Re: Easy User Interface?
As for configuring the server... {scratching head} ...that isn't available.
Once the servr is configured, it shouldn't require very much fiddling
with, but it would be nice to be able to change more than just user
accounts. Eventualy it would be nice to be able to maintain realms, and
NAS configurations as well.
Yes. this would be trivially possible by way of storing this information
in SQL, however as has been discussed previously on the list this can
open the server up to a DoS attack, therefore the NAS and realms info
should be stored in SQL, but not accessed in real time but rather loaded
once on server start up and SIGHUP.
As yet no-one has stepped up to the plate with code to impliment this :-)
Cheer
Peter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: (no subject)
Alfonso Gallegos wrote: Can anybody tell me if FreeRadius will work with a Nortel VPN Contivity Gateway? In other words, is FreeRadius limited to work with specific vendor products or can it authenticate any client type? It should work with any device that supports RADIUS. Some devices have Vendor Specific Additions to the RADIUS spec, in which case FreeRADIUS needs to needs to know about the extensions by way of a dictionary file. There is no Nortel specific dictionary in FreeRADIUS at this time, probably because it doesn't need one. If you find out that it does feel free to tell us and we will update FreeRADIUS :-) Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius
ali hadim wrote: are you runing radius server with windows platform? No. FreeRADIUS is designed to run on Unix and Linux only. and can I using connection php for radius server? What do you want to do with it? Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: One suggestion about the default config file
Alan DeKok wrote: Damjan <[EMAIL PROTECTED]> wrote: The FreeRadius default config file is pretty much complete and working right out of the box. It's only that for some more advanced features the admin *must* make some local changes. Yup. I've noticed that a lot of questions asked here are due to people not having the patience to read the config file in full, or beeing confused by options not relevant to te problem thay are trying to solve. If they're not willing to read the configuration file, then they're probably not willing to read answers to their questions on the list. See previous flamewars. I propose a sollution to this, one that's easy to implement on one hand, but will reduce the confusion some people have about configuring freeradius: I think the config file should be split in several smaller files, inculded by the main file (for ex. eap.conf, ldap.conf ...) sql.conf is a good exaple how this actually works. I'm not sure that would help, and I don't see it as necessary. Apache has one large http.conf file, and no one seems to have problems with it. Actually this is not entirely correct, at least not with vendor supplied versions of apache. On SuSE Linux httpd.conf is actually split into about 6 different files, for standard config, vhosts, sslconfig, aditional modules etc Having said that, radius.conf is significantly shorter than httpd.conf and I am not sure if the ldap config which is currently less that one screen long in vim (at my resolution) really warrants a separate file. Cheers Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Apologies; Ignoring Request from unknown client 192.168.2.102:2786
Justin Bailey wrote:
I apologize for my last post that did not adhere to all of the list
guidelines. I'll try again.
I just installed freeRadius 0.9.3 on RedHat Linux 6.2. Everything ran
smoothly until testing. When I attempt to use NTRadPing to test the
radius server, I receive the following message in debugging mode:
rad_recv: Access-Request packet from host 192.168.2.102:2786, id=7,
length=44
Ignoring request from unknown client 192.168.2.102:2786
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
I have the following entry already in the clients.conf file.
client 192.168.2.102 {
secret = testMe
}
Did you restart FreeRADIUS after adding the entry to clients.conf?
Peter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dialup Admin with PostgreSQL and NetSNMP support
http://www.peternixon.net/tmp/dialupadmin-pg-netsnmp.tar.bz I have not yet had time to look at it. Cheers Peter On Monday 01 December 2003 18:00, Guy Fraser wrote: > I sent the tarball to Peter Nixon. > > Since I changed all the filename extensions from .php3 to .php, a patch > would be twice as > large, unless I did some trickery. I'll look into it. > > Kostas Kalevras wrote: > >On Fri, 28 Nov 2003, Guy Fraser wrote: > >>Hmm... > >> > >>The updated version of dialup admin I sent in didn't seem to show > >>up on the list. > >> > >>The attachment was 70kB, I presume thats why. > >> > >>Where should I send this updated source, so it can be tested, and > >>put into the main source? > > > >I 'd rather prefer a patch to the current CVS version rather than the > > whole thing. Either put it on a web page somewhere, or send it to me > > directly. Though i don't use postgresql > > > >>-- > >>Guy Fraser > >>Network Administrator > >>The Internet Centre > >>780-450-6787 , 1-888-450-6787 > >> > >>There is a fine line between genius and lunacy, fear not, walk the > >>line with pride. Not all things will end up as you wanted, but you > >>will certainly discover things the meek and timid will miss out on. > >> > >> > >> > >> > >>- > >>List info/subscribe/unsubscribe? See > >> http://www.freeradius.org/list/users.html > > > >-- > >Kostas Kalevras Network Operations Center > >[EMAIL PROTECTED]National Technical University of Athens, Greece > >Work Phone: +30 210 7721861 > >'Go back to the shadow' Gandalf > > > >- > >List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MRTG graphing from radacct sql data
On Monday 01 December 2003 00:53, Joe Maimon wrote: > Hello all, > > I have put togetother a couple scripts and a program that allows me to > MRTG graph dialup users from the radius accounting sql table. > > Very unpolished. If anyone is interested in helping me develop/test, > please drop me a line. > > Thanks, > Hi Joe Please send me a copy also. Note: I mailed you direct but your server thinks my cable connected postfix server is from a spammers IP range :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: script to move account flat files to MySQL
Zoup wrote: On Sunday 30 November 2003 08:07, Alan DeKok wrote: Zoup <[EMAIL PROTECTED]> wrote Huh? WHat do you mean by that? What scripts are you talking about There is no "secret" CVS repository of scripts. It's all public, and all scripts are distributed with the server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html those scripts are *not* on the cvs or anywhere else but this list :) users2mysqlfile.pl , users2pgsqlfile.pl ! :) i know its all public , i think its better to package this script with freeradius :) After I have time (Maybe tomorrow depending on workload) to look at the code in those scripts I may (with Alan's permission) add them to cvs. Regards Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: script to move account flat files to MySQL
[EMAIL PROTECTED] wrote: Hello, I am working on getting the radius account logs to write to MySQL, in the mean time I am still logging accounting information to flat files. I am looking for a script that will take my daily accounting flat files and insert them into MySQL. Does anyone know of any scripts that will do this? I have been looking around and have not found any. there is a script in src/accounting that can do this. It is currently h323 specific, although you can trivially modify it to work with the standard database schema. Let me know if you have trouble with it.. Regards Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Postgresql Traffic Accounting Update
Didi Rieder wrote:
--On Friday, November 28, 2003 06:13:30 PM +0200 Peter Nixon
<[EMAIL PROTECTED]> wrote:
In any case I have added your suggested changes to sql.conf in the
mainline cvs. However can you please double check your suggestions and
compare with Arthur's patch for postgres. His patch does some checks that
yours does not.. If you come up with a revised patch feel free to mail it
to me directly and I will commit it.
we use now the following query with freeradius 0.93, an Oracle database
and Cisco NASes:
accounting_update_query = "UPDATE ${acct_table1} \
SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', ''), \
AcctSessionTime = '%{Acct-Session-Time}', \
AcctInputOctets = '%{Acct-Input-Octets}', \
AcctOutputOctets = '%{Acct-Output-Octets}' \
WHERE \
AcctSessionId = '%{Acct-Session-Id}' AND \
UserName = '%{SQL-User-Name}' AND \
NASIPAddress= '%{NAS-IP-Address}' AND \
AcctStopTime IS NULL"
It works just fine since a few weeks.
OK. I have commited it to mainline cvs.
If you have time can you please compare the rest of the oracle queries
to the ones in postgresql.conf and see if any of them can be used also.
I believe they should pretty much "just work" on oracle, but I do not
have an oracle box :-(
You may need to have a look at the postgres schema too..
Thanks
Peter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dialup Admin with PostgreSQL and NetSNMP support
Guy Fraser wrote: Hmm... The updated version of dialup admin I sent in didn't seem to show up on the list. The attachment was 70kB, I presume thats why. Where should I send this updated source, so it can be tested, and put into the main source? Mail it to me directly.. Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Postgresql Traffic Accounting Update
Peter Nixon wrote:
Arthur B Olsen wrote:
The Acct-Interim-Interval does not update the acctinputoctets and
acctoutputoctets in postgresql as it does in files.
I dont know if this is the desired behavior, or if this is a mistake.
But to correct/change this, you can change your postgresql.conf like
this:
# accounting_update_query = "UPDATE ${acct_table1} \
# SET FramedIPAddress = NULLIF('%{Framed-IP-Address}',
'')::inet \
# WHERE AcctSessionId = '%{Acct-Session-Id}' AND
UserName = '%{SQL-User-Name}' \
# AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime
IS NULL"
accounting_update_query = "UPDATE ${acct_table1} \
SET FramedIPAddress = NULLIF('%{Framed-IP-Address}',
'')::inet, \
AcctInputOctets =
(('%{Acct-Input-Gigawords:-0}'::bigint << 32) +
'%{Acct-Input-Octets:-0}'::bigint), \
AcctOutputOctets =
(('%{Acct-Output-Gigawords:-0}'::bigint << 32) +
'%{Acct-Output-Octets:-0}'::bigint) \
WHERE AcctSessionId = '%{Acct-Session-Id}' AND
UserName = '%{SQL-User-Name}' \
AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime
IS NULL"
And your accounting will be updated with the interval set with
Acct-Interim-Interval.
Commited. thanks
After thinking about this patch a little I have added an extra line in
addition to your suggested ones. It updates AcctSessionTime also. The
final query is:
accounting_update_query = "UPDATE ${acct_table1} \
SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
AcctSessionTime = (EXTRACT(EPOCH FROM(now()::timestamp with time zone
- AcctStartTime::timestamp with time zone - '%{Acct-Delay-Time:-0}'::inter
val)))::BIGINT, \
AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint << 32) +
'%{Acct-Input-Octets:-0}'::bigint), \
AcctOutputOctets = (('%{Acct-Output-Gigawords:-0}'::bigint << 32
) + '%{Acct-Output-Octets:-0}'::bigint) \
WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL
-User-Name}' \
AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
If there is any MySQL users around, they might like to take a look at
some of the queries we are using in postgresql.conf and see if they can
be ported to MySQL. There is several sanity checks and also automatic
adjustment of Start and Stop times to take out accounting skew that only
happens if you use postgresql currently...
Any takers??
Peter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Postgresql Traffic Accounting Update
Arthur B Olsen wrote:
The Acct-Interim-Interval does not update the acctinputoctets and acctoutputoctets in
postgresql as it does in files.
I dont know if this is the desired behavior, or if this is a mistake.
But to correct/change this, you can change your postgresql.conf like this:
# accounting_update_query = "UPDATE ${acct_table1} \
# SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet \
# WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' \
# AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
accounting_update_query = "UPDATE ${acct_table1} \
SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint << 32) +
'%{Acct-Input-Octets:-0}'::bigint), \
AcctOutputOctets = (('%{Acct-Output-Gigawords:-0}'::bigint << 32) +
'%{Acct-Output-Octets:-0}'::bigint) \
WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' \
AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
And your accounting will be updated with the interval set with Acct-Interim-Interval.
Commited. thanks
Peter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Postgresql Traffic Accounting Update
Didi Rieder wrote: --On Wednesday, November 26, 2003 01:13:48 AM +0200 Peter Nixon <[EMAIL PROTECTED]> wrote: Thanks. I will check this into CVS tomorrow. I asked this list about this issue some week ago: http://www.mail-archive.com/[EMAIL PROTECTED]/msg21337.html http://www.mail-archive.com/[EMAIL PROTECTED]/msg21425.html but nobody wanted to comment on that. So, thanks to Arthur for bringing up the topic again! Hi Didi Unfortunately I get alot of email and therefore bulk delete alot of the messages I recieve from mailing lists :-( In this instance your email went to the users list (which I rarely have time to read) as opposed to the devel list which is where discussion of changes usually happens. It also didn't contains the words "Postgres" or "VoIP" which are the 2 bits of FreeRADIUS I mostly am involved with. I can't say as to why no-one else replied to you, other than to say most of the other developers are fairly busy also :-) In any case I have added your suggested changes to sql.conf in the mainline cvs. However can you please double check your suggestions and compare with Arthur's patch for postgres. His patch does some checks that yours does not.. If you come up with a revised patch feel free to mail it to me directly and I will commit it. Regards Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PostgreSQL
David Cadenas wrote: Hi! I have a problem when I load the radiusd -X rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #0 rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:radius rlm_sql_postgresql: Postgresql error 'could not connect to server: Connection refused ?Is the server running on host localhost and accepting ?TCP/IP connections on port 5432? ' rlm_sql (sql): Failed to connect DB handle #0 rlm_sql (sql): starting 1 rlm_sql (sql): starting 2 rlm_sql (sql): starting 3 rlm_sql (sql): starting 4 rlm_sql (sql): Failed to connect to any SQL server. The database radius exists, and the postgresql is running in init.d. Is there any file where you can define the port in the connection? Thanks DAvid Did you enable the postgres TCP socket? Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Postgresql Traffic Accounting Update
After checking back through the cvs history it seems that it has never
been like this. I am currently out of the office on holiday, but I will
certainly check this in in the near future.
Cheers
Peter
David wrote:
I had this problem with mysql and Dustin Doris mentioned the sql.conf file
for you it would be the postgresql.conf file. You need to change the update
statement to update the rest of the information. I am not sure why it does
not do it by default.
David
David Blood
Account Executive
SpeedyQuick Networks, Inc
Boise, Id
www.speedyquick.net
208.284.5505
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Peter Nixon
Sent: Tuesday, November 25, 2003 4:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Postgresql Traffic Accounting Update
Arthur B Olsen wrote:
The Acct-Interim-Interval does not update the acctinputoctets and
acctoutputoctets in postgresql as it does in files.
I dont know if this is the desired behavior, or if this is a mistake.
But to correct/change this, you can change your postgresql.conf like this:
# accounting_update_query = "UPDATE ${acct_table1} \
# SET FramedIPAddress = NULLIF('%{Framed-IP-Address}',
'')::inet \
# WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' \
# AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS
NULL"
accounting_update_query = "UPDATE ${acct_table1} \
SET FramedIPAddress = NULLIF('%{Framed-IP-Address}',
'')::inet, \
AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint
<< 32) + '%{Acct-Input-Octets:-0}'::bigint), \
AcctOutputOctets = (('%{Acct-Output-Gigawords:-0}'::bigint
<< 32) + '%{Acct-Output-Octets:-0}'::bigint) \
WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' \
AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS
NULL"
And your accounting will be updated with the interval set with
Acct-Interim-Interval.
Thanks.
I will check this into CVS tomorrow.
Peter
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Postgresql Traffic Accounting Update
Arthur B Olsen wrote:
The Acct-Interim-Interval does not update the acctinputoctets and acctoutputoctets in
postgresql as it does in files.
I dont know if this is the desired behavior, or if this is a mistake.
But to correct/change this, you can change your postgresql.conf like this:
# accounting_update_query = "UPDATE ${acct_table1} \
# SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet \
# WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' \
# AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
accounting_update_query = "UPDATE ${acct_table1} \
SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint << 32) +
'%{Acct-Input-Octets:-0}'::bigint), \
AcctOutputOctets = (('%{Acct-Output-Gigawords:-0}'::bigint << 32) +
'%{Acct-Output-Octets:-0}'::bigint) \
WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' \
AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
And your accounting will be updated with the interval set with Acct-Interim-Interval.
Thanks.
I will check this into CVS tomorrow.
Peter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Are there any downfalls of using SuSE Linux versus other flavors Linux/Unix with FreeRadius?
On Friday 07 November 2003 17:36, Michael Melanson wrote: > Folks > > It was not my intent to start a "Holy War". > My appologies. > > > Allow me to explain. Maybe I should have don this from the word go. > I do not speak a lick of Linux, period. > I have not a clue on how to use it. Having said that I am seeking your > > experieince, insight and knowledge on the easiest and fastest way to > get freeradius up and running with the least amount of learning curve. > > Does this make sense? I am not saying I want to do a "quick & dirty" > setup. > > We are mix of primarily Netware 6, with winblows servers along with > RedHat boxes. > > >From some the feedback thus far, it make sense to either looks at > > RedHat Fedora or > SUSE at this point. Having reduced it to these two options which is > better for a Linux > illiterate like me to start with? I have done some research and the > comment that was > made was > "IF you can install windows you can install SuSE" Any truth to it? I am a FreeRADIUS developer.. I have used SuSE for 5 years. I can use SuSE but I struggle to do alot of things in Windows. I maintain the FreeRADIUS RPM spec file for SuSE Linux and frequently sync patches with the SuSE maintainer. I build SuSE rpms of FreeRADIUS for my own servers and sometimes get around to uploading them to freeradius.org My SuSE FreeRADIUS P4 servers handle up to 500 radius accounting requests per second with a Postgresql backend. RedHat annoys/confuses the hell out of me, but then I like things to just work :-) I hope that helps.. Others will probably disagree with my last statement. Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: script/create-users.pl - db support
On Friday 07 November 2003 17:13, Ulrich Walcher wrote: > Hi list, > I enhanced create-users.pl to write 'new' unique users directly to > Postgres or MySQL DBs if required. > As my knowledge in perl is limited someone will find some things are not > written in the most efficient way. Anyway, some people are using it and > so far it's working properly. > Uli Thanks Ulrich I will take a look at this.. In future can you post things like this (ie. code) to the devel list as not all the developers keep a close eye on the users list. Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: maybe it's a really newbie/lame question
On Fri October 17 2003 14:25, wiking wrote: > Hi there! > > i've got a really stupid problem here, and maybe it cannot be solved any > way but here it is: > i want to get the following informations (accounting fields) from > freeradius server, when a user authenticated himself: > Acct-Session-Time > Acct-Input-Packets > Acct-Output-Packets > > is it possible anyway, or i just want a service from radius server that it > is not build for? The information you want is available in the "Stop" accounting records. This type of information is not available in authentication packets. In any case there is not data passed until after Authentication happens, so the values would always be 0. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Random auth failure issue
Yup. Looks like a MySQL bug. Try upgrading or switch to another DB :-) Peter On Thu August 28 2003 22:15, Mark Hennessy wrote: > From debug output: > > rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect > 0 > modcall[accounting]: module "sql" returns fail > > Well, that answers that I guess. > > -- > Mark P. Hennessy [EMAIL PROTECTED] > > On Thu, 28 Aug 2003, Mark Hennessy wrote: > > Date: Thu, 28 Aug 2003 15:02:13 -0400 (EDT) > > From: Mark Hennessy <[EMAIL PROTECTED]> > > Reply-To: [EMAIL PROTECTED] > > To: [EMAIL PROTECTED] > > Subject: Random auth failure issue > > > > I know this question might be a bit vague, but... > > What might cause a freeRADIUS server to start returning failed > > authentication responses when correct information is given after it > > has been running successfully and returning correct responses for many > > days. I have to kill radiusd and restart it to get it to accept requests > > again. I am using freeRADIUS with MySQL providing the access information > > to freeRADIUS and catching accounting data. What other information > > should I be providing and what else should I look at? > > > > Relevant systems in use: > > freeRADIUS 0.9.0 release > > MySQL 4.0.13 with linuxthreads > > FreeBSD 4.8 > > > > -- > > Mark P. Hennessy [EMAIL PROTECTED] > > > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LOg to syslog
On Thu August 28 2003 11:50, Roberto Pioli wrote: > It is possible to log to syslog freeradius log's? No, not directly. You would not want to do this anyway as syslog can be quite slow.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: the max users freeradius supported
On Wed August 27 2003 03:35, 黄建波 wrote: > Peter Nixon: >Thank you for your reply!And I want to know wether Freeradius can > support 3 Simultaneous users online! Yes. It can support any number of users you want as long as you use and appropriate SQL backend and have enough processor and RAM available. FreeRADIUS does not have any inherent limitation on the number of users. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: the max users freeradius supported
On Tue August 26 2003 18:05, Alan DeKok wrote: > "=?GB2312?Q?=BB=C6=BD=A8=B2=A8?=" <[EMAIL PROTECTED]> wrote: > > I am Chinese.My System have about 2-3 Simultaneous > > users,and the Freeradius's version is 0.8.Can the Freeradius > > support? > > Yes. I would suggest an SQL back-end, and a fairly large machine. > You may have periods of large activity. > > I would also suggest running 0.9.0, as it contains a number of bug > fixes over 0.8 Further to Alan's suggestion I will make the following suggestions, none of them are mandatory, but this is how I would do it in your case. * Use Postgresql as a DB backend. You may find MySQL good enough for you (Or may own Oracle which is great :-), but in my experience Postgres is better than MySQL under high loads. Others may disagree with me. * If you have the budget for it and reliability is and issue, use 3 (or more) machines where you have 2 identical machines acting as RADIUS servers and one machine with fast hard disks acting as the DB backend. (If you wish you can have mutiple DBs. It all depends on budget) * Set all of your NAS boxes with both RADIUS servers listed, but have 50% with one RADIUS server as the primary, and the rest with the other RADIUS server as the primary. You don't say if you need to do accounting on the fly or not. If you do wish to have the Accounting records going directly to a DB rather than post processed, your DB server will need to be quite fast and have FAST DISKS. Hope that helps -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: High CPU load
On Tue August 26 2003 10:53, Costas Christonis wrote: > Hi to all, > > > We were trying to install freeradius 0.9 but the linux machine had high > cpu load (over 90%) when we were strting ridusd deamon. Does anyone had the > same problem ? With version 0.8 we had no problem... More info please... What modules? What load? What Linux? Is there a DB backend? etc etc.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting with Quintum
On Mon August 25 2003 07:14, [EMAIL PROTECTED] wrote: > Hi there, > > I have a Quintum AS800 used for terminating calls. I'm running the CDR > server utility to calculate the minutes generated by it and then make > accounting. I have heard that I can do the whole things with Freeradius. > Can any one there who can help me in this regards that how can I set up > the whole things and which configuration I need to add in quintum & > freeeradius. Hmm.. Have a look in the src/billing directory It contains some info about seting up FreeRadius to do VoIP accounting with Cisco gateways. You should be able to modify the code there to work with Quintum, or maybe just use the default FreeRadius with a Postgres backend (without the schema changes in src/billing). It really depends on your requirements. I wrote the cisco specific stuff, but I dont have quintum, although I will help you where I can. Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius+mysql prepaid (block time)
On Tue August 26 2003 07:41, Scott wrote: > I have freeradius running and authenticating/accounting via mysql. Very > slick. > > I can see the accounting showing up in mysql with an accurate > AcctSessionTime. Is there a way to keep a running total of these times per > user and authenticate not only on the basis of password but also on the > value of the total connection time? > > I've searched the web and found some references to some python hacks but > not really come across anything concrete. It shouldn't be too difficult to do with some stored procedures on your DB, but as you are using MySQL you will probably have to do it another way. A small amount of Perl or Python could also do it.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS now part of Red Hat Linux
On Mon August 18 2003 14:39, Sepp Rudel wrote: > Just FYI: freeradius RPM is now part of latest RHL > beta (severn). If not already, at least now it's clear > that freeradius is/will be the default radiusd for Linux. So finally RH sees the light. SuSE, Debian and several other distributons have had FreeRadius included for several versions now :-) Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco VSA hack problem
On Tue August 19 2003 07:55, Dmitry Melekhov wrote: > Hello! > > I have following in preprocess: > >with_cisco_vsa_hack = yes > > > But I have following in detail : > >h323-call-origin = "h323-call-origin=proxy" > h323-call-type = "h323-call-type=VoIP" > > Do I have something wrong in configuration or this feature doesn't work? Which version are you using? If not 0.9.0 then upgrade... It should work, I have been using it for a long time, although versions prior to 0.7 (I think) were broken and needed a patch. If you do have a new version of FR did you restart it after setting that option?? Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Static Route Assignment
On Thu August 7 2003 20:01, Steve Hutchison wrote: > Is there a way to assign static routes to a customer that is dialing into a > NAS and have the route then distributed via BGP? I have multiple NAS's in > which the customer can land on and need a dynamic answer > > I am looking at applying Cisco-AVPair "ip:route=1.1.1.1 255.255.255.0 > 2.2.2.2" to a customer that is dialing into a NAS w/ multiple ISDN Bri > lines and then distributing via BGP.. Hmm.. Not sure if you want to do it with BGP, OSPF might be more what you are looking for. I have done this with OSPF before. It depends if your NAS supports it, nothing much to do with FreeRadius (except you can assign the routes/IPs from RADIUS if your NAS supports it) Look at your NAS documentation.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: postgres performance issues
On Tue August 12 2003 20:51, Jeff Sullivan wrote: > Alan, > Is the post-process part of freeradius? I did not see it anywhere. > Or do you have a custom tool that I could use? Hi Jeff Check out my h323detail2db.pl script in src/billing It is easily modifyable to work with the standard postgres schema, and if you send me your new version once you have modified it we can add it to FreeRadius also :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SuSE 8.2 rpms
Hi List SuSE users may find the following useful: ftp://ftp.freeradius.org/pub/radius/rpm/suse -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: What is the minimal attributes that must be in START, INTERIM UPDATE and STOP packets
On Fri August 8 2003 01:10, Aime wrote: > Hello All, > > What are the minimal attributes to use to issue > START , INTERIM UPDATE and STOP radius packet ? This is set on your NAS. Read the documentation for your NAS and it shoudl tell you how to enable these features. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dialup_admin - postgresql
On Wed August 6 2003 14:21, Truong Manh Cuong wrote: > Hi all, > I use PostgresSQL and I have problem with database: > freeradius dies when user connects to server so I must change > radacct::AcctStart/StopTime : datetime -> TIMESTAMP with time zone > > in Dialup_admin::user_finger.php3 > SELECT ... WHERE AcctStopTime = '0' > > And error report: query-error. AcctStopTime is NULL in database, not = 0. I > don't know how to correct it. > So at page online user page, I can't show online user with > SELECT ... WHERE AcctStopTime = '0' Hi Truong I was the one who commited the changes in the default way that data is stored in Postgres. The changes regarding NULLs were discussed on the devel list but I guess whoever looks after dialup admin was not watching :-) We will discuss and get back to you. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco Aironet - MAC authentication problems
On Fri August 8 2003 19:01, Mike Hall wrote: > Hi, > > I work for a major University and we have been using Freeradius to do > MAC authentication with Orinoco (Avaya,Proxim) based access point for > about 2 years. We have had no problems, and loved our decision to > implement Freeradius instead of a commercial package. > > Now, many departments want to use the Cisco Aironet line. To our dismay, > we have discovered that they do not authenticate in the same way as the > Orinoco units. I think it has something to do with the Cisco-AVPair > string which is sent to the radius server and/or the Attribute Value > fields. I also think it has related to the Auth-Type string and/or the > dictionary.cisco file. We use a Mysql database to store the user-names > (MAC Addresses). The little info I have found on the internet is very > unclear on what I should to fix this. I have all the output of > mysql/freeradius, but it has been a nightmare trying to decipher it. > > Has anyone ran across this problem, and if so, could you please tell > what I can do to make Freeradius compatible with Cisco Aironet access > points? I can send you any info/logs about our setup that you need. I > cannot begin to tell you how much I will appreciate any help you can > give us. If you send us the debug output of when an Orinoco unit authenticates and when a cisco tries to authenticate we will try to help you. Maybe others have cisco AP's and can help you, but I don't unfortunately. Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Sample config on Redhat with proxy
On Wed August 6 2003 07:54, Michael Kearey wrote: > Dick Lau wrote: > > Hi All, > > > > I'm frist time try the radius server. May I ask who can post the > > freeradius on redhat here? Or where can I find the details study manuel? > > > > Thanks > > I found this > http://people.redhat.com/twoerner/SRPMS/freeradius-0.8.1-6.src.rpm > > It's handy, though is not up date version. You could use the rpm to > base a build from new source. There are up to date spec files for SuSE and RedHat as well as debian build files in the source tarball... It's really very easy :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: postgresql - dialup-admin
On Thu August 7 2003 12:29, Truong Manh Cuong wrote: > I wonder is there anyone use postgresql for freeradius? there is so many > thing I have to fix if I want to use postgres. > But freeradius staffs do not fix it. or may be I do wrong ? Tell us and we will either fix the problems or explain to you why we did it that way :-) > is there any type like this: > CREATE TABLE badusers ( > id int(10) DEFAULT '0' NOT NULL auto_increment, > ... > "Date"timestamp with timezone DEFAULT '-00-00 00:00:00' NOT > NULL, > ... ); What do you wish this table to do? There is no such table in MySQL either, so I think you are mistaken if you believe this is a Postgres "problem". We can add such a table if there is a reason and the general public will find it useful. Please explain.. > and with postgresql_db.sql, every fields must have " " when they are > declared, but I don't see, so as the result, my db will have tables with > all fields in lowercase > Here is my sql file that fixed.(file attact) What is wrong with that? Lower case field names are much better all round. Why would you want case sensitive field names?? -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: postgresql - dialup-admin
On Thu August 7 2003 12:54, Truong Manh Cuong wrote:
> I try to create table in dialup_admin/sql directory, and it come to fail.
> ERROR: parser: parse error at or near "("
> and dialup_admin will not work with database fields in lower case. because
> of query sentence like this: SELECT UserName,AcctStopTime ... FROM..WHERE
> UserName ..
> and the result of that query sentence will differ to SELECT
> username,acctstoptime ... FROM..WHERE username ..
hmm. They are sql tables for MySQL, not Postgres. I have not used dialup_admin
before, but I will take a look at it.
> If all database is in lower case, I must change all code (PHP file) in
> dialup_admin. do you understand ?
This should not be the case. Have you tested this? Postgres is case
insensitive by default, and should work with FieldName as well as fieldname
in a SQL query.
Please confirm if you have actually tested this.
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Advantages of Using SQL ?
On Tue August 5 2003 08:32, SIMICRO ML wrote: > Peter Nixon wrote: > > On Tue August 5 2003 06:37, Evren Yurtesen wrote: > > > > Its like saying that example B is faster than example A in the following > > scenario: > > > > A) You need to call your girlfriend. You know her number, so you dial it > > and talk to her. > > > > B) You need to call your girlfriend, You don't know her number so you > > call your secretary and ask her to look it up in the phone book. Your > > secretary looks up the number, calls you back and give it to you, then > > you call your girlfriend. > > > > Which do you thing is faster?? Bzzzt. WRONG ANSWER. Just because the > > phone book has a great, wonderfully efficient index, and your secretary > > is very good at using it, doesn't mean that it's faster than having the > > number in your own head > > ... and what if you had _millions_ of girlfriends :-D Yes. Like all analogies it not perfect, but it does illistrate the point we were talking about. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Advantages of Using SQL ?
On Mon August 4 2003 20:34, Steven Fries wrote: > Maybe you're both right? But who really wants to win a "Who's the bigger > nerd contest"? If I have a small set of users, I'm using the flat file. But > if my user list growsno doubt use SQL. The best thing for me is I don't > have to write fancy text handlers to parse through the users file, I just > use SQL statements. Yes > So as far as speed, it's negligible either way. Separation of datanow > that's where it's at.. Yes. You are right in both instances, but we were arguing speed. If you read my initial email on this thread you will see that I said that asking a backend for information will be _slower_ than consulting an in memory list. Slower is a relative term. ı never said it was too slow and I never said that you should not use a DB because of it. I simply argued that if you pick a DB backend that you do it for the right reasons. Speed is not one of them. You can argue ram disks, or separate servers until you are blue in the face, but on identical hardware, especially if it is memory constrained standalone FreeRdius should be quicker. This is the mailing list for an Open Source project. Argueing about how one fast one implimentation or another is is definately on topic. If we get better code, or better documentation of even a better understanding of how things work out of the discussion thats great.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Advantages of Using SQL ?
On Tue August 5 2003 06:37, Evren Yurtesen wrote: > Well, if that is such a big problem then you can do a memory disk and > store your db files in memory disk. That would then definetely work > better than freeradius itself. How much are the memory prices now anyhow. You could. This again uses more memory, which was one of the things you said you save by using a DB. You can't have it both ways. > About the operating system stuff, the load of exchanging few messages in > memory can not be so overwhelming compared to an inefficient search of a > few hundred thousands of users from a text database even when its in > memory already. What is so inefficient about the search algorithm used by FreeRadius. (I have not looked currently) If is IS slow, then once again, we can simply use the "efficient" algorithm from MySQL instead of the one currently in use. > There so many programs running in background usually that I am sure that > many programs trigger the kernel context switching already even when > freeradius is searching from the users file. Now the point is if the > search is faster then it would be interrupted less since it would take > less time to finish. Thus using SQL would yet improve performance anyhow > since the searches would take a lot less time. You are again basing your arguement on the hypothesis that FreeRadius uses an incredibly inefficient algorithm to search though memory. It would literally have to be several orders of magnitude slower than the search algorithm used by MySQL for them to be _even_ in terms of speed due to disk/context switch/socket/parsing overhead. I simply don't believe that this is the case. If you show me a benchmark that proves this, I will shutup about it, but what you are saying currently just does not make sense. Even if it were true, it would be very simple to fix it (ie. Copy the algorithm that MySQL uses into FreeRadius). > Look at some statistics > http://cs.nmu.edu/~benchmark/index.php?page=context > The context switching occurs in microseconds. Lets try to calculate how > many context switching operations can be done in a second? Needless to > remind that a microsecond is 10^-6 of a second. > > Then think about how much difference would it take to search 10 > entries from users file in memory or in sql database. In which sql > already optimize the data to be searched. Then find out how many context > switching can be done in that much time :) > > I am certainly uncertain about how much overhead it cause for freeradius > to call to mysql and back but it can not be so much. It is enough to make a difference :-) > Plus if you have > 10 users you do not want to reload the users file :) think about > reading 10 users from the disk. Now is that more efficient? in every > stupid reload. Then calculate the people who change their passwords or > new customers coming and new accounts added. This is a seperate issue. We already agreed on this issue. I never told you otherwise. > You cant possible argue that using users file is faster. I can and I am. If you are willing to provide benchmarks that prove otherwise then I will agree that you are right. (And probably rewrite the search algorithm in FR to make it faster :-) Until that time, what you are saying goes against common sense. Its like saying that example B is faster than example A in the following scenario: A) You need to call your girlfriend. You know her number, so you dial it and talk to her. B) You need to call your girlfriend, You don't know her number so you call your secretary and ask her to look it up in the phone book. Your secretary looks up the number, calls you back and give it to you, then you call your girlfriend. Which do you thing is faster?? Bzzzt. WRONG ANSWER. Just because the phone book has a great, wonderfully efficient index, and your secretary is very good at using it, doesn't mean that it's faster than having the number in your own head.... > But perhaps the > difference is so little when you have few thousand users that you can > omit the difference. > > Evren > > Peter Nixon wrote: > > On Tue August 5 2003 05:34, Evren Yurtesen wrote: > >>Thats totally wrong, so you say same cpu works on both db lookups and > >>freeradius, now when freeradius is making a lookup inside users file > >>which is in ram, the same cpu doesnt work on db lookups in memory or > >>what? so thats out of question. > > > > I am sorry to tell you Evren, but you ARE wrong. Even if you forget for a > > moment the fact that a DB server has to fetch the data from the disk and > > FreeRadius does not, It is MUCH more efficient for FreeRadius to search > > it's own memory space than to ask another program to supply the data. > > > > Askin
Re: Advantages of Using SQL ?
On Tue August 5 2003 05:34, Evren Yurtesen wrote: > Thats totally wrong, so you say same cpu works on both db lookups and > freeradius, now when freeradius is making a lookup inside users file > which is in ram, the same cpu doesnt work on db lookups in memory or > what? so thats out of question. I am sorry to tell you Evren, but you ARE wrong. Even if you forget for a moment the fact that a DB server has to fetch the data from the disk and FreeRadius does not, It is MUCH more efficient for FreeRadius to search it's own memory space than to ask another program to supply the data. Asking another program (A DB server or any other program) even if that program already has the data in memory is very slow comparitively as it forces a kernel context switch to load the other program onto the CPU, then another context switch to load FreeRadius onto the CPU. Put simply you are wrong. Please read up about CPU design and operating system context switches before argueing this any more. > but mysql is optimized for that kind of lookups, there is huge > difference. then again, you can increase the mysql memory cache that > mysql can cache the whole db inside the ram if it is small enough. It is not. There is not. You are wrong. Even if you have the entire DB inside ram (which would nullify your point of using a DB instead of a client file to save on RAM usage) the CPU still has to switch the running context from FR -> DB -> FR which flushes all CPU caches and is very slow. not to mention the fact that there is TCP (or UNIX) socket overhead to slow things down. Of course there is also Parsing and reparsing of SQL statements etc etc.. > Now about searching in ram is better than using a database backend. I > wonder why companies do not store their database data in text files and > load them to ram :) They do. Of course they do. It is always faster to load data at run time than look it up later. using a DB is easier/better for maintenence. It is NOT faster. > now the problem is that also everytime you reload > radius it reloads the whole file since it cant know where the changed > data is. Thus uses far more cpu. this ONLY happens at startup. how can it possibly use more CPU than requesting from disk for every query???!!! > It is definetely not a good thing if > you want your users to change their passwords from web, then you need to > write to users file and reload radius if you do not use sql. Yes. As mentioned before. DB is good for easy maintenence, NOT speed. > If you use > sql you can create a user which can only change some parts of the > database and limit the access. It is even more secure when configured > properly. It is 100 times easier to write a php script which does that > than writing it in c or perl We were argueing about speed, not other issues. DBs are good, but you are VERY wrong about them being faster than a memory search of the clients file.. If case you were wondering I maintain the postgresql configs and driver for FreeRadius, and run a DB backend with many GB of data in it.. Trust me, I know what I am talking about more than you do :-) Peter > Graeme Hinchliffe wrote: > > On Mon, 4 Aug 2003 18:01:07 +0200 > > > > "Andrea Coppini" <[EMAIL PROTECTED]> wrote: > >>>DB backends are good, and save alot of admin, but don't expect them to > >> > >>be > >> > >>>faster than a memory scan :-) > >> > >>I haven't done any tests, but I would presume an SQL backend would be > >>more 'robust' than freeradius. > >> > >>The way I see it, having 1 request a minute is definitely faster with a > >>users file in memory, but when the load hits and you have 10,000 hits > >>per minute, freeradius would grind to a halt having to look up the > >>credentials and handling all NAS comms simultaneously, while freeradius > >>+ sql would just continue doing their respective jobs as normal. > > > > But as the same CPU would be working on the DB lookups AND the freeRADIUS > > code as well, it would slow down by a much larger factor. You would now > > have 2 processes sharing the memory and CPU resources and bus of the > > system etc.. > > > > Fact is Disk access is horribly slow compared to memory. > > > > Look at the spec of a fairly old (now) PC.. 100MHz FSB.. so thats around > > 100,000,000*4 bytes per SECOND which is a tiny bit faster than a HDD > > don't you think. > > > > Just look at the clock speed of your PC.. even if the data wasn't indexed > > in memory and was searched in a linear manner it would still be extremely > > quick in comparison to a db. > > > > Graeme > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Advantages of Using SQL ?
On Mon August 4 2003 19:01, Andrea Coppini wrote: > > DB backends are good, and save alot of admin, but don't expect them to > > be > > > faster than a memory scan :-) > > I haven't done any tests, but I would presume an SQL backend would be > more 'robust' than freeradius. > > The way I see it, having 1 request a minute is definitely faster with a > users file in memory, but when the load hits and you have 10,000 hits > per minute, freeradius would grind to a halt having to look up the > credentials and handling all NAS comms simultaneously, while freeradius > + sql would just continue doing their respective jobs as normal. If that were the case, it would only be because of a bug in FreeRadius. Much more system resources are used by SQL+Radius than just by Radius. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Advantages of Using SQL ?
On Mon August 4 2003 21:53, Evren Yurtesen wrote: > think about it yourself, > > -easy data manipulation, > -reload of freeradius is not needed > -nice web interface dialup_admin > -you can make your own web interface with php easily with sql connectivity. Yes. These are all correct.. > These are what I can think of at the moment. I also think it would be > faster than using users file and freeradius would use less memory since > it doesnt load the whole users file to memory (I think it loads it?!) > if you have many users for example. SQL is also designed for quick data > retrieval so if you plan to have many users than it would give better > performance when the server needs to find one user. Actually, you are wrong on this point I think. FreeRadius _would_ use less memory, that is correct, although memory usage should not be an issue, however using a SQL server as an Authentication backend _must_ be slower than a userlist that is already in memory. Just think about what happens.. FreeRadius with users file: * Request comes in * FreeRadius checks if the user is valid from its copy of the users file in memory * FreeRadius responds to the NAS with allow or deny FreeRadius with DB backend for Authentication: * Request comes in * FreeRadius sends a SQL query to the DB. * DB does an index search for the username * DB loads the usename records from disk into memory * DB Sends the username record back to FreeRadius * FreeRadius responds to the NAS with allow or deny Which do you think will be faster?? > Perhaps you should also ask to yourself, what is the disadvantage? See above. DB backends are good, and save alot of admin, but don't expect them to be faster than a memory scan :-) > Evren > > Patrick wrote: > > hi, > > > > im a freeradius newbie but i was wondering if there are any major > > advantages to running freeradius on an sql auth system or not ? other > > than of course the obvious stuff like being able to replicate the tables > > etc... > > > > Thanks > > P > > > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Has anyone been able to get rlm_sql to auth users
OK. But I was under the impression that text fields had issues with indexing still. Am I wrong here? (Yes I need to do some more reading on this issue :-) Peter On Sat August 2 2003 02:05, Guy Fraser wrote: > It has been brought up in the [EMAIL PROTECTED] mailing list, > buy the developers. > > The reason given is that "varchar(x)" checks to make sure the data is > not larger than 'x' bytes, but "text" does not. > > If the application handles the data size constraints there is no reason > for the database to check again. > > Guy > > Peter Nixon wrote: > >On Fri, 1 Aug 2003 05:53 am, Guy Fraser wrote: > >>I have the new release now. > >> > >>I see that there has been some work done with the postgres sql file, the > >>main difference between the new one and the one I setup was that I used > >>'text' instead of 'varchar(x)' because it is faster. > > > >Are you sure about this? Can you point me to some documentation? > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Has anyone been able to get rlm_sql to auth users
On Fri, 1 Aug 2003 05:53 am, Guy Fraser wrote: > I have the new release now. > > I see that there has been some work done with the postgres sql file, the > main difference between the new one and the one I setup was that I used > 'text' instead of 'varchar(x)' because it is faster. Are you sure about this? Can you point me to some documentation? -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS Help
On Fri August 1 2003 01:18, [EMAIL PROTECTED] wrote: > Hi there, I'm new to this group and would like to contribute by helping out > with creating the man pages from the rlm* files. I'm gonna start with the > following two if no one else has. > > 1. rlm_digest > 2. rlm_krb5 Cool. Post them to the list when you are done :-) -- Peter Nixon mailto:[EMAIL PROTECTED] Phone: +90 535 3707 126 http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc the West won the world not by the superiority of its ideas or values or religion but rather by its superiority in applying organized violence. Westerners often forget this fact, non-Westerners never do. -- Samuel P. Huntington - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Newbie-ish HUP question (0.9.0) (solution - a bug?)
Yup. I spotted that also. I will try to clean them up over the next few days.
If you have some time can you give current CVS a whirl and see if it works for
you.
The function now looks like:
static int sql_destroy_socket(SQLSOCK *sqlsocket, SQL_CONFIG *config)
{
rlm_sql_postgres_sock *pg_sock = sqlsocket->conn;
free(pg_sock);
return 0;
}
There is some NASTY code in some of the DB drivers.. Other people are welcome
to help me clean them up :-)
Peter
On Thu July 31 2003 21:15, Alex Chen wrote:
> This not_implemented function is also present in other SQL driver modules,
> e.g. DB2.
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > Alan DeKok
> > Sent: Thursday, July 31, 2003 7:08 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Newbie-ish HUP question (0.9.0) (solution - a bug?)
> >
> > Peter Nixon <[EMAIL PROTECTED]> wrote:
> > > If I have time (and no one else beats me to it) I will
> >
> > implement this
> >
> > > tonight..
> >
> > Please also get rid of the "not_implemented" function in
> > sql_postgresql.c. It's evil.
> >
> > Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Newbie-ish HUP question (0.9.0) (solution - a bug?)
On Thu, 31 Jul 2003 02:45 pm, Fenn Bailey wrote: > > > try to comment any change you did on it, just in order to > > > follow the normal > > > course of the application. > > > > Thanks for the tip, the main problem is it does it even if I > > don't touch any > > files at all, eg: just start it and issue a HUP. I have also > > found, it does > > the same thing with any signal sent to the process; it outputs > > that "Error: > > sql_postgresql: calling unimplemented" message and dies. Probably > > not a good > > thing :) > > OK, did some further testing and have come to the conclusion it is a bug > (developers, opinions ;) > > Basically, without looking at it in too much detailed, I worked out that > the daemon was calling sql_destroy_socket on the rlm_sql_postgres module, > which doesn't implement the method. Since calls to non implemented > functions causes an exit(), the whole daemon (almost) silently dies > whenever a HUP (or other signal that would cause a call to > sql_destroy_socket). > > I implemented the destroy_socket function (it just does nothing) and > rebuild and voila - all good now :) I would like to propose (I'm willing to > do this myself if desired by the team via a patch or whatever) to both fix > this bug, and have the not_implemented function at least die with some > useful information. > > The output now (on my version) looks like this upon being given a HUP: > --- > Thu Jul 31 21:31:29 2003 : Info: Reloading configuration files. > Thu Jul 31 21:31:30 2003 : Error: sql_postgresql: sql_destroy_socket called > erroneously > Thu Jul 31 21:31:30 2003 : Error: sql_postgresql: sql_destroy_socket called > erroneously > Thu Jul 31 21:31:30 2003 : Error: sql_postgresql: sql_destroy_socket called > erroneously > Thu Jul 31 21:31:30 2003 : Error: sql_postgresql: sql_destroy_socket called > erroneously > Thu Jul 31 21:31:30 2003 : Error: sql_postgresql: sql_destroy_socket called > erroneously > Thu Jul 31 21:31:30 2003 : Info: rlm_sql (sql): Driver rlm_sql_postgresql > (module rlm_sql_postgresql) loaded and linked > Thu Jul 31 21:31:30 2003 : Info: rlm_sql (sql): Attempting to connect to > [EMAIL PROTECTED]:/freerad > Thu Jul 31 21:31:30 2003 : Info: Ready to process requests. > --- > > Either way, I hope I helped out someone else who may be suffering the same > issue. If I have time (and no one else beats me to it) I will implement this tonight.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Uninstall
On Thu, 31 Jul 2003 05:59 am, Fenn Bailey wrote: > > rm -rf $radiusdprefix > > > > :) > > Just being slightly newbie friendly, but don't actually literally run the > above. You never know what it might do ;) > > Basically, there is no 'uninstall' as such unless you build and installed > it as a debian package (go debian!). Or SuSE or RedHat or any of the other packages :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Has anyone been able to get rlm_sql to auth users
On Tue July 29 2003 22:26, Guy Fraser wrote: > I was trying to get the PostgreSQL driver working. It should "just work" (tm) > The SQL tables need to be fixed significantly, I have fixed some of the > data types and have the tables functional. They are function and should not need "fixing". I overhauled the postgres schema and queries just before 0.9.0 release and have had several positive reports. > With so little documentation for rlm_sql it is very difficult to work with. It is actually documented rather well. Have you looked in the docs directory and in postgres.conf? Its pretty straight forward.. > I have made my own patch for Cistron 1.6.7-rc4 that allows accounting > directly to a PostgreSQL db. Are we talking about FreeRadius or Cistron?? > I would be willing to work on fixing some of the rlm_sql parts, but > first I would like to know if anyone has already got it working. Many, Many people are using FreeRadius, rlm_sql and all of the db drivers in a production environment. I will publish the results of a survey I took a few weeks ago tomorrow. (I have been too busy up until now) > I noticed in the source that the functions used to connect to the db > will cause a "crash" if the connection fails. I can look into using the > functions that allow reconnection and possibly some kind of "buffering" > for extended failures. They should not. Please be specific. WHICH functions? What are the problems with them? We welcome patches, but it seems you have not really looked at rlm_sql very deeply, or are running an incredibly old version. Please feel free to post any fixes/changes to the list so that we can look at them. Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Unprintable characters in the password
On Tue July 29 2003 18:06, Alan DeKok wrote: > Yasser Ahmed Hosny <[EMAIL PROTECTED]> wrote: > > I've downloaded ver 0.9.0 and I've compiled it on 64-bit and again, I've > > got the same results. Please find the debug messages below. > > All I can say is that it appears that parts of the code are not > 64-bit clean. > > If you can get me an account on a 64-bit machine I can "ssh" into, I > may be able to spend some time looking at it. I believe SourceForge has some AMD64 machines in their compilefarm.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: problems with rlm_sql_freetds
On Tue July 29 2003 21:04, [EMAIL PROTECTED] wrote: > I am wanting to connect to a MSSQL server via freetds. After I do a > successful install, I get the following when I try to start radius (radiusd > -X). > > rlm_sql (sql): Could not link driver rlm_sql_freetds: file not found > rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the > search path of your system's ld. > radiusd.conf[10]: sql: Module instantiation failed. freetds is unsupported. I suggest you either connect to MSSQL via odbc (if you must use MSSQL) or switch to Postgresql (An opensource RDMBS with more features than MSSQL and no license fees) Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ascend never recieves the Access-Accept packet
On Tue, 29 Jul 2003 04:57 pm, Jeff Palmer wrote: > Hi all, > > > I have been using Cistron radiusd for a while now. I have decided to > migrate to FreeRadius, and have therefore setup a testbed. > > Testbed consists of: > > (1) Ascend MAX 6000 (with VSA's enabled) > (2) FreeBSD 4.8 radius servers. > > > > The configuration of FreeRadius seems rather straightforward, and even > simple. However, after the user dials in, and authenticates, the MAX never > seems to get the Access-Accept packet. FreeRadius shows a successful > login, yet the MAX doesn't show any LAN security errors or anything else > obvious. > > In debugging, I decided to replace freeradius with cistron on one of the > testbed servers. It works fine! I've got to be overlooking something > simple. I don't suppose you are running a firewall by any chance?? -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting with freeradius
On Tue, 29 Jul 2003 04:07 pm, GAUDIN Thomas wrote: > Hello, > > I have configured freeradius with openldap and there is no problem with > authentication. Now, I would like to do accounting and I don't understand > how do it. I have configured radiusd.conf and I don't know what I can do > with acct_users file. When a user logged in on Linux, normally, with > accounting, a detail file is created in the log directory but I found > nothing What is the solution??? Enable accounting on your NAS. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Duplicated records in MySQL Radacct table.
On Mon, 28 Jul 2003 11:37 pm, Oliver Graf wrote: > On Mon, Jul 28, 2003 at 11:16:17PM +0300, Peter Nixon wrote: > > On Mon July 28 2003 22:59, Oliver Graf wrote: > > > On Mon, Jul 28, 2003 at 09:30:01PM +0300, Peter Nixon wrote: > > > > On Thu July 24 2003 23:13, Daniel Destro do Carmo wrote: > > > > > How can I select (using SQL) just the unique records to see > > > > > how many calls and to calculate the total time each user has > > > > > used??? > > > > > > > > Postgres has a UNIQUE keyword, not sure about MySQL.. > > > > > > DISTINCT? > > > > > > http://www.mysql.com/doc/en/SELECT.html > > > > Yep. thats it :-) > > BTW: I never log into sql. I use detail logs and sort out duplicates > later with a really smart python script. It also does start/stop > accounting (don't trust Session-Time) cause it's really hard to prove > that the NAS equipment is 10^-6 seconds accurate (there is some > regulation in germany which says that you either have to prove this > accuracy in your NAS equipment, or you do start/stop accounting on the > aaa with half a second accuracy). Yes. I always either verify that the db is correct or import from script using h323detail2db.pl in the src/billing directory which I wrote for this purpose.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Logging - how to specify what to log?
On Sun, 27 Jul 2003 12:39 am, James Green wrote:
> Hi there,
>
> I've been asked as a matter of urgency to ensure that the logs we get
> from RADIUS include the CLI (Caller-ID), that is, the telephone number
> of the person making the call. This should prove they called us.
>
> I believe I need to log the %{Calling-Station-Id} attribute.
>
> Problem: I have no idea what file to edit.
>
> I can see a slew of attributes being logged to the detail-* files,
> except this attribute.
>
> Maybe FreeRADIUS doesn't get this attribute? It's a Cisco AS5350 talking
> to it, with a couple of E1 ISDN-30s plugged in. I can't find much about
> this on Cisco's website or the freeradius mailing list. Indeed, apart
> from a mention as part of a list of attributes, the Oreilly RADIUS book
> doesn't cover it.
If you have incomming caller ID enabled on you PRIs then your cisco should
send the attribute and freeradius will happily put it in the detail files.
You probably need to talk to your telecom providor..
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Duplicated records in MySQL Radacct table.
On Mon July 28 2003 22:59, Oliver Graf wrote: > On Mon, Jul 28, 2003 at 09:30:01PM +0300, Peter Nixon wrote: > > On Thu July 24 2003 23:13, Daniel Destro do Carmo wrote: > > > How can I select (using SQL) just the unique records to see > > > how many calls and to calculate the total time each user has > > > used??? > > > > Postgres has a UNIQUE keyword, not sure about MySQL.. > > DISTINCT? > > http://www.mysql.com/doc/en/SELECT.html Yep. thats it :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Duplicated records in MySQL Radacct table.
Then the records are not identical. I suggest you figure out WHY you are getting duplicated records in the DB and fix that. I don't use MySQL or the MySQL queries so I can't help you directly with this, other than to say, find the cause of the problem rather than trying to fix the symptom.. Peter On Mon July 28 2003 21:37, you wrote: > I check everything you can imagine... > > used distinct, etc... > nothing works! > > > On Thu July 24 2003 23:13, Daniel Destro do Carmo wrote: > > > Hello All, > > > > > > I a program in Java to read the logs recorded in MySQL DB > > and > > > > then make the billing for each customer's calls. > > > > > > I have faced a big problem that is: When I list the record > > s > > > > from the table radacct or even if I use two table (one for > > > start and another for stop) I find a lot of duplicated > > > registers which makes my Billing incorrectly. > > > > > > How can I select (using SQL) just the unique records to se > > e > > > > how many calls and to calculate the total time each user h > > as > > > > used??? > > > > > > Thanks for your time > > > Daniel > > > > Postgres has a UNIQUE keyword, not sure about MySQL.. > > > > -- > > > > Peter Nixon > > http://www.peternixon.net/ > > PGP Key: http://www.peternixon.net/public.asc > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.o > > rg/list/users.html > > > > --- > Acabe com aquelas janelinhas que pulam na sua tela. > AntiPop-up UOL - É grátis! > http://antipopup.uol.com.br -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Duplicated records in MySQL Radacct table.
On Thu July 24 2003 23:13, Daniel Destro do Carmo wrote: > Hello All, > > I a program in Java to read the logs recorded in MySQL DB and > then make the billing for each customer's calls. > > I have faced a big problem that is: When I list the records > from the table radacct or even if I use two table (one for > start and another for stop) I find a lot of duplicated > registers which makes my Billing incorrectly. > > How can I select (using SQL) just the unique records to see > how many calls and to calculate the total time each user has > used??? > > Thanks for your time > Daniel Postgres has a UNIQUE keyword, not sure about MySQL.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: not log in detail archive
On Fri, 25 Jul 2003 11:48 am, diomedes wrote: > Hi, > > I have Freeradius-snapshot-20021028 installed. This is old. Please upgrade to 0.9.0 > The problem is that it > doesn't log in radacct/detail archive, it doesn'y creat it neither. > The loging in radius.log is Ok. > > I execute radiusd as #radiusd -S -A > > The importanr options abaut logging in radiusd.conf are ok, in my opinion. > > Where is the problem? Do you have accouting enabled on your NAS? -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: typo in cisco_h323_db_schema-postgres.sql
On Fri, 25 Jul 2003 12:59 am, Umut Destan wrote: > Peter, > I think there's a typo with the DataType for CiscoNASPort in Table > StopVoIP. It should be perhaps varchar(16) instead of BOOLEAN. Erm. Has this caused any errors for you or do you just think its a typo?? It is meant to be there as there should not be any CiscoNASPort attribute is VoIP Stop packets, but I didnt want to have different queries for VoIP and Telephony. Take another look at how the queries work.... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: disabling failed logins
On Thu, 24 Jul 2003 10:41 pm, Bill Thompson wrote: > Hello, > > I've been looking through the FAQ and the list archives for some kind of > method to have freeradius disable authentications for users after a number > of failed logins. The only reference I found was a message from 2002 > saying that it couldn't be done. Is that still the case? Does anyone have > an alternate method of blocking accounts automatically? If you are authenticating to PAM on linux this should be easy to do as PAM can do this. It's nothing to do with RADIUS per se, for instance you could have a limit of 3 authentication tries to lock an account and it could work like this. User is already connected to the net and tries the wrong passwd while checking POP mail. - Count 1 User then tries to login with webmail with the wrong passwd. - Count 2 User is disconnected from dialup and tries to redial with wrong passwd (Dialup is obviously Authed using RADIUS). This would be Count 3 and the account would be locked.. PAM is you friend. PAM is powerfull.. Learn PAM... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ippool & missing gdbm.h header file
On Thu, 24 Jul 2003 01:36 am, SPJ.Schembri wrote: > Hi, > > I am new to FreeRadius and only just downloaded the 0.9.0-pre3 version on > Monday, although I have been an avid list reader for 6 months now. Please re-download the release version og 0.9.0 as it has a couple of bug fixes... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Custom Dictionnaries and vendor numbers.
On Wed July 23 2003 23:05, Blaise St-Laurent wrote: > I've recently be tasked with getting an older piece of equipment, a > Gandalf XpressWay RLAN, to work with our FreeRADIUS server. The Gandalf > expects a slew of custom attributes. I have a few questions about going > about defining these: > 1) I'm assuming that the Vendor numbers (IDs) are assigned and > recognized, at least by the equipment. The system's documentation was > designed to work with the CryptoCard RADIUS server, and they had a pull > down box where Gandalf was one of the avaiable vendors. Where can i > find this list (and by extension the Gandalf Vendor ID)? > 2) The documentation specifies the list as ID numbers (0 - 33) as well > as names. Now my understanding of the radius protocol is that the names > are never actually transmitted, but rather a combination of venderID > and AttributeID, thus, the names i give the custom attributes don't > matter (I ask because the docs have them with spaces in them, and i'm > tempted to put '-' between the words) > 3) has anyone successfully made this piece of equipment authenticate > against a Radius server (just out of curiousity)? If you can find the dictionary file from the old radius server (or retype it from documentation) we can add it to the next version of FreeRadius. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco VPN 3000 + FreeRADIUS
On Tue, 22 Jul 2003 06:47 pm, idriss.mamodaly wrote: > Hello folks, > > I would like to know what is the authentication protocol used between a > Cisco VPN 3000 concentrator and FreeRADIUS ? RADIUS... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: R: Freeradius-Users digest, Vol 1 #2101 - 13 msgs
On Tue, 22 Jul 2003 05:19 pm, you wrote: > >Is it possible to make an upgrade of previus version of freeradius.. > > ..unless recompile all? > and in bref, what can i do it? Yes. You will have to recompile unless there is a binary available for your Operating System. I have made rpms available for SuSE. I expect rpms for RedHat and Debs to arrive in the next day or so... If you are going to compile yourself there is a docs directory in the source tarball that explains how to do most things you will need to do. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: creating a new Field
On Tue, 22 Jul 2003 06:16 pm, Wilmer Geovanny Guamán. wrote: > > You want to send this to the home server, when proxying? That can't > > be done in 0.5. > > Then 0.8? how? > > please be patient with me ;-) You should use 0.9 It was relased yesterday and has been through 3 prereleases. It is considered the most stable and most featureful version of FreeRadius. It also has better documentation :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: Freeradius-Users digest, Vol 1 #2101 - 13 msgs
On Tue, 22 Jul 2003 04:51 pm, Simone Giovanardi wrote: > Is it possible to make an upgrade of previus version of freeradius ?? yes :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dictionary files
Added to CVS. Thanks Peter On Tue, 22 Jul 2003 03:37 pm, [EMAIL PROTECTED] wrote: > ok thanks > > Im running 0.9.0-pre3 > > The additional attributes are : > > ATTRIBUTE Nomadix-Subnet 6 string Nomadix > ATTRIBUTE Nomadix-MaxBytesUp 7 integer Nomadix > ATTRIBUTE Nomadix-MaxBytesDown8 integer Nomadix > ATTRIBUTE Nomadix-EndofSession9 integer Nomadix > ATTRIBUTE Nomadix-Logoff-URL 10 string Nomadix > > regards, > Barry > > - Original Message - > From: "Alan Litster" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Tuesday, July 22, 2003 2:07 PM > Subject: RE: dictionary files > > > Barry, > > > > Which version of FreeRADIUS are you running? > > > > If you're running an older version, they may already be present in the > > latest release. Which attributes do you suspect to be missing? Or have > > they > > > added more attributes to the latest release of the Nomadix software? If > > that's the case contribute them to the list and I suspect that they will > > be > > > added for the release of 0.9.0 > > > > Rgrds, > > > > Alan > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > Sent: 22 July 2003 12:54 > > To: [EMAIL PROTECTED] > > Subject: dictionary files > > > > > > Hi there > > > > In the main /etc/dictionary file it states that the pre-defined > > dictionaries > > > should not be edited. > > The dictionary.nomadix file is outdated. > > Where should I add these attributes ? Why should I not edit the > > pre-defined > > > dictionaries ? > > > > Thanks > > Barry > > > > > > - > >- > > - > > > This email, and any files transmitted with it, is copyright and may > > contain confidential information. > > > The contents are intended for the use of the addressee(s) only. > > Unauthorized use may be unlawful. > > If you receive this email by mistake, please advise sender immediately. > > The views of the author may not necessarily constitute the views of Telco > > Electronics Limited. > > > Nothing in this mail shall bind Telco Electronics Limited in any contract > > or obligation. > > > Telco Electronics Limited > > 6-8 Oxford Court > > Brackley > > Northants > > NN13 7XY > > > > Tel 07000 701999 > > Fax 07000 701777 > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dictionary files
No. Its too late for 0.9.0 as it has already been released, but they will be in time for 0.9.1 or whatever the next version is :-) Peter On Tue, 22 Jul 2003 03:07 pm, Alan Litster wrote: > Barry, > > Which version of FreeRADIUS are you running? > > If you're running an older version, they may already be present in the > latest release. Which attributes do you suspect to be missing? Or have they > added more attributes to the latest release of the Nomadix software? If > that's the case contribute them to the list and I suspect that they will be > added for the release of 0.9.0 > > Rgrds, > > Alan > > > -Original Message- > From: [EMAIL PROTECTED] > Sent: 22 July 2003 12:54 > To: [EMAIL PROTECTED] > Subject: dictionary files > > > Hi there > > In the main /etc/dictionary file it states that the pre-defined > dictionaries should not be edited. > The dictionary.nomadix file is outdated. > Where should I add these attributes ? Why should I not edit the pre-defined > dictionaries ? > > Thanks > Barry > > > --- > This email, and any files transmitted with it, > is copyright and may contain confidential information. The contents are > intended for the use of the addressee(s) only. > Unauthorized use may be unlawful. > If you receive this email by mistake, please advise sender immediately. > The views of the author may not necessarily constitute the views of Telco > Electronics Limited. Nothing in this mail shall bind Telco Electronics > Limited in any contract or obligation. > > Telco Electronics Limited > 6-8 Oxford Court > Brackley > Northants > NN13 7XY > > Tel 07000 701999 > Fax 07000 701777 > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius 0.9.0 rpms for SuSE 8.2
Hi List As usual, anyone who uses SuSE is welcome to try my rpms on for size: http://www.peternixon.net/files/freeradius/ -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dictionary files
On Tue, 22 Jul 2003 02:53 pm, [EMAIL PROTECTED] wrote: > Hi there > > In the main /etc/dictionary file it states that the pre-defined > dictionaries should not be edited. The dictionary.nomadix file is outdated. > Where should I add these attributes ? Send the updates to the list.. AND # cat /etc/raddb/dictionary # # This is the master dictionary file, which references the # pre-defined dictionary files included with the server. # # Any new/changed attributes MUST be placed in this file, as # the pre-defined dictionaries SHOULD NOT be edited. # # $Id: dictionary.in,v 1.3 2003/07/07 19:28:31 aland Exp $ # # # The filename given here should be an absolute path. # $INCLUDE/usr/share/freeradius/dictionary # # Place additional attributes or $INCLUDEs here. They will # over-ride the definitions in the pre-defined dictionaries. # # See the 'man' page for 'dictionary' for information on # the format of the dictionary files. > Why should I not edit the pre-defined dictionaries ? Because they will be overwritten by each new version of FreeRadius. I think you mis-read /etc/dictionary It says PUT the changes in there, but NOT in the other dictionaries... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Reply-Message
Hi Chris I am sorry I don't have more information, maybe someone else does though. I don't currently use Radius for PPP Authentication and it has been 3 years since I used Windows on my desktop :-) Maybe you can find something from google. Cheers Peter On Tue, 22 Jul 2003 09:48 am, Chris Miller wrote: > Peter, thanks for the reply. I did some testing with PowerDUN and did not > receive any specific error message. This doesn't surprise me with out > Livingston pm3s, but our wholesale partner has more modern equipment I > would expect to support this feature (i.e Cisco, TNT, Lucent). > > I've also been able to find little information on how this works or what > vendors support this. From what I gather the NAS passes the reply on to > the client via PPP. I would think this would be the default but perhaps > it's something that specifically needs to be enabled. Do you have any > further information you can point me to? > > Regards, > Chris > > Chris Miller > NetGate Internet > > On Sun, 20 Jul 2003, Peter Nixon wrote: > > On Sun July 20 2003 01:26, Chris Miller wrote: > > > I've noticed that the Reply-Message returned from the radius server is > > > not shown in the Windows DUN error message when access is rejected. > > > Where does the failure occur? Is this a matter of the NAS not returning > > > this message to the DUN client, or is this just typical of Windows? Any > > > way to override this behavior? It would be nice that a user knows their > > > account has been disabled instead of the generic "username or password > > > incorrect". > > > > This is windows behaviour. Unless you use PowerDUN or one of the > > replacement dialers you will not see any returned messages. > > > > -- > > > > Peter Nixon > > http://www.peternixon.net/ > > PGP Key: http://www.peternixon.net/public.asc > > > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: cisco-nas-port
On Sun July 20 2003 18:00, Kursad Kayaturk wrote: > Hi Everybody, > I am new to freeradius server system. I got it > running up only for five or six days and everthing > seems fine except cisco-nas-port. I got weird values > in the database for cisco nas port it is Serial3/0=2A > but I expect it in Serial3/0:## format. If I use > no aaa nas port extended then I get CAS 3/0/#=2A. What > can be wrong any ideas guys. Please help me. I use R2 > digital signalling with Cisco As5350 and E1 GSM > gateway from orion telecom. Hi Kursad After your email to me off list on Friday we have been discussing this issue. (You can see the thread in the archives for freeradius-devel list) It is caused by some old code that is designed to protect the database backends from weird characters. This code will be updated soon I expect but not untill after the 0.9.0 release on Monday. (It will probably take a few weeks after that I expect) As this is now a known problem, there is not much for you to do except wait until we have fixed the server code in CVS (Unless you wish to code a fix yourself). For our information, could you please verify that the information you expect is actually present in the detail files in the format you expect. It would also help if you could mail the list with that particular line form your detail file so we have an example to work with. (My ciscos are configured a little differently to yours so I would like to see the exact output you see) Regards -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Reply-Message
On Sun July 20 2003 01:26, Chris Miller wrote: > I've noticed that the Reply-Message returned from the radius server is not > shown in the Windows DUN error message when access is rejected. Where does > the failure occur? Is this a matter of the NAS not returning this > message to the DUN client, or is this just typical of Windows? Any way to > override this behavior? It would be nice that a user knows their account > has been disabled instead of the generic "username or password incorrect". This is windows behaviour. Unless you use PowerDUN or one of the replacement dialers you will not see any returned messages. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + Cisco AS 5350 for accounting
On Sat July 19 2003 18:23, you wrote: > Peter > Came across your email on Freeradius mailing list and in postgres > schema in src dir. I have an urgent need to setup radius for billing on > Cisco AS5350 for VOIP our current billing system stopped working. I am new > to radius and was hoping you could help with the following : > 1) What are the things i need to setup on cisco gateway? Do you have a > sample cisco radius config for freeradius? I have the folowing set on my gateways. You may not need all of these options.. aaa new-model aaa accounting update newinfo aaa accounting connection h323 start-stop group radius ip radius source-interface FastEthernet0/0 radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 radius-server host 1.1.1.2 auth-port 1812 acct-port 1813 radius-server retransmit 10 radius-server key myradiuserverkeyhere radius-server vsa send accounting > 2) How do i setup Freeradius to log billing data from cisco. Sample config Its in the src/billing directory. Use the CVS version or version 0.9 when it is released on Monday. > 3) What is the recommended latency (ping times) required between the AS5350 and the server running Freeradius, i my case my cisco gateway is the UK and the radius is the US- ping times is about 103ms - is it ok? Should not be a huge problem, although you really do want your gateways near by to your radius server, otherwise it is possible for a network outage to allow you to continue getting calls but not billing records.. this is bad.. > Will there be lots of packet lose? Ask your ISP. I have no idea. > 4) Can I use the same schema on Mysql - Is there any reason you did not chose mysql? Yes. It doesn't work. http://www.mail-archive.com/[EMAIL PROTECTED]/msg17232.html > 5) What is the recommended hardware configuration? For one GW, any machine will do. > Plan to run Freeradius on Redhat 9.0 It should be fine. I do not use RedHat though. > I'll appreciate any input you can provide Have fun. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: typo in pgsql-voip.conf from Peter
On Fri, 18 Jul 2003 02:27 am, Miranda Gomez Miguel Angel wrote:
> Hi Peter/All
> I just check the last updates of your voip config,
> and have noticed a little typo: in the insert stop query of pgsql-voip.conf
>
> accounting_stop_query = "INSERT into ${acct_table2}%{h323-call-type} \
> (RadiusServerName, UserName, NASIPAddress, AcctTime, \
> AcctSessionTime, AcctInputOctets, AcctOutputOctets,
> CalledStationId, CallingStationId, \
> AcctDelayTime, H323RemoteAddress, CiscoNASPort,
> h323callorigin, h323confid, \
> h323connecttime, h323disconnectcause, h323disconnecttime,
> h323gwid, h323setuptime) \
> values('${radius_server_name}', '%{SQL-User-Name}',
> '%{NAS-IP-Address}', now(), '%{Acct-Session-Time:-0}', \
> '%{Acct-Input-Octets:-0}', '%{Acct-Output-Octets:-0}',
> '%{Called-Station-Id}', '%{Calling-Station-Id}', \
> '%{Acct-Delay-Time:-0}', NULLIF('%{h323-remote-address}',
> '')::inet', '%{Cisco-NAS-Port}', \
> '%{h323-call-origin}', '%{h323-conf-id}',
> strip_dot('%{h323-connect-time}'), '%{h323-disconnect-cause}', \
> strip_dot('%{h323-disconnect-time}'), '%{h323-gw-id}',
> strip_dot('%{h323-setup-time}'))"
>
>
> in the '%{h323-remote-address}', '')::inet' part, you have to drop the last
> ' after the ::inet, otherwise the
> record will not be inserted, giving POSTGRES FATAL ERROR,
Thanks. Fixed.
Wow. There seems to be alot more people using my VoIP accounting code that I
thought.
I guess I am going to have to start doing more testing before doing a CVS
commit :-)
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: H323 Accounting Information error
You need to enable: with_cisco_vsa_hack = yes That will fix your problem. I also highly recommend you look at the src/billing directory as it has a sample config for doing VoIP accounting from Cisco. You will have to use Postgresql instead of MySQL though if you want to use the config there as it relies on some features of Postgresql that MySQL cannot do. You should get the latest version from CVS as I updated it about 3 hours ago... Regards Peter On Thu, 17 Jul 2003 10:24 pm, Oleg Ustinov wrote: > Hi there, > is it an error? > > h323-call-type = "h323-call-type=VoIP" > h323-setup-time = "h323-setup-time=06:48:02.621 CEST Mon Jul 14 > 2003" > h323-connect-time = "h323-connect-time=06:48:02.765 CEST Mon Jul 14 > 2003" > h323-disconnect-time = "h323-disconnect-time=06:48:02.765 CEST Mon > Jul 14 2003" > h323-disconnect-cause = "h323-disconnect-cause=1C" > h323-remote-address = "h323-remote-address=212.119.32.112" > h323-voice-quality = "h323-voice-quality=0" > h323-conf-id = "h323-conf-id=2F655453 B4ED11D7 80F8FCBE 79B038C9" > > Why it is not like that: > > h323-call-type = "VoIP" > h323-setup-time = "06:48:02.621 CEST Mon Jul 14 2003" > h323-connect-time = "06:48:02.765 CEST Mon Jul 14 2003" > h323-disconnect-time = "06:48:02.765 CEST Mon Jul 14 2003" > h323-disconnect-cause = "1C" > h323-remote-address = "212.119.32.112" > h323-voice-quality = "0" > h323-conf-id = "2F655453 B4ED11D7 80F8FCBE 79B038C9" > > Has anybody solve it? > > > Oleg > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Difference between pgsql_schema and start/stop queries
On Thu, 17 Jul 2003 01:31 pm, destan wrote: > I forgot to say, I'm talking about the files that I just checked out from > CVS a bit ago. > > destan writes: > > Hi list/Peter, > > > > In the billing/pgsql-voip.conf, the INSERT queries have column names such > > as, RadiusServerName, AcctSessionId, AcctUniqueId. But in the schema file > > this columns are not created in the startvoip,starttelephony,... tables. > > Do you suggest I create these fields in the tables or remove them from > > the INSERT queries. Or am I missing something? Hi Umut As I said to you off list last night, the files got a little out of sync, and I will fix them today. Actually I updated the -rbranch_0_9 in CVS late last night but have not yet double checked it or copied that code over into normal CVS. I will have it done in an hour or so. I have been rather busy this morning... Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sql schema conversion
cc'd to the list as others will hit this problem also... On Thu, 17 Jul 2003 10:54 am, you wrote: > Hello! > > I'm using postgresql, and stuck with the numeric->interval conversion. > (I'm not an SQL expert, as you can see...) > > The new radacct table uses intervals for acctstartdelay and > acctstopdelay, while the former used numeric types, so I have to: > > 1. change the schema and the queries > or > 2. convert the fields > > I prefer the conversion, but I can't do it... Alternatively if you are happy with the way it is working currently you can upgrade FreeRadius but stick with the configuration you have currently... Let me look at Postgres and see if I can figure out a 123 guide to conversion. I don't know if I will have time today, so I suggest you stick with you current config for now. The other option is a pg_dump and restore of course... Regards -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 0.8.1 , src/modules/rlm_sql/drivers/rlm_sql_postgresql/sql_postgresql.c
Eeeek. I have no idea what you have done here :-) try using the latest Prerelease version from: ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.0-pre3.tar.gz Let us know how you go.. Peter On Wed, 16 Jul 2003 04:53 pm, Ali Gunduz wrote: > Sorry if this is reported before... > > I'm having these errors while compiling 0.8.1 with postgresql support. > > # > sql_postgresql.c:115:31: missing terminating " character > sql_postgresql.c: In function `sql_check_error': > sql_postgresql.c:116: error: parse error before "s" > sql_postgresql.c:116:22: missing terminating " character > sql_postgresql.c:129:31: missing terminating " character > sql_postgresql.c:130: error: parse error before "s" > sql_postgresql.c:130:11: missing terminating " character > sql_postgresql.c: In function `sql_query': > sql_postgresql.c:227: warning: implicit declaration of function > `sql_store_result' > sql_postgresql.c:228: warning: implicit declaration of function > `sql_num_fields' > sql_postgresql.c: At top level: > sql_postgresql.c:257: warning: `sql_store_result' was declared > implicitly `extern' and later `static' > sql_postgresql.c:227: warning: previous declaration of > `sql_store_result' > sql_postgresql.c:274: warning: `sql_num_fields' was declared implicitly > `extern' and later `static' > sql_postgresql.c:228: warning: previous declaration of `sql_num_fields' > make[10]: *** [sql_postgresql.o] Error 1 > #--- > > > Mentioned file is: > src/modules/rlm_sql/drivers/rlm_sql_postgresql/sql_postgresql.c > > Line 115 of this file is: > radlog(L_DBG, "rlm_sql_postgresql: Postgresql > check_error: > s, returning SQL_DOWN", PQresStatus(error)); > > (there's a newline at the end of first line.. Above code segment is > actually two lines in sql_postgresql.c) > > Guess it'd be: > radlog(L_DBG, "rlm_sql_postgresql: Postgresql > check_error: %s, returning SQL_DOWN", PQresStatus(error)); > > > > The same mistake exists on line 128 too... > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Migration from Steel Belted Radius to FreeRadius
On Wed, 16 Jul 2003 04:46 pm, Jim Watts wrote: > Currently, my company is migrating all core services from NT4.0 to > Linux/FreeBSD ;) Nice :-) > The next component on my hit list is to replace Steel Belted Radius with > freeRadius. Welcome to the club :-) > Question, has anyone attempted this before and got any suggestions ? Of > particular interest is reading the steel belted radius export file *.rif, > and being able to convert it to appropriate freeRadius conf, db files. I haven't I am sorry, although maybe someone else on the list has. We will certainly try to help you with any problems you come against though. Maybe you can write a migration howto... :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Replicator - PostgreSQL for DB backend
On Wed, 16 Jul 2003 03:54 pm, Bernie, CTA wrote: > Hi Peter, > > We use a modified (well hacked) version of PostgreSQL Replicator > and have experienced no significant problem. > > These were our primary DBMS replication requirements: > > 1. We needed a solution to operate securely within our > distributed data environment > 100 physical locations, and > 10,000 virtual datamarts. > > 2. We needed a replication topology that was scalable and > reliable with no single-point-of-failure, as present in most > DBMS Replication topologies. (Another reason why MySQL was not > attractive, as at the time only master-slave replication was > supported) > > 3. We required the ability to do asynchronous queries. > > 4. We required the metadata catalog and file replica catalog to > be distributed yet appear virtually centralized. > > 5. Since we were creating a virtual metadata catalog and a > unique autonomous security monitoring and incident handling > system, access to all of the source code was required. > > After looking at a few others DBBALANCER > http://dbbalancer.sourceforge.net/ we picked PostgreSQL > Replicator http://pgreplicator.sourceforge.net/ and made a few > customized changes to the source to accommodate our unique > security monitoring and incident handling system. > > I am now in the early stages of planning a complete design of > our own PostgreSQL BDMS replicating technology featuring our > autonomous security monitoring and incident handling method. I > am not sure if the project will be a public or private. I for one would love it to be public :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius 0.9.0pre3 SuSE 8.2 rpms
I have built 0.9.0pre3 SuSE 8.2 rpms. they are available from: http://www.peternixon.net/files/freeradius/ If anyone feels like testing these, that would be great. Anyone with versions of SuSE older than 8.2 (or versions of 8.2 that are not as updated as my workstation) can download freeradius-0.9.0pre3-0.src.rpm and rebuild it if the binary rpms fail due to dependencies on your system. Anyone not running SuSE, if you have some time we would appreciate your help in downloading and compiling ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.0-pre3.tar.gz We should have the final 0.9.0 release out sometime next week, so please get any bug reports into us asap. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dictionary and NAS tables
On Mon July 14 2003 23:30, Alex Chen wrote: > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] Behalf Of > > Peter Nixon > > Sent: Saturday, July 12, 2003 6:19 AM > > To: [EMAIL PROTECTED] > > Cc: [EMAIL PROTECTED] > > Subject: Re: Dictionary and NAS tables > > > > > > > > This sounds like a resonable solution to me. I already have a > > table listing my > > NASes anyway for reporting and query purposes, it would > > certainly make things > > neater if radius could use the same table. Especially for > > cases where you > > have more than radius server accessing a single DB backend. > > > > Having radius query the DB everytime it gets an unknown > > client query it could > > result in a trivial DoS though :-( > > There would need to be some though go into this.. > > > > > This can eliminate the need to send SIGHUP to the server to > > > > re-read the > > > > > clients.conf, > > > unless we change something in that file, and avoid possible > > > > file corruption > > > > > due to > > > human error when we update the file with large number of NAS. > > > > Yes, although because of DoS issues we maye still wish to > > -HUP the server > > anyway... I agree about management issues though. > > If Denial Of Service attack is a concern, then we can let the server > to read the DB for NAS table during initialization and do not refresh > its cache unless it receives a SIGHUP signal. Yes. That is the current plan. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dictionary and NAS tables
On Mon July 14 2003 23:33, Alex Chen wrote: > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] Behalf Of > > Peter Nixon > > Sent: Saturday, July 12, 2003 6:34 AM > > To: [EMAIL PROTECTED] > > Subject: Re: Dictionary and NAS tables > > > > > This sounds like a resonable solution to me. I already have > > > > a table listing > > > > > my NASes anyway for reporting and query purposes, it would > > > > certainly make > > > > > things neater if radius could use the same table. > > > > Especially for cases > > > > > where you have more than radius server accessing a single > > > > DB backend. > > > > I have modified the postgres schema in CVS to have the following: > > > > CREATE TABLE nas ( > > id SERIAL PRIMARY KEY, > > nasname VARCHAR(128), > > shortname VARCHAR(32) NOT NULL, > > ipaddr inet NOT NULL, > > type VARCHAR(30), > > ports int4, > > secret VARCHAR(60) NOT NULL, > > community VARCHAR(50), > > snmp VARCHAR(10), > > naslocation VARCHAR(32) > > ); > > > > This now has the capability of being a useful table for > > reporting (I use a > > similar table to run reports per city by listing City in > > naslocation and then > > doing a JOIN against the accounts table on ipaddr then a GROUP BY > > naslocation. > > Who is inserting/updating data in this table? Unless you change > the SQL statment in sql.conf file, I do not see anywhere the radius > server is touching this table. Is there other process/daemon monitoring > the protocol stream and update the table in the background? If you read the comment in the file in CVS you will see that it is not _currently_ used.. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: User Survey - Which DB backend do you use?
On Mon July 14 2003 19:36, Miranda Gomez Miguel Angel wrote: > Postgres, using a modified version of Perter Nixon schema, i found that > some items in the insert querys doesnt have the corresponding column in the > schema, these mostly was complementary changes , i do agree with Peter, i > began using mysql, but switched to postgres after a couple of months, the > main reason was the lack of store procedures and triggers in mysql, the > Peter's voip schema is very simple and easy to understand. > Thanks to Peter for a great work, You are welcome. Glad to know someone else is using my stuff :-) If you have made any changes that you think would benefit others please send them to me... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Updated User Survey - Which DB backend do you use?
On Mon, 14 Jul 2003 06:07 pm, Keith Yoder wrote:
> I am going to add a table to blacklist CallingStationIDs that aren't
>
> >>allowed to connect no matter what password they use to keep out old
> >>users who cancelled to use their neighbor's / cousin's / mother-in-law's
> >>account.
> >
> >Good idea. Send it to me when you have done it :-)
>
> Peter,
> The fact that someone else might be interested in this feature was
> enough for me to go ahead and do it. I created a table:
>
> CREATE TABLE `bad_callingstationids` (
> `CALLINGSTATIONID` varchar(18) NOT NULL default '',
> `OBSERVATION` varchar(100) NOT NULL default '',
> PRIMARY KEY (`CALLINGSTATIONID`)
> );
>
> and then altered our authorize_check_query to the following
>
> SELECT logins.USUARIO,logins.LOGIN,Attribute,logins.SENHA,op,
> bad_callingstationids.CALLINGSTATIONID
> FROM usuarios.logins, usuarios.usuarios LEFT JOIN
> radius.bad_callingstationids ON '%{Calling-Station-Id}' =
> bad_callingstationids.CALLINGSTATIONID WHERE usuarios.CADASTRO =
> logins.USUARIO
> AND usuarios.ATIVO = 1
> AND logins.LOGIN = '%{SQL-User-Name}'
> AND bad_callingstationids.CALLINGSTATIONID IS NULL
> ORDER BY USUARIO
>
> Like I said before we use an existing database schema to store user and
> password info. The important part is the LEFT JOIN in the FROM clause.
> I was going to use a sub-query but MySQL 4.1.0 doesn't fully support
> them yet. (I guess that would be another good reason to use Postgres :) )
>
> I'm interested in any feedback. I don't know if this was the best way
> to do this but it works for me.
OK. I will check this out later. I think I will stick something like this into
CVS for the next version of FreeRadius (not 0.9.0 but the one after)
I may try to make it a little more generic, I will se when I play with it some
more.
> Peter, I get the impression you are one of the developers for the
> rlm_sql module.
Erm, I am sort of a random hacker who Alan was stupid enough to give CVS
access to and I have been busy causing trouble ever since :-)
For the most part I look after the SuSE build scripts, and Postgres related
stuff that no-one else has gotten around to fixing. :-)
> I'm interested in putting the radius log into a
> database. This would help me give our support staff information to
> diagnose people who don't know who to type their password correctly and
> other such things.
I it also obviously a security risk to have your passwds in plain text...
Hence the reason why passwd logging is disabled by default on FR.
>Do you know if anyone else has worked on this at
> all? Is anyone else interested?
This would require an extra module I think. It's not likely to happen
immediately unless you write it :-)
You could also do this by modifying some of the addon scripts available for
syslog-ng. Note: FreeRadius doe not use syslog but you should be able to
follow the links that mention logging to DB from:
http://www.campin.net/syslog-ng/faq.html
It will give you an idea of where to start..
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_counter compile/configure problem / Solaris8
On Mon, 14 Jul 2003 05:17 pm, Christian Esken wrote: > Alan DeKok wrote: > >Christian Esken <[EMAIL PROTECTED]> wrote: > >> PS: The reason why configure finds the lib, but not the include is > >> strange. It looks like gcc looks at /usr/local/gnu/lib by default , > >> but the preprocessor (gpp) does not look at /usr/local/gnu/include > > > > So your compiler & associated tools can't find some gdbm > >information, and you're blaming FreeRADIUS, why, exactly? > > I am fully aware I can set appropriate environment variables before > compiling (to set extra inlcude/lib paths). This is not the point here. > > The point is that gdbm.h is not there and the configure.in of the > rlm_counter module does not care. So the FreeRADIUS build system tries to > compile the module, which fails due to the missing gdbm.h include. I think > this is bad behaviour. Nice behaviour would be to say: "Not compiling > rlm_counter (gdbm.h missing)". > > So the configure.in should be fixed. I am currently testing the follwing > fix, but expecting it to fail (I am in no ways an autoconf expert.). > > [EMAIL PROTECTED] ->diff -u configure.in~ configure.in > --- configure.in~ Mon Feb 25 19:44:37 2002 > +++ configure.inMon Jul 14 15:32:58 2003 > @@ -8,6 +8,9 @@ > AC_PROG_CPP > > AC_SMART_CHECK_INCLUDE(gdbm.h) > + if test "x$ac_cv_header_gdbm_h" != "xyes"; then > + fail="$fail gdbmh.h" > + fi > AC_SMART_CHECK_LIB(gdbm, gdbm_open) > if test "x$ac_cv_lib_gdbm_gdbm_open" != "xyes"; then > fail="$fail libgdbm" > > > I am fully aware that it is only a flaw of the rlm_counter module. But > including a module for compiling with knowing compiling WILL fail is not > good. So I thought you might be interested A similar problem exists in the kerberos module. I expect we will have these issues sorted out for version 1.0 (or ever version 0.9.1) Send me a patch that works and I will test it :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Updated User Survey - Which DB backend do you use?
> I use custom queries because we wanted to use an existing database to > authenticate. I also added an "ACTIVE" field to our user table so that > we could easily desactivate a user that doesn't pay. (added WHERE ACTIVE > = 1 to the query). Fair enough. > I am going to add a table to blacklist CallingStationIDs that aren't > allowed to connect no matter what password they use to keep out old > users who cancelled to use their neighbor's / cousin's / mother-in-law's > account. Good idea. Send it to me when you have done it :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: User Survey - Which DB backend do you use?
On Mon, 14 Jul 2003 04:24 pm, Bernie, CTA wrote: > On 14 Jul 2003 at 10:30, Peter Nixon wrote: > > Hi List > > > > I would like to take a quick straw poll. > > > > a) If you use a Database backend for FreeRadius which one do you > > use? > > We are an BSDi / Open BSD environment>>> > > Accounting - Redundant Postgres DB > == to other DBMS such as MySQL, Oracle its: > 1. No license fee > 2. Less Security Vulnerabilities > 3. Easier to replacate > 4. Lends to a Decentralized / Virtually Centralized DBMS > topology, which is better for security applications > 5. Better Transaction Processing Performance > 6. Less overhead > 7. Control of source > 8. Scales well > 9. Faster Yep. No arguements from me on these :-) For general purpose DB work Postgres pretty much walks all over the competition when you take all these factors into account. I can only imagine needing to pay for a commercial DB if I was handling Terabytes of data. (Postgres happily handles many gigabytes of data per table for me currently) Do you mind telling me what replication system you use (Postgres has several) and how you find it? Are there any gotchas/problems? (I currently run my DBs standalone as I simply don't have the reliability issues with postgres that used to force me to replicate/cluster my MySQL boxes..) TIA -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Acct-Output-Gigawords, Acct-Input-Gigawords
On Mon, 14 Jul 2003 12:02 pm, Paul Hampson wrote:
> > From: Alexander M. Pravking
> > Sent: Sunday, 13 July 2003 11:32 PM
> >
> > On Sun, Jul 13, 2003 at 03:46:08AM +1000, Paul Hampson wrote:
> > > Just looking at some of my records, would I be right in
> > > observing that the default *sql.conf files don't account
> > > for Acct-Output-Gigawords and Acct-Input-Gigawords?
> > >
> > > If I'm right and it's not being accounted for, is there any
> > > reason I wouldn't want to modify the query to be
> > > SET AcctInputOctets = %{Acct-Input-Octets} +
> > > (%{Acct-Input-Gigawords} * 4294967296)
> >
> > Or SET AcctInputOctets
> > = (cast(%{Acct-Input-Gigawords:-0} as <64-bit-integer>) << 32)
> > + %{Acct-Input-Octets:-0}
> > if binary shift is supported by DBMS.
>
> I don't see casting in mySQL, but apparently all arithmatic _is_ done
> as bigint (64 bit) although there's a warning in the 3.23 manual (dunno
> about 4):
>
> BIGINT[(M)] [UNSIGNED] [ZEROFILL]
> A large integer. The signed range is -9223372036854775808 to
> 9223372036854775807. The unsigned range is 0 to 18446744073709551615. Some
> things you should be aware about BIGINT columns:
> + As all arithmetic is done using signed BIGINT or DOUBLE values, so
> you shouldn't use unsigned big integers larger than 9223372036854775807 (63
> bits) except with bit functions! If you do that, some of the last digits in
> the result may be wrong because of rounding errors when converting the
> BIGINT to a DOUBLE.
> + You can always store an exact integer value in a BIGINT column by
> storing it as a string, as there is in this case there will be no
> intermediate double representation. + `-', `+', and `*' will use BIGINT
> arithmetic when both arguments are INTEGER values! This means that if you
> multiply two big integers (or results from functions that return integers)
> you may get unexpected results when the result is larger than
> 9223372036854775807.
>
> The bit about the string makes me wish rlm_expr worked with 64-bit values
> 'cause then I could put ''s around the %{} and it would be a safe insert.
> But that's crazy talk all 'round.
>
> > However, default *sql schemas use numeric(N) fields for *Octets,
> > which 1) are slow; 2) sometimes require explicit value casting;
> > 3) need to be expanded to numeric(20) to avoid overflows...
> > So I'll vote for second solution:
>
> Using a numeric(N) column seems deranged as far as mySQL's
> concerned, 'cause that's a floating-point value! I mean, we're
> dealing with
>
> I noticed that something in the mySQL schema became bigint
> recently... I forget what it was, but I _also_ had to bigint my
> NAS-Port-ID value, since I noticed that was being cropped.
>
> Would biginting this column be evil, given that it really is one
> piece of information, and is only seperated into two attributes
> because Radius deals in four-byte unsigned integers?
> (As far as I understand)
>
> (Now that I look at the current mysql db schema, the Octects
> columns _are_ bigint'd. So I guess this was always on the cards.)
>
> Now that I look at it, the recent change shouldn't be bigint but
> "unsigned int", since that's the same range the value in the
> radius packet has... Have to go fix that, I guess... Looks like
> all the int and bigint values in the mySQL db example schema
> are in need of the 'unsigned' keyword. (Well, maybe not AcctStartDelay,
> AcctStopDelay? Have to check the RFC for what they _are_ first)
>
> On the other hand, the Input-Octets value _would_ be an
> unsigned bigint (64 bits) since it's two 32-bit values concatenated
> together.
>
> I guess the mySQL schema and such need as much attention
> as the postgresQL schema's been getting recently.
We can work together on this on the -devel list.
Changing NUMERIC to INT is one of the things I have been doing for Postgres.
I still have a few more changes to make to the postgres files but they are
mostly complete now I think. Would you mind comparing what I have done for
Postgres and seeing how much of it will work/port to MySQL??
MySQL doesnt have INET field types for instance but alot of the rest should
work.. (Dunno about the datetime calc though..)
> In fact, signedness in FreeRADIUS generally is on my hit-list. :-)
>
> > > Otherwise I'll add the Gigaword columns as extra columns.
> >
> > You could put both of them into *sql.conf as an example,
> > and let admins to decide themselves which one to use :)
>
> Well, I _could_ have faith in the admins
> Is there any reason to leave the Gigaword columns _out_
> of the default schema/queries, apart from breaking people who
> don't update their schema and don't notice the query change...
> (Which is my other vote in favour of the above, no more breakage
> than already exists)
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: User Survey - Which DB backend do you use?
The DB backend (ie rlm_sql). Accounting in particular, but any use of the DB backend interests me.. On Mon, 14 Jul 2003 10:57 am, Gene Parks wrote: > Clarification please. For what function of Freeradius do you want to > know about? > > > -Original Message- > From: Peter Nixon [mailto:[EMAIL PROTECTED] > Sent: Monday, July 14, 2003 3:31 AM > To: [EMAIL PROTECTED] > Subject: User Survey - Which DB backend do you use? > > > Hi List > > I would like to take a quick straw poll. > > a) If you use a Database backend for FreeRadius which one do you use? > > b) If you do not use a DB backend for FreeRadius, but do have a DB on > your > server or in your rack, what DB is it? > > c) If you do not use a DB backend for FreeRadius, but do have a DB on > your > server or in your rack, why don't you use it as a backend to FreeRadius? > > Please reply to this thread on the mailing list or to me directly (I am > one of > the developers) if you wish to keep the info private. > I will post a summary in a few days. > > Thanks in Advance -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Updated User Survey - Which DB backend do you use?
On Mon, 14 Jul 2003 10:30 am, Peter Nixon wrote: > Hi List > > I would like to take a quick straw poll. > > a) If you use a Database backend for FreeRadius which one do you use? > > b) If you do not use a DB backend for FreeRadius, but do have a DB on your > server or in your rack, what DB is it? > > c) If you do not use a DB backend for FreeRadius, but do have a DB on your > server or in your rack, why don't you use it as a backend to FreeRadius? d) If you do use a DB backend for FR do you use the default SQL queries that come with FR or have you written your own? If you wrote your own, would you mind sharing them with us (with a description please)? -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
User Survey - Which DB backend do you use?
Hi List I would like to take a quick straw poll. a) If you use a Database backend for FreeRadius which one do you use? b) If you do not use a DB backend for FreeRadius, but do have a DB on your server or in your rack, what DB is it? c) If you do not use a DB backend for FreeRadius, but do have a DB on your server or in your rack, why don't you use it as a backend to FreeRadius? Please reply to this thread on the mailing list or to me directly (I am one of the developers) if you wish to keep the info private. I will post a summary in a few days. Thanks in Advance -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: createlang plperl
On Sun July 13 2003 12:08, Umut Destan wrote: > Hi all, > Following the instructions Peter Nixon gives in VoIP billing; > "createlang plperl radius" doesn't seem to succeed. (How important is > plperl anyway?) I got the postgresql-plperl.rpm package with the same > version as my postgresql packages (7.1.3-2) Bu when i try to createlang, if > fails: > ERROR: Load of file /usr/lib/pgsql/plperl.so failed: > /usr/lib/perl5/5.00503/i386-linux/auto/Opcode/Opcode.so cannot open shared > object file: No such file or directory. Well ofcourse Opcode.so is not > there because I have Perl 5.6.0 and its in /usr/lib/perl5/5.6.0/ Is > something wrong with plperl.so here? My instructions are tested on SuSE Linux 8.1 and 8.2 with updated Postgres, perl and postgres module rpms (Some problems I found with the rpms caused new ones to be released) You only need plperl if you are planning on writing stored procedures in perl. I use the following stored procedure: CREATE OR REPLACE FUNCTION strip_dot (text) returns timestamp AS ' my $datetime = $_[0]; $datetime =~ s/^\\.*//; return $datetime; ' language 'plperl'; to strip the leading . from the timestamps of Cisco NASes that have temporarily lost NTP timesync. I probably should rewrite this in Postgres native language, but I did not know it and did know perl at the time I wrote this. If I get a chance tomorrow I will rewrite it before the next FR release. (My wife tells me as its sunday we are going shopping now :-) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: VoIP accounting MySQL vs. Postrgres
On Sat July 12 2003 23:32, Umut Destan wrote: > Hello list, > I think I got the sql accounting working, thanx for the answers for that Q. > Now I read the document Peter Nixon wrote about VoIP Accounting,.. Isn't > MySQL just as par with PostgreSQL in terms of speed? If I had 1 AS5350 > sending only little amount of accounting data to freeradius, wouldn't MySQL > be able to keep about with it also? Does MySQL really mess up with dates? > I'm asking this because it's weird how popular MySQL is it has a flaw like > that.. Hi Umut Disclaimer: I have not used MySQl version 4 so my info may be a little out of date. Now first of all speed is a subjective thing. It depends very much WHAT you are doing. MySQL has a reputation of being blazingly fast at being a website backend. That is, it is very fast at doing simple SELECTS and pumping data out for display. HOWEVER MySQL does not have the full ANSI spec worth of queries, for instance it cannot do SUB SELECTS. It also does not have VIEWS, STORED PROCEDURES and many many other nice things you need to do advanced DB work. The biggest problem with it though is its very poor locking system when doing INSERTS and especially UPDATES. It is also not ACID compliant so there is a posibility that if your system crashes at the right (wrong) time you can lose data even though the database says it has commited it. The locking is the biggest problem on a RADIUS server though, as it can be many many times slower (10-100 times) than postgres when under high load and doing many UPDATES, while the latest version of Postgres is very similar speed at doing SELECTS now. (It _used_ to be much slower but those speed problems have been fixed) These are all very good reasons to use Postgres (which is a full featured, powerfull, mostly Oracle compatible database) instead of MySQL (which should more appropriately be called SQLite :-) and you will find many more if you start to play with Postgres. Put simply though, the big reason why you cannot use MySQL to do accounting for Cisco VoIP VSA accounting is that the DATE support in MySQL sucks. Not just a little bit. It sucks like your grandmother sucks on her false teeth! Its Date/Time support is _even worse_ than MS SQL and _that_ is saying something!!! If you use a Postgres (And have your NASes NTP time synced. You DO have your NAS NTP times synced don't you??) you can simply take the h323starttime, h323setuptime and h323stoptime directly from a RADIUS Stop packet and INSERT it directly into a "timestamp with time zone" field and everyone is happy. You can have NASes in direrent timezones and query from your DB as if they are all in the same timezone, or customers who want their billing records relative to a different timezone etc etc.. EVERYONE IS HAPPY. With MySQL you are screwed. You can't INSERT a cisco timestamp into MySQL as it doesn't recognise it, this forces you to do the generic RADIUS style DB accounting as per the default config which basically sucks for VoIP compared to my schema/queries as you have to generate the timestamp on the radius server not the NAS. This is BAD BAD BAD for several reasons: a) There can be a delay which means you have to do post processing of your data to make it valid b) You MUST do an INSERT of Start RADIUS records to get the Start time of a call, then an UPDATE (Remember that MySQL is about as fast as my mother with a deck of punch cards at doing DB UPDATES) when a Stop records arrives. If you missed the Start packet you then again have to do post processing of your data to generate the Start time from the Stop time minus the Call Duration. When you have two cases that mean you have to post process your data before it is usefull to you, then there is actually no point at all in having a live Database. You will find it is quicker to simply use an import on you detail files script once per hour than fix the dataset in your DB. (this actually applies to anyone using the default FreeRADIUS sql queries regardless of DB backend, but most ISPs don't care about correct CDR's, they just want a sum of how many minute each user has been online, hence the Start and Stop time is of secondary importance.) MySQL also has the very nasty habit of shooting itself in the head when it gets under high load (Too many UPDATES on the DB at once) You _will_ hit this problem! Using one Cisco 5350 I found I could generally crash the DB and therefore FreeRADIUS also at about 60 or so concurrent calls (Each 5350 can handle 120 calls or 4 PRIs). It does vary depending on how many short (or zero) length calls you have. With Postgres I can run around 500 INSERTS per second with a 3 field UNIQUE index: "create UNIQUE index stopvoipcombo on stopvoip (h323SetupTime, nasipaddress, h323ConfID);" If you don't make it UNIQUE you can get more as its Postgres doesn't have to d
Re: Preproxy help?
t = 3
> net_timeout = 1
> }
> realm suffix {
> format = suffix
> delimiter = "@"
> }
> realm realmslash {
> format = prefix
> delimiter = "/"
> }
> realm realmpercent {
> format = suffix
> delimiter = "%"
> }
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
> files {
> usersfile = ${confdir}/users
> acctusersfile = ${confdir}/acct_users
> compat = no
> }
>
> detail {
> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600
> }
>
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
> NAS-Port-Id"
> }
> $INCLUDE ${confdir}/sql.conf
> radutmp {
> filename = ${logdir}/radutmp
> perm = 0600
> callerid = "yes"
> }
>
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0644
> callerid = "no"
> }
>
> attr_filter {
> attrsfile = ${confdir}/attrs
> }
> counter {
> filename = ${raddbdir}/db.counter
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
>
> always fail {
> rcode = fail
> }
> always reject {
> rcode = reject
> }
> always ok {
> rcode = ok
> simulcount = 0
> mpp = no
> }
>
> expr {
> }
> }
>
> instantiate {
> expr
> }
>
> authorize {
> preprocess
> mschap
> suffix
> files
> }
>
> authenticate {
> authtype PAP {
> pap
> }
> authtype MS-CHAP {
> mschap
> }
> unix
> }
> preacct {
> preprocess
> suffix
> files
> }
>
> accounting {
> acct_unique
> detail
> unix # wtmp file
> radutmp
> }
>
> session {
> radutmp
> }
>
> post-auth {
> # Get an address from the IP Pool.
> #main_pool
> }
>
> -Original Message-
> From: Gene Parks [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 10, 2003 7:25 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Preproxy help?
>
>
> Can you tell us exactly what it is you are looking to do? It would help
> us in pointing you in the right direction.
>
> Gene
>
> -Original Message-
> From: Kent Holloway [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 10, 2003 6:02 PM
> To: [EMAIL PROTECTED]
> Subject: Preproxy help?
>
>
> I have searched the archives and there is very little info on the
> preproxy stuff in Radius.
>
> Does anyone have some working example configs or maybe a little more in
> depth info about it?
>
> Thanks in advance.
>
> P.S. We are using freeradius 0.8.1
>
> -Kent
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dictionary and NAS tables
On Sat July 12 2003 16:19, Peter Nixon wrote: > On Sat July 12 2003 01:16, Alex Chen wrote: > > I agree about the dictionary part since it will be a 'read-only' table > > and practically > > will not change at all. > > > > But I think it will be more scalable and manageable if the clients.conf > > part can be configured to stored in DB's nas table, i.e. radiusd.conf > > includes clients.conf, > > which can have some kind of syntax to indicate that the information is to > > be read from a 'nas' > > tables in DB through 'sql' module. > > Of course this will be configurable, so is the table name, like other > > parts of radiusd.conf. > > > > If a new NAS needs to be added to the server, we only need to add a row > > into the DB. The server can cache the NAS information retrieved from DB > > during startup, like it > > does with the clients.conf file currently. When it gets a request packet > > from a unknown NAS > > client, i.e. which does not exist in its cache, it can do another query > > from the 'nas' > > table to refresh the cache and proceed with the > > authorization/authentication/accounting. > > If the NAS still does not exist in the latest DB query, the server does > > whatever it does > > to unknown NAS now. > > This sounds like a resonable solution to me. I already have a table listing > my NASes anyway for reporting and query purposes, it would certainly make > things neater if radius could use the same table. Especially for cases > where you have more than radius server accessing a single DB backend. I have modified the postgres schema in CVS to have the following: CREATE TABLE nas ( id SERIAL PRIMARY KEY, nasname VARCHAR(128), shortname VARCHAR(32) NOT NULL, ipaddr inet NOT NULL, type VARCHAR(30), ports int4, secret VARCHAR(60) NOT NULL, community VARCHAR(50), snmp VARCHAR(10), naslocation VARCHAR(32) ); This now has the capability of being a useful table for reporting (I use a similar table to run reports per city by listing City in naslocation and then doing a JOIN against the accounts table on ipaddr then a GROUP BY naslocation. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
