] set to the value checkItem or replyItem? In which file? I tried to find it, but couldn't see how the $table name is set to groupcheck or groupreply.

Any time I add a new group, it is always added in radgroupreply, not in radgroupcheck. Why?
RE: Cisco AP that works with Freeradius
Hi Roman,

does the Cisco 350 series WLAN AP also support 802.1x protocol too?

regards
Matthew

>>> [EMAIL PROTECTED] 07/03/03 04:46PM >>>
Yes, the Cisco 350 series WLAN AP works fine with FreeRadius.

Roman

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of user Wei Ming Long
> Sent: 3 July 2003 10:42
> To: <
> Subject: Cisco AP that works with Freeradius
>
> Hi everyone,
> I am looking to purchase a Cisco Wireless Access Point. I have a small
> budget, so can you recommend a low end Cisco WLAN AP that is proven to work
> with Freeradius? the Cisco 350 series WLAN AP?
>
> Best regards
> Matthew
dialup-admin question
I use dialup-admin and these are my questions:

-- I open the radcheck table: the user's password is raw, not encrypted, so anyone who can access the postgresql database can see the password. In the PHP code of user_new.php3 I see a password encryption procedure; how do I use this procedure?

-- Why do I need the "bad users" table?

-- If I use radgroupcheck and use groups in this table for usergroup, and I don't use the "radgroupreply" table, what happens? I mean that I drop the radgroupreply table.

Thanks in advance.
Manh Cuong.
Re: Rejecting authentication with SQL
On Sun, Jul 13, 2003 at 08:46:10AM -0400, Alan DeKok wrote:
> rlm_counter? It adds, not subtracts, but that's easy enough to work
> with.

That works perfectly, actually. I'm probably doing it wrong, though. I thought, why use an increasing counter, when I can just decrease the counter and check if All-Session-Time is bigger than 0. (which, btw, in the docs is named Max-All-Session-Time)

The thing is, I'm thinking there are other ways of doing this, without having to use rlm_sqlcounter. But, if there's nothing fundamentally wrong with it, I guess I'm going to stick with it...

Thanks for the suggestion.

--
Regards
Birzan George Cristian
radius and sql question.
Hi.

I use freeradius 8.1 on RH9 with mysql. It works perfect. (authorization from sql)

I work on some features and I've problem. In sql.conf:

    authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"

Now I want to pass "id" value as command line argument to Exec-Program-Wait. I read variables.txt. I checked such variable %{config:authorize.sql.id} or %{sql.id} but it didn't work.

Maybe such solution will probably work but it's rather work around for me.

    Exec-Program-Wait = `/etc/raddb/check %{sql: select id from radcheck WHERE username = %{User-Name} and attribute = 'Password' and value = %{User-Password}}'

Regards.
--
Adam
Re: Acct-Output-Gigawords, Acct-Input-Gigawords
On Sun, Jul 13, 2003 at 03:46:08AM +1000, Paul Hampson wrote:
> Just looking at some of my records, would I be right in
> observing that the default *sql.conf files don't account
> for Acct-Output-Gigawords and Acct-Input-Gigawords?
>
> In the process of repairing damage done to my Calling-Station-ID
> and NASPortId fields by too-short field lengths, I noticed
> that several of my customers had managed to get a 1 in their
> Acct-Output-Gigawords, but that hadn't been taken into account
> in the mysql table...
>
> If I'm right and it's not being accounted for, is there any
> reason I wouldn't want to modify the query to be
> SET AcctInputOctets = %{Acct-Input-Octets} +
> (%{Acct-Input-Gigawords} * 4294967296)

Or

    SET AcctInputOctets = (cast(%{Acct-Input-Gigawords:-0} as <64-bit-integer>) << 32) + %{Acct-Input-Octets:-0}

if binary shift is supported by DBMS.

However, default *sql schemas use numeric(N) fields for *Octets, which
1) are slow;
2) sometimes require explicit value casting;
3) need to be expanded to numeric(20) to avoid overflows...

So I'll vote for second solution:

> Otherwise I'll add the Gigaword columns as extra columns.

You could put both of them into *sql.conf as an example, and let admins decide for themselves which one to use :)

--
Fduch M. Pravking
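Added example (not part of the original thread and not FreeRADIUS code): the arithmetic discussed in the two messages above, in Python, treating a missing attribute as 0 like the `%{...:-0}` default and checking what column width the combined value needs. The record layout, function names and sample records are assumptions constructed for this illustration.

```python
# Added example, not FreeRADIUS code. Record layout and names are assumptions.
WRAP = 1 << 32               # Acct-*-Octets is 32-bit; Gigawords counts its wraps
INT64_MAX = (1 << 63) - 1    # largest value of a signed 64-bit integer column


def _attr(record, name):
    """Read a 32-bit unsigned attribute; a missing one counts as 0 (like ':-0')."""
    value = int(record.get(name, 0))
    if not 0 <= value < WRAP:
        raise ValueError(f"{name}={value} is outside the 32-bit unsigned range")
    return value


def total_octets(record, direction):
    """Full octet count for direction 'Input' or 'Output'."""
    octets = _attr(record, f"Acct-{direction}-Octets")
    gigawords = _attr(record, f"Acct-{direction}-Gigawords")
    return (gigawords << 32) + octets      # same as gigawords * 4294967296 + octets


def undercount(record, direction):
    """Octets missing from the table when only Acct-*-Octets is stored."""
    return total_octets(record, direction) - _attr(record, f"Acct-{direction}-Octets")


def column_needs(value):
    """Decimal digits needed, and whether a signed 64-bit column can hold it."""
    return {"digits": len(str(value)), "fits_signed_int64": value <= INT64_MAX}


# Constructed sample accounting records (attribute values arrive as strings).
SAMPLES = [
    {"User-Name": "alice", "Acct-Output-Octets": "1000", "Acct-Output-Gigawords": "1"},
    {"User-Name": "bob", "Acct-Output-Octets": "52341"},   # no Gigawords sent
    {"User-Name": "max", "Acct-Output-Octets": str(WRAP - 1),
     "Acct-Output-Gigawords": str(WRAP - 1)},              # largest possible value
]

if __name__ == "__main__":
    for rec in SAMPLES:
        total = total_octets(rec, "Output")
        print(rec["User-Name"], total, undercount(rec, "Output"), column_needs(total))
```

The largest combined value is 2^64 - 1, which has 20 decimal digits (the numeric(20) width mentioned in the reply) and does not fit a signed 64-bit column.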
Re: problem with Session-Timeout
On Sun, Jul 13, 2003 at 12:07:51PM +0400, Emel`chenko Alexander wrote:
> On Sun, 13 Jul 2003 18:00:15 +1000
> "Paul Hampson" <[EMAIL PROTECTED]> wrote:
>
> > > From: Emel`chenko Alexander
> > > Sent: Sunday, 13 July 2003 5:48 PM
> >
> > > why radius doesn't send "Session-Timeout" to NAS if
> >
> > > in acct_users:
> > > DEFAULT Acct-Status-Type == Start
> > >         Exec-Program = "/usr/local/bin/start"
> >
> > Exec-Program doesn't wait for attributes. You want
> > Exec-Program-Wait
> >
> no, Exec-Program-Wait doesn't work
> the same

H... Alan already told you that a Session-Timeout makes no sense for Accounting packets... so what?

Oliver.
Re: Rejecting authentication with SQL
Birzan George Cristian <[EMAIL PROTECTED]> wrote:
> The way I'm currently doing this is by telling the NAS to send
> accounting updates every minute, and subtracting the appropriate number
> of points, via accounting_update_query. The problem I'm facing is that I
> don't know how I can make FreeRADIUS deny authentication for a user that
> has less than the minimum of points.

rlm_counter? It adds, not subtracts, but that's easy enough to work with.

Alan DeKok.
Re: Session-Timeout
Emel`chenko Alexander <[EMAIL PROTECTED]> wrote:
> why radius does`t send "Session-Timeout" if
>
> in acct_users:

Session-Timeout cannot be used in accounting packets. See the RFC's.

Alan DeKok.
Rejecting authentication with SQL
Hello

I'm having a very frustrating problem with the latest CVS version of FreeRADIUS (though, that's barely relevant). My problem is that I don't know how I can design the database/configure FreeRADIUS so that I can reject the authentication of certain users, based on the result of a random query.

My problem is that I have to use an accounting system based on points, more points get used per minute during peak hours, than off peak hours. The way I'm currently doing this is by telling the NAS to send accounting updates every minute, and subtracting the appropriate number of points, via accounting_update_query. The problem I'm facing is that I don't know how I can make FreeRADIUS deny authentication for a user that has less than the minimum of points.

This is, probably, happening because of my poor understanding of how RADIUS and FreeRADIUS actually work, but from the available documentation (which is sparse, to say the least), I cannot figure any possible way of doing it, without using triggers in PostgreSQL, which is, imo, the ugly way of doing it.

I would appreciate any input on this, including UTSL, as long as it's not a dead end.

Thanks, in advance.

--
Regards
Birzan George Cristian
Re: createlang plperl
On Sun July 13 2003 12:08, Umut Destan wrote:
> Hi all,
> Following the instructions Peter Nixon gives in VoIP billing;
> "createlang plperl radius" doesn't seem to succeed. (How important is
> plperl anyway?) I got the postgresql-plperl.rpm package with the same
> version as my postgresql packages (7.1.3-2) But when I try to createlang, it
> fails:
> ERROR: Load of file /usr/lib/pgsql/plperl.so failed:
> /usr/lib/perl5/5.00503/i386-linux/auto/Opcode/Opcode.so cannot open shared
> object file: No such file or directory. Well of course Opcode.so is not
> there because I have Perl 5.6.0 and it's in /usr/lib/perl5/5.6.0/ Is
> something wrong with plperl.so here?

My instructions are tested on SuSE Linux 8.1 and 8.2 with updated Postgres, perl and postgres module rpms (Some problems I found with the rpms caused new ones to be released)

You only need plperl if you are planning on writing stored procedures in perl. I use the following stored procedure:

    CREATE OR REPLACE FUNCTION strip_dot (text) returns timestamp AS '
        my $datetime = $_[0];
        $datetime =~ s/^\\.*//;
        return $datetime;
    ' language 'plperl';

to strip the leading . from the timestamps of Cisco NASes that have temporarily lost NTP timesync.

I probably should rewrite this in Postgres native language, but I did not know it and did know perl at the time I wrote this. If I get a chance tomorrow I will rewrite it before the next FR release. (My wife tells me as it's Sunday we are going shopping now :-)

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
createlang plperl
Hi all,

Following the instructions Peter Nixon gives in VoIP billing; "createlang plperl radius" doesn't seem to succeed. (How important is plperl anyway?) I got the postgresql-plperl.rpm package with the same version as my postgresql packages (7.1.3-2) But when I try to createlang, it fails:

ERROR: Load of file /usr/lib/pgsql/plperl.so failed: /usr/lib/perl5/5.00503/i386-linux/auto/Opcode/Opcode.so cannot open shared object file: No such file or directory.

Well of course Opcode.so is not there because I have Perl 5.6.0 and it's in /usr/lib/perl5/5.6.0/ Is something wrong with plperl.so here?

-umut
Re: problem with Session-Timeout
On Sun, 13 Jul 2003 18:00:15 +1000
"Paul Hampson" <[EMAIL PROTECTED]> wrote:

> > From: Emel`chenko Alexander
> > Sent: Sunday, 13 July 2003 5:48 PM
>
> > why radius doesn't send "Session-Timeout" to NAS if
>
> > in acct_users:
> > DEFAULT Acct-Status-Type == Start
> >         Exec-Program = "/usr/local/bin/start"
>
> Exec-Program doesn't wait for attributes. You want
> Exec-Program-Wait

no, Exec-Program-Wait doesn't work the same

> =
> Paul "TBBle" Hampson
> Bubblesworth Pty Ltd (ABN: 51 095 284 361)
> [EMAIL PROTECTED]
>
> This is a one line proof...if we start
> sufficiently far to the left.
> -- Cambridge University Math Department
> -
> Random signature generator 3.0 by Paul "TBBle" Hampson
> =

--
Technical Support Administrator of "NARZAN" Network
mailto:[EMAIL PROTECTED]
Re: 802.1x with FreeRADIUS and Windows XP Supplicant
I forgot to say I'm using EAP-TLS to implement 802.1x with FreeRadius.
RE: problem with Session-Timeout
> From: Emel`chenko Alexander
> Sent: Sunday, 13 July 2003 5:48 PM

> why radius does`t send "Session-Timeout" to NAS if

> in acct_users:
> DEFAULT Acct-Status-Type == Start
>         Exec-Program = "/usr/local/bin/start"

Exec-Program doesn't wait for attributes. You want Exec-Program-Wait

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=
problem with Session-Timeout
why radius doesn't send "Session-Timeout" to NAS if

in acct_users:
DEFAULT Acct-Status-Type == Start
        Exec-Program = "/usr/local/bin/start"

in /usr/local/bin/start:
#!/bin/bash
echo "Session-Timeout = 1";

mailto:[EMAIL PROTECTED]
802.1x with FreeRADIUS and Windows XP Supplicant
I'm trying to setup 802.1x with a D-Link DWL900AP+ Wireless Access Point, using FreeRADIUS 0.8.1 and Windows XP Supplicant.

Looking at the FreeRADIUS log, everything seems to be ok... In fact, the last package sent by the FreeRADIUS server to the AP is an Access-Accept one, with MS-MPPE-Recv-Key and MS-MPPE-Send-Key.

However, and here comes the funny thing, most times (like 80%) the Windows XP Supplicant doesn't seem to notice this last package (it remains in the Authorizing state, and after a few seconds, it restarts the process, sending a new Access Request to the FreeRadius server). And I say it's funny because a few times (like 20%) it actually works correctly, and the Windows XP Supplicant states "Authentication Successfull".

I'm doing all this while being very close to the access point, so it's not a problem of lost packages.

I've read the FAQ and READMEs, and I have followed Raymond McKay's and Ken Roser's HOWTOS on setting 802.1x with XP Supplicant, but I still can't find why this happens this way.

Any ideas? Thank you very much in advance for helping.
Session-Timeout
why radius doesn't send "Session-Timeout" if

in acct_users:
DEFAULT Acct-Status-Type == Start
        Exec-Program = "/usr/local/bin/start"

in /usr/local/bin/start:
#!/bin/bash
echo "Session-Timeout = 1";

mailto:[EMAIL PROTECTED]