Radius error

2002-04-24 Thread Justin Ainsworth

I have been receiving the following error, and then radiusd is dying:

Tue Apr 23 12:00:28 2002 : Error: rlm_sql: All sockets are being used!
Please increase the maximum number of sockets!
Tue Apr 23 12:00:33 2002 : Error: WARNING: Unresponsive child (id 9226)
for request 60860
Tue Apr 23 12:00:33 2002 : Error: rlm_sql: All sockets are being used!
Please increase the maximum number of sockets!
Tue Apr 23 12:00:33 2002 : Error: WARNING: Unresponsive child (id 8201)
for request 60861
Tue Apr 23 12:00:33 2002 : Error: CHILD: exit on signal (11)

I have increased the maximum number of sockets available, but it is
still doing it.  Is there some formula that should be used in
determining the total maximum number of sockets?  Or a good rule of
thumb?

Would it be possible to make it so radiusd will refuse packets when it
is out of sockets, instead of dying?

  .~.
  /v\
--   // \\
JA  /(   )\
 ^`~`^
   L I N U X
[---]
 Justin Ainsworth             Systems Administrator
 PHONE: (530) 879-5660x108    Technical Support Supervisor
 FAX:   (530) 879-5676        Sunset Net LLC
 WEB:   http://www.sunset.net 1915 Mangrove Ave
 EMAIL: [EMAIL PROTECTED]     Chico, CA 95926
[---] 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Log good access

2002-04-16 Thread Justin Ainsworth

Change log_auth to yes in radiusd.conf

log_auth = yes


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Andre Yuaca
 Sent: Tuesday, April 16, 2002 2:37 PM
 To: '[EMAIL PROTECTED]'
 Subject: Log good access
 
 
 
 My freeradius is logging only failed authentications (wrong 
 password). It's not logging successful authentications. 
 The program is started using: radiusd -f -z -y
 
 Best regards,
 
 Andre Yuaca
 



Simultaneous-Use

2002-04-09 Thread Justin Ainsworth

Is it possible to only enforce Simultaneous use, based on the huntgroup
that the client is in?

For example, we use radius for authenticating our dial-in users.  We
also use it for authenticating with our news server.

But, I am guessing that if I was to enable Simultaneous-Use = 1, on a
user, he would be able to dial in, but when he goes to login to the news
server he would get a denial, because he is already dialed in.  Ideally,
I would like to be able to only enforce the simultaneous use on the
modem huntgroups.

The way it looks now, I would need to have 2 separate groups of radius
servers, that use the same auth database to authenticate everything.

Would there be a better way to do this?




RE: Proxying

2002-03-29 Thread Justin Ainsworth

I applied the patch, but I am still getting the exact same results.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Chris Parker
 Sent: Thursday, March 28, 2002 8:33 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Proxying
 
 
 At 09:46 AM 3/28/2002 -0600, Chris Parker wrote:
 At 05:15 PM 3/27/2002 -0800, Justin Ainsworth wrote:
   What does debug say ( radiusd -x -x -x ) about the part where
   it is checking the realms?
 
 modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: Proxying request from user [EMAIL PROTECTED] to 
 realm IPASS
modcall[authorize]: module prefix returns updated
rlm_realm: Proxying request from user IPASS/test to 
 realm sunset.net
modcall[authorize]: module suffix returns updated
 
 Hmmm, that is a problem.  If the request has already been 
 proxied, the
 module should not be attempting to proxy it again.
 
 Let me check into that.
 
 Okay, I've added a check for 'Realm' attributes ( which rlm_realm adds
 when it finds a match and forwards a request ).
 
 It will now return 'noop' if it finds that it's already 
 proxied.  Here's
 the patch ( or update to the latest CVS ):
 
 Index: rlm_realm.c
 ===
 RCS file: /source/radiusd/src/modules/rlm_realm/rlm_realm.c,v
 retrieving revision 1.35
 diff -p -r1.35 rlm_realm.c
 *** rlm_realm.c 2002/03/26 15:37:35 1.35
 --- rlm_realm.c 2002/03/28 16:28:16
 *** static REALM *check_for_realm(void *inst
 *** 78,84 
   */
  if ((request-proxy != NULL) ||
  (request-username == NULL)) {
 !   DEBUG2(rlm_realm: Request was proxied, 
 or no user 
 name.  Ignoring.);
  return NULL;
  }
 
 --- 78,94 
   */
  if ((request-proxy != NULL) ||
  (request-username == NULL)) {
 !   DEBUG2(rlm_realm: Proxy reply, or no user 
 name.  Ignoring.);
 !   return NULL;
 !   }
 !
 !   /*
 !*  Check for 'Realm' attribute.  If it exists, 
 then we've proxied
 !*  it already ( via another rlm_realm instance ) 
 and should 
 return.
 !*/
 !
 !   if ( (vp = pairfind(request-packet-vps, PW_REALM)) 
 != NULL ) {
 !   DEBUG2(rlm_realm: Request already 
 proxied.  Ignoring.);
  return NULL;
  }
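Review bot: in the added PW_REALM check at the end of the new side of this hunk, vp is assigned from pairfind() but only compared against NULL, and no declaration of vp appears in the visible lines; either confirm vp is declared at the top of check_for_realm() or drop the assignment and test the pairfind() result directly. If vp is kept, the new DEBUG2 line could include the realm value it holds, so that radiusd -x output shows which instance already claimed the request. The new comment should also say that this check makes the order of the rlm_realm instances in authorize decisive: when a user name carries both a prefix and a suffix realm, the first instance listed wins and the later one is skipped.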
 
 -Chris
 --
 \\\|||///  \  StarNet Inc.  \Chris Parker
 \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
 | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
 oOo---(_)---oOo--\
 --
\ Wholesale Internet Services - 
http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
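
The following added example (not part of the thread and not FreeRADIUS code) models the double match shown in the quoted debug output and the "Realm already set" check the patch describes. The struct, the function names and the user name IPASS/test@sunset.net are constructed for illustration, and every extracted realm is assumed to be configured.

```c
/* Added illustration, not FreeRADIUS source: two realm instances run in
 * order, with and without the "already proxied" guard from the thread. */
#include <stdio.h>
#include <string.h>

enum fmt { PREFIX, SUFFIX };
struct req {
    const char *username; /* User-Name as received */
    char realm[64];       /* stands in for the Realm attribute, "" = unset */
    int claims;           /* number of instances that decided to proxy */
};
/* Returns 1 ("updated") when the instance claims the request, 0 ("noop"). */
static int realm_instance(struct req *r, enum fmt f, char delim, int guard)
{
    const char *p, *name;
    size_t n;
    if (r->username == NULL || (guard && r->realm[0] != '\0'))
        return 0; /* no user name, or an earlier instance already set Realm */
    p = (f == PREFIX) ? strchr(r->username, delim) : strrchr(r->username, delim);
    if (p == NULL)
        return 0; /* delimiter absent: this instance does not apply */
    name = (f == PREFIX) ? r->username : p + 1;
    n = (f == PREFIX) ? (size_t)(p - r->username) : strlen(p + 1);
    if (n == 0 || n >= sizeof(r->realm))
        return 0; /* empty or oversized realm: leave the request alone */
    memcpy(r->realm, name, n);
    r->realm[n] = '\0';
    r->claims++;
    return 1;
}

/* Runs the prefix ('/') then the suffix ('@') instance, as in authorize. */
static int run_authorize(const char *user, int guard, char *out, size_t len)
{
    struct req r = { user, "", 0 };
    realm_instance(&r, PREFIX, '/', guard);
    realm_instance(&r, SUFFIX, '@', guard);
    snprintf(out, len, "%s", r.realm);
    return r.claims;
}

int main(void)
{
    char a[64], b[64];
    const char *u = "IPASS/test@sunset.net"; /* constructed sample name */
    int x = run_authorize(u, 0, a, sizeof a), y = run_authorize(u, 1, b, sizeof b);
    printf("no guard: %d claims (%s); guard: %d claims (%s)\n", x, a, y, b);
    return 0;
}
```

Without the guard both instances claim the request and the later one overwrites the realm; with it, only the first matching instance does.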



RE: Proxying

2002-03-27 Thread Justin Ainsworth

 
 Also, are you sure it is proxying based on your 'prefix' 
 definition, and not your suffix definition?

Well, I know that it is proxying to the IPASS radius server that is
defined in the proxy.conf.  And if I enter just the [EMAIL PROTECTED] it
proxies correctly to the correct radius server, and strips it correctly.


 
 I'll bet what you are seeing is that it is finding the 
 'suffix' first, stripping it, and forwarding it.
 
 What do your 'realm' stanzas look like, and what order do 
 they appear in your 'authorization' stanza?

These are their current definitions.  I have tried switching them, and it
still does the same thing.  I have also tried using a completely
different domain, and it still gets proxied to the IPASS server, but the
domain is stripped.

modules {
    ...
    realm sunset.net {
        format = suffix
        delimiter = @
    }

    realm IPASS {
        format = prefix
        delimiter = /
    }
    ...
}

authorize {
    preprocess
    sunset.net
    IPASS
    redundant {
        sql1
        sql2
    }
}






RE: Proxying

2002-03-27 Thread Justin Ainsworth

 This part looks fine, though I'd recommend not using the 
 actual realm names for the module instances.
 

Ok.  I changed the names.  We now have:
sunset.net - suffix
IPASS - prefix

 authorize {
  preprocess
  sunset.net
  IPASS
 
 And this tells it to look for 'sunset.net' first, which it 
 does, and strips it and proxies it.  Reverse the order here 
 and you'll get the behaviour you are looking for.

I have tried that.  So this would be the order:

authorize {
    preprocess
    prefix
    suffix
}

So, I decided to comment out the suffix, and it starts proxying
correctly.  But as soon as I uncomment the suffix, no matter which order
they are in, the proxying stops working.  And it works the other way by
commenting out the prefix, and leaving the suffix in place.

So, I guess my question is, in order for me to proxy one realm that has
a prefix and needs to NOT be stripped, and another realm, that has a
suffix and needs to be stripped, how should I set up my authorize group?

 
Thanks.




RE: Proxying

2002-03-27 Thread Justin Ainsworth

 What does debug say ( radiusd -x -x -x ) about the part where 
 it is checking the realms?

modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm IPASS
  modcall[authorize]: module prefix returns updated
  rlm_realm: Proxying request from user IPASS/test to realm sunset.net
  modcall[authorize]: module suffix returns updated

And later on it says:

Login incorrect (Home Server says so): [[EMAIL PROTECTED]/test]
(from nas localhost port 0)

And this is what I get in the logs in the proxy:

Wed Mar 27 17:10:20 2002: Authenticate: from diamond.sunset.net -
Invalid User: IPASS/test
Wed Mar 27 17:10:20 2002: Rejecting user:IPASS/test


Either way, it doesn't appear to be proxying correctly, when both
prefix, and suffix are enabled.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Chris Parker
 Sent: Wednesday, March 27, 2002 4:59 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Proxying
 
 
 At 04:44 PM 3/27/2002 -0800, Justin Ainsworth wrote:
   This part looks fine, though I'd recommend not using the actual 
   realm names for the module instances.
  
 
 Ok.  I changed the names.  We now have:
 sunset.net - suffix
 IPASS - prefix
 
 That's more logical.  You are defining how realms are 
 specified in 'radiusd.conf' not what the actual realms are.
 
   authorize {
preprocess
sunset.net
IPASS
  
   And this tells it to look for 'sunset.net' first, which 
 it does, and 
   strips it and proxies it.  Reverse the order here and 
 you'll get the 
   behaviour you are looking for.
 
 I have tried that.  So this would be the order:
 
 authorize {
  preprocess
  prefix
  suffix
 }
 
 That should be what you want.
 
 So, I decided to comment out the suffix, and it starts proxying 
 correctly.  But as soon as I uncomment the suffix, no matter which 
 order they are in, the proxying stops working.  And it works 
 the other 
 way by commenting out the prefix, and leaving the suffix in place.
 
 What does debug say ( radiusd -x -x -x ) about the part where 
 it is checking the realms?
 
 So, I guess my question is, in order for me to proxy one 
 realm that has 
 a prefix and needs to NOT be stripped, and another realm, that has a 
 suffix and needs to be stripped, how should I set up my 
 authorize group?
 
 Nope, it should work the way you have it set up now.  See what 
 the debug output says.  That may give you a clue what the problem is.
 
 -Chris