Re:rlm_ippool: No available ip addresses in pool (Thomas Krause (Webmatic))

2003-07-18 Thread Pierluigi Frullani

> modules {
>
>  ippool wpool {
>  session-db = ${raddbdir}/wpool-sess-db
>  ip-index = ${raddbdir}/wpool-idx-db
>  range-start = 192.168.127.1
>  range-stop = 192.168.127.127
>  netmask = 255.255.255.255
>  #netmask = 255.255.255.128
>  cache-size = 5000
>  }
>
>
>  ippool dpool {
>  session-db = ${raddbdir}/dpool-sess-db
>  ip-index = ${raddbdir}/dpool-idx-db
>  range-start = 192.168.126.160
>  range-stop = 192.168.126.255
>  netmask = 255.255.255.255
>  cache-size = 800
>  }
>
> So, what's wrong?
> Thanks for any hints!
If I'm not mistaken, the netmask in the config is for determining the
address pool. So if you use the 255.255.255.255 netmask, you tell
rlm_ippool that you have no network. You should use a higher netmask to
provide some addresses. E.g.:
range-start = 192.168.126.160
range-stop = 192.168.126.255
netmask = 255.255.255.128

This will inform the module that you want to use the addresses in the
network 192.168.126.128/25, starting from the .160

I think that the 255.255.255.255 mask will lead the module into confusion.

Hope I've been clear, and that this helps.

Pigi



>
> Regards,
> Thomas.
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
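To make the reply's point concrete, here is an added example (not code from the thread or from rlm_ippool) that counts how many addresses a pool definition can actually hand out. It assumes that rlm_ippool uses `netmask` only to skip the network and broadcast address of the subnet each address falls in; under that rule a 255.255.255.255 mask makes every address both network and broadcast, so the pool is empty.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted quad into host byte order. Returns 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/*
 * Count addresses in [range_start, range_stop] that are neither the network
 * nor the broadcast address of the subnet implied by netmask. This models the
 * rule described in the reply (assumption: rlm_ippool uses netmask only to
 * skip those two addresses); it is not the module's code. -1 on bad input.
 */
long usable_pool_size(const char *range_start, const char *range_stop,
                      const char *netmask) {
    uint32_t start, stop, mask;
    if (!parse_ipv4(range_start, &start) || !parse_ipv4(range_stop, &stop) ||
        !parse_ipv4(netmask, &mask) || start > stop)
        return -1;
    uint32_t host_bits = ~mask;          /* all zero for 255.255.255.255 */
    long usable = 0;
    for (uint64_t ip = start; ip <= stop; ip++) {
        uint32_t host = (uint32_t)ip & host_bits;
        /* host == 0 is the network address, host == host_bits the broadcast;
         * with a /32 mask both conditions hold for every address. */
        if (host == 0 || host == host_bits) continue;
        usable++;
    }
    return usable;
}

int main(void) {
    /* The two pools from the quoted config, with the /32 mask and a /25 mask. */
    printf("wpool /32: %ld\n", usable_pool_size("192.168.127.1", "192.168.127.127", "255.255.255.255"));
    printf("wpool /25: %ld\n", usable_pool_size("192.168.127.1", "192.168.127.127", "255.255.255.128"));
    printf("dpool /32: %ld\n", usable_pool_size("192.168.126.160", "192.168.126.255", "255.255.255.255"));
    printf("dpool /25: %ld\n", usable_pool_size("192.168.126.160", "192.168.126.255", "255.255.255.128"));
    return 0;
}
```

With the /25 mask, wpool loses only .127 (its broadcast) and dpool only .255, which is the check worth running before blaming the module for "No available ip addresses in pool".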


Re: Newbie question ( i think ) on freeradius, LDAP and VPN3000 Cisco

2003-06-13 Thread Pierluigi Frullani
>> Here the question: is there a way to receive some parameter from the
>> LDAP server to pass back to radius ( not to Cisco 3015 ) to activate
>> the rlm_ippool module ?
>
> radiusCheckItem: Pool-Name := pool1

While waiting on this info I've also found that you can modify the
ldap.attrmap adding (for example) a line that says:

checkItem   Pool-Name   radiusPool

and adding to your LDAP schema the "radiusPool" (or whatever you want)
attribute.
In this way you can configure the pool from the LDAP server, and leave
your radius server to choose from the various pools you may have configured on
it.
When the radius server asks the LDAP server for authorization, and if the
LDAP is configured for this value, it will receive this attribute and use
it for the requested purpose.
Hope this will help someone else.
Thanks.
Pigi




Newbie question ( i think ) on freeradius, LDAP and VPN3000 Cisco

2003-06-11 Thread Pierluigi Frullani
Hi all,
 I'm trying to configure a radius server that will get requests from a
VPN3015 and forward (in part) these requests to an LDAP server.
I'm at quite a good point right now, but I need some advice.
Here are some details:
groups on the radius server, users on the LDAP server, RADIUS that authenticates
the users, and (as per the Cisco docs) the groups.
The way the Cisco 3015 operates is a little bit strange, and the auth/acct
sequence from it is:
1) Request authorize for group (two times, maybe a Cisco bug)
2) Request authorize for user
3) Request authorize for the group the user belongs to (thanks to Matt Stockdale
who led me in the right direction)
4) Re-request authorize for group (the one in step 1)
5) Request Account for user.

This side is quite stable now.

What I want is to get the IP from the radius server, to give back to the Cisco 3015 for
the user.
I need to lock different users in different IP pools to determine later
with a firewall where the users can go inside my network.
It would be a trivial joke if the users were in the radius "users" file, by
giving the PoolName attribute, but it is impossible for me as there are
quite a lot of them, which is the reason we decided to use an LDAP server for them.

Here is the question: is there a way to receive some parameter from the LDAP
server to pass back to radius (not to the Cisco 3015) to activate the
rlm_ippool module?

The docs about the ldap module aren't very easy for me to understand.

Hope it is clear enough, as my English is very poor.

Pierluigi Frullani




Re: IPPool problem, again. (Kostas Kalevras)

2002-10-11 Thread Pierluigi Frullani

> It was fixed today. Check the CVS. It needed a memset(0) for key.nas
> before the strcpy().
>

I can confirm that now it works.
Thanx alot
Pigi

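The memset(0) fix quoted above addresses a failure mode worth seeing in isolation: a struct filled with strcpy and then used as a binary gdbm key carries whatever bytes were in memory after the string's NUL, so two keys built from identical nas/port values need not compare equal, and gdbm_fetch misses (the symptom described in the message below). This added example (not rlm_ippool's code; the struct layout is an assumption) simulates the stale bytes deterministically and compares the buggy and fixed constructions.

```c
#include <string.h>
#include <stdio.h>
/* Shape of the per-session gdbm key the thread refers to (assumed layout, not
 * rlm_ippool's struct): NAS address string plus NAS port. gdbm compares keys
 * byte for byte, so the unused tail of nas[] after the NUL counts too. */
struct ippool_key {
    char nas[16];
    unsigned int port;
};
/* Buggy construction: strcpy into a key whose bytes were never cleared. 'stale'
 * stands in for whatever the stack held (simulated so the result is
 * deterministic). Caller guarantees nas fits in nas[]. */
static void build_key_buggy(struct ippool_key *k, unsigned char stale,
                            const char *nas, unsigned int port) {
    memset(k, stale, sizeof *k);   /* simulated uninitialised stack */
    strcpy(k->nas, nas);           /* bytes after the NUL stay as garbage */
    k->port = port;
}

/* Fixed construction: the memset(0) before the strcpy reported as the fix
 * wipes the garbage, so equal inputs always give byte-identical keys. */
static void build_key_fixed(struct ippool_key *k, unsigned char stale,
                            const char *nas, unsigned int port) {
    memset(k, stale, sizeof *k);   /* same simulated garbage ... */
    memset(k, 0, sizeof *k);       /* ... cleared before use */
    strcpy(k->nas, nas);
    k->port = port;
}

/* Emulates gdbm's byte-for-byte key match: 1 if the keys are identical. */
static int keys_equal(const struct ippool_key *a, const struct ippool_key *b) {
    return memcmp(a, b, sizeof *a) == 0;
}

/* Authorize stored its key with one stack state; the accounting Stop rebuilds
 * it with another. Returns 1 when the Stop lookup would find the entry. */
int stop_finds_entry(int use_fix) {
    struct ippool_key at_authorize, at_stop;
    void (*build)(struct ippool_key *, unsigned char, const char *, unsigned int) =
        use_fix ? build_key_fixed : build_key_buggy;
    build(&at_authorize, 0xAA, "10.128.255.3", 1054);  /* nas/port from the log */
    build(&at_stop, 0x55, "10.128.255.3", 1054);
    return keys_equal(&at_authorize, &at_stop);
}

int main(void) {
    printf("without memset(0): Stop lookup %s\n", stop_finds_entry(0) ? "hits" : "misses");
    printf("with memset(0):    Stop lookup %s\n", stop_finds_entry(1) ? "hits" : "misses");
    return 0;
}
```

The same stale bytes are also what gets written into the on-disk session db as the key, so clearing the struct before filling it is the right habit for any struct used as a binary key or serialised record.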



IPPool problem, again.

2002-10-11 Thread Pierluigi Frullani

Do you remember my previous mails?
> Hi all,
> I' m having problem with the Ippool module ( rlm_ippool ).
> When authorizing, the module is able to allocate the correct IP
> address, but on the account "Stop" does not set the ip free.
...
Well, I did some more investigation, but it still doesn't work.
I added some comments to the rlm_ippool module to check what kind of data
was passing through the module.
Here is the output:
In authorize "side":
rlm_ippool: Searching for an entry for nas/port: 10.128.255.3/1054
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.128.10.2 to client on nas 10.128.255.3,port 1054

On the accounting side, when the request is a Stop, at the end of the
"if (data_datum.dptr != NULL){"
I've added a cycle over the gdbm file and I see:

rlm_ippool: THERE IS A NAS INFORMATION IN PACKET 10.128.255.3 1054.
rlm_ippool: Values: active = 1, key.nas = 10.128.255.3, nasport= 1054
rlm_ippool: Dati 0 NOT_EXIST -2
rlm_ippool: Exiting from function accounting no results

So it seems that the gdbm_fetch fails when searching in the file.
The behaviour is the same on Linux and Solaris 8 machines.
Have you any idea?

In the meantime I will try to modify the source to work with a cycle, but
this could be expensive for the time needed by the scan.

Pigi




Re: Ippool problem on 0.7.1.Don't deallocate ip addresses

2002-10-11 Thread Pierluigi Frullani
Ok, I reply to myself.
I've noticed that the NAS (a VPN 3000 Concentrator) sends out two
different authorize requests, on two different ports (1020 and 1038 in my
trace); then when it gives out a Stop request it will use the second request's
parameters.
The rlm_ippool module correctly checks for the second request and doesn't
give out a new IP address, and also correctly doesn't free the IP address
on Stop due to the different port in the request.
This would be a real problem for me, but the module is OK.

Sorry again
Pigi




Ippool problem on 0.7.1.Don't deallocate ip addresses

2002-10-10 Thread Pierluigi Frullani

Hi all,
 I'm having a problem with the Ippool module (rlm_ippool).
When authorizing, the module is able to allocate the correct IP address, but
on the accounting "Stop" it does not set the IP free.

relevant part of radiusd.conf
...
...
modules {
...
...
ippool Prova0 {
range-start = 10.128.1.0
range-stop = 10.128.1.3
netmask = 255.255.255.252
cache-size = 800
session-db = ${raddbdir}/db.ippool.0
ip-index = ${raddbdir}/db.ipindex.0
}
...
}
authorize {
...
Prova0
...
}
accounting {
...
Prova0
...
}

users file:
...
steve   Auth-Type := Local, User-Password == "testing", Pool-Name := "Prova1"
...

log, from radiusd -X > log says:
...

Module: Instantiated ippool (Prova0)
 ippool: session-db = "/usr/local/freeradius/etc/raddb/db.ippool.1"
 ippool: ip-index = "/usr/local/freeradius/etc/raddb/db.ipindex.1"
 ippool: range-start = 10.128.10.0 IP address [10.128.10.0]
 ippool: range-stop = 10.128.10.3 IP address [10.128.10.3]
 ippool: netmask = 255.255.255.252 IP address [255.255.255.252]
 ippool: cache-size = 800
...
...
  modcall[authorize]: module "files" returns ok
rad_recv: Access-Request packet from host 10.128.255.4:1024, id=78, length=92
User-Name = "steve"
User-Password = "\r\021\353N\315\021 s\023.8]O\002F\010"
NAS-Port = 1020
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = "212.239.118.116"
NAS-IP-Address = 10.128.255.4
NAS-Port-Type = Virtual
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "steve"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched steve at 99
  modcall[authorize]: module "files" returns ok
rlm_ippool: Entering in function authorize
rlm_ippool: Searching for an entry for nas/port: 10.128.255.4/1020
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.128.10.2 to client on nas 10.128.255.4,port 1020
  modcall[authorize]: module "Prova0" returns ok
...
...
rad_recv: Accounting-Request packet from host 10.128.255.4:1038, id=24, length=155
User-Name = "steve"
NAS-Port = 1020
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.128.10.2
Class = 0x47727570706f526164
Acct-Status-Type = Stop
Acct-Input-Octets = 312
Acct-Output-Octets = 0
Acct-Session-Id = "0C400010"
Acct-Session-Time = 8
Acct-Input-Packets = 3
Acct-Output-Packets = 0
Acct-Terminate-Cause = User-Request
Tunnel-Client-Endpoint:0 = "212.239.118.116"
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = 10.128.255.4
NAS-Port-Type = Virtual
modcall: entering group preacct
  modcall[preacct]: module "preprocess" returns noop
rlm_realm: Looking up realm NULL for User-Name = "steve"
rlm_realm: No such realm NULL
  modcall[preacct]: module "suffix" returns noop
  modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/10.128.255.4/detail'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail expands to /usr/local/freeradius/var/log/radius/radacct/10.128.255.4/detail
  modcall[accounting]: module "detail" returns ok
  modcall[accounting]: module "counter" returns ok
radius_xlat:  'steve'
  modcall[accounting]: module "radutmp" returns ok
  modcall[accounting]: module "Prova0" returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 24 to 10.128.255.4:1038
Finished request 12
Going to the next request


This problem is driving me crazy.
Have you any idea?




RE: rlm_ippool

2002-07-31 Thread Pierluigi Frullani

> Hi,
>
> I want to use ippool module (freeradius version 0.7 stable). I have
> tried  the following configure commands but unfortunately didn't work:
> ./configure . --with-rlm_ippool
> ./configure . --enable-rlm_ippool
> I looked in configure, make messages but I didn't see anything wrong.
> Are  there any dependencies for this module??? What I did wrong??
> Please help.

There are no configuration flags for this module.
As soon as you have finished the compilation and installation of
freeradius, you have to go into src/modules/rlm_ippool and issue a make
command, then a make install.
HTH
Pigi




Re: ippool_problem.May_this_be_a_good_fix

2002-07-30 Thread Pierluigi Frullani

>> "Pierluigi Frullani" <[EMAIL PROTECTED]> wrote:
>> >  Looking in the code I think I' ve found a "bug" that I fixed this
>> >  way:
>> ...
>> > Brief, when entering in this lines, if the user was missing the
>> > Pool-Name attribute, there were no return and some unpredictable
>> > Pool address was returned.
>>
>>   Ah, that's a problem.
>
> Well actually that was a design decision. If the Pool-Name attribute
> does not exist then the first module instance in the authorize section
> will give out an IP address. That way we have a default behaviour when
> the Pool-Name is missing.
But this should be specified in the docs, or somewhere else, because if
you have multiple pools, and a user or a group doesn't fall in a group, the
module would return an address from the first pool every time.
It is hard to imagine that the problem is a user misconfiguration when
you get an IP address from a pool you don't expect.
Maybe it is better to have a "default" pool that should be "needed" in the config
and checked at startup.
If it is not there it should not start, or at least should give a warning.
Or at least, in debug mode you should give a warning that the user doesn't
fall in "the first" pool.
Keep in mind that if the user doesn't have a group, the IP returned is
always from the first pool.

Hope my English is clear enough.
Pigi





Help for a configuration.

2002-07-18 Thread Pierluigi Frullani

Hi all,
 I need some hints for a configuration.
I've read through the docs but maybe for my "stupidity" I'm unable to
realize a particular configuration.
What I need to realize is an authentication scheme based on username for
access and particular value pair attributes, and on a group for other
attributes. I've realized this using the "username@group" syntax and it works, but I
would prefer the syntax "username" only.
I've only one NAS that is connected to by multiple kinds of users, and they have
different attributes, that could be grouped.
So I need to use some "mangle" that could be in the user section and route
the process to get the return VP in another section of the config files.

How can I do this ?
P.S. Hope you can understand what I wrote, because it is unclear also to me :)
Pigi




rlm_ippool problem.May this be a good fix ?

2002-07-16 Thread Pierluigi Frullani

Hi all,
 I'm trying to configure a radius server (freeradius 0.6) where I would
 like to receive the IP-Address from a pool.
To achieve this I would like to "join" some of the users in groups, by using
the following authentication "user":
steve@Gruppo
where the user steve has some return pair, but not Pool-Name attribute,
and the "group" Gruppo has the PoolName attribute ( and more return pair ).

 Looking in the code I think I've found a "bug" that I fixed this way:
-
--- rlm_ippool.c.orig Tue Jul 16 15:29:01 2002
+++ rlm_ippool.cTue Jul 16 15:29:40 2002
@@ -405,7 +405,9 @@
if ((vp = pairfind(request->config_items, PW_POOL_NAME)) != NULL){
if (data->name == NULL || strcmp(data->name,vp->strvalue))
return RLM_MODULE_NOOP;
-   }
+   } else {
+   return RLM_MODULE_NOOP;
+}

/*
 * Get the nas ip address
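Review bot: The added `else` branch turns a missing Pool-Name from "use the first ippool instance in authorize" into "every instance returns RLM_MODULE_NOOP", so a user without the attribute gets no address from any pool; the quoted reply in this thread describes the old behaviour as an intentional default, so this is a policy change rather than a plain bug fix and should be called out in the module docs. If the silent fallback is the real complaint, a debug message on the path where no Pool-Name is found (visible in `radiusd -X` output) would make the misconfiguration diagnosable without changing allocation behaviour. Minor style point: the closing `+}` is indented differently from the `+   } else {` it pairs with.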
-

In brief, when entering these lines, if the user was missing the Pool-Name
attribute, there was no return and some unpredictable pool address was
returned.
Is this correct?
T.I.A.
Pigi
P.S. Sorry for my not so good English
