Radius error
I have been receiving the following error, and then radiusd is dying:

    Tue Apr 23 12:00:28 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
    Tue Apr 23 12:00:33 2002 : Error: WARNING: Unresponsive child (id 9226) for request 60860
    Tue Apr 23 12:00:33 2002 : Error: rlm_sql: All sockets are being used! Please increase the maximum number of sockets!
    Tue Apr 23 12:00:33 2002 : Error: WARNING: Unresponsive child (id 8201) for request 60861
    Tue Apr 23 12:00:33 2002 : Error: CHILD: exit on signal (11)

I have increased the maximum number of sockets available, but it is still doing it. Is there some formula that should be used in determining the total maximum number of sockets? Or a good rule of thumb?

Would it be possible to make it so radiusd will refuse packets when it is out of sockets, instead of dying?

Justin Ainsworth
Systems Administrator, Technical Support Supervisor
Sunset Net LLC, 1915 Mangrove Ave, Chico, CA 95926
PHONE: (530) 879-5660x108  FAX: (530) 879-5676
WEB: http://www.sunset.net  EMAIL: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Log good access
Change log_auth to yes in radiusd.conf:

    log_auth = yes

Justin Ainsworth

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andre Yuaca
Sent: Tuesday, April 16, 2002 2:37 PM
To: '[EMAIL PROTECTED]'
Subject: Log good access

My freeradius is logging only failed authentications (wrong password). It's not logging successful authentications. The program is started using:

    radiusd -f -z -y

Best regards,
Andre Yuaca
Simultaneous-Use
Is it possible to only enforce Simultaneous use, based on the huntgroup that the client is in?

For example, we use radius for authenticating our dial-in users. We also use it for authenticating with our news server. But, I am guessing that if I was to enable Simultaneous-Use = 1, on a user, he would be able to dial in, but when he goes to login to the news server he would get a denial, because he is already dialed in.

Ideally, I would like to be able to only enforce the simultaneous use on the modem huntgroups. The way it looks now, I would need to have 2 separate groups of radius servers, that use the same auth database to authenticate everything. Would there be a better way to do this?

Justin Ainsworth
RE: Proxying
I applied the patch, but I am still getting the exact same results.

Justin Ainsworth

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Parker
Sent: Thursday, March 28, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: Proxying

At 09:46 AM 3/28/2002 -0600, Chris Parker wrote:
> At 05:15 PM 3/27/2002 -0800, Justin Ainsworth wrote:
>>> What does debug say ( radiusd -x -x -x ) about the part where it is checking the realms?
>>
>>     modcall: entering group authorize
>>     modcall[authorize]: module preprocess returns ok
>>     rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm IPASS
>>     modcall[authorize]: module prefix returns updated
>>     rlm_realm: Proxying request from user IPASS/test to realm sunset.net
>>     modcall[authorize]: module suffix returns updated
>
> Hmmm, that is a problem. If the request has already been proxied, the module should not be attempting to proxy it again. Let me check into that.

Okay, I've added a check for 'Realm' attributes ( which rlm_realm adds when it finds a match and forwards a request ). It will now return 'noop' if it finds that it's already proxied.

Here's the patch ( or update to the latest CVS ):

Index: rlm_realm.c === RCS file: /source/radiusd/src/modules/rlm_realm/rlm_realm.c,v retrieving revision 1.35 diff -p -r1.35 rlm_realm.c *** rlm_realm.c 2002/03/26 15:37:35 1.35 --- rlm_realm.c 2002/03/28 16:28:16 *** static REALM *check_for_realm(void *inst *** 78,84 */ if ((request-proxy != NULL) || (request-username == NULL)) { ! DEBUG2(rlm_realm: Request was proxied, or no user name. Ignoring.); return NULL; } --- 78,94 */ if ((request-proxy != NULL) || (request-username == NULL)) { ! DEBUG2(rlm_realm: Proxy reply, or no user name. Ignoring.); ! return NULL; ! } ! !
/* !* Check for 'Realm' attribute. If it exists, then we've proxied !* it already ( via another rlm_realm instance ) and should return. !*/ ! ! if ( (vp = pairfind(request-packet-vps, PW_REALM)) != NULL ) { ! DEBUG2(rlm_realm: Request already proxied. Ignoring.); return NULL; }

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc.
WX *is* Wireless!
http://www.starnetwx.net  (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
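
Review bot: The added PW_REALM test near the end of the second block assigns vp but never reads it in the visible lines, and nothing in this hunk declares vp, so confirm a declaration exists earlier in check_for_realm. The test is presence-only: it cannot tell a Realm attribute added by an earlier rlm_realm instance from one that was already in the received packet, so either compare the attribute's value or record the proxy decision on the request itself. The message says the module now returns 'noop', while the visible code returns NULL from check_for_realm; a comment stating how the caller treats NULL would make that mapping explicit.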
RE: Proxying
> Also, are you sure it is proxying based on your 'prefix' definition, and not your suffix definition?

Well, I know that it is proxying to the IPASS radius server that is defined in the proxy.conf. And if I enter just the [EMAIL PROTECTED] it proxies correctly to the correct radius server, and strips it correctly.

> I'll bet what you are seeing is that it is finding the 'suffix' first, stripping it, and forwarding it. What do your 'realm' stanzas look like, and what order do they appear in your 'authorization' stanza?

These are their current definitions. I have tried switching them, and it still does the same thing. I have also tried using a completely different domain, and it still gets proxied to the IPASS server, but the domain is stripped.

    modules {
        ...
        realm sunset.net {
            format = suffix
            delimiter = @
        }
        realm IPASS {
            format = prefix
            delimiter = /
        }
        ...
    }

    authorize {
        preprocess
        sunset.net
        IPASS
        redundant {
            sql1
            sql2
        }
    }

Justin Ainsworth
RE: Proxying
> This part looks fine, though I'd recommend not using the actual realm names for the module instances.

Ok. I changed the names. We now have:

    sunset.net - suffix
    IPASS - prefix

>> authorize {
>>     preprocess
>>     sunset.net
>>     IPASS
>
> And this tells it to look for 'sunset.net' first, which it does, and strips it and proxies it. Reverse the order here and you'll get the behaviour you are looking for.

I have tried that. So this would be the order:

    authorize {
        preprocess
        prefix
        suffix
    }

So, I decided to comment out the suffix, and it starts proxying correctly. But as soon as I uncomment the suffix, no matter which order they are in, the proxying stops working. And it works the other way by commenting out the prefix, and leaving the suffix in place.

So, I guess my question is: in order for me to proxy one realm that has a prefix and needs to NOT be stripped, and another realm that has a suffix and needs to be stripped, how should I set up my authorize group?

Thanks.

Justin Ainsworth
RE: Proxying
> What does debug say ( radiusd -x -x -x ) about the part where it is checking the realms?

    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm IPASS
    modcall[authorize]: module prefix returns updated
    rlm_realm: Proxying request from user IPASS/test to realm sunset.net
    modcall[authorize]: module suffix returns updated

And later on it says:

    Login incorrect (Home Server says so): [[EMAIL PROTECTED]/test] (from nas localhost port 0)

And this is what I get in the logs in the proxy:

    Wed Mar 27 17:10:20 2002: Authenticate: from diamond.sunset.net - Invalid User: IPASS/test
    Wed Mar 27 17:10:20 2002: Rejecting user:IPASS/test

Either way, it doesn't appear to be proxying correctly when both prefix and suffix are enabled.

Justin Ainsworth

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Parker
Sent: Wednesday, March 27, 2002 4:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Proxying

At 04:44 PM 3/27/2002 -0800, Justin Ainsworth wrote:
>> This part looks fine, though I'd recommend not using the actual realm names for the module instances.
>
> Ok. I changed the names. We now have:
>
>     sunset.net - suffix
>     IPASS - prefix

That's more logical. You are defining how realms are specified in 'radiusd.conf' not what the actual realms are.

>>> authorize {
>>>     preprocess
>>>     sunset.net
>>>     IPASS
>>
>> And this tells it to look for 'sunset.net' first, which it does, and strips it and proxies it. Reverse the order here and you'll get the behaviour you are looking for.
>
> I have tried that. So this would be the order:
>
>     authorize {
>         preprocess
>         prefix
>         suffix
>     }

That should be what you want.

> So, I decided to comment out the suffix, and it starts proxying correctly. But as soon as I uncomment the suffix, no matter which order they are in, the proxying stops working. And it works the other way by commenting out the prefix, and leaving the suffix in place.

What does debug say ( radiusd -x -x -x ) about the part where it is checking the realms?

> So, I guess my question is: in order for me to proxy one realm that has a prefix and needs to NOT be stripped, and another realm that has a suffix and needs to be stripped, how should I set up my authorize group?

Nope, it should work the way you have it set up now. See what the debug output says. That may give you a clue what the problem is.

-Chris
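
An added example, not code from the thread or from FreeRADIUS: a simplified C model of the two realm instances discussed above (prefix with '/', not stripped; suffix with '@', stripped). It shows the second instance re-matching a request the first already claimed, and a "realm already set" guard of the kind Chris Parker's patch message describes stopping it. The struct and function names and the user name IPASS/test@sunset.net are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not FreeRADIUS source: a request holds the user name and
 * the realm recorded by whichever instance matched ("" means none yet). */
struct request { char user[64]; char realm[32]; };
enum rcode { RC_NOOP, RC_UPDATED };
/* One realm instance: format 'p' = realm<delim>user, 's' = user<delim>realm. */
struct realm_inst { char format; char delim; int strip; };

static enum rcode realm_authorize(const struct realm_inst *in,
                                  struct request *req, int check_realm)
{
    /* Guard described in the thread: a realm is already recorded, so an
     * earlier instance has claimed this request and this one does nothing. */
    if (check_realm && req->realm[0] != '\0') return RC_NOOP;
    char *d = (in->format == 'p') ? strchr(req->user, in->delim)
                                  : strrchr(req->user, in->delim);
    if (d == NULL) return RC_NOOP;
    if (in->format == 'p') {
        snprintf(req->realm, sizeof req->realm, "%.*s", (int)(d - req->user), req->user);
        if (in->strip) memmove(req->user, d + 1, strlen(d + 1) + 1);
    } else {
        snprintf(req->realm, sizeof req->realm, "%s", d + 1);
        if (in->strip) *d = '\0';
    }
    return RC_UPDATED;
}

/* Run the authorize order "prefix, suffix"; returns the realm left on the request. */
static const char *run_chain(const char *user, int check_realm, struct request *req)
{
    const struct realm_inst prefix = { 'p', '/', 0 };  /* IPASS/user, kept whole */
    const struct realm_inst suffix = { 's', '@', 1 };  /* user@realm, stripped */
    snprintf(req->user, sizeof req->user, "%s", user);
    req->realm[0] = '\0';
    realm_authorize(&prefix, req, check_realm);
    realm_authorize(&suffix, req, check_realm);
    return req->realm;
}

int main(void)
{
    struct request r;
    for (int g = 0; g <= 1; g++) {  /* constructed user name; the thread's is redacted */
        const char *realm = run_chain("IPASS/test@sunset.net", g, &r);
        printf("guard=%d realm=%s user=%s\n", g, realm, r.user);
    }
    return 0;
}
```

Without the guard the request ends up addressed to sunset.net with the user name cut to IPASS/test, which is the shape of the "Invalid User: IPASS/test" line in the proxy log above.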