fopen problem with Freeradius

2003-07-13 Thread Yasser Ahmed Hosny

Dear All,

I am running Freeradius Ver. 0.8.1 on a Sun Solaris machine Ver. 8 and
connecting to 4 Oracle Databases (different machines) for Authentication
and Accounting (along with Fail-over). 
My setup is as follows:
100 connections for Primary Authentication.
100 connections for Secondary Authentication.
100 connections for Primary Accounting.
100 connections for Secondary Accounting.
Once I start the Freeradius process, I can open only 253 connections out
of 400 and I got the following error:

Mon Jul 14 08:39:16 2003 : Error: Failed creating PID file
/usr/local/var/run/radiusd/radiusd.pid: Too many open files

And the process did not start.

I've tried to change some system parameters, but I've realized that I
can only change the parameter controlling the "open" files and not
"fopen", which is used by Freeradius.

I'll appreciate your help in advance.

Regards

---
Yasser Ahmed Hosny   



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


new group in "dialup-admin"

2003-07-13 Thread Truong Manh Cuong




May I ask a question about dialup-admin?
These are some lines of code from group-new:
if ($attr_type["$key"] == 'checkItem'){
    $table = "$config[sql_groupcheck_table]";
    $type = 1;
}
else if ($attr_type["$key"] == 'replyItem'){
    $table = "$config[sql_groupreply_table]";
    $type = 2;
}
When is $attr_type[$key] set to the value checkItem or replyItem, and in which
file? I tried to find it, but couldn't see how $table is set to groupcheck
or groupreply.
Any time I add a new group, it is always added to radgroupreply, not to
radgroupcheck. Why?
 


RE: Cisco AP that works with Freeradius

2003-07-13 Thread Wei Ming Long
Hi Roman,
does the Cisco 350 series WLAN AP also support 802.1x protocol too?

regards
Matthew

>>> [EMAIL PROTECTED] 07/03/03 04:46PM >>>
Yes, the Cisco 350 series WLAN AP works fine with FreeRadius.

Roman

> -Original message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On behalf of Wei Ming
> Long
> Sent: 3 July 2003 10:42
> To: <
> Subject: Cisco AP that works with Freeradius
> 
> 
> Hi everyone,
> I am looking to purchase a Cisco Wireless Access Point. I have a small
> budget, so can you recommend a low end Cisco WLAN AP that is proven to work
> with Freeradius? the Cisco 350 series WLAN AP?
> 
> Best regards
> Matthew


dialup-admin question

2003-07-13 Thread Truong Manh Cuong



I use dialup-admin and these are my questions:

-- I opened the radcheck table: the user's password is raw, not encrypted,
so anyone who can access the PostgreSQL database can see the password.
In the PHP code of user_new.php3, I see a password encryption procedure;
how do I use this procedure?

-- Why do I need the "bad users" table?
-- If I use radgroupcheck and use groups in this table for usergroup, and I
don't use the "radgroupreply" table, what happens? I mean that I drop the
radgroupreply table.
 
Thanks in advance.
Manh Cuong.


Re: Rejecting authentication with SQL

2003-07-13 Thread Birzan George Cristian
On Sun, Jul 13, 2003 at 08:46:10AM -0400, Alan DeKok wrote:
>   rlm_counter?  It adds, not subtracts, but that's easy enough to work
> with.

That works perfectly, actually. I'm probably doing it wrong, though. I
thought, why use an increasing counter, when I can just decrease the
counter and check if All-Session-Time is bigger than 0. (which, btw, in
the docs is named Max-All-Session-Time) The thing is, I'm thinking there
are other ways of doing this, without having to use rlm_sqlcounter. But,
if there's nothing fundamentally wrong with it, I guess I'm going to stick
with it...

Thanks for the suggestion.

-- 
Regards
Birzan George Cristian




radius and sql question.

2003-07-13 Thread Adam Wiecek
Hi.

I use freeradius 8.1 on RH9 with mysql.
It works perfectly (authorization from sql).
I am working on some features and I have a problem.
In sql.conf:
authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"

Now I want to pass the "id" value as a command line argument to Exec-Program-Wait.
I read variables.txt.
I checked variables such as %{config:authorize.sql.id} or %{sql.id} but
they didn't work.
Maybe a solution like this will work, but it's rather a workaround for me:
Exec-Program-Wait = `/etc/raddb/check %{sql: select id from radcheck WHERE username = %{User-Name} and attribute = 'Password' and value = %{User-Password}}'

Regards.
-- 
Adam



Re: Acct-Output-Gigawords, Acct-Input-Gigawords

2003-07-13 Thread Alexander M. Pravking
On Sun, Jul 13, 2003 at 03:46:08AM +1000, Paul Hampson wrote:
> Just looking at some of my records, would I be right in
> observing that the default *sql.conf files don't account
> for Acct-Output-Gigawords and Acct-Input-Gigawords?
> 
> In the process of repairing damage done to my Calling-Station-ID
> and NASPortId fields by too-short field lengths, I noticed
> that several of my customers had managed to get a 1 in their
> Acct-Output-Gigawords, but that hadn't been taken into account
> in the mysql table...
> 
> If I'm right and it's not being accounted for, is there any
> reason I wouldn't want to modify the query to be
> SET AcctInputOctets = %{Acct-Input-Octets} +
> (%{Acct-Input-Gigawords} * 4294967296)

Or SET AcctInputOctets
= (cast(%{Acct-Input-Gigawords:-0} as <64-bit-integer>) << 32)
+ %{Acct-Input-Octets:-0}
if binary shift is supported by DBMS.

However, default *sql schemas use numeric(N) fields for *Octets,
which 1) are slow; 2) sometimes require explicit value casting;
3) need to be expanded to numeric(20) to avoid overflows...
So I'll vote for second solution:

> Otherwise I'll add the Gigaword columns as extra columns.


You could put both of them into *sql.conf as an example,
and let admins decide for themselves which one to use :)


--
Fduch M. Pravking



Re: problem with Session-Timeout

2003-07-13 Thread Oliver Graf
On Sun, Jul 13, 2003 at 12:07:51PM +0400, Emel`chenko Alexander wrote:
> On Sun, 13 Jul 2003 18:00:15 +1000
> "Paul Hampson" <[EMAIL PROTECTED]> wrote:
> 
> 
> > > From: Emel`chenko Alexander
> > > Sent: Sunday, 13 July 2003 5:48 PM
> > 
> > > why doesn't radius send "Session-Timeout" to NAS if
> > 
> > > in acct_users:
> > > DEFAULT Acct-Status-Type == Start
> > > Exec-Program = "/usr/local/bin/start"
> > 
> > Exec-Program doesn't wait for attributes. You want
> > Exec-Program-Wait
>  
> 
> no, Exec-Program-Wait doesn't work 
> the same


H... Alan already told you that a Session-Timeout makes no sense
for Accounting packets... so what?

Oliver.




Re: Rejecting authentication with SQL

2003-07-13 Thread Alan DeKok
Birzan George Cristian <[EMAIL PROTECTED]> wrote:
> The way I'm currently doing this is by telling the NAS to send
> accounting updates every minute, and subtracting the appropriate number
> of points, via accounting_update_query. The problem I'm facing is that I
> don't know how I can make FreeRADIUS deny authentication for a user that
> has less than the minimum of points.

  rlm_counter?  It adds, not subtracts, but that's easy enough to work
with.

  Alan DeKok.



Re: Session-Timeout

2003-07-13 Thread Alan DeKok
Emel`chenko Alexander <[EMAIL PROTECTED]> wrote:
> why doesn't radius send "Session-Timeout" if
> 
> in acct_users:

  Session-Timeout cannot be used in accounting packets.  See the
RFC's.

  Alan DeKok.



Rejecting authentication with SQL

2003-07-13 Thread Birzan George Cristian
Hello

I'm having a very frustrating problem with the latest CVS version of
FreeRADIUS (though, that's barely relevant). My problem is that I don't
know how I can design the database/configure FreeRADIUS so that I can
reject the authentication of certain users, based on the result of a
random query.
My problem is that I have to use an accounting system based on points,
more points get used per minute during peak hours, than off peak hours.

The way I'm currently doing this is by telling the NAS to send
accounting updates every minute, and subtracting the appropriate number
of points, via accounting_update_query. The problem I'm facing is that I
don't know how I can make FreeRADIUS deny authentication for a user that
has less than the minimum of points. This is, probably, happening
because of my poor understanding of how RADIUS and FreeRADIUS actually
work, but from the available documentation (which is sparse, to say the
least), I cannot figure any possible way of doing it, without using
triggers in PostgreSQL, which is, imo, the ugly way of doing it.
I would appreciate any input on this, including UTSL, as long as it's
not a dead end.

Thanks, in advance.

-- 
Regards
Birzan George Cristian




Re: createlang plperl

2003-07-13 Thread Peter Nixon
On Sun July 13 2003 12:08, Umut Destan wrote:
> Hi all,
> Following the instructions Peter Nixon gives in VoIP billing;
> "createlang plperl radius" doesn't seem to succeed. (How important is
> plperl anyway?) I got the postgresql-plperl.rpm package with the same
> version as my postgresql packages (7.1.3-2) But when I try to createlang, it
> fails:
> ERROR: Load of file /usr/lib/pgsql/plperl.so failed:
> /usr/lib/perl5/5.00503/i386-linux/auto/Opcode/Opcode.so cannot open shared
> object file: No such file or directory. Well of course Opcode.so is not
> there because I have Perl 5.6.0 and it's in /usr/lib/perl5/5.6.0/ Is
> something wrong with plperl.so here?

My instructions are tested on SuSE Linux 8.1 and 8.2 with updated Postgres, 
perl and postgres module rpms (Some problems I found with the rpms caused new 
ones to be released)

You only need plperl if you are planning on writing stored procedures in perl. 
I use the following stored procedure:
CREATE OR REPLACE FUNCTION strip_dot (text) returns timestamp AS '
my $datetime = $_[0];
$datetime =~ s/^\\.*//;
return $datetime;
' language 'plperl';

to strip the leading . from the timestamps of Cisco NASes that have 
temporarily lost NTP timesync. I probably should rewrite this in Postgres 
native language, but I did not know it and did know perl at the time I wrote 
this.
If I get a chance tomorrow I will rewrite it before the next FR release.
(My wife tells me as it's Sunday we are going shopping now :-)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




createlang plperl

2003-07-13 Thread Umut Destan
Hi all,
Following the instructions Peter Nixon gives in VoIP billing;
"createlang plperl radius" doesn't seem to succeed. (How important is plperl anyway?)
I got the postgresql-plperl.rpm package with the same version as my postgresql 
packages (7.1.3-2)
But when I try to createlang, it fails: 
ERROR: Load of file /usr/lib/pgsql/plperl.so failed: 
/usr/lib/perl5/5.00503/i386-linux/auto/Opcode/Opcode.so cannot open shared object 
file: No such file or directory.
Well of course Opcode.so is not there because I have Perl 5.6.0 and it's in 
/usr/lib/perl5/5.6.0/
Is something wrong with plperl.so here?

-umut



Re: problem with Session-Timeout

2003-07-13 Thread Emel`chenko Alexander
On Sun, 13 Jul 2003 18:00:15 +1000
"Paul Hampson" <[EMAIL PROTECTED]> wrote:


> > From: Emel`chenko Alexander
> > Sent: Sunday, 13 July 2003 5:48 PM
> 
> > why doesn't radius send "Session-Timeout" to NAS if
> 
> > in acct_users:
> > DEFAULT Acct-Status-Type == Start
> > Exec-Program = "/usr/local/bin/start"
> 
> Exec-Program doesn't wait for attributes. You want
> Exec-Program-Wait
 

no, Exec-Program-Wait doesn't work 
the same


> =
> Paul "TBBle" Hampson
> Bubblesworth Pty Ltd (ABN: 51 095 284 361)
> [EMAIL PROTECTED]
> 
> This is a one line proof...if we start
> sufficiently far to the left.
>   -- Cambridge University Math Department
> -
> Random signature generator 3.0 by Paul "TBBle" Hampson
> =


-- 
Technical Support Administrator
of "NARZAN" Network



Re: 802.1x with FreeRADIUS and Windows XP Supplicant

2003-07-13 Thread Nacho González-Cutre Coll
I forgot to say I'm using EAP-TLS to implement 802.1x with FreeRadius.



RE: problem with Session-Timeout

2003-07-13 Thread Paul Hampson
> From: Emel`chenko Alexander
> Sent: Sunday, 13 July 2003 5:48 PM

> why doesn't radius send "Session-Timeout" to NAS if

> in acct_users:
> DEFAULT Acct-Status-Type == Start
> Exec-Program = "/usr/local/bin/start"

Exec-Program doesn't wait for attributes. You want
Exec-Program-Wait

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




problem with Session-Timeout

2003-07-13 Thread Emel`chenko Alexander
why doesn't radius send "Session-Timeout" to NAS if

in acct_users:
DEFAULT Acct-Status-Type == Start
Exec-Program = "/usr/local/bin/start"


in /usr/local/bin/start:

#!/bin/bash

echo "Session-Timeout = 1";




802.1x with FreeRADIUS and Windows XP Supplicant

2003-07-13 Thread Nacho González-Cutre Coll
I'm trying to setup 802.1x with a D-Link DWL900AP+ Wireless Access Point,
using FreeRADIUS 0.8.1 and Windows XP Supplicant.

Looking at the FreeRADIUS log, everything seems to be ok... In fact, the
last package sent by the FreeRADIUS server to the AP is an Access-Accept
one, with MS-MPPE-Recv-Key and MS-MPPE-Send-Key.

However, and here comes the funny thing, most times (like 80%) the Windows
XP Supplicant doesn't seem to notice this last package (it remains in the
Authorizing state, and after a few seconds, it restarts the process, sending
a new Access Request to the FreeRadius server). And I say it's funny because
a few times (like 20%) it actually works correctly, and the Windows XP
Supplicant states "Authentication Successful". I'm doing all this while
being very close to the access point, so it's not a problem of lost
packages.

I've read the FAQ and READMEs, and I have followed Raymond McKay's and Ken
Roser's HOWTOS on setting 802.1x with XP Supplicant, but I still can't find
why this happens this way. Any ideas? Thank you very much in advance for
helping.




Session-Timeout

2003-07-13 Thread Emel`chenko Alexander
why doesn't radius send "Session-Timeout" if

in acct_users:
DEFAULT Acct-Status-Type == Start
Exec-Program = "/usr/local/bin/start"


in /usr/local/bin/start:

#!/bin/bash

echo "Session-Timeout = 1";

