dialup_admin
Good day Mr. Kalevras,

As you suggested, I tried to create a script to perform a manual reset in the GDBM database (db.monthly). I want to synchronize the update of the GDBM database and MySQL. My question is: after successfully resetting a user's counter in the GDBM database, how can I update the user's status in dialup_admin?

=
wilfredo pahilanga apellido jr.
technical support
mactan online
bacolod city, philippines
+63 34 4348311

If you can't hear me, it's because i'm in parentheses.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Quintum Help
Could you help me to configure freeradius for Quintum? I installed radius, but it is rejecting users.

Thank you.

Here are my Quintum and Radius logs:

RADIUS : 565661:RadiusRequest: Sending Access-Request MsgId=24 to 192.168.1.3, port 1812, Descriptor 3
RADIUS : 566160:RadiusResponse: Received response, length=20, id=24, type=3
RADIUS : 566160:RadiusSocket: Received ACCESS REJECT RESPONSE
RADIUS : 566160:RadiusResponse: Created response object 0XB05E84
RADIUS : 566160:RadiusSocket: Sent ProcessAccessReject iucaCallBackSend
RADIUS : 566160:RadiusHandler: Received iucaCallBackSend Access-Reject
RADIUS : 566160:RadiusRequest: Client Process Marked Object=0XBBB204 MsgId=24 for Deletion
RADIUS : 566160:RadiusRequest: Radius Process Deleted Object=0XBBB204, MsgId=24
RADIUS : 566160:RadiusRequest: destroying request object 0XBBB204
RADIUS : 566160:RadiusResponse: destroying response object 0XB05E84
RADIUS : 566790:RadiusRequest: Created request object 0XD34404

And Radius Log:

rad_recv: Access-Request packet from host 192.168.1.10:24579, id=34, length=157
        Attr-4 = 0xc0a8010a
        Attr-1 = 0x3132333435
        Attr-2 = 0x3132333435
        Attr-61 = 0x
        Attr-31 = 0x36333037373635343634
        Quintum-h323-conf-id = "h323-conf-id=33666235 36646263 31310030 003100FF"
        Quintum-AVPair = "h323-ivr-out=ACCESSCODE:"
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [12345/12345] (from client quintum port 0 cli 6307765464)
Delaying request 4 for 1 seconds
xlat.c bug ?
Hi, I had a problem with xlat that didn't care about last char if it was '$' or '%' or '\' so I trace it and found that if the last char was one of them the code was not executed... so if I'm not wrong this little patch should solve it thank --- xlat.c.orig Tue Mar 18 16:50:54 2003 +++ xlat.c Sat Nov 15 14:04:39 2003 @@ -398,7 +398,13 @@ continue; } - if (*++p == '\0') break; + if (*++p == '\0') { + if ((c == '%') || (c == '$') || (c == '\\')) { + *q++ = c; + *q++ = *p; + } + break; + } if (c == '\\') { switch(*p) { Alain Cocconi Net Outremer Caledonie Phone : +687 24 38 70 Fax : +687 27 12 50 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
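Review bot: In the added `if (*++p == '\0')` branch, `*q++ = *p;` stores the terminating NUL in the output and then advances `q` past it, so any code after the loop that terminates the string at `*q` or derives a length from `q` will be one byte off; copying only `c` (`*q++ = c;`) before the `break` would keep the trailing character without that side effect. The branch also writes up to two bytes through `q` with no check in the hunk that the output buffer still has room, so it should honour whatever space accounting the surrounding loop uses before writing. If the `continue` just above already guarantees that `c` is one of '%', '$' or '\\' at this point, the inner condition is redundant and can be dropped, and a one-line comment saying that a lone trailing escape character is emitted literally would document the intent.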
freeradius + mysql problems
Hi all,

My goal is to use Freeradius with the sql module for authenticating users. I'm using version 0.9.2 (installed from rpms I created with the specfile that came with the tarball). There doesn't seem to be a wealth of information available for using the sql module, but I've been working off of this tutorial:

http://www.frontios.com/freeradius.html

I got everything working using /etc/shadow to authenticate users, but then I proceeded to follow the instructions for sql and have run into some trouble. I followed all of the required steps and am unable to authenticate. I'm using the following command to test the server:

radtest robtest test localhost 0 testing123

and I get the following result:

Sending Access-Request of id 170 to 127.0.0.1:1812
        User-Name = "robtest"
        User-Password = "test"
        NAS-IP-Address = radius.mydomain.com (changed the domain)
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=170, length=20

Here is a snippet of the output produced when I run in debug mode:

rad_recv: Access-Request packet from host 127.0.0.1:32819, id=170, length=59
        User-Name = "robtest"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  ''
  modcall[authorize]: module "sql" returns fail for request 0
modcall: group authorize returns fail for request 0
There was no response configured: rejecting request 0
Server rejecting request 0.

And here's the only entry in my radcheck table:

+----+----------+-----------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
|  1 | robtest  | Password  | == | test  |
+----+----------+-----------+----+-------+

Debug mode doesn't seem to provide very verbose output when it comes time to call the sql module. I turned on sqltrace in my sql module configuration file, but no queries are showing up. I even turned on query logging on my MySQL server and none show up, which means it's not even getting to the part where it tries to find a matching user in the radcheck table. What could be preventing it from getting that far?

Any suggestions would be greatly appreciated. I've been working on this for several days now and haven't made much progress. I hope I've done enough footwork on my own to keep away the flames :)

Thanks in advance,
Rob
rlm_ldap doesn't support multiple attribute-fields anymore?
hi,

i just upgraded from freeradius 0.8.1 to 0.9.2, and i noticed that rlm_ldap doesn't support multiple (same) attribute fields anymore..

does anyone know if this is on purpose, or a programming glitch?

this isn't so nice for me, since i use a lot of these multiple attributes.. for instance for cisco-avpairs & ip-routes.

(i'm now using the old 0.8.1 module.. :P)

grtz,
dmclf

--
Lord of the Rings LITE(tm) by J.R.R. Tolkien
Some guys take a long vacation to throw a ring into a volcano
Re: Add new Attributes to Radius
----- Original Message -----
From: "Sanjiv Thakor" <[EMAIL PROTECTED]>

> I want to be able to add new Attributes to Radius. For example
>
> ATTRIBUTE    Special-Group    10001    string
>
> What I want to be able to do is When a User is Authenticated, I want
> Radius to be able to send me this Attribute (with its Value) in the
> Reply just like the Reply-Message Attribute gets sent as part of the
> Reply List.
> So something like this..
>
> usertest    Auth-Type := CHAP, User-Password == "chappassword"
>             Service-Type = Login-User,
>             Special-Group = "temp",
>             Reply-Message = "Hello, %u"
>
> Is that even possible to do without modifying the Radius Source
> Code? If it is then how do I add these New attributes?

Have a look at the dictionary files.

Thor.
Re: Still fighting to understand free RADIUS code
On Fri, 14 Nov 2003, German Viera wrote:

> Can you tell me which files are those, or in which folder I can find them ???

src/main/radclient.c
The function definitions are in src/include/libradius.h i think

> ----- Original Message -----
> From: "Kostas Kalevras" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, November 14, 2003 2:57 PM
> Subject: Re: Still fighting to understand free RADIUS code
>
> > On Fri, 14 Nov 2003, German Viera wrote:
> >
> > > Hi everybody,
> > >
> > > I am new to free RADIUS but I found it very useful and powerful. I
> > > had configured it and made it work for different purposes, most of them
> > > with cisco platforms.
> > > Right now I am trying to develop an application where I think
> > > freeRADIUS code could help. I would like to ask (if somebody knows) which
> > > modules (files) from the code are the ones in charge of setting up the RADIUS
> > > server. What I wanna do is to code an application which hears for RADIUS
> > > requests (at first...to understand how RADIUS protocol works) and translates
> > > the message. But I am confused on HOW TO ? to hear the radius message.
> > >
> > > OK ...hope someone could help me
> >
> > Read the radclient source. It's the easiest/best way.
> >
> > > Regards,
> > >
> > > German Viera
> > > Montevideo
> > > Uruguay
> >
> > --
> > Kostas Kalevras Network Operations Center
> > [EMAIL PROTECTED] National Technical University of Athens, Greece
> > Work Phone: +30 210 7721861
> > 'Go back to the shadow' Gandalf

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Still fighting to understand free RADIUS code
Can you tell me which files are those, or in which folder I can find them ???

----- Original Message -----
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 14, 2003 2:57 PM
Subject: Re: Still fighting to understand free RADIUS code

> On Fri, 14 Nov 2003, German Viera wrote:
>
> > Hi everybody,
> >
> > I am new to free RADIUS but I found it very useful and powerful. I had
> > configured it and made it work for different purposes, most of them with
> > cisco platforms.
> > Right now I am trying to develop an application where I think freeRADIUS
> > code could help. I would like to ask (if somebody knows) which modules
> > (files) from the code are the ones in charge of setting up the RADIUS server.
> > What I wanna do is to code an application which hears for RADIUS requests
> > (at first...to understand how RADIUS protocol works) and translates the
> > message. But I am confused on HOW TO ? to hear the radius message.
> >
> > OK ...hope someone could help me
>
> Read the radclient source. It's the easiest/best way.
>
> > Regards,
> >
> > German Viera
> > Montevideo
> > Uruguay
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
Re: Still fighting to understand free RADIUS code
On Fri, 14 Nov 2003, German Viera wrote:

> Hi everybody,
>
> I am new to free RADIUS but I found it very useful and powerful. I had
> configured it and made it work for different purposes, most of them with cisco
> platforms.
> Right now I am trying to develop an application where I think freeRADIUS code
> could help. I would like to ask (if somebody knows) which modules (files) from the
> code are the ones in charge of setting up the RADIUS server. What I wanna do is to
> code an application which hears for RADIUS requests (at first...to understand how
> RADIUS protocol works) and translates the message. But I am confused on HOW TO ? to
> hear the radius message.
>
> OK ...hope someone could help me

Read the radclient source. It's the easiest/best way.

> Regards,
>
> German Viera
> Montevideo
> Uruguay

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Still fighting to understand free RADIUS code
Hi everybody,

I am new to free RADIUS but I found it very useful and powerful. I had configured it and made it work for different purposes, most of them with cisco platforms.

Right now I am trying to develop an application where I think freeRADIUS code could help. I would like to ask (if somebody knows) which modules (files) from the code are the ones in charge of setting up the RADIUS server. What I wanna do is to code an application which hears for RADIUS requests (at first...to understand how RADIUS protocol works) and translates the message. But I am confused on HOW TO ? to hear the radius message.

OK ...hope someone could help me

Regards,

German Viera
Montevideo
Uruguay
Radius newbie questions
I just ordered the radius book, and used to use Funk software a while back. I can get logged in via freeradius but can't seem to figure out how to get foundry-privilege-level == 0 to work. I get logged in with read only permissions.

rad_recv: Access-Request packet from host 10.0.5.252:1645, id=93, length=65
        User-Name = "joeuser"
        User-Password = "joepassw0rd"
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 10.0.5.252
        NAS-Port = 1
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
    rlm_realm: No '@' in User-Name = "joeuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
  modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
Login OK: [joeuser/joepassw0rd] (from client cr1corsw2 port 1)
Sending Access-Accept of id 93 to 10.0.5.252:1645
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 93 with timestamp 3fb50e3d
Nothing to do. Sleeping until we see a request.

This is from the users file:

joeuser Acct-Authentic == RADIUS, Service-Type == NAS-Prompt-User, foundry-privilege-level == 0, foundry-command-string == *

Any help would be greatly appreciated :-)

Ted
Add new Attributes to Radius
I want to be able to add new Attributes to Radius. For example

ATTRIBUTE    Special-Group    10001    string

What I want to be able to do is When a User is Authenticated, I want Radius to be able to send me this Attribute (with its Value) in the Reply just like the Reply-Message Attribute gets sent as part of the Reply List.

So something like this..

usertest    Auth-Type := CHAP, User-Password == "chappassword"
            Service-Type = Login-User,
            Special-Group = "temp",
            Reply-Message = "Hello, %u"

Is that even possible to do without modifying the Radius Source Code? If it is then how do I add these New attributes?

Thanks in advance. Any help is appreciated.
Re: Developing RADIUS applications
The aim of my application is to receive the messages and perform different processes in databases ... also the response to the client will vary. What I really wanna do is a billing system for cisco platforms. Using free-RADIUS (I am actually doing it), it is very tedious to parse the log. Apart from that, I could not find the way to make it work with pre-paid scenarios. (I need to parse the log in real time to update the users file with the VSA of credit, and I could never charge different charges for the different destinations.)

Thanks for your answer

----- Original Message -----
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 13, 2003 2:53 PM
Subject: Re: Developing RADIUS applications

> At 11:41 AM 11/13/2003, German Viera wrote:
> >HI
> >
> > I would like to develop my own RADIUS application, acting as a radius
> > server. I would like to know if there is some library of freeradius or
> > someone has already developed something similar (for accounting) that
> > could help me in the development process.
>
> The FreeRADIUS core routines are put into a 'libradius' library, which the
> server calls to perform the functions.
>
> You can look at ./src/lib/ to see what radius functions are in the lib.
>
> What are you needing to create a new RADIUS server application for that the
> current server cannot perform?
>
> -Chris
> --
> \\\|||/// \ StarNet Inc. \ Chris Parker
> \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering
> | @ @ |\ http://www.starnetwx.net \ (847) 963-0116
> oOo---(_)---oOo--\--
> \ Wholesale Internet Services - http://www.megapop.net
Re: CHAP problem
Pascal Séguy <[EMAIL PROTECTED]> wrote:
> You mean that the remote radius (proxy) is broken ? some could think
> FR is broken :)

Those people would be wrong.

The RFCs have defined the CHAP-Challenge attribute for many years. If a RADIUS server uses the authentication vector, even when a CHAP-Challenge attribute is in the packet, then that RADIUS server is crap. It's probably 6 years old, and is subject to attacks, due to security flaws in its implementation.

Upgrade broken software. Breaking other (working) software to inter-operate with broken software is asking for trouble.

> > It will work for you, but that patch will never go into the server.
>
> You find it so ugly ?

The patch is nonsense. It breaks the server to inter-operate with other broken software. The patch will NEVER go into the server.

Alan DeKok.
Re: CHAP problem
----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 14, 2003 4:13 PM
Subject: Re: CHAP problem

> Pascal Séguy <[EMAIL PROTECTED]> wrote:
> > The problem is that the proxy doesn't know the attribute
> > CHAP-Challenge, and takes the challenge directly from the vector
> > field, as says the RFC when the CHAP-challenge is not provided by
> > the NAS.
>
> The program is broken. It's horribly broken, and should be fixed.

You mean that the remote radius (proxy) is broken ? some could think FR is broken :)

> > The solution is to copy the CHAP-Challenge in the vector when proxying.
> > Someone think about undesirable side effects with doing this ?
>
> It will work for you, but that patch will never go into the server.

You find it so ugly ?
Re[2]: MySQL & Cisco Call Detail
Greetings,

We use the Diag functions to dump to a local syslog file on a machine near our as5300's, then use a bash script to parse it (I know, perl would be better), then upload it to a MySQL server, then link the tables by Username. Works fairly well.

Configuration:

- Radius logs standard radius logs to detail files & to mysql directly
- Ciscos dump diag output to a syslog file on the radius server
- Bash script runs once every 10 minutes and uploads the syslog data to the MySQL server, into a separate table.

So far, unless the mysql server goes down, we have a pretty accurate picture of what goes on.

On Fri, 14 Nov 2003 09:56:53 + James Green <[EMAIL PROTECTED]> wrote:

> Mail_Man wrote:
>
> >Can someone point me in the right direction to where I can find information
> >on setting up Free Radius so that it collects all the call detail records
> >from a cisco as5300 gateway and stores it in a database?
> >
> >TIA
> >
> >-Seth
>
> Call detail? You mean calltracker? If so then good luck :D.
>
> We did it by:
>
> - configure the cisco to use calltracker and output it to the syslog.
> - tell the cisco to forward the syslog onto a linux box
> - configure the linux box to accept the incoming syslog requests and
>   pipe it through to a perl script
> - write a perl script to accept the syslog lines, process them and store
>   them in the database using the ct_hndl field as the key.
>
> You cannot match the ct_hndl to the radius keys though, so you won't be
> able to easily match the calltracker logs to the radius logs. We
> contacted our cisco gold partner resellers and they contacted cisco
> themselves, and no-one could figure out a reliable matching system.
> Cisco advised to not bother with the radius logs, but use the
> calltracker logs instead.
>
> Thanks,
>
> James Green

--
William Ragsdale
Re: EAP/TTLS /etc/shadow
Ralf Paffrath <[EMAIL PROTECTED]> wrote:
> I set Auth-Type to System but no TTLS-tunnel session would be established
> and I got the following debugging output:
>
> ...
> modcall: group authorize returns updated for request 0
> rad_check_password: Found Auth-Type EAP
> rad_check_password: Found Auth-Type System
> Warning: Found 2 auth-types on request for user 'HUGO'

Did you READ what i wrote?

> > Set Auth-Type to System for the tunneled user,

The username inside of the tunnel IS different than the username outside of the tunnel, isn't it? If not, then nothing will work.

Alan DeKok.
Re: Error: rlm_sql: Stop packet with zero session length.
On Tue, 11 Nov 2003, DPL wrote:

> Hello,
>
> I am running FreeRADIUS 0.9.1 on Redhat 9.0 and MySQL 4.x
> with all the necessary MySQL stuff. I have been working on
> setting up my radius accounting logs to go to MySQL.
>
> I am seeing the following errors in radius.log:
> Error: rlm_sql: Stop packet with zero session length. (user '[EMAIL PROTECTED]',
> nas '10.1.4.22')
>
> I can see the insert trying to be performed from the sql traces but I
> am not sure why the accounting stop insert is failing.

It's a feature of the rlm_sql module to not accept packets with zero session length. You can disable it by undefining CISCO_ACCOUNTING_HACK in the Makefiles and recompiling rlm_sql.

> Any suggestions or guidance on how to troubleshoot the problem
> would be appreciated.
>
> Thanks,
>
> Dave

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: CHAP problem
Pascal Séguy <[EMAIL PROTECTED]> wrote:
> The problem is that the proxy doesn't know the attribute
> CHAP-Challenge, and takes the challenge directly from the vector
> field, as says the RFC when the CHAP-challenge is not provided by
> the NAS.

The program is broken. It's horribly broken, and should be fixed.

> The solution is to copy the CHAP-Challenge in the vector when proxying.
> Someone think about undesirable side effects with doing this ?

It will work for you, but that patch will never go into the server.

Alan DeKok.
Re: log file to mysql?
On Fri, 14 Nov 2003, Anson Rinesmith wrote:

> I have used the documentation and have a working implementation of
> freeRadius/MySQL running on FreeBSD. Is there a setting to turn on to make
> the /var/log/radius.log file go to a db as well?

No

> Anson Rinesmith
> Internet Operations Manager
> Big River Telephone Company
> 800-455-1608 x106
> 573-382-0555
> www.bigrivertelephone.com
>
> Real People. Real Service. Real Simple.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
log file to mysql?
I have used the documentation and have a working implementation of freeRadius/MySQL running on FreeBSD. Is there a setting to turn on to make the /var/log/radius.log file go to a db as well?

Anson Rinesmith
Internet Operations Manager
Big River Telephone Company
800-455-1608 x106
573-382-0555
www.bigrivertelephone.com

Real People. Real Service. Real Simple.
CHAP problem
Hello,

I have experienced a problem with CHAP when proxying authentication to a client where the proxy rejects all authentication. I solved the problem by patching the FR code myself and I think this should be fixed in future releases:

The problem is that the proxy doesn't know the attribute CHAP-Challenge, and takes the challenge directly from the vector field, as the RFC says when the CHAP-Challenge is not provided by the NAS.

Well, when FR receives a request it systematically builds a CHAP-Challenge attribute from the vector field if there isn't already one provided by the NAS. And when it proxies, it systematically builds a new random vector field, breaking the challenge for the client.

The solution is to copy the CHAP-Challenge in the vector when proxying. Can someone think of undesirable side effects of doing this?
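The behaviour discussed in this thread, as an added example that is not part of the original posts or of FreeRADIUS: a Python model of CHAP verification where the challenge is the CHAP-Challenge attribute when present and the Request Authenticator otherwise. The dict-based request, the function names and the sample values are constructed for illustration; the last case shows that the "copy the challenge into the vector" workaround only fits challenges of exactly 16 octets.

```python
import hashlib
import hmac
import os

AUTH_LEN = 16  # the RADIUS Request Authenticator field is always 16 octets


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_request(ident, password, challenge, send_attribute):
    """Model the CHAP-relevant fields of an Access-Request sent by a NAS.

    The request is a plain dict (an illustration, not a wire-format packet).
    Without a CHAP-Challenge attribute the challenge travels in the Request
    Authenticator, so it must be exactly 16 octets long.
    """
    req = {"CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge)}
    if send_attribute:
        req["authenticator"] = os.urandom(AUTH_LEN)
        req["CHAP-Challenge"] = challenge
    else:
        if len(challenge) != AUTH_LEN:
            raise ValueError("challenge must be 16 octets to fit the authenticator")
        req["authenticator"] = challenge
    return req


def verify(req, password, honor_attribute=True):
    """Check CHAP-Password against the expected response.

    honor_attribute=True: use CHAP-Challenge when present, else the vector.
    honor_attribute=False: model of the remote server in the thread, which
    always takes the challenge from the Request Authenticator.
    """
    ident, response = req["CHAP-Password"][0], req["CHAP-Password"][1:]
    challenge = req["authenticator"]
    if honor_attribute and "CHAP-Challenge" in req:
        challenge = req["CHAP-Challenge"]
    return hmac.compare_digest(response, chap_response(ident, password, challenge))


def proxy(req, copy_challenge_to_vector=False):
    """Forward a request the way the thread describes the proxying server.

    The challenge is preserved in a CHAP-Challenge attribute and a fresh
    random authenticator is generated. With copy_challenge_to_vector=True
    the workaround from the post is applied instead.
    """
    out = dict(req)
    out.setdefault("CHAP-Challenge", req["authenticator"])
    if copy_challenge_to_vector:
        if len(out["CHAP-Challenge"]) != AUTH_LEN:
            raise ValueError("CHAP-Challenge does not fit the 16-octet vector")
        out["authenticator"] = out["CHAP-Challenge"]
    else:
        out["authenticator"] = os.urandom(AUTH_LEN)
    return out


def demo():
    password = b"chappassword"   # constructed sample secret
    challenge = bytes(range(16))  # constructed 16-octet challenge
    req = nas_request(7, password, challenge, send_attribute=False)
    plain = proxy(req)
    patched = proxy(req, copy_challenge_to_vector=True)
    results = {
        "direct_vector_only": verify(req, password, honor_attribute=False),
        "proxied_attribute_aware": verify(plain, password),
        "proxied_vector_only": verify(plain, password, honor_attribute=False),
        "patched_vector_only": verify(patched, password, honor_attribute=False),
    }
    # A NAS that sends a longer challenge in CHAP-Challenge cannot be helped
    # by the workaround: 24 octets do not fit into the authenticator field.
    long_req = nas_request(7, password, bytes(range(24)), send_attribute=True)
    try:
        proxy(long_req, copy_challenge_to_vector=True)
        results["long_challenge_copied"] = True
    except ValueError:
        results["long_challenge_copied"] = False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```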
Re: failed login (log_badlogins script)
On Fri, 14 Nov 2003, apellido jr., wilfredo p wrote:

> dialup_admin failed login doesn't show any report
>
> sql debug
>
> # login time server terminate cause callerid
> DEBUG(SQL,MYSQL DRIVER): Query: SELECT
> AcctStopTime,UserName,NASIPAddress,NASPortId,AcctTerminateCause,CallingStationId
> FROM radacct WHERE AcctStopTime <= '2003-11-14
> 20:20:24' AND AcctStopTime >= '2003-11-14 19:50:24'
                                  ^^

Isn't it clear? The failed logins page will by default only show the last 30 minutes (or as many as you configure it through the general_most_recent_fl configuration directive as IS described in admin.conf)

> AND (AcctTerminateCause LIKE 'Login-Incorrect%' OR
> AcctTerminateCause LIKE 'Invalid-User%' OR
> AcctTerminateCause LIKE 'Multiple-Logins%') ORDER BY
> AcctStopTime desc LIMIT 10;
> DEBUG(SQL,MYSQL DRIVER): Query Result:
>
> when i tried to run log_badlogins, it takes so long to
> end. any suggestion, comment? thanks

That's what it is supposed to do. It does the equivalent of a tail -f radius.log and logs the failed logins in the database. It should run all the time.

> =
> wilfredo pahilanga apellido jr.
> technical support
> mactan online
> bacolod city, philippines
> +63 34 4348311
>
> If you can't hear me, it's because i'm in parentheses.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
failed login (log_badlogins script)
dialup_admin failed login doesn't show any report

sql debug

# login time server terminate cause callerid
DEBUG(SQL,MYSQL DRIVER): Query: SELECT AcctStopTime,UserName,NASIPAddress,NASPortId,AcctTerminateCause,CallingStationId FROM radacct WHERE AcctStopTime <= '2003-11-14 20:20:24' AND AcctStopTime >= '2003-11-14 19:50:24' AND (AcctTerminateCause LIKE 'Login-Incorrect%' OR AcctTerminateCause LIKE 'Invalid-User%' OR AcctTerminateCause LIKE 'Multiple-Logins%') ORDER BY AcctStopTime desc LIMIT 10;
DEBUG(SQL,MYSQL DRIVER): Query Result:

radacct table

mysql> select * from radacct;
Re: Management Tools
On Wed, 12 Nov 2003, Anson Rinesmith wrote:

> Are there any web based management interfaces, for easily seeing what a user
> is doing? (connection speed, time online, etc) Polling freeRadius/MySQL,
> and getting the NAS IP and Port and querying the NAS for that information.

dialupadmin

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Time limits
On Fri, 14 Nov 2003, James Green wrote:

> Alan DeKok wrote:
>
> >James Green <[EMAIL PROTECTED]> wrote:
> >
> >>For example, if [EMAIL PROTECTED] logged in, we might have him on a 2 hours
> >>per day access permitted tariff.
> >
> > rlm_counter
>
> I guess then rlm_sqlcounter is the only way forward, since rlm_counter
> doesn't have any documentation that I can detect?

Daa?? Can you please just do a search for counter in radiusd.conf?

> James

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Timing out user after missed accounting updates
Hi all,

In brief, I'm looking for a way to assume users are logged out if their NAS missed x accounting updates (or alternatively, no update for y seconds).

The use case is as follows: We have a number of wireless hotspots at the end of unreliable links. We use RADIUS accounting to bill users per minute. We have a problem that occasionally a link to a hotspot will go down for 10 mins, at which point users tend to give up and wander off. That's OK, except that we're left with a zombie RADIUS session that never gets a STOP packet.

The only way we can think to fix it is to assume the hotspot is dead if it misses, say, 3 UPDATEs, and then generate STOP events internally. This will leave some users on when we think they're not, but that's better than the present situation.

I've seen this done before in a German ISP, but using a heavily hacked radius server. Can anyone suggest a neat way to achieve it?

Thanks,
Alex
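One way to implement the rule proposed in this post, as an added example that is not part of the original message or of FreeRADIUS: a tracker that closes any session whose NAS has been silent for more than `max_missed` interim intervals and emits a synthetic Stop record. The packet dictionaries, class and field names, the choice to bill only up to the last update received, and the "Lost-Service" terminate cause are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    start: int      # time of the Start packet, in seconds
    last_seen: int  # time of the latest Start or Interim-Update


class SessionTracker:
    """Tracks open accounting sessions and reaps the ones that went silent."""

    def __init__(self, interim_interval, max_missed=3):
        # A session is considered dead once this many seconds pass without
        # an update, i.e. after max_missed expected updates failed to arrive.
        self.deadline = interim_interval * max_missed
        self.open = {}       # (nas, session_id) -> Session
        self.closed = set()  # keys already closed, to recognise late packets

    def handle(self, pkt):
        """Apply one accounting packet and report what happened to it."""
        key = (pkt["nas"], pkt["session_id"])
        status = pkt["status"]
        if status == "Start":
            self.open[key] = Session(pkt["user"], pkt["time"], pkt["time"])
            self.closed.discard(key)
            return "opened"
        if key not in self.open:
            # The link came back after we already closed the session: flag
            # the packet so billing can decide whether to reconcile it.
            return "late" if key in self.closed else "unknown"
        if status == "Interim-Update":
            self.open[key].last_seen = pkt["time"]
            return "updated"
        if status == "Stop":
            del self.open[key]
            self.closed.add(key)
            return "closed"
        return "ignored"

    def reap(self, now):
        """Close silent sessions and return the synthetic Stop records."""
        stops = []
        for key, sess in list(self.open.items()):
            if now - sess.last_seen > self.deadline:
                stops.append({
                    "nas": key[0],
                    "session_id": key[1],
                    "user": sess.user,
                    # Bill only the time the NAS actually reported.
                    "session_time": sess.last_seen - sess.start,
                    "terminate_cause": "Lost-Service",
                    "synthetic": True,
                })
                del self.open[key]
                self.closed.add(key)
        return stops


def run_demo():
    # Constructed sample traffic: 60 second interim interval, hotspot-1
    # stops reporting after t=120 while hotspot-2 keeps sending updates.
    tracker = SessionTracker(interim_interval=60, max_missed=3)
    packets = [
        {"nas": "hotspot-1", "session_id": "A1", "user": "alice", "status": "Start", "time": 0},
        {"nas": "hotspot-2", "session_id": "B1", "user": "bob", "status": "Start", "time": 0},
    ]
    for t in (60, 120):
        packets.append({"nas": "hotspot-1", "session_id": "A1", "user": "alice",
                        "status": "Interim-Update", "time": t})
    for t in (60, 120, 180, 240, 300):
        packets.append({"nas": "hotspot-2", "session_id": "B1", "user": "bob",
                        "status": "Interim-Update", "time": t})
    for pkt in sorted(packets, key=lambda p: p["time"]):
        tracker.handle(pkt)
    stops = tracker.reap(now=310)
    # The link recovers much later and the NAS finally delivers its Stop.
    late = tracker.handle({"nas": "hotspot-1", "session_id": "A1", "user": "alice",
                           "status": "Stop", "time": 900})
    return stops, late, sorted(tracker.open)


if __name__ == "__main__":
    print(run_demo())
```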
strip both prefix and suffix with proxy
hello all

i have a problem which i can't still solve. maybe there is solution, but i can't find it:(

situation: i must use suffix @blabla for every accounts. for some accounts i want use prefix too - because auth proxying. i'm planning use prefixes only for non-local accounts, but there is special group of users which want duplicate his accounting info to non local server, but authorize locally. i create prefix for this group and i add it into proxy configuration with two accthost entries. now i need strip suffix for this special group before authorization, because i don't want store usernames with suffixes into my backend (which is currently ldap). but when realm aaa is matched, imho, i can strip only this realm.

example:

username: [EMAIL PROTECTED]

proxy:
realm aaa {
    accthost host1:1813
    accthost LOCAL
    nostrip/strip // only one from this
}

users:
DEFAULT Auth-Type := LDAP, Ldap-Group == "aaa-group", Suffix == "@blabla"
...

thanks

--
member of Advanced InternetWorks group -> http://www.ainetworks.sk
professional home page -> http://tibor.pittich.sk
personal home page -> http://c0re.phuture.sk
Re: Time limits
Alan DeKok wrote:

> James Green <[EMAIL PROTECTED]> wrote:
>
>> For example, if [EMAIL PROTECTED] logged in, we might have him on a 2 hours
>> per day access permitted tariff.
>
> rlm_counter

I guess then rlm_sqlcounter is the only way forward, since rlm_counter doesn't have any documentation that I can detect?

James
Re: MySQL & Cisco Call Detail
Mail_Man wrote:

> Can someone point me in the right direction to where I can find information on setting up Free Radius so that it collects all the call detail records from a cisco as5300 gateway and stores it in a database? TIA -Seth

Call detail? You mean calltracker? If so then good luck :D. We did it by:

- configure the cisco to use calltracker and output it to the syslog.
- tell the cisco to forward the syslog onto a linux box
- configure the linux box to accept the incoming syslog requests and pipe it through to a perl script
- write a perl script to accept the syslog lines, process them and store them in the database using the ct_hndl field as the key.

You cannot match the ct_hndl to the radius keys though, so you won't be able to easily match the calltracker logs to the radius logs. We contacted our cisco gold partner resellers and they contacted cisco themselves, and no-one could figure out a reliable matching system. Cisco advised to not bother with the radius logs, but use the calltracker logs instead.

Thanks,
James Green
Re: Fw: Status... rlm_ldap problem
On Fri, 14 Nov 2003, Rohaizam Abu Bakar wrote:

> any comments in below problem...??
>
> --haizam
>
> - Original Message -
> From: "Rohaizam Abu Bakar" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 12, 2003 8:59 AM
> Subject: Re: Status... rlm_ldap problem
>
> > I've sent all the error log/debug output before .. but Kostas ask me to
> > troubleshoot more but i do not know where to start. I will explain
> > again below:
> >
> > Problem A
> >
> > - Problem only exist when using FreeBSD 5.1 - with freeradius 0.9.2 & also
> > 0.9.0 (not tested in 0.9.1)
> > - My LDAP server working fine all along(tested using manual ldapsearch when
> > problem happen)

When running ldapsearch did you bind with the problematic DNs or with the admin DN? I would suggest trying to bind with the user DNs and see what happens. Also check out the ldap server logs for the freeradius bind operations. There should be something there that will explain what's happening. If there isn't, run the ldap server in debug mode. I don't think there's much else to do in rlm_ldap to fix the problem.

> > i) Error from radius.log
> >
> > Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=227523,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> > Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=717710,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> > Mon Oct 20 18:37:03 2003 : Error: rlm_ldap: uniqueIdentifier=983053,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> >
> > ii) From debug output
> >
> > ...
> > rlm_ldap: performing search in ou=People,dc=jaring,dc=my, with filter (uid=spts)
> > rlm_ldap: checking if remote access for spts is allowed by dialupAccess
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: Adding radiusSessionTimeout as Session-Timeout, value 21600 & op=11
> > rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11
> > rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
> > rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
> > rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
> > rlm_ldap: user spts authorized to use remote access
> > ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap1" returns ok for request 561
> > modcall: group redundant returns ok for request 561
> > modcall: group authorize returns ok for request 561
> > rad_check_password: Found Auth-Type LDAP
> > auth: type "LDAP"
> > modcall: entering group Auth-Type for request 561
> > modcall: entering group redundant for request 561
> > rlm_ldap: - authenticate
> > rlm_ldap: login attempt by "spts" with password ""
> > rlm_ldap: user DN: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my
> > rlm_ldap: (re)connect to 61.6.32.201:389, authentication 1
> > rlm_ldap: bind as uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my/spts2003 to 61.6.32.201:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: ldap_result()
> > rlm_ldap: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my bind to 61.6.32.201:389 failed: timeout
> > rlm_ldap: ldap_connect() failed
> > modcall[authenticate]: module "ldap1" returns fail for request 561
> > rlm_ldap: - authenticate
> > rlm_ldap: login attempt by "spts" with password ""
> > rlm_ldap: user DN: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my
> > rlm_ldap: (re)connect to 61.6.32.97:389, authentication 1
> > rlm_ldap: bind as uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my/spts2003 to 61.6.32.97:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: ldap_result()
> > rlm_ldap: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my bind to 61.6.32.97:389 failed: timeout
> > rlm_ldap: ldap_connect() failed
> > modcall[authenticate]: module "ldap2" returns fail for request 561
> > modcall: group redundant returns fail for request 561
> > modcall: group Auth-Type returns fail for request 561
> > auth: Failed to validate the user.
> > Login incorrect: [spts] (from client jhb34 port 239 cli 072270533)
> > Delaying request 561 for 1 seconds
> > Finished request 561
> > Going to the next request
> > .
> >
> > Problem B
> >
> > - ADDED to above problem.. I'm still having "Unresponsive child" problem
> > - LDAP working fine...
> > - not that critical compare to above...
> >
> > i) From radius.log
> >
> > Wed Nov 12 00:59:52 2003 : Error: WARNING: Unresponsive child (id 136795136) for request 322196
> > Wed Nov 12 01:00:13 2003 : Error: WARNING: Unresponsive child (id 136585216) for request 322292
> > Wed Nov 12 08:42:48 2003 : Error: WARNING: Unresponsive child
Re: EAP/TTLS /etc/shadow
> Ralf Paffrath <[EMAIL PROTECTED]> wrote:
> > I'm running a snapshot version of freeradius with EAP/TTLS for authN.
> > My supplicant is SecureW2. Everything works fine as long as I put in the
> > plaintext user-password in "users" configuration file and didn't set
> > Auth-Type, e.g. username User-Password == "blabla".
>
> Ok...
>
> > I absolutely don't like plaintext passwords in some files so I tried
> > freeradius out to use /etc/shadow but with no success.
>
> Plain-text passwords aren't much of a problem from a security
> perspective. They also allow you to do CHAP authentication, which is
> impossible with /etc/passwd.
>
> > Auth-Type := EAP doesn't work:
> > ...
> > auth: type "EAP"
> > modcall: entering group authenticate for request 5
> > rlm_eap: EAP-Message not found
>
> Exactly. Don't set "Auth-Type := EAP". EVER.
>
> > Any idea?
>
> Set Auth-Type to System for the tunneled user, and read the
> debugging output of the server. I note that you did NOT post that
> debugging output, which is the ONLY relevant thing here.

I set Auth-Type to System but no TTLS-tunnel session would be established and I got the following debugging output:

...
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
rad_check_password: Found Auth-Type System
Warning: Found 2 auth-types on request for user 'HUGO'
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
...

This output led me to the assumption that Auth-Type set to System is wrong, so I set Auth-Type to EAP. When I didn't set Auth-Type, e.g. User-Password "blabla" and set

DEFAULT Auth-Type += System
        Fall-Through = YES

I can authenticate with plaintext password and with /etc/passwd, so I got two valid passwords. With both passwords TTLS-tunnel sessions were established, weird!

Ralf.

> Alan DeKok.
Re: dialupAccess attribute
On Thu, 13 Nov 2003, Rick Whitley wrote:

> If no one else is using eDirectory for ldap access is there an example of
> mapping the dialupAccess attribute for other ldap servers?
>
> thanks
>
> rick...
> Rom.5:8
>
> >>> [EMAIL PROTECTED] 11/11/03 11:29AM >>>
> I have freeradius running on RH 9 doing ldap authentication to
> eDirectory within ttls. The one thing I can't find is how to map the
> dialupAccess attribute to eDirectory. We would like to be able to deny
> access based on the value of this. Is anyone using eDirectory for ldap
> with freeRadius? Any insight would be most appreciated.

See doc/RADIUS-LDAPv3.schema. It contains a definition for the dialupaccess attribute. You can use that in your ldap server.

> thanks
>
> rick...
> Rom.5:8

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: dialup_admin statistic report?
On Thu, 13 Nov 2003, apellido jr., wilfredo p wrote:

> Good day, why isn't it User Statistic and Statistic
> Report doesn't show anything?

The User Statistics page will use the totacct tables. So they should contain data for the page to display it (the data is created by running the tot_stats script in the bin folder). In any case enable sql debugging in dialupadmin and you should be able to figure out what is happening.

> =
> wilfredo pahilanga apellido jr.
> technical support
> mactan online
> bacolod city, philippines
> +63 34 4348311
>
> If you can't hear me, it's because i'm in parentheses.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Add Delete Modify Users
On Thu, 13 Nov 2003, Sanjiv Thakor wrote:

> I am new to using this Radius Server so please bear with me. When I change
> a user's password in the users file or make some other change to the user's
> profile like change the Auth-Type from PAP to CHAP or something I have to
> restart the radius server. Is there a more dynamic way to do this?

Yes, move your users file to a database (sql or ldap).

> Thanks in advance.
>
> Sanjiv

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Fw: Status... rlm_ldap problem
any comments in below problem...??

--haizam

- Original Message -
From: "Rohaizam Abu Bakar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 12, 2003 8:59 AM
Subject: Re: Status... rlm_ldap problem

> I've sent all the error log/debug output before .. but Kostas ask me to
> troubleshoot more but i do not know where to start. I will explain
> again below:
>
> Problem A
>
> - Problem only exist when using FreeBSD 5.1 - with freeradius 0.9.2 & also
> 0.9.0 (not tested in 0.9.1)
> - My LDAP server working fine all along(tested using manual ldapsearch when
> problem happen)
>
> i) Error from radius.log
>
> Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=227523,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=717710,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> Mon Oct 20 18:37:03 2003 : Error: rlm_ldap: uniqueIdentifier=983053,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
>
> ii) From debug output
>
> ...
> rlm_ldap: performing search in ou=People,dc=jaring,dc=my, with filter (uid=spts)
> rlm_ldap: checking if remote access for spts is allowed by dialupAccess
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusSessionTimeout as Session-Timeout, value 21600 & op=11
> rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11
> rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
> rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
> rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
> rlm_ldap: user spts authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap1" returns ok for request 561
> modcall: group redundant returns ok for request 561
> modcall: group authorize returns ok for request 561
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 561
> modcall: entering group redundant for request 561
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "spts" with password ""
> rlm_ldap: user DN: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my
> rlm_ldap: (re)connect to 61.6.32.201:389, authentication 1
> rlm_ldap: bind as uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my/spts2003 to 61.6.32.201:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: ldap_result()
> rlm_ldap: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my bind to 61.6.32.201:389 failed: timeout
> rlm_ldap: ldap_connect() failed
> modcall[authenticate]: module "ldap1" returns fail for request 561
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "spts" with password ""
> rlm_ldap: user DN: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my
> rlm_ldap: (re)connect to 61.6.32.97:389, authentication 1
> rlm_ldap: bind as uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my/spts2003 to 61.6.32.97:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: ldap_result()
> rlm_ldap: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my bind to 61.6.32.97:389 failed: timeout
> rlm_ldap: ldap_connect() failed
> modcall[authenticate]: module "ldap2" returns fail for request 561
> modcall: group redundant returns fail for request 561
> modcall: group Auth-Type returns fail for request 561
> auth: Failed to validate the user.
> Login incorrect: [spts] (from client jhb34 port 239 cli 072270533)
> Delaying request 561 for 1 seconds
> Finished request 561
> Going to the next request
> .
>
> Problem B
>
> - ADDED to above problem.. I'm still having "Unresponsive child" problem
> - LDAP working fine...
> - not that critical compare to above...
>
> i) From radius.log
>
> Wed Nov 12 00:59:52 2003 : Error: WARNING: Unresponsive child (id 136795136) for request 322196
> Wed Nov 12 01:00:13 2003 : Error: WARNING: Unresponsive child (id 136585216) for request 322292
> Wed Nov 12 08:42:48 2003 : Error: WARNING: Unresponsive child (id 135698432) for request 15206
>
> ii) My ldap setting in radiusd.conf - maybe tuning is needed here.
>
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 256000
> hostname_lookups = yes
> allow_core_dumps = no
>
> start_servers = 20
> max_servers = 1024
> min_spare_servers = 10
> max_spare_servers = 20
>
> ldap ldap2 {
>     server = "10.1.1.1"
>     identity = "cn=Sysadmin,ou=Applications,dc=jaring,dc=my"
>     password = XX
>     basedn = "ou=People,dc=jaring,dc=my"
>     filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>     start_tls = no
>