Re: Questions

2001-10-18 Thread Chris Parker

At 09:31 AM 10/18/2001 -0600, you wrote:
I do have webmin installed - so you are saying that it can be used to manage
the users?  Then do I need to have any type of DB installed to store the
user/pass or can it take them from the normal passwd file?

I don't know, I've not used webmin.  Try asking on the webmin mailing list?

Freeradius can authenticate from any of the methods listed at:

 http://www.freeradius.org/features.html

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Odd Make fatal error..

2001-10-04 Thread Chris Parker

At 02:10 PM 10/4/2001 -0400, you wrote:

Solaris 8...

ld: fatal: library -llber: not found
ld: fatal: library -lldap_r: not found
ld: fatal: File processing errors. No output written to
.libs/rlm_ldap.so.0.0.0
make[6]: *** [rlm_ldap.la] Error 1

Why is it not able to find those libraries? It says in the configure that
it sees them fine, right?

run these commands:

$ echo $LD_LIBRARY_PATH

$ find /usr -name '*lber*' -print
$ find /usr -name '*ldap*' -print

Most likely LD_LIBRARY_PATH isn't set correctly.

-Chris




Re: cisco config

2001-10-02 Thread Chris Parker

At 03:53 PM 10/1/2001 -0800, you wrote:
Can someone tell me which config file I need to edit to add the cisco
configuration options listed in the docs/cisco file?  I read through the
file, and it lists which configuration directives to use, but it doesn't
say one word about which config file they go into.

What configuration options are you referring to?

The commands listed in the 'docs/cisco' file refer to the recommended
commands you will need to enter into your cisco NAS.  They are configured
the same way you would normally configure a cisco product ( IOS based,
anyway ).

There are no commands configured there that can be entered into the
FreeRADIUS config files.

Hope this helps,
-Chris



Re: freeradius compile problem with ldap

2001-10-02 Thread Chris Parker

At 04:28 PM 10/2/2001 +0700, you wrote:
I want to use freeradius with ldap. I started compiling with this command:

# ./configure --prefix=/usr/local/freeradius --with-gnu-ld --enable-static-modules --with-ldap --enable-ltdl-install > out

and the output is:

configure: warning: the comm_err library isn't found!
configure: warning: silently not building rlm_krb5.
configure: warning: FAILURE: rlm_krb5 requires:  krb5.

That's not an issue unless you really want to use kerberos authentication.

configure: warning: silently not building rlm_ldap.
configure: warning: FAILURE: rlm_ldap requires:  libldap_r.

That is a bit of an issue, as you want to use ldap ( at least it looks
that way ).

What should I do about this problem? Or what option should I have in my
configure command?

Some more info is needed:

   o  What OS?  ( uname -a )

   o  Why are you disabling shared modules ( enable-static-module )?

   o  What does config.log show?

-Chris



Re: Simultaneous-use: bug in documentation?

2001-10-02 Thread Chris Parker

At 03:52 PM 10/2/2001 +0200, you wrote:
Hello,

I can't get Simultaneous-Use working. I use portslave as NAS. I have
ctlportslave running as fingerd. checkrad perl script works fine when I run
it manually. But it is never run by freeradius. I think this is because I
don't understand the meaning of :=, == and = statements.

First, in /doc/Simultaneous-Use file I can see the following:

   For example:
 
   #
   # Simultaneous use restrictions.
   #
   DEFAULT Group = staff, Simultaneous-Use = 4
   Fall-Through = 1
   DEFAULT Group = business, Simultaneous-Use = 2
   Fall-Through = 1
   DEFAULT Simultaneous-Use = 1
   Fall-Through = 1

That is wrong, or rather, deprecated syntax.  It will be updated.

Second, in man 5 users I see:

Attribute = Value
 Not allowed as a check item.

This is correct.  A = V is deprecated.

Third, somewhere in the list I saw:

  If you use the users file, you
  would use ':=' for Simultaneous-Use and Login-Time

The 'users' file is the most up to date.  Use that syntax.

So, something in the documentation is incorrect. Can somebody tell me what
I should change in my users file to make the simultaneous logins limit work?

Use the sample syntax as seen in the 'users' file.

-Chris



Re: Simultaneous-Use = 1

2001-10-02 Thread Chris Parker

At 08:29 PM 10/2/2001 +0600, you wrote:
On Tue, Oct 02, 2001 at 01:46:38PM +0100, Sergey V. Sichevsky wrote:
  MHAH Simultaneous-Use and Login-Time does not work with rlm_sql modules
  MHAH without a minor change in source code.
  Can I define this parameter w/o changes in code?
  In ./etc/raddb/users for example? But I need auth* in sql.

That's what I said!

Simultaneous-Use works fine in /etc/raddb/users.  But it will not
work in sql.  To make it work in sql, you have to make the
changes I suggested.

No, don't.  Your changes fix the specific symptom you are experiencing,
but do not properly resolve the root cause.

There are patches pending that will add the functionality of allowing
you to specify the comparison operator in SQL tables.  This is the
correct way to fix the problem.

I believe this is slated for inclusion in the 0.3 release, and may even
exist in the latest CVS, which if you are not running, I'd suggest
upgrading to anyway.

-Chris



Re: IP Pools

2001-10-01 Thread Chris Parker

At 10:34 AM 10/1/2001 +0100, you wrote:

Is there anyone out there working on a dynamic IP pool management function
for FreeRadius?

Can you explain what you are looking for?  Currently you can assign an
IP based on the NAS-Port for most general types of NAS.

I'm of the school that thinks dynamic IP pool management should be and is
best done on the NAS.  Trying to manage IP pools in RADIUS is very iffy
IMHO and prone to many more failure modes than I'm comfortable with.

-Chris



Re: setting idle-time based on port

2001-09-28 Thread Chris Parker

At 01:46 AM 9/28/2001 -0400, you wrote:
Hello,

I'm trying to configure freeradius to send a rule to allow a max idle time
in a session to be 20 min for a certain port.

So, if a user comes in on port 0, his/her idle time is 20 min.
If a user comes in on another port, his/her idle time is unlimited.

Is this doable?

You could put something along the lines of this in the 'users' file,
with a Fall-Through.

Any attribute that is sent in an Access-Request may be used as a Check-Item.
If NAS-Port is sent by your NAS in the Access-Request you could try something
like:

DEFAULT NAS-Port == 0
        Idle-Timeout = 20,
        Fall-Through = 1

DEFAULT Auth-Type := System
        ...
        standard attributes here
        ...

-Chris



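The port-based entry above and the ':=' / '==' / '=' discussion in the Simultaneous-Use thread both come down to how entries in the 'users' file are matched. The script below is an added illustration, not FreeRADIUS code: a simplified model of that matching ('==' compares a request attribute, ':=' sets a control item such as Auth-Type or Simultaneous-Use, reply items are the indented lines, Fall-Through = 1 keeps later DEFAULT entries in play, and '=' as a check item is rejected the way man 5 users says). The sample users text, the user names and the port values are constructed; the real server supports many more operators and special cases. Idle-Timeout is expressed in seconds (RFC 2865), so the 20-minute limit from the question appears as 1200.

```python
"""Simplified model of 'users' file matching (added illustration, not FreeRADIUS code).

Modelled here:
  ==   compare a request attribute against a value (check item)
  :=   set a control item such as Auth-Type or Simultaneous-Use (check list)
  =    deprecated as a check item (man 5 users); this parser rejects it
  Fall-Through = 1 on a matching entry keeps evaluating later entries.
"""

from dataclasses import dataclass, field

# Constructed sample: port 0 gets a 20 minute idle limit (Idle-Timeout is in
# seconds per RFC 2865), then a catch-all that authenticates against system
# passwords and allows one concurrent session per user.
SAMPLE_USERS = """\
DEFAULT NAS-Port == 0
        Idle-Timeout = 1200,
        Fall-Through = 1

DEFAULT Auth-Type := System, Simultaneous-Use := 1
        Service-Type = Framed-User
"""


class UsersFileError(ValueError):
    """Raised for syntax the current 'users' file format does not allow."""


@dataclass
class Entry:
    name: str                                    # user name or the keyword DEFAULT
    checks: list = field(default_factory=list)   # (attribute, operator, value)
    replies: dict = field(default_factory=dict)  # attribute -> value


def _split_items(text):
    """Split 'A == 1, B := x' into (attribute, operator, value) triples."""
    for item in (s.strip() for s in text.split(",")):
        if not item:
            continue
        parts = item.split(None, 2)
        if len(parts) != 3:
            raise UsersFileError(f"cannot parse item: {item!r}")
        yield tuple(parts)


def parse_users(text):
    """Parse each entry's first-line check items and indented reply items."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                 # first line of a new entry
            parts = line.split(None, 1)
            current = Entry(parts[0])
            for attr, op, value in _split_items(parts[1] if len(parts) > 1 else ""):
                if op == "=":                    # man 5 users: not allowed as a check item
                    raise UsersFileError(f"'=' is not allowed as a check item: {attr}")
                if op not in ("==", ":="):
                    raise UsersFileError(f"unsupported check operator {op!r}")
                current.checks.append((attr, op, value))
            entries.append(current)
        else:                                    # indented reply items
            if current is None:
                raise UsersFileError("reply item before any entry")
            for attr, op, value in _split_items(line):
                if op != "=":
                    raise UsersFileError(f"reply items use '=', got {op!r}")
                current.replies[attr] = value
    return entries


def match(entries, request):
    """Walk entries in order; return (control items, reply items).

    '==' compares against the request, ':=' sets a control item. After a
    matching entry, evaluation stops unless it carries Fall-Through = 1."""
    control, reply = {}, {}
    for entry in entries:
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        pending = {}
        for attr, op, value in entry.checks:
            if op == "==":
                if request.get(attr) != value:
                    break                        # check item failed: try next entry
            else:                                # ':=' sets, never compares
                pending[attr] = value
        else:
            control.update(pending)
            for attr, value in entry.replies.items():
                if attr != "Fall-Through":
                    reply[attr] = value
            if entry.replies.get("Fall-Through") not in ("1", "Yes", "yes"):
                break                            # matched and no Fall-Through: done
    return control, reply


if __name__ == "__main__":
    parsed = parse_users(SAMPLE_USERS)
    for port in ("0", "7"):
        print("NAS-Port", port, match(parsed, {"User-Name": "alice", "NAS-Port": port}))
```

Running it shows the difference the thread is about: a request on NAS-Port 0 picks up Idle-Timeout from the first entry and, thanks to Fall-Through, still reaches the DEFAULT that sets Auth-Type and Simultaneous-Use; a request on any other port gets only the second entry, and the deprecated 'Group = staff, Simultaneous-Use = 4' syntax from the old Simultaneous-Use document is refused at parse time.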


Re: Archive? / MAX6000 interop.

2001-09-14 Thread Chris Parker

At 05:52 PM 9/14/2001 -0400, [EMAIL PROTECTED] wrote:

   There's probably a config flag in the Ascend NAS to allow it to
listen to VSA's.  See the archive from earlier this month for more
information.

There is indeed.  It is under Ethernet -> Mod Config -> Auth

At the bottom of the menu, change Auth-Compat from OLD to VSA

-Chris




Re: works in debug mode, but not in regular mode

2001-09-13 Thread Chris Parker

At 11:06 PM 9/12/2001 -0600, Tim Monaghan wrote:
That's right, my freeradius works perfectly in debug mode but not at all in
regular mode.

radiusd -x works, radiusd doesn't.

I'm authenticating (I'm an ISP) via unix password.

Any thoughts?

First, don't send pretty messages.  Green looks like baby puke to me.

Second, yes, if it works in debug and it doesn't in non-debug, you need
to check the user/group that you have the server running under.  This
is configured near the top of the radiusd.conf file.

-Chris



Re: FreeRadius Questions

2001-09-10 Thread Chris Parker

At 09:27 AM 9/10/2001 -0600, Scott Miller wrote:
Hello all, I have recently subscribed to this group, and have been reading
and following the threads that have come in the past few days or so.  We are
thinking about bringing our radius servers in-house (currently outsourced)
and have a couple questions, if someone doesn't mind answering them.

1.  Will FreeRadius log accumulated minutes of use per user, and stick them
in a file somewhere for monthly downloading?

No, you'll need to use a log-parser, or better yet, store in an SQL table
and then you can generate all kinds of reports/outputs to analyze your
data.

2.  I have not looked at the front end or the GUI of FreeRadius yet, but is
it fairly simple to add/remove customers/users at will?

There is no GUI to FreeRADIUS.  It is configured via simple plain text
files.  Depending on your method for authenticating users ( from system
passwords, SQL, LDAP, others ) there are numerous ways to manage users,
but that is outside the scope of the Radius server.

3.  Do I need anything like MySQL installed on the server I plan on using,
or is FreeRadius basically self-contained?

For plain-text files, it is self contained.  If you want to use SQL or
LDAP or something else, you'll need to have that installed, but none of
those are *required* to make FreeRADIUS run.

-Chris



Re: 128bit Proxy-State Attribute

2001-09-05 Thread Chris Parker

At 11:20 AM 9/5/2001 -0700, [EMAIL PROTECTED] wrote:
Hello all,

I am curious if anyone has tested freeradius with a 128bit proxy attribute.
  Our upstream proxy requires us to be able to take and respond to the radius
requests with a 128bit proxy-state attribute.

Currently we are using Cistron 1.6.4 and this hasn't had any problems, but
their techs have told me that any earlier versions of the Cistron code were not
able to handle their proxy-state attribute.

I know that some older radius servers mangle the Proxy-State attribute
in violation of the RFC ( *cough*MERIT*cough* ), but you should find that
FreeRADIUS conforms to the RFC explicitly in returning the Proxy-State
attribute unmolested.

If Cistron 1.6.4 is safe, I very strongly suspect that FreeRADIUS will
be safe as well.

Of course, the only way to be 100% sure is to test it.  Your upstream
should be able to direct a test to a test installation on your network.

-Chris


Joe Modjeski
Systems Administrator
CommSpeed
[EMAIL PROTECTED]







Re: Problems with Solaris 8 and Cisco IOS 12.x

2001-09-05 Thread Chris Parker

At 12:07 PM 9/5/2001 -0600, you wrote:
Hi all
I'm having a weird problem. I just compiled version 0.2 of freeradius and
filled in the users, radiusd.conf and other files.
On our NAS we set up the radius server; up to that point all is fine.
But when we dial in, neither unix users nor file users can log on to the NAS.
The term mon on the cisco revealed a failed decrypt message. We switched
from CHAP to PAP without success.

Can anybody give me some light?

What shows in the NAS error logs *exactly*.  Also, what does the
radius server show in the debug output?

Please quote error messages *exactly* as they are displayed, as otherwise
it is not possible to provide much assistance.

Off the top of my head, based on your vague description, I'd suggest
checking the shared secret and reading the 'doc/cisco' file.

-Chris

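Two of the replies above rest on the same piece of RFC 2865 mechanics: the Proxy-State thread says the server must hand Proxy-State back untouched, and the Solaris/Cisco thread points at the shared secret when the NAS reports a failed decrypt. The following script is an added illustration, not FreeRADIUS code. It builds a constructed Access-Request with a hidden User-Password and a 16-octet Proxy-State, answers it with an Access-Accept that echoes the Proxy-State and carries a Response Authenticator, and then shows what each side sees with the right secret and with a wrong one: the password comes back as garbage rather than an error, and the NAS's authenticator check fails. The secret, user name, password and Proxy-State value are all constructed for the example.

```python
"""RFC 2865 packet helpers (added illustration, not FreeRADIUS code).

Shows three things the mailing-list replies mention: User-Password is hidden
with the shared secret, so a mismatched secret yields garbage rather than an
error; Proxy-State must be echoed unchanged and in order; the reply carries a
Response Authenticator the NAS verifies with the same secret.
"""

import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # packet codes
USER_NAME, USER_PASSWORD, PROXY_STATE = 1, 2, 33     # attribute types


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with an MD5 chain."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret this yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """attrs: list of (type, value) pairs; each value is at most 253 octets."""
    for _, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse Type/Length/Value attributes, rejecting truncated ones."""
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_reply(request, secret):
    """Server side: Access-Accept echoing every Proxy-State of the request, in order."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    echoed = [(t, v) for t, v in decode_attrs(request[20:length]) if t == PROXY_STATE]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, echoed, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, echoed)


def verify_reply(reply, request_auth, secret):
    """NAS side: recompute the Response Authenticator with its own secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = decode_attrs(reply[20:length])
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return expected == reply[4:20]


def demo(secret=b"constructed-secret", password=b"s3cret", proxy_state=None):
    """Round-trip a constructed Access-Request; returns what each side observes."""
    proxy_state = proxy_state or os.urandom(16)      # 16 octets = the "128 bit" state
    request_auth = os.urandom(16)                    # NAS picks a random Request Authenticator
    request = build_packet(ACCESS_REQUEST, 42, request_auth, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (PROXY_STATE, proxy_state),
    ])
    hidden = dict(decode_attrs(request[20:]))[USER_PASSWORD]
    reply = build_reply(request, secret)
    return {
        "password_ok": unhide_password(hidden, secret, request_auth) == password,
        "password_wrong_secret": unhide_password(hidden, b"wrong", request_auth) == password,
        "proxy_state_echoed": decode_attrs(reply[20:]) == [(PROXY_STATE, proxy_state)],
        "reply_ok": verify_reply(reply, request_auth, secret),
        "reply_wrong_secret": verify_reply(reply, request_auth, b"wrong"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The wrong-secret cases are the point: nothing in the packet format flags a mismatch, so the server just decodes a password that matches nobody and the NAS just rejects the reply, which is why "check the shared secret" is the first thing to do when both sides look healthy in their own logs.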


Re: trying to understand module counter?

2001-09-05 Thread Chris Parker

At 01:18 PM 9/5/2001 +0200, you wrote:

Hi all

We can do this in radiusd.conf

DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject

Actually, you put the DEFAULT into the 'users' file, but I think you
knew that.

What are the keywords that are supported?

What do you mean by this?  Can you expand your question?  There are
examples and an explanation in the comments for this module in the
'radiusd.conf' file.

Can we do   DEFAULT Total-Session-Time > 3600, Auth-Type = Reject?

Yes, please read the docs, it tells you what you can change in the
'radiusd.conf' file.

You would want something similar to:

 counter {
        filename = ${raddbdir}/db.counter
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = monthly
        counter-name = Daily-Session-Time
        check-name = Total-Session-Time
        allowed-servicetype = Framed-User
        cache-size = 5000
 }

Give it a try, and test it, don't be afraid to change values.

-Chris



Re: garbage dirs in radacct

2001-09-05 Thread Chris Parker

At 12:33 AM 9/6/2001 +0430, you wrote:
My radius uses the default configuration for the location
of detail logs:

 radacctdir = ${logdir}/radacct
 detailfile = ${radacctdir}/%{Client-IP-Address}/detail

when I saw my radacctdir, surprisingly I found out that there
are many directories there that are not my clients:

[root@arian radacct]# ls
0.176.45.64 160.100.183.11  240.81.183.11  64.175.45.64   8.175.45.64
120.68.183.11   xxx.225.40.14   48.114.183.11  72.101.183.11
128.113.183.11  200.104.183.11  56.63.183.11   72.175.45.64

None of the above, except the one starting with xxx, is my client.
It seems something like a memory leak or bug. There is a detail file
in each of the above dirs that contains 1 or more radius log entries for
our users. The interesting point is that the entries
in these detail files all contain correct information about the
NAS IP address. That's because clients and NASes are different things.
I'm using freeradius 0.2 on RH 7.1 but I had the same
problem with 0.1 on RH 6.1.

I know that a quick and dirty solution is to hard code my client's IP
address in radius.conf. That may work for me 'cause I have just one
client. But I don't know what to do if I decided to add more clients.
Is there any other variable that I can use instead of %{Client-IP-Address}
in my radius.conf?

Client is the server that sent you the request.  You probably want
to use NAS-IP-Address if you want the records stored based on the
originating NAS.

Surprisingly enough, this exact fact is mentioned in the config file
right where you are talking about hardcoding:

 detail {
        #  Note that we do NOT use NAS-IP-Address here, as that
        #  attribute MAY BE from the originating NAS, and NOT
        #  from the proxy which actually sent us the request.
        #  The Client-IP-Address attribute is ALWAYS the address
        #  of the client which sent us the request.
        #
        detailfile = /usr/local/var/%{Client-IP-Address}/detail
        detailperm = 0600
 }

-Chris



RE: Dropping conflicting authentication packet

2001-08-23 Thread Chris Parker

At 10:19 AM 8/23/2001 -0700, you wrote:

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

    Qinxue Chen [EMAIL PROTECTED] wrote:
      The problem seems to be that the new request has the same request ID,
      request code, source IP, source port, but different vectors (what's this?)

    It means that the request is a new one, and different from the first one.

    The RFC's specifically allow for this.

      as one of the old requests.  From the problem I saw, it is not caused by
      the NAS end. The freeradius didn't clear some old requests properly in
      the buffer for whatever reasons. Some request IDs stayed for about
      several hours. I am not quite sure about the whole process in the
      software. If Alan or Chris could explain a little bit, it will be
      greatly appreciated.

    There's not much to say.  It looks like the server has a bug.


But in the software, the new requests are dropped. Yesterday I modified the
code (radiusd.c) a little. I got rid of the whole else block for the error
part. That means the new request would be added and processed. I ran it
the whole night without problems. I only worried about a possible memory leak.
I believed that some old requests were still in the request data. From my
tests with the change, memory usage was fine on the box.

The way to solve the problem cleanly is to identify two cases: 1) old
requests stayed for a long time in the request data. 2) server is not fast
enough to handle a request and a new request with the same id/code/ip/port
comes in. Case 1) can be caused by whatever reasons like threads die. For
case 1), a new request can replace the old one in the request data. For my
tests, all problems fall in case 1). For case 2), the possible solutions: a.
drop the new request b. use new request to replace the old request. From the
performance view, there is no difference between the two solutions.   Then
for both case 1) and 2), we can do the same thing: replace the old request
with the new one. What do you think?

No.  Read the RFC.  Understand how Authentication-Vector is used.  Your
case1 is correct, your case2 is handled.

The reason there is a problem is old requests are for some reason not
being cleared.  That's all there is, don't try and make it more complex,
it's a bug in the code, not a design flaw.

-Chris



Re: Authentication

2001-08-22 Thread Chris Parker

At 09:49 PM 8/21/2001 -0500, you wrote:
Can free radius authenticate on a MAC address?
if so
will all of the auditing information be available?

It depends on what NAS you are using, and what you mean by 'authenticate
on a MAC address'.

I'm going to hazard a guess you are doing some type of wireless/dsl/broadband
type service.  I know of a few people who are using a radius backend to
authenticate users on that type of network, so I would say that in the
general case it is possible.  Not knowing you specific case, it's hard to
state with any certainty whether it will work.

Give it a try, you've got nothing to lose at this point.  :)

-Chris



Re: Configuration questions

2001-08-22 Thread Chris Parker

At 12:15 AM 8/22/2001 -0700, you wrote:

Greetings list members.

I am testing free radius currently and have a couple questions.

I use the LDAP module for authentication.  I have two realms, each on
separate DN's.  How can I have two separate ldap configurations?

You can declare them as two separate instances in the config file:

modules {
    ...
    ldap LDAPONE {
        server = server1.foobar.biz
        # identity = cn=admin,o=My Org,c=UA
        # password = mypass
        basedn = o=My Org,c=UA
        filter = (uid=%u)
        ...
    }
    ldap LDAPTWO {
        server = server2.foobar.biz
        # identity = cn=admin,o=My Org,c=UA
        # password = mypass
        basedn = o=My Org,c=UA
        filter = (uid=%u)
        ...
    }
    ...
}

Then call the modules as LDAPONE and LDAPTWO in the auth sections.  See
the SQL module examples on how to do multiple instances.


It would be neat to be able to specify ldap_realma { binddn= etc..} and
then ldap_realmb { binddn= etc..}, then do a fall through type of deal in
the authenticate block.   Is there current structure for this,
or do I need a second radius server/implementation to do this properly?

Read the docs, and look at the examples.  This is explained in intricate
detail in 'doc/configurable_failover'.

Secondly, do we have the ability to send attributes back to specific
radius clients?  I like to apply SMTP filters to NAS devices via
attributes such as 242, but this becomes difficult when you have some
ascend, cisco, portmaster, and cvx boxes on your network.

I need to be able to do attributes X for client A (or maybe client group
A?) and attributes N for client B.

I have a similar need, as cisco's and pm's require slightly different
syntax for 'Filter-ID' ( appending a .in to cisco's ).  For things other
than that, you can send attributes from other vendors, and they should
be ignored by other vendors.  However, not all vendors read the same
RFC apparently, so this may not be the case, but that's another rant.  :)

For now, there isn't a way to do what you want, but there is a need for
something similar, so have patience and it'll be there.

-Chris



Re: update and proxy

2001-08-22 Thread Chris Parker

At 03:45 AM 8/22/2001 -0400, you wrote:
Hello

I am new to this newsgroup and hope I don't ask any question that already
has been asked.
I have searched the archive but did not find the answer,
neither in the help files.

The description of the product says when proxying it can add attributes to
the request.
How is that done?
What do I need to configure, what can be added?

Any attribute you want.  See the standard users file, as well as the
'rlm_attr_filter' and 'rlm_attr_rewrite' modules, which selectively
modify radius packets.

The best way to find out is to download the server and run it.  :)

-Chris



RE: Dropping conflicting authentication packet

2001-08-22 Thread Chris Parker

At 12:40 PM 8/22/2001 -0700, Qinxue Chen wrote:
I used two kinds of RADIUS servers. With Merit 3.6B, the server accepts a lot
more traffic from the NAS servers. There is not a single complaint. With
freeradius (snapshot 08/20/01), we got a lot of "Dropping conflicting
authentication packets" messages but for only very limited test traffic. I
set hostname_lookup no. You mean the NAS servers keep using the same
sequence numbers or IDs for authentication packets, even though the requests
may come from different users? Then the way to get around it is not to check
the ID?

What did the debug show?

   o  Was the server replying to the request?

   o  Was the NAS resending duplicate requests before the server could reply?

   o  You aren't by chance, running on a secondary interface ip, are you?

-Chris




RE: Dropping conflicting authentication packet

2001-08-22 Thread Chris Parker

At 01:58 PM 8/22/2001 -0700, Qinxue Chen wrote:


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

    Qinxue Chen [EMAIL PROTECTED] wrote:
        What did the debug show?

      With debug on, I couldn't see errors at all.

    And how long did the server take to reply?

Within milliseconds normally. Could the server have cached the IDs somehow?

        o  Was the server replying to the request?

      Definitely the newest request is dropped.

    That is NOT an answer to the question.

Yes. In debug mode, the server will respond to each single request ( I
already ran it for about an hour). In normal mode, I would see the messages
almost every 5 minutes. I might use tcpdump to catch in normal mode to see
what's going on.

truss/strace ( depending on your flavor of *nix ), will probably work too,
I'd suggest strong use of grep as you'll get a *lot* of data.

If it works in debug, has issues in regular, check the permissions needed
to read the auth files.

-Chris



Re: Dropping conflicting authentication packet

2001-08-22 Thread Chris Parker

At 03:49 PM 8/22/2001 -0600, you wrote:
  If it works in debug, has issues in regular, check the permissions needed
  to read the auth files.

I'm seeing basically the same thing, but I don't believe it's a
permission problem.  The server does work in regular mode, it's only
after about 20 minutes it starts reporting "Dropping conflicting
authentication packet".  When it does this it seems to be for every
possible ID 1 to 256, suggesting to me requests aren't getting freed
for some reason.  Yet, I've run in debug mode for up to an hour and
things are fine.

That sounds like a problem then.

Is this version 0.1, 0.2, or latest CVS?

-Chris



RE: Dropping conflicting authentication packet

2001-08-22 Thread Chris Parker

At 05:40 PM 8/22/2001 -0700, you wrote:

The problem seems to be that the new request has the same  request ID,
request code, source IP, source port, but different vectors (what's this?)
as one of the old requests.  From the problem I saw, it is not caused by the
NAS end. The freeradius didn't clear some old requests properly in the
buffer for whatever reasons. Some request IDs stayed for about several
hours. I am not quite sure about the whole process in the software. If Alan
or Chris could explain a little bit, it will be greatly appreciated.

It does sound that way.  I'm currently testing a version locally to see if
I can duplicate the error.

It sounds like a different execution path is being taken in debug mode
vs. normal mode for the request-list cleanup process.

I'll post my findings, but Alan may find something sooner.  :)

-Chris

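The "Dropping conflicting authentication packet" messages discussed in this thread (and in the 2001-08-23 reply earlier on this page) come from the list of in-flight requests a RADIUS server keeps per client. RFC 2865 lets a NAS reuse an Identifier, so a packet with the same source IP, source port, Identifier and Code as a pending one is a retransmission only when its Request Authenticator matches too; a different authenticator is a new request, which can be accepted only if the old entry for that slot has been answered or expired. The script below is an added model of that list, not FreeRADIUS code: it classifies incoming packets as duplicate, conflict or new, and simulates constructed traffic (one NAS cycling through the 8-bit Identifier space once a second, with every seventh reply "lost" so its entry is never answered) with and without the age-based cleanup. Without cleanup the stuck slots accumulate and every reuse of those Identifiers is reported as a conflict, which is the behaviour the posters describe; with cleanup running, none are. The IP address, port, timings and loss pattern are constructed for the example.

```python
"""Model of a RADIUS server's per-client request list (added illustration,
not FreeRADIUS code).

Key = (source IP, source port, Identifier, Code). Same key + same Request
Authenticator = retransmission; same key + different authenticator while the
old request is still unanswered = conflict; otherwise a new request.
Entries must be expired by a cleanup pass, or stuck slots never free up.
"""

import time
from dataclasses import dataclass

DUPLICATE, CONFLICT, NEW = "duplicate", "conflict", "new"


@dataclass
class Pending:
    authenticator: bytes
    received: float
    replied: bool = False


class RequestList:
    def __init__(self, max_age=30.0, clock=time.monotonic):
        self.max_age = max_age        # seconds an entry may stay before cleanup drops it
        self.clock = clock
        self.pending = {}             # (src_ip, src_port, identifier, code) -> Pending

    def cleanup(self):
        """Drop entries older than max_age; returns how many were dropped."""
        now = self.clock()
        stale = [k for k, p in self.pending.items() if now - p.received > self.max_age]
        for key in stale:
            del self.pending[key]
        return len(stale)

    def receive(self, src_ip, src_port, identifier, code, authenticator):
        """Classify an incoming packet as DUPLICATE, CONFLICT or NEW."""
        key = (src_ip, src_port, identifier, code)
        entry = self.pending.get(key)
        if entry is None:
            self.pending[key] = Pending(authenticator, self.clock())
            return NEW
        if entry.authenticator == authenticator:
            return DUPLICATE          # NAS retransmitted the same request
        if entry.replied:
            # The earlier request was answered; the NAS legitimately reused the ID.
            self.pending[key] = Pending(authenticator, self.clock())
            return NEW
        return CONFLICT               # slot still held by an unanswered request

    def mark_replied(self, src_ip, src_port, identifier, code):
        entry = self.pending.get((src_ip, src_port, identifier, code))
        if entry is not None:
            entry.replied = True


def simulate(run_cleanup, packets=600, unanswered_every=7, max_age=30.0):
    """Constructed traffic: one NAS, one packet per second, Identifier cycling
    0..255, a fresh Request Authenticator each time, and every Nth reply lost
    so that its entry is never marked as replied. Returns outcome counts."""
    now = [0.0]
    rl = RequestList(max_age=max_age, clock=lambda: now[0])
    counts = {DUPLICATE: 0, CONFLICT: 0, NEW: 0}
    src = ("10.0.0.5", 50000)                        # constructed NAS address/port
    for n in range(packets):
        now[0] += 1.0
        if run_cleanup:
            rl.cleanup()
        ident = n % 256
        outcome = rl.receive(*src, ident, 1, n.to_bytes(16, "big"))
        counts[outcome] += 1
        if outcome == NEW and n % unanswered_every != 0:
            rl.mark_replied(*src, ident, 1)
    return counts


if __name__ == "__main__":
    print("without cleanup:", simulate(run_cleanup=False))
    print("with cleanup:   ", simulate(run_cleanup=True))
```

A retransmission of a pending request (same key, same authenticator) is reported as a duplicate in both runs, so the interesting counter is the conflict count: it is the number of times a stuck, never-answered slot was hit by a genuinely new request, and it only grows when the cleanup pass does not run, matching the "every possible ID" symptom once the Identifier space has wrapped a few times.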


Re: Advice on a RAS

2001-08-17 Thread Chris Parker

At 11:15 AM 8/17/2001 +1000, you wrote:

Hello,

I've been happily using FreeRadius for a little over a month now and
it's been working great.  Great job to you developers, and thank you.

We're a small operation way out here, and currently we only have 3 dial
in lines.  These have just been served from standard serial port
connections to standard modems on  a machine running RH 7.0 w/
Portslave.  But now we're looking at the possibilities of expanding to 8
or 16+ dial in lines.  So I'm looking for advice on a RAS/NAS for
purchase to handle these dialup lines.  I've briefly investigated, and
found that Cisco has their 2500 line of Access Server Routers, which
looks like a standalone device for 4/8/16 serial lines.  I've also
looked at Digi's Acceleport RAS line, which looks like it would basically be
4/8 modems per card.  These would get plugged into a PC, and I'd run
Portslave on them, of course.  Any advice on which way to go with this
stuff, or better options?

I've always been partial to the Lucent/Livingston Portmaster line for
a small NAS setup.  It is now discontinued by Lucent, but it is/was
a solid product, IMHO.

The PM2/PM25 takes external modems ( i.e., it has no internal modems ).

The PM3 has internal modems ( V.90 ) and terminates 2 T1/E1 PRI/CT1's.

You can find these used for very cheap on various ISP Equipment lists.

-Chris





Re: free radius only working in debug mode

2001-08-17 Thread Chris Parker

At 01:54 AM 8/17/2001 +, you wrote:


Hello,
I have just installed free radius on Solaris 8. The problem I am having is that
free radius will only authenticate in debug mode. If I start it like this
radiusd -xxyz -l stdout works great. But when I start it like this
radiusd It starts OK but rejects all users. Has anyone seen this problem
before? I can post config's and debug outputs or logfiles etc. if needed.

Check the section of the 'radiusd.conf' file where you set the user and
group to run as.  You'll probably need to change that to 'root:root' if
it's not set that way already.

-Chris
--





Re: Problems with MAX3030 talking to Freeradius

2001-08-17 Thread Chris Parker

At 11:39 AM 8/17/2001 +0200, you wrote:
Hi,

  Ignorning request from unknown client 203.x.x.x:1025
This client is not listed in /etc/raddb/clients.

Actually that would be 'clients.conf', rather than just 'clients'.

'clients' is the old-style config file, which is supported, but is
not the preferred style.

-Chris






Re[2]: Exec-Program[-Wait] for Accounting-Request

2001-08-16 Thread Chris Parker

At 01:02 AM 8/17/2001 +0600, you wrote:

  How can I execute some external program on Accounting-Request?
 
  adding lines like
  ...
  to raddb/acct_users does not work.
 
  There is no radius_exec_program() call after PW_ACCOUNTING_REQUEST
  received in sources. Only after PW_AUTHENTICATION_REQUEST.

That's definitely a bug.  Just a second, and I'll go poke at the
  code.

Thank you!

When can I download the patched sources?

Run CVS and 'cvs update -A -d', or wait for the nightly tarball to
be created and download it tomorrow.

I recommend the CVS option, and there are easy to follow instructions at:

http://www.freeradius.org/development.html

-Chris





Re: authorization

2001-08-09 Thread Chris Parker

At 01:14 PM 8/9/2001 +0200, you wrote:
I want to enable the authorization.
I have done so on the NAS (still cisco), but cannot get authorized:

If I type a nonexistent login I get this:
Username: inexistant
Password:
% Access denied

If I type an existing one (with its right password ) I get :
Username: userrad
Password:
% Authorization failed.
(only if I type the right password else I get the Access denied message)

My users file contains just 1 entry:
userrad Auth-Type == Local, Password == testing
        Login-Service = Telnet,
        Login-TCP-Port = 23
Is this right ?
Why doesn't it work ?
I have set up my NAS with this option:
aaa authorization exec radius

You have not configured your cisco and radius server properly.  Please
search Google ( http://cisco.google.com/cisco ) for configuration examples.
Cisco has lots of docs with sample configs on their website.

-Chris





Re: DNIS authentication

2001-08-09 Thread Chris Parker

At 09:03 PM 8/9/2001 +0200, Thomas Jalsovsky wrote:

  Cisco (our Cisco AS5300) doesn't send Called-Station-ID attribute in the
  access request RADIUS packet, therefore you can't use it for auth.
 
  Uhm, you certainly can.  If your telco sends you DNIS info the NAS will
  send it to you.  I'd confirm with you telco that they are sending DNIS
  info to you.
 
  I have 200 cisco's all happily sending Called-Station-ID, so it is
  definitely supported.  :)
 
  -Chris
I think it depends on the environment. I use AS5300 for VoIP and our TCL
script is in Cisco clid_col_npw_3. It doesn't send CLID in the auth request.
If I rewrite the script I CAN do auth with CLID in the way of: User-Name =
CLID, Password =  (or something what I want).

Well, see, it *is* sent.  It's just not a regular radius packet, as
it's VOIP auth.

p.s.: I sent a cisco_vsa_hack patch a couple of weeks ago. Either this patch went to
/dev/null or it is in a processing queue. Thanks.

It may have been lost in the shuffle.  Please repost it here and it'll
be reviewed.

-Chris





Re: Help needed setting up Ascend with Freeradius

2001-08-06 Thread Chris Parker

At 01:53 PM 8/6/2001 +0900, Watson wrote:
Hey everybody;

I am trying to migrate from ascend radius to Freeradius.  But, I'm having
a lot of problems getting my present users file to work.  I run a MAX 6000
and MAX 4000.  In the present users file there is a User-Service Attribute.
When I try to run radius with my present users file, it tells me that
User-Service is an invalid attribute.  So I edited dictionary.ascend and
replaced Attribute 6 which read Service-Type and changed it to
User-Service.  I'm not sure if that was the right move at all...

No.  Change your users file, not the dictionary.  It is very possible to
screw up the server if you make the wrong changes to the dictionary file.
It will also make it harder to perform future upgrades ( as you'll need to
make the same changes to the dictionary every time vs. changing your
users file once. )

 Anyways now freeradius dies with Unknown Attribute Service-Type.  My
question is..  Is there a simple way to migrate from Ascend Radius with the
User-Service Attribute to Freeradius.  I would appreciate any information
greatly.

Change your users file to match the attributes used by Freeradius ( which
are the standard names in the RFCs vs. Ascend's crufty names ).

-Chris


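A script for the migration Chris recommends (rewrite the users file, leave the dictionary alone), added here as an example and not part of the original post or of FreeRADIUS: it renames legacy attribute names wherever they appear before an operator in check or reply items, and leaves values, user names and comments untouched. The mapping holds only the one rename the thread names (User-Service is attribute 6, Service-Type); the sample users file, function and constant names are constructed.

```python
import re

# Legacy Ascend name -> standard RFC name. Only the rename named in the
# thread is listed; add further entries as your own users file requires.
LEGACY_ATTRIBUTE_NAMES = {
    "User-Service": "Service-Type",
}

# In a users-file entry an attribute name is always followed by an operator,
# which is how we avoid touching a value that happens to contain the same word.
_OPERATOR = r"\s*(?:==|:=|\+=|!=|<=|>=|<|>|=~|!~|=)"


def migrate_users_file(text, mapping=LEGACY_ATTRIBUTE_NAMES):
    """Return (rewritten text, list of legacy names that were replaced)."""
    names = "|".join(re.escape(n) for n in mapping)
    pattern = re.compile(r"\b(" + names + r")(?=" + _OPERATOR + ")")
    renamed = []

    def substitute(match):
        renamed.append(match.group(1))
        return mapping[match.group(1)]

    out_lines = []
    for line in text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            out_lines.append(line)        # blank line or comment: keep as-is
            continue
        out_lines.append(pattern.sub(substitute, line))
    return "\n".join(out_lines) + "\n", renamed


# Constructed sample in the old Ascend style: check items on the first line,
# reply items on the indented continuation lines.
SAMPLE_USERS = """# constructed sample users file
alice   Password == "secret", User-Service == Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254
bob     Password == "other"
        User-Service = Login-User,
        Login-Service = Telnet
"""

if __name__ == "__main__":
    migrated, changes = migrate_users_file(SAMPLE_USERS)
    print(migrated)
    print("renamed:", changes)
```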



Re: 0.2 Remaining Bug

2001-08-01 Thread Chris Parker

At 12:24 PM 8/1/2001 -0400, [EMAIL PROTECTED] wrote:
VISP Systems Administration [EMAIL PROTECTED] wrote:
  Excellent release.  I do notice one item we discussed earlier when I was
  running 0.1 regarding the tons of duplicate Accounting requests while 
 proxying.
 
  sample line:
  DATE: Info: Accounting: login: entry for NAS nasname.foo.bar port 51 
 duplicate
 
  The patch Chris Parker posted does a good job eliminating most of the
  duplicate Info logs requests in radius.log, but it is not implemented 
 in 0.2.

   OK...

  ---  BEGIN PATCH -
  the 'acct.c' file:
 
  Change:
  if(pairfind(request-config_items, PW_PROXY_TO_REALM)) {
  To:
  if((!request-proxy)  pairfind(request-config_items, 
 PW_PROXY_TO_REALM)) {
  ---  END PATCH -
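Review bot: the condition as quoted has lost its operators in transit: `request-config_items` and `request-proxy` read as `request->config_items` and `request->proxy`, and the double space between `(!request-proxy)` and `pairfind(...)` is where the `&&` stood, so the intended line is `if ((!request->proxy) && pairfind(request->config_items, PW_PROXY_TO_REALM)) {` and should be typed from that form rather than pasted. Note also what the guard does: it skips the proxy branch entirely whenever `request->proxy` is already set, so the duplicate log line disappears because the second pass through this code no longer runs, not because the proxied request is reconciled with its reply.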

   I'm not sure I agree with that.  The patch posted earlier this week
appeared to be a bit better.

I hadn't committed anything as I wasn't satisfied with the fix.  I posted
it so that people could try it, but I'm still looking to find a cleaner
way to fix the problem.

   That is, the preacct AND the accounting sections should be
executed for all modules, even if the packet is about to be proxied.
This allows the server to log the accounting information, EVEN IF it
never sees a proxied reply.

   If the accounting packet is NOT proxied, OR we've seen an accounting
reply from the end server, THEN and ONLY THEN should the server
respond with an accounting response packet to the NAS.

One issue I have with this, is that this can put a load on the NAS if
for some reason the end-radius is not responding.  Given my situation,
where we proxy accounting for 2200 realms to 1000 ISP's, not sending
a reply to accounting ( full disk, misconfigured server, etc. ).

My opinion is that the NAS should be replied to once the record has
been stored locally.  Then the server should retry to send the accounting
packet to the remote server a configurable number of times before
dropping the packet.

Otherwise, if a large customer is having problems with their accounting
server and not replying we've just increased the load on our proxies
*and* on our NAS as both will retry.  I think it's cleaner to reply
to the NAS once the record is stored locally, so that if the end-radius
fails to respond the accounting server only has to retry.

-Chris




