accounting acknowledgement radius proxy

2002-11-29 Thread arise

hi guys,

i have the following setup:

cistron radius - forwarding server (proxy)
freeradius - remote server for certain realms + mysql accounting

i have thousands of users on the freeradius server which is proxied by
cistron radius. prior to upgrading to the current 0.8 release from the aug.
29 snapshot, accounting packets sent by the NASes were being acknowledged
by the remote server through the proxy server (which i think is the correct
behavior).

but right after the upgrade, it seems that all accounting
acknowledgments sent by the remote server were being delivered directly to
the NASes instead of the proxy. this results in voluminous complaints by
rlm_sql about 'duplicate entry' such as this one:

Error: rlm_sql: Couldn't insert SQL accounting STOP record - Duplicate
entry '7f93e019ee9b1b76' for key 1

i've already verified on the sql database that the accounting details have
been logged. i suspect that the NAS didn't get the acknowledgment from the
remote server, thus it continues to resend the accounting packets.

any ideas? help is already appreciated.

regards,
ronald

--
[Never be afraid to try something new.
Remember, amateurs built the ark,
and professionals built the Titanic.]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: NAS resending access-request packets

2002-11-28 Thread arise

On Thu, 28 Nov 2002, Allister Maguire wrote:

> Hello,
>
> I was wondering if someone could help me with this question.
>
> If a NAS sends an access-request packet and it does not get a response from the
> radius server within the time limit (3 sec), it then sends another access-request
> (with a different packet id) packet.

IMHO, if none of the attributes on the request packet (e.g.
User-Password) have changed, it MUST use the same ID, as in the case of
retransmissions. otherwise, it will use a new one.


> The radius server gets the first (network lag) packet, assigns an ip address from a
> pool, and sends it back, it then receives the second packet (it has a different id,
> local cache response is not used), checks the ip pools db, a record exists (NAS IP/Port),
> assigns a new ip address and sends it back.
>
> Does the NAS discard the access-accept of the first packet, and only accept the
> second? or does it accept the first it receives? Therefore the ip address the db
> thinks is assigned might not be the same as the ip address the NAS assigns to the
> client.

the NAS should accept the first packet and it would consider the second
packet as a possible double-login attempt. so it would perform some checks
on the session database and send the appropriate access code i.e. reject if
the user is restricted to single login only.

if the ID, source IP and source UDP port of the client's ACCESS-REQUEST
packet are the same, the server detects it as a duplicate request and
discards it.

hope this helps,

ronald

> thanks
>
> Allister Maguire




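The duplicate-request rule stated in the reply above (same source IP, source UDP port and Identifier within a short window means a retransmission), as an added example that is not part of the original post or of any RADIUS server's code. It builds a minimal Access-Request, checks the header the way RFC 2865 requires, and keeps a short-lived cache keyed on (source IP, source port, ID). The Request Authenticator is used as a tiebreaker so that a NAS that reuses an ID for a genuinely new request is not mistaken for a retransmission; the 30-second window is an assumed value.

```python
# Added example: RADIUS duplicate-request detection keyed on
# (source IP, source UDP port, Identifier), with the 16-byte Request
# Authenticator as a tiebreaker. Not code from the original post.
import struct
import time
from typing import Optional

ACCESS_REQUEST = 1
USER_NAME = 1  # RADIUS attribute type for User-Name


def build_access_request(ident: int, authenticator: bytes, username: bytes) -> bytes:
    """Build a minimal Access-Request: 20-byte header + one User-Name AVP."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    avp = bytes([USER_NAME, 2 + len(username)]) + username
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(avp)) + authenticator + avp


def parse_header(packet: bytes):
    """Return (code, identifier, authenticator) after the RFC 2865 length checks."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    return code, ident, packet[4:20]


class DuplicateCache:
    """Remembers recent requests per (src_ip, src_port, id) for `ttl` seconds."""

    def __init__(self, ttl: float = 30.0):  # ttl is an assumed value
        self.ttl = ttl
        self._seen = {}  # (src_ip, src_port, id) -> (authenticator, expires_at)

    def classify(self, src_ip: str, src_port: int, packet: bytes,
                 now: Optional[float] = None) -> str:
        """Return 'duplicate' for a retransmission (discard it, or answer it from a
        reply cache) and 'new' for anything the server must process afresh."""
        now = time.monotonic() if now is None else now
        _code, ident, authenticator = parse_header(packet)
        key = (src_ip, src_port, ident)
        entry = self._seen.get(key)
        if entry is not None and entry[1] > now and entry[0] == authenticator:
            return "duplicate"
        # Unseen, expired, or the same ID with a different Request Authenticator
        # (the NAS has moved on to a new request): treat as new.
        self._seen[key] = (authenticator, now + self.ttl)
        return "new"

    def expire(self, now: Optional[float] = None) -> None:
        """Drop stale entries so the cache cannot grow without bound."""
        now = time.monotonic() if now is None else now
        self._seen = {k: v for k, v in self._seen.items() if v[1] > now}
```

The second request in the question above carries a different ID, so it lands in the `"new"` branch and is processed as a separate request; only a byte-for-byte retransmission with the same ID is discarded.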

freeradius 0.8 checkrad

2002-11-21 Thread arise

hello guys,

i've recently upgraded to freeradius 0.8. everything went well except
checkrad. it was not being invoked by the server to verify simultaneous
logins on the NAS.

did i miss something trivial in the current release?

regards,

ronald




Re: MSSQL and Freeradius

2002-09-18 Thread arise


hi,

i've just upgraded to the latest CVS snapshot under FreeBSD 4.5 and so far
it is running perfectly. i'm doing ldap authentication + mysql accounting.
i tried looking for the file rlm_sql_freetds.so and it does not exist on
my system either.

for the sake of reproducing the problem, i tried installing it under
slackware 8.0 and it went through without complaining.

have you tried adding the path (/usr/local/lib) where it looks for shared
libraries in your ld.so.conf file? don't forget to run 'ldconfig' after
adding the path.

hope this helps,

ronald


On Wed, 18 Sep 2002, Andrew G. Buenaventura wrote:

> I would like to run freeradius-0.7.1 and let it authenticate and record
> accounting details in MS SQL 2000.  I have already installed freeradius
> and created the SQL schema using the script provided.  When I run
> radiusd -xx, I got the following error:
>
> rlm_sql: Could not link driver rlm_sql_freetds: file not found
> rlm_sql: Make sure it (and all its dependent libraries!) are in the
> search path of your system's ld.
> radiusd.conf[8]: sql: Module instantiation failed
>
> I noticed that rlm_sql_freetds.so does not exist in my system.  All
> other rlm_sql_*.so files are inside /usr/local/lib.  Does anybody know
> why rlm_sql_freetds.so is not being created by the install script?  I
> tried this on both freebsd 4.X and Redhat Linux 7.X as well as the
> stable and CVS copies of freeradius and I got the same result.









RE: MSSQL and Freeradius

2002-09-18 Thread arise


hi,

you need to install the freetds set of libraries. this allows your *nix box
to talk to ms sql server or sybase databases. for more info, visit:

http://www.freetds.org

hope this helps,

ronald


On Wed, 18 Sep 2002, Andrew G. Buenaventura wrote:

> I forgot to mention that I am using mssql.conf and that my driver is
> rlm_sql_freetds.
>
> I am using Microsoft's SQL 2k and not mysql.





Re: Stale Sessions

2002-09-11 Thread arise


hello,

> First of all, you should use checkrad when enforcing one simultaneous connection
> per user. That way the sql module can delete the stale session.


yeah, 'twas one config that i've overlooked ;)

> Normally they should be 'deleted' when an accounting stop arrives from the nas.
> Please check that everything is working ok with your accounting (for instance
> check that the nas does not timeout when sending the accounting packets).

in the case of stale sessions, it was automatically handled by the sql
module as verified by checkrad. all was logically working as it should be.

thanks for the reply.

regards,

Ronald


> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED]   National Technical University of Athens, Greece
> Work Phone:   +30 10 7721861
> 'Go back to the shadow'   Gandalf









Re: Stale Sessions

2002-09-11 Thread arise


hi,

On Thu, 12 Sep 2002, Ador Dauz wrote:

> need help please, my RAS is USR/3Com Total Control, how do I check if
> my checkrad is properly working? I have a firewall also, what port should I
> open?

edit checkrad and set the $debug variable according to your preference.
don't forget to populate the nasclient/naspasswd file appropriately. this
gives checkrad a hint on what type your NAS is and how to log on to these
NASes.

please see doc/Simultaneous-Use for more info.

if your radius server is behind a firewall, you should open the SNMP and/or telnet
ports to allow checkrad to 'see' who is currently logged in on the NASes.

hope this helps,

Ronald


> Thanks in advance
> --ador








Re: help!!!

2002-09-11 Thread arise


hi,

On Thu, 12 Sep 2002, huangjian wrote:

> Sorry! My english is very poor.
> Question:
> Radius-server often crashed when it received numerous authentication-requests within
> a short time.
> Errors as follow:
>
> Error: rlm_sql: All sockets are being used! Please increase maximum number of
> sockets!

as the message suggests, increase the maximum number of sockets in the
sql.conf file.

refer also to doc/tuning_guide for more tips.

hope this helps,

ronald




Re: ldap-group

2002-09-11 Thread arise


hi,

On Thu, 12 Sep 2002, Brian Leung wrote:

> how about the user object, do i need to add any attribute there?


if you have already added the user DN under the group DN, then there's no
need to add any attribute on the user object. it will be looked up in the
group DN for the user's membership.

another way of checking group membership via LDAP is utilizing the
groupmembership_attribute in radiusd.conf. you just need to add another
attribute which the ldap module checks for on the user object.

IMHO, this is more elegant if you have thousands of users belonging to
different groups.

so for this DN,

 # ronaldo, testing
 dn: uid=ronaldo,o=testing
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 objectClass: inetLocalMailRecipient
 objectClass: radiusprofile
 objectClass: posixAccount
 objectClass: PureFTPdUser
 cn: ronaldo
 sn: ronaldo
 mail: ronaldo@testing
 uid: ronaldo
 uidNumber: 1001
 gidNumber: 1001
 homeDirectory: /home/ronaldo
 userPassword::
 FTPuid: 1001
 FTPQuotaMBytes: 1
 radiusProfileDn: cn=radiusprofile2,o=testing

add this attribute:

 radiusGroupName: testgroup

and create this:

[Group DN]

 # mygroup, testing
 dn: cn=testgroup,ou=testing
 cn: testgroup
 objectClass: posixGroup
 gidNumber: 1101

and on radiusd.conf, set

 groupmembership_attribute = radiusGroupName


restart radiusd and see the results.

regards,

ronald





Stale Sessions

2002-09-10 Thread arise


hi guys,

i'm using the aug29 snapshot of freeradius + ldap authentication + mysql
accounting. i'm enforcing one (1) simultaneous connection per user login
via simul_count_query of the sql module. deletestalesessions was already
set to 'yes' on the config file.

however, most of my users end up having stale connections which deny them
access on their next login. manually deleting them on the sql server is fine
but it becomes a nightmare if it occupies most of your time.

is there any other way of deleting these stale sessions? what might be the
cause of the stale connections?

can someone point me to the right direction pls?

regards,

ronald






RE: RH 6.2 Freeradius-0.7

2002-09-08 Thread arise


hi,

On Fri, 6 Sep 2002, Joeffrey Betita wrote:


> i did turn on logging for authentication requests on radiusd.conf and
> restarted the radius server. but it did not register my username when i type
> tail -f /var/log/radius/radius.log and try to dial up using Win98. pls. help
> me. thanks for your help.

try running radiusd in debug mode: radiusd -x -A

the output should give you an idea if your radius client authenticates with
freeradius and will show you what's happening under the hood.

take note of the error messages that you'll see on startup and while the
authentication process goes on.

hth,

ronald






Re: RH 6.2 Freeradius-0.7

2002-09-05 Thread arise


hello,


> Freeradius is now running on my RH6.2 but when i try to dialup my login
> name did not appear on the radius.log

you need to turn on logging for authentication requests on radiusd.conf

don't forget to restart radiusd after editing the conf file.

regards,

Ron







Duplicate Accounting Packets

2002-09-03 Thread arise


hello gurus,

i would like to know how freeradius+mysql accounting deals with duplicate
packets sent by the nas.

with cistron, i constantly encounter duplicate stop records with the same
session id. and since we calculate timeusage based on the stop records, it
will produce undesirable results.

is there any mechanism that freeradius use to eliminate this when used in
conjunction with mysql?

any help is already appreciated.

regards,

Ron Rivera






Re: Duplicate Accounting Packets

2002-09-03 Thread arise


hello all,

sorry for crying it out too quick. the answer can be found in the docs
itself.

it's nice to know that the developers have dealt with it perfectly.

regards,

Ron








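How a UNIQUE accounting key absorbs the duplicate Stop records asked about in this thread, and why the "Couldn't insert SQL accounting STOP record - Duplicate entry" message quoted in the first post appears, as an added example that is not code from the original posts or from FreeRADIUS. The session key is an MD5 over a fixed set of attributes truncated to 16 hex digits, the same shape as the '7f93e019ee9b1b76' in that error; the attribute list used here is an assumption, since the real one is configured per server. The Stop path follows the UPDATE-then-INSERT pattern: a Stop that matches an open session updates it, a Stop with no open session is inserted as a stop-only row, and a second copy of the same Stop fails the UNIQUE constraint and is reported as a duplicate instead of inflating the usage total.

```python
# Added example: dedup of retransmitted accounting packets through a UNIQUE
# session key, using an in-memory SQLite table. Not FreeRADIUS's own code.
import hashlib
import sqlite3

# Assumed key attributes (the real list is server configuration).
KEY_ATTRIBUTES = ("User-Name", "Acct-Session-Id", "NAS-IP-Address", "NAS-Port")

SCHEMA = """
CREATE TABLE radacct (
    RadAcctId       INTEGER PRIMARY KEY,
    AcctUniqueId    TEXT    NOT NULL UNIQUE,   -- the dedup key
    AcctSessionId   TEXT    NOT NULL,
    UserName        TEXT    NOT NULL,
    NASIPAddress    TEXT    NOT NULL,
    NASPortId       INTEGER,
    AcctStartTime   INTEGER,
    AcctStopTime    INTEGER,
    AcctSessionTime INTEGER
);
"""


def acct_unique_id(pkt: dict) -> str:
    """Stable 64-bit id for a session, identical for its Start and Stop packets."""
    material = "|".join(str(pkt[a]) for a in KEY_ATTRIBUTES)
    return hashlib.md5(material.encode()).hexdigest()[:16]


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def process_accounting(db: sqlite3.Connection, pkt: dict) -> str:
    """Apply one accounting packet (a dict of attributes); return what happened."""
    uid = acct_unique_id(pkt)
    status = pkt["Acct-Status-Type"]
    common = (uid, pkt["Acct-Session-Id"], pkt["User-Name"],
              pkt["NAS-IP-Address"], pkt["NAS-Port"])
    if status == "Start":
        try:
            db.execute(
                "INSERT INTO radacct (AcctUniqueId, AcctSessionId, UserName, "
                "NASIPAddress, NASPortId, AcctStartTime) VALUES (?, ?, ?, ?, ?, ?)",
                common + (pkt["Timestamp"],))
        except sqlite3.IntegrityError:
            return "duplicate-start"   # retransmitted Start: already recorded
        return "start"
    if status == "Stop":
        cur = db.execute(
            "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ? "
            "WHERE AcctUniqueId = ? AND AcctStopTime IS NULL",
            (pkt["Timestamp"], pkt["Acct-Session-Time"], uid))
        if cur.rowcount == 1:
            return "stop"
        # No open session row: either the Start was lost (record a Stop-only
        # row) or this Stop is a duplicate, which the UNIQUE key rejects.
        try:
            db.execute(
                "INSERT INTO radacct (AcctUniqueId, AcctSessionId, UserName, "
                "NASIPAddress, NASPortId, AcctStopTime, AcctSessionTime) "
                "VALUES (?, ?, ?, ?, ?, ?, ?)",
                common + (pkt["Timestamp"], pkt["Acct-Session-Time"]))
        except sqlite3.IntegrityError:
            return "duplicate-stop"   # the case behind the rlm_sql error message
        return "stop-without-start"
    return "ignored"


def total_session_time(db: sqlite3.Connection, username: str) -> int:
    """Usage computed from Stop records; duplicates no longer inflate it."""
    row = db.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?",
        (username,)).fetchone()
    return row[0]
```

The "duplicate-stop" outcome is exactly the situation logged as an error in the first post: the row is already complete, the NAS simply never saw the acknowledgement, so the complaint is noise rather than lost data, and usage totals stay correct.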

LDAP MySQL

2002-09-02 Thread arise


hello,

i've already configured freeradius + ldap for authentication. and i've
successfully utilized the Ldap-Group attribute for enforcing session
timeouts.

i was looking for the possibility of using MySQL for accounting instead of
the traditional detail file. i could write a perl script that parses the
detail file and dump it to an sql server but it would be nice if the server
log its accounting details directly to sql.

is this possible? my goal is to use LDAP for authentication and MySQL for
accounting.

thanks in advance.

regards,

Ron Rivera






Re: LDAP MySQL

2002-09-02 Thread arise


hello all,

i've successfully configured freeradius with LDAP authentication and SQL
accounting.

thanks to all who responded on the list.

best regards,

Ron Rivera





Re: Huntgroups + LDAP

2002-08-28 Thread arise


Hi,

On Wed, 28 Aug 2002, Kostas Kalevras wrote:

> A huntgroup (if we are talking about the same thing) is defined in the
> huntgroups file in freeradius. Defining it in ldap is of no use. You can do much
> more clever things with the huntgroups file. You could use though the
> Huntgroup-Name and User-Profile attributes and define separate user profiles for
> each huntgroup. In more detail:

Yes, we're talking about the same thing :)

FYI, my users are stored in LDAP and gets authenticated via

Auth-Type := LDAP

I already tried using the Huntgroup-Name attribute but it was never
matched. IIRC, the group name was being checked against the system group
file. How could I tell freeradius to check the group membership on an LDAP
server? And check it for any match on the users file?

What I'm trying to accomplish is to check every user who log in for their
group membership then compare if it has a DEFAULT entry match on the users
file, then run an external program which calculates its remaining time and
return the Session-Timeout attribute.

Here's an entry from my users file:

DEFAULT	Huntgroup-Name == testing
	Exec-Program-Wait = /usr/local/sbin/testing %u %n %p,
	Fall-Through = Yes

I've read some docs re: Ldap-Group attribute but it requires that every
user dn must be entered on its group dn.

For example,

dn: cn=users,ou=groups,dc=foo,dc=com
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: users
gidNumber: 1101
memberUid: arise
uniqueMember: uid=arise,ou=People,dc=foo,dc=com

This works well if you have few users but what if you have 10,000+
users in different huntgroups? You need to add all of them to their
own group dn.

Is there any other way of doing this? Like checking the radiusHuntgroupName
attribute then compare if it matches on the huntgroups file.

Is there anything I miss here?

Thanks for the time.

regards,

Ron


> users file:
>
> DEFAULT   Huntgroup-Name == foo, User-Profile :=
> uid=foo-profile,dc=company,dc=com
>
> Hope it helps





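The two membership checks contrasted in this thread and in the earlier ldap-group reply (a group entry that must list every member DN, versus a group name carried on the user's own entry and read through groupmembership_attribute), as an added example that is not code from the posts or from rlm_ldap. The LDIF is constructed, modelled on the entries posted above, and the parser is a minimal one written for this example; DN comparison is plain string equality, where a real directory would normalise DNs first.

```python
# Added example: LDAP group membership checked two ways over constructed
# LDIF. Not code from the original posts or from FreeRADIUS's rlm_ldap.
import base64
from collections import defaultdict

# Constructed directory content, modelled on the entries posted in the thread.
LDIF = """\
# user carrying the group name on the user object (groupmembership_attribute style)
dn: uid=ronaldo,o=testing
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: ronaldo
cn: ronaldo
userPassword:: c2VjcmV0
radiusGroupName: testgroup

dn: cn=testgroup,o=testing
objectClass: posixGroup
cn: testgroup
gidNumber: 1101

dn: uid=arise,ou=People,dc=foo,dc=com
objectClass: inetOrgPerson
uid: arise
cn: arise

# group that lists its members explicitly (Ldap-Group style)
dn: cn=users,ou=groups,dc=foo,dc=com
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: users
gidNumber: 1101
memberUid: arise
uniqueMember: uid=arise,ou=People,dc=foo,dc=com
"""


def parse_ldif(text: str) -> dict:
    """Return {dn: {attribute (lower-cased): [values]}}.
    Handles folded lines (leading space), comments, and '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries[current["dn"][0]] = dict(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    return entries


def member_of_group_entry(entries: dict, user_dn: str, group_dn: str) -> bool:
    """Ldap-Group style: the group entry must list the user, by DN
    (uniqueMember/member) or by uid (memberUid). Every member has to be
    added to the group entry, which is the scaling problem raised above."""
    group = entries.get(group_dn)
    if group is None:
        return False
    uid = entries.get(user_dn, {}).get("uid", [None])[0]
    return (user_dn in group.get("uniquemember", [])
            or user_dn in group.get("member", [])
            or (uid is not None and uid in group.get("memberuid", [])))


def member_by_user_attribute(entries: dict, user_dn: str,
                             attribute: str, group_name: str) -> bool:
    """groupmembership_attribute style: the group name is read from the
    user's own entry, so membership is one attribute per user and the
    group entry never needs editing."""
    user = entries.get(user_dn)
    return user is not None and group_name in user.get(attribute.lower(), [])
```

With the second check, a per-group `DEFAULT Huntgroup-Name == <group>` entry in the users file only needs the group name that rlm_ldap pulls from the user's entry; nothing has to be kept in sync on the group object as users come and go.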

Huntgroups + LDAP

2002-08-27 Thread arise


hi all,

i'm currently migrating from cistron radius to freeradius + ldap backend.

on cistron radius, we're using huntgroups and run an external program to
return the Session-Timeout for a particular system group.

is it still the same for freeradius? does it check for the huntgroup name
via LDAP?

can someone shed some light pls?

thanks in advance.

regards,

ron


