Ippool assigns duplicate ip address
hi, I'm a newbie with freeradius. I'm managing a FreeRadius 0.9 box and I'm trying to solve a problem. On this box the ippool is configured, but it gives duplicate IPs. I'm trying to understand if it's always or just sometimes. Anyway, it seems that after rebooting freeradius it goes ok! Can anyone help me? Here are some of the configuration files (if you need more, just tell me):

usercollide = no
..
ippool vaslab_pool {
        # range-start,range-stop: The start and end ip
        # addresses for the ip pool
        range-start = xx.xx.xx.131
        range-stop = xx.xx.xx.190

        # netmask: The network mask used for the ip's
        netmask = 255.255.255.128

        # cache-size: The gdbm cache size for the db
        # files. Should be equal to the number of ip's
        # available in the ip pool
        cache-size = 800

        # session-db: The main db file used to allocate ip's to clients
        session-db = ${raddbdir}/db.ippool

        # ip-index: Helper db index file used in multilink
        ip-index = ${raddbdir}/db.ipindex
}

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Re[4]: ippool issue
From: Alexander Lunyov Sent: Saturday, 1 November 2003 6:32 AM

Thursday, October 30, 2003, 6:52:58 AM, you wrote:

rlm_ippool: Searching for an entry for nas/port: mynas.domain.ru/17
rlm_ippool: Allocating ip to nas/port: mynas.domain.ru/17
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.254.213 to client on nas mynas.domain.ru,port 17
modcall[post-auth]: module main_pool returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 251 to x.x.x.2:4921
        Framed-Compression = Van-Jacobson-TCP-IP
        Idle-Timeout = 900
        Framed-MTU = 576
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-IP-Address = 192.168.254.213
        Framed-IP-Netmask = 255.255.255.0
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Accounting-Request packet from host x.x.x.2:4924, id=101, length=115
Thread 2 assigned request 1
Waking up in 5 seconds...
Thread 2 handling request 1, (1 handled so far)
        User-Name = lan
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.254.213
        Framed-IP-Netmask = 0.0.0.0
        NAS-Identifier = mynas.domain.ru
        NAS-Port-Type = Async
        NAS-Port = 17
        Acct-Status-Type = Start
        Acct-Session-Id = 11080-lan1067627926
        Acct-Multi-Session-Id =
        Acct-Delay-Time = 0

But why Framed-IP-Netmask changed from 255.255.255.0 to 0.0.0.0?

Deranged NAS? What Netmask does the _client_ get?

--
Paul TBBle Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED]
On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.
Two questions about ippool
Hello everybody:

We have up and running freeradius 0.9.2 with rlm_ippool and rlm_sql (MySQL). We want to use the same server to do the accounting too. We have a Nortel CVX 1800 with a L2TP tunnel against an ASN Bay Networks router.

1.- The ASN doesn't pass the NAS port information in the access request, so rlm_ippool returns NOOP. We have bypassed this check and it seems it is working ok with the IP assignments. Is it a critical parameter to manage the IP pools correctly?

2.- There is no Framed-IP-Address in the Start and Stop accounting packets. I have not found a solution to record the IP assigned by the module rlm_ippool in the MySQL database according to the Start and Stop packets. Any ideas?

Thank you very much. Regards.

--
Agustín Orviz Camblor, e-mail: [EMAIL PROTECTED]
Servicios Avanzados - ISP, TeleCable de Asturias S.A.
Parque Científico y Tecnológico, Edificio TeleCable
Carretera de Cabueñes s/n, Tel: +34 984191000
33203 - Gijón - Asturias, Fax: +34 984191001
ippool issue
Hello freeradius-users,

Is there a possibility to pool a range of IP addresses for a NAS while the NAS is not in that range? For example, if I try to pool the 192.168.253.0/24 network for a NAS with address 192.168.3.3, it says that nas/port not found for that NAS address (192.168.3.3). Is it possible to assign to a NAS client an IP address not from the NAS network?

-- Best regards, Alexander mailto:[EMAIL PROTECTED]
Re: ippool issue
Sure you can. But if you do that you can't get routed to any place. You need a gateway address within the same logical network.

On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:

Hello freeradius-users, Is there a possibility to pool range of IP addresses for NAS while NAS is not in that range? For example, if i try to pool 192.168.253.0/24 network for NAS with address 192.168.3.3 - it says that nas/port not found for that NAS address (192.168.3.3). is it possible to assign to NAS client IP address not from NAS network?
Re[2]: ippool issue
Hello Gustavo,

Wednesday, October 29, 2003, 8:42:51 AM, you wrote:

GAL Sure you can.
GAL But if you do that you can't get routed to any place.
GAL You need a gateway address within the same logical network.

What do you mean? NAS in the same logical network or radius server in the same logical network? For example, I want this ippool working with NAS.

ippool main_pool {
        range-start = 192.168.253.1
        range-stop = 192.168.253.254
        netmask = 255.255.0.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
}

NAS is a FreeBSD box with 3 multiport cards and 2 network interfaces. First iface is 192.168.33.127/24, second is x.x.x.2/24 ('white' network). So when authentication of the ppp session is done and it's time to receive an IP address for this session, radiusd cannot find a range for this NAS. It says

rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
        User-Name = lan
        Service-Type = Framed-User
        Framed-Protocol = PPP
        CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
        CHAP-Challenge = 0x38328232349865433746313036313635
        NAS-Identifier = zeus.domain.ru
        NAS-Port-Type = Ethernet
        NAS-Port = 61
[authentication and other skip]
rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
modcall[post-auth]: module main_pool returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 239 to x.x.x.2:2740
        Framed-Compression = Van-Jacobson-TCP-IP
        Idle-Timeout = 10
        Framed-MTU = 576
        Framed-IP-Address = 255.255.255.254
        Framed-Protocol = PPP
        Service-Type = Framed-User
Finished request 0

What should I do? Is there any 'magic word'? :)

GAL On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:

Hello freeradius-users, Is there a possibility to pool range of IP addresses for NAS while NAS is not in that range? For example, if i try to pool 192.168.253.0/24 network for NAS with address 192.168.3.3 - it says that nas/port not found for that NAS address (192.168.3.3). is it possible to assign to NAS client IP address not from NAS network?

-- Best regards, Alexander mailto:[EMAIL PROTECTED]
Re: Re[2]: ippool issue
You need an address in the RAS to act as a gateway... You can configure any pool in whatever RAS, but for example if the RAS is a cisco you will need to do something like:

interface eth0
 ip add xxx.xxx.xxx.1 secondary
interface eth0
 ip add yyy.yyy.yyy.1 secondary
..
...

and now you can assign addresses within the blocks xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy

The thing is you need the RAS as gateway for the dialin users

On Wed, 2003-10-29 at 20:14, Alexander Lunyov wrote:

Hello Gustavo,

Wednesday, October 29, 2003, 8:42:51 AM, you wrote:

GAL Sure you can.
GAL But if you do that you can't get routed to any place.
GAL You need a gateway address within the same logical network.

What do you mean? NAS in the same logical network or radius server in the same logical network? For example, i want this ippool working with NAS.

ippool main_pool {
        range-start = 192.168.253.1
        range-stop = 192.168.253.254
        netmask = 255.255.0.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
}

NAS is a FreeBSD box with 3 multiport cards and 2 network interfaces. First iface is 192.168.33.127/24, second is x.x.x.2/24 ('white' network). So when authentication of ppp session is done and it's time to receive IP address for this session, radiusd cannot find range for this NAS. It says

rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
        User-Name = lan
        Service-Type = Framed-User
        Framed-Protocol = PPP
        CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
        CHAP-Challenge = 0x38328232349865433746313036313635
        NAS-Identifier = zeus.domain.ru
        NAS-Port-Type = Ethernet
        NAS-Port = 61
[authentication and other skip]
rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
modcall[post-auth]: module main_pool returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 239 to x.x.x.2:2740
        Framed-Compression = Van-Jacobson-TCP-IP
        Idle-Timeout = 10
        Framed-MTU = 576
        Framed-IP-Address = 255.255.255.254
        Framed-Protocol = PPP
        Service-Type = Framed-User
Finished request 0

What should i do? Is there any 'magic word'? :)

GAL On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:

Hello freeradius-users, Is there a possibility to pool range of IP addresses for NAS while NAS is not in that range? For example, if i try to pool 192.168.253.0/24 network for NAS with address 192.168.3.3 - it says that nas/port not found for that NAS address (192.168.3.3). is it possible to assign to NAS client IP address not from NAS network?
Huntgroups and IPPOOL allocation based on NAS Request
Hi

Currently attempting to set up multiple ippools, which are correctly assigned due to the NAS making the request.

--start huntgroups-
llgcis01-hunt NAS-IP-Address == 127.0.0.1
btsurf01-hunt NAS-IP-Address == 10.1.1.100
---end huntgroups

---start users
DEFAULT Huntgroup-Name == llgcis01-hunt, Pool-Name := llgcis01
        Fall-Through = Yes

DEFAULT Huntgroup-Name == btsurf01-hunt, Pool-Name := btsurf01
        Fall-Through = Yes

q4xvzfm0 Auth-Type := Local, User-Password ==5e7lvwqh
---end users-

When using radtest, no dynamic ip is allocated

rad_recv: Access-Request packet from host 127.0.0.1:1968, id=235, length=60
        User-Name = q4xvzfm0
        User-Password = 5e7lvwqh
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module chap returns noop
modcall[authorize]: module mschap returns noop
rlm_realm: No '@' in User-Name = q4xvzfm0, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched q4xvzfm0 at 7
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [q4xvzfm0] (from client localhost port 10)
modcall: entering group post-auth
rlm_ippool: Could not find Pool-Name attribute.
modcall[post-auth]: module llgcis01 returns noop
rlm_ippool: Could not find Pool-Name attribute.
modcall[post-auth]: module btsurf01 returns noop
modcall: group post-auth returns noop
Sending Access-Accept of id 235 to 127.0.0.1:1968
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 235 with timestamp 3f8bceb2
Nothing to do. Sleeping until we see a request.

Although if I change the users file to be (the difference being huntgroup := )

---start users
DEFAULT Huntgroup-Name := llgcis01-hunt, Pool-Name := llgcis01
        Fall-Through = Yes

DEFAULT Huntgroup-Name := btsurf01-hunt, Pool-Name := btsurf01
        Fall-Through = Yes

q4xvzfm0 Auth-Type := Local, User-Password ==5e7lvwqh
---end users---

An IP pool address is returned, although from the incorrect pool. Since the radtest is from 127.0.0.1, I would expect that the correct huntgroup llgcis01-hunt is determined and hence an ip address is returned from the correct pool.

Any help would be appreciated.

--Jim
ippool - several subnets
Hello, could someone help me figure out this:

I want to create one large IP-pool consisting of several subnets (not necessarily sequenced), and then distribute IP-addresses to all my clients from this pool (i.e. 1.2.3.0/24 + 1.2.10.0/22)

What would be the simplest way to accommodate this?

-- Med vennlig hilsen/Sincerely Alfred H. Dahl Hostmaster Élla Kommunikasjon Tlf: +47 3860 8575 Fax: +47 3860 8501
RE: ippool - several subnets
From: Alfred Dahl Sent: Friday, 10 October 2003 9:58 PM

I want to create one large IP-pool consisting of several subnets (not necessarily sequenced), and then distribute IP-addresses to all my clients from this pool (i.e. 1.2.3.0/24 + 1.2.10.0/22) What would be the simplest way to accommodate this?

The simplest way would be to have two pool instances, and set override=no.

_I_ would suggest a grouping of two ippool instances where a NOOP result gets failed over, and any other result is returned immediately... And with override=no set. See doc/configurable-failover for instructions.

However, these both assume that you don't mind if one pool fills before the other is emptied... If that's a problem, you'd have to create a custom db file that contains all the IPs you want, and none of the ones you don't want. Once the DB exists, rlm_ippool doesn't care if they're contiguous or not, it just picks the first free entry from the DB.

--
Paul TBBle Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED]
On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.
rlm-ippool not deallocating ip addresses
Hi,

I installed freeradius version 9. pre-1 (just before the version 9 was released) on a debian system. Everything is working fine except for the deallocation on rlm-ippool. I have a pool defined in radiusd.conf:

ippool private_pool {
        range-start = 172.16.4.1
        range-stop = 172.16.4.254
        netmask = 255.255.255.0
        cache-size = 5000
        session-db = ${raddbdir}/db.privatepool
        ip-index = ${raddbdir}/db.privateindex
        override = yes
}

The problem is after a day or 2, no more IP addresses are available; at first, freeradius deallocates IP addresses, then it stops deallocating for some reason.

Any clue?

Regards
Mohsen
RE: rlm-ippool not deallocating ip addresses
From: Mohsen Chirara Sent: Thursday, 28 August 2003 7:40 PM

Hi, I installed freeradius version 9. pre-1 (just before the version 9 was released) on a debian system. Everything is working fine except for the deallocation on rlm-ippool. The problem is after a day or 2, no more IP address are available, at first, freeradius deallocates IP addresses then it stops deallocating for some reason.

Try using ippooltool (available on the 'net, you'll need to stop FreeRADIUS to use it though) to see if your ippool has been shrinking.

If so, grab the latest CVS snapshot, and see if that fixed the problem. (If you want to be safer, just grab rlm_ippool.c from the latest CVS snapshot. It can just drop into place)

If the ippool's shrunk, rather than just having a whole bunch of addresses that haven't been marked inactive, then the newer rlm_ippool.c _should_ fix it.

Basically, this might be a known bug, and we're trying to find people who're suffering it to test our solution before we release 0.9.1.

--
Paul TBBle Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED]
This is a one line proof...if we start sufficiently far to the left. -- Cambridge University Math Department
- Random signature generator 3.0 by Paul TBBle Hampson
Re: rlm-ippool not deallocating ip addresses
Use 0.9, then you need to constantly see what IP is being used (using radwho) and rebuild the dbs.

Also you can test the CVS branch, the team is asking for people to test the new module as soon as possible.

If you will use the CVS branch, ok; if you will use the standard 0.9, post again and I will post the programs and scripts needed to have the database up to date.

On Thu, 2003-08-28 at 04:39, Mohsen Chirara wrote:

Hi, I installed freeradius version 9. pre-1 (just before the version 9 was released) on a debian system. Everything is working fine except for the deallocation on rlm-ippool. I have a pool defined in radiusd.conf :

ippool private_pool {
        range-start = 172.16.4.1
        range-stop = 172.16.4.254
        netmask = 255.255.255.0
        cache-size = 5000
        session-db = ${raddbdir}/db.privatepool
        ip-index = ${raddbdir}/db.privateindex
        override = yes
}

The problem is after a day or 2, no more IP address are available, at first, freeradius deallocates IP addresses then it stops deallocating for some reason. Any clue ? Regards Mohsen

--
Gustavo A. Lozano Noldata Corporation [EMAIL PROTECTED]
Calle 46 No. 40-19 CTO Bogota D.C. Colombia
Noldata Corporation http://noldata.com
I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. Albert Einstein
patch: Caller Id not stored in ippool files
Hello all (TGiF!): Not yet assimilated the rlm_ippool pseudo-code Paul posted (I haven't spent much time with it either), but I solved a little flaw in rlm_ippool. While dumping the contents of the files (so to trace the strange case of disappearing IPs), I noticed that no caller ids were stored. I did a little patch that fixes it. While it's not very useful (except for MPP detection, but the latter is proved not to be working smoothly), at least gives more info about session log. Jonathan. -- Jonathan Ruano kobalt at pobox dot comdiff -urN org.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c new.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c --- org.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c2002-10-11 15:26:20.0 +0200 +++ new.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c2003-06-20 17:37:49.0 +0200 @@ -67,6 +67,7 @@ #define ALL_ONES 4294967295 #define MAX_NAS_NAME_SIZE 64 +#define MAX_CLI_SIZE 32 static const char rcsid[] = $Id: rlm_ippool.c,v 1.12 2002/10/11 13:26:20 kkalev Exp $; @@ -94,7 +95,7 @@ typedef struct ippool_info { uint32_tipaddr; charactive; - charcli[32]; + charcli[MAX_CLI_SIZE]; } ippool_info; typedef struct ippool_key { @@ -571,6 +572,11 @@ */ if (key_datum.dptr){ entry.active = 1; + + memset(entry.cli,0,MAX_CLI_SIZE); + if (cli != NULL) +strncpy( entry.cli, cli, MAX_CLI_SIZE - 1); + data_datum.dptr = (ippool_info *) entry; data_datum.dsize = sizeof(ippool_info);
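Review bot: in the last hunk (@@ -571,6 +572,11 @@) the copy length is tied to the macro rather than to the destination, so using sizeof(entry.cli) in both the memset and the strncpy would keep the bound correct if the array in ippool_info is ever resized without touching MAX_CLI_SIZE. The memset followed by strncpy with MAX_CLI_SIZE - 1 does leave the field NUL-terminated, but a caller id longer than 31 bytes is truncated silently; since the message names MPP detection as the use for this field, a debug line on truncation would make mismatches easier to trace. The hunk does not show where cli is assigned, so please confirm it is initialised to NULL on the path where the request carries no caller id, because the new if (cli != NULL) check depends on that.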
ippool error next!
We made a lot of tests; I can now explain one thing.

This is the test:

killall radiusd
rm -f /var/log/radius/radacct/db.ippool /var/log/radius/radacct/db.ipindex
radiusd
./test_cree.sh
./test_free.sh
/usr/bin/iptool /var/log/radius/radacct/db.ippool /var/log/radius/radacct/db.ipindex -v | wc

the final result is 32 = size of my pool

./test_cree.sh - simulates 40 requests for an auth ip ppp
./test_free.sh - and 40 release acct

all entries are good, like this

NAS:192.168.100.22 port:0x20 - ipaddr:195.167.230.59 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x10 - ipaddr:195.167.230.35 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x19 - ipaddr:195.167.230.61 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x9 - ipaddr:195.167.230.55 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x12 - ipaddr:195.167.230.42 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x2 - ipaddr:195.167.230.50 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1b - ipaddr:195.167.230.31 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xb - ipaddr:195.167.230.62 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x14 - ipaddr:195.167.230.33 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x4 - ipaddr:195.167.230.36 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1d - ipaddr:195.167.230.47 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xd - ipaddr:195.167.230.53 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x16 - ipaddr:195.167.230.49 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1 - ipaddr:195.167.230.34 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x6 - ipaddr:195.167.230.32 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1f - ipaddr:195.167.230.38 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xa - ipaddr:195.167.230.46 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xf - ipaddr:195.167.230.60 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x18 - ipaddr:195.167.230.40 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x3 - ipaddr:195.167.230.41 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x8 - ipaddr:195.167.230.39 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xc - ipaddr:195.167.230.37 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x11 - ipaddr:195.167.230.51 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x15 - ipaddr:195.167.230.54 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1a - ipaddr:195.167.230.56 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x5 - ipaddr:195.167.230.57 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1e - ipaddr:195.167.230.43 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xe - ipaddr:195.167.230.44 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x13 - ipaddr:195.167.230.58 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x17 - ipaddr:195.167.230.45 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1c - ipaddr:195.167.230.52 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x7 - ipaddr:195.167.230.48 active:0 cli:0 num:0

if I make another test with only test_cree.sh, which creates 40 auth requests, I will have

NAS:192.168.100.22 port:0x10 - ipaddr:195.167.230.54 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x9 - ipaddr:195.167.230.47 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x12 - ipaddr:195.167.230.43 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x2 - ipaddr:195.167.230.35 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xb - ipaddr:195.167.230.49 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x14 - ipaddr:195.167.230.45 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x4 - ipaddr:195.167.230.55 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xd - ipaddr:195.167.230.60 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x1 - ipaddr:195.167.230.59 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x6 - ipaddr:195.167.230.31 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xa - ipaddr:195.167.230.53 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xf - ipaddr:195.167.230.51 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x3 - ipaddr:195.167.230.61 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x8 - ipaddr:195.167.230.33 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xc - ipaddr:195.167.230.38 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x11 - ipaddr:195.167.230.56 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x15 - ipaddr:195.167.230.52 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x5 - ipaddr:195.167.230.42 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xe - ipaddr:195.167.230.40 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x13 - ipaddr:195.167.230.58 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x7 - ipaddr:195.167.230.62 active:1 cli:0 num:1

this means that something is deleted inside the database and I can't find why

Lionel Drevon [EMAIL PROTECTED]
Adeli http://www.adeli.fr
618 Av. Gal de Gaulle Tel 04 78 66 11 85
69760 Limonest Fax 04 78 66 04 33
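The check made by hand in the message above (count the dumped records and compare with the pool size) can be automated. This is an added example, not part of the original post and not code from iptool or FreeRADIUS: it parses records in the dump format shown above and reports pool addresses with no record at all, plus addresses that are active on more than one nas/port. The sample lines and the 10.0.0.1 to 10.0.0.8 range are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 512

typedef struct pool_audit {
    int entries;        /* records parsed successfully */
    int active;         /* records with active:1 */
    int duplicate_ips;  /* active records whose address is already active elsewhere */
    int missing;        /* addresses in the configured range with no record */
    int malformed;      /* lines that do not match the dump format */
} pool_audit;

/* Dotted quad to host-order integer; returns 0 on bad input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Audit dump lines against the pool range [first, last]; returns -1 on a bad range. */
static int audit_pool(const char *const *lines, int n,
                      const char *first, const char *last, pool_audit *res)
{
    static uint32_t ip[MAX_RECORDS];
    static int act[MAX_RECORDS];
    uint32_t lo, hi;
    int count = 0;

    memset(res, 0, sizeof(*res));
    if (!parse_ipv4(first, &lo) || !parse_ipv4(last, &hi) || lo > hi)
        return -1;

    for (int i = 0; i < n && count < MAX_RECORDS; i++) {
        char nas[64], addr[16], cli[32];
        unsigned port;
        int active, num;

        if (sscanf(lines[i],
                   "NAS:%63s port:%x - ipaddr:%15s active:%d cli:%31s num:%d",
                   nas, &port, addr, &active, cli, &num) != 6 ||
            !parse_ipv4(addr, &ip[count])) {
            res->malformed++;
            continue;
        }
        act[count] = active;
        res->entries++;
        if (active) {
            res->active++;
            /* Same address active on an earlier record: a duplicate assignment. */
            for (int j = 0; j < count; j++)
                if (act[j] && ip[j] == ip[count]) { res->duplicate_ips++; break; }
        }
        count++;
    }

    /* Every address of the range should own exactly one record; count the gaps. */
    for (uint32_t a = lo; ; a++) {
        int seen = 0;
        for (int j = 0; j < count && !seen; j++)
            seen = (ip[j] == a);
        if (!seen)
            res->missing++;
        if (a == hi)
            break;
    }
    return 0;
}

/* Constructed sample: 10.0.0.2 is active twice; .4, .7 and .8 have no record. */
static const char *const sample_dump[] = {
    "NAS:192.0.2.10 port:0x1 - ipaddr:10.0.0.1 active:1 cli:0 num:1",
    "NAS:192.0.2.10 port:0x2 - ipaddr:10.0.0.2 active:1 cli:0 num:1",
    "NAS:192.0.2.10 port:0x3 - ipaddr:10.0.0.3 active:0 cli:0 num:0",
    "NAS:192.0.2.10 port:0x4 - ipaddr:10.0.0.2 active:1 cli:0 num:1",
    "NAS:192.0.2.10 port:0x5 - ipaddr:10.0.0.5 active:0 cli:0 num:0",
    "NAS:192.0.2.10 port:0x6 - ipaddr:10.0.0.6 active:1 cli:0 num:1",
    "truncated or unrelated line",
};

static pool_audit audit_sample(void)
{
    pool_audit r;
    audit_pool(sample_dump, (int)(sizeof(sample_dump) / sizeof(sample_dump[0])),
               "10.0.0.1", "10.0.0.8", &r);
    return r;
}

int main(void)
{
    pool_audit r = audit_sample();
    printf("entries=%d active=%d duplicate_ips=%d missing=%d malformed=%d\n",
           r.entries, r.active, r.duplicate_ips, r.missing, r.malformed);
    return 0;
}
```

A non-zero `missing` count corresponds to the shrinking pool described in this post; a non-zero `duplicate_ips` count corresponds to the duplicate assignments reported in the first thread on this page.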
Re: ippool-tool
On Sun, 9 Mar 2003, Edwin Groothuis wrote:

Greetings, In the past three months or so since we've used FreeRadius we found out that our IP-Pool is running out of free addresses. Most likely because of the way we get packets in combination with the way our dialin-service is handled.

There was a problem in versions older than 1.12 (cvs revision) of the ippool module. The module will free an ip address when it receives an accounting-stop for an active nas/port combination or an access-request for the same combination. So normally it should not run out of ip addresses.

To monitor and overcome this problem, I've written a small tool to dump the database and/or remove the active entries. It runs on any system with the GDBM libraries installed and is available from: http://www.mavetju.org/unix/general.php at the bottom, called FreeRadius IP Pool Tool. Suggestions, comments et al are appreciated.

If it's ok with you I'll add it in the cvs.

Edwin
-- Edwin Groothuis | Personal website: http://www.mavetju.org [EMAIL PROTECTED] | Weblog: http://www.mavetju.org/weblog/weblog.php

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
RE: ippool-tool
On Mon, 10 Mar 2003, Javier Castillo Alcibar wrote:

Hello, What problem did you find in versions older than 1.12?? I cannot access web cvs..

The code did not do a memset(0) on a few values before doing searches. As a result it could not find open sessions.

Javier.

-Original Message-
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]
Sent: Monday, 10 March 2003 13:20
To: [EMAIL PROTECTED]
Subject: Re: ippool-tool

On Sun, 9 Mar 2003, Edwin Groothuis wrote:

Greetings, In the past three months or so since we've used FreeRadius we found out that our IP-Pool is running out of free addresses. Most likely because of the way we get packets in combination with the way our dialin-service is handled.

There was a problem in versions older than 1.12 (cvs revision) of the ippool module. The module will free an ip address when it receives an accounting-stop for an active nas/port combination or an access-request for the same combination. So normally it should not run out of ip addresses.

To monitor and overcome this problem, I've written a small tool to dump the database and/or remove the active entries. It runs on any system with the GDBM libraries installed and is available from: http://www.mavetju.org/unix/general.php at the bottom, called FreeRadius IP Pool Tool. Suggestions, comments et al are appreciated.

If it's ok with you i 'll add it in the cvs.

Edwin
-- Edwin Groothuis | Personal website: http://www.mavetju.org [EMAIL PROTECTED] | Weblog: http://www.mavetju.org/weblog/weblog.php

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Re: ippool-tool
On Mon, Mar 10, 2003 at 02:19:48PM +0200, Kostas Kalevras wrote:

On Sun, 9 Mar 2003, Edwin Groothuis wrote:

Greetings, In the past three months or so since we've used FreeRadius we found out that our IP-Pool is running out of free addresses. Most likely because of the way we get packets in combination with the way our dialin-service is handled.

There was a problem in versions older than 1.12 (cvs revision) of the ippool module. The module will free an ip address when it receives an accounting-stop for an active nas/port combination or an access-request for the same combination. So normally it should not run out of ip addresses.

I'm running 0.8.1, but it's still in there. Maybe it's something weird with our setup, we get all accounting packets double: one from the NAS, one from the Accounting server and the stop-packets don't have the right NAS-IPaddress in the packet. What a mess

Anyway, I'm using the ippooltool to keep us up and running :-)

Edwin
-- Edwin Groothuis | Personal website: http://www.mavetju.org [EMAIL PROTECTED] | Weblog: http://www.mavetju.org/weblog/weblog.php
Re: ippool-tool
On Tue, 11 Mar 2003, Edwin Groothuis wrote:

On Mon, Mar 10, 2003 at 02:19:48PM +0200, Kostas Kalevras wrote:

On Sun, 9 Mar 2003, Edwin Groothuis wrote:

Greetings, In the past three months or so since we've used FreeRadius we found out that our IP-Pool is running out of free addresses. Most likely because of the way we get packets in combination with the way our dialin-service is handled.

There was a problem in versions older than 1.12 (cvs revision) of the ippool module. The module will free an ip address when it receives an accounting-stop for an active nas/port combination or an access-request for the same combination. So normally it should not run out of ip addresses.

I'm running 0.8.1, but it's still in there. Maybe it's something weird with our setup, we get all accounting packets double: one from the NAS, one from the Accounting server and the stop-packets don't have the right NAS-IPaddress in the packet. What a mess

Well the ippool module relies on the NAS-IP-Address and NAS-Port attributes being correct. It seems quite strange though that the NAS-IP-Address is incorrect.

Anyway, I'm using the ippooltool to keep us up and running :-)

Edwin
-- Edwin Groothuis | Personal website: http://www.mavetju.org [EMAIL PROTECTED] | Weblog: http://www.mavetju.org/weblog/weblog.php

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
ippool-tool
Greetings,

In the past three months or so since we've used FreeRadius we found out that our IP-Pool is running out of free addresses. Most likely because of the way we get packets in combination with the way our dialin-service is handled.

To monitor and overcome this problem, I've written a small tool to dump the database and/or remove the active entries. It runs on any system with the GDBM libraries installed and is available from: http://www.mavetju.org/unix/general.php at the bottom, called FreeRadius IP Pool Tool.

Suggestions, comments et al are appreciated.

Edwin
-- Edwin Groothuis | Personal website: http://www.mavetju.org [EMAIL PROTECTED] | Weblog: http://www.mavetju.org/weblog/weblog.php
IPPOOL PROBLEM
Hello All,

I have a problem with the rlm_ippool module. It doesn't give ip addresses... :(

This is my radiusd.conf:

modules {
        ..
        ippool ippool {
                name = ippool
                range-start = 194.69.251.128
                range-stop = 194.69.251.254
                netmask = 255.255.252.0
                session-db = /usr/local/etc/raddb/ippool-sess-db
                ip-index = /usr/local/etc/raddb/ippool-idx-db
                cache-size = 1000
        }
}

accounting {
        acct_unique
        detail
        unix
        radutmp
        ippool
}

post-auth {
        ippool
}

When the radius gets an incoming auth.req :

Thread 4 handling request 3, (1 handled so far)
        User-Name = tec-javiere
        User-Password = 1
        NAS-IP-Address = 194.69.248.50
        NAS-Port = 2
        Framed-Protocol = PPP
        Service-Type = 0
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module chap returns noop
modcall[authorize]: module mschap returns notfound
rlm_realm: No '@' in User-Name = tec-javiere, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched tec-javiere at 5123
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [tec-javiere] (from client alhproxy port 2)
modcall: entering group post-auth
rlm_ippool: Searching for an entry for nas/port: 194.69.248.50/2
modcall[post-auth]: module ippool returns noop
modcall: group post-auth returns noop
Sending Access-Accept of id 36 to 194.69.248.50:2761
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-MTU = 1500
        Framed-Address = 255.255.255.255
        Framed-Netmask = 255.255.255.255
        Ascend-Metric = 2
        Framed-Routing = None
        Framed-Compression = None
        Ascend-Idle-Limit = 14400
        Ascend-Maximum-Time = 36000
Finished request 3

Why does the ippool module return NOOP??

Thx in advance.
Javier.
IPPOOL configuration on freeradius-0.7.1
Sir/Madam

I have downloaded and installed freeradius-0.7.1 on a linux system. It is all working except I am having trouble allocating IP address dynamically. It is my belief this is done using ippool, which is where my problem is. I can't seem to set up ippool successfully. Do I need to issue a particular flag on my configure statement? I used

./configure --with-experimentalmodules --prefix --exec-prefix --program prefix --with-logdir --with-radacctdir --with-raddbdir

Any help would be much appreciated

I Taylor
ForemostIT
IPPool problem, again.
Do you remember my previous mails?

Hi all, I'm having problem with the Ippool module ( rlm_ippool ). When authorizing, the module is able to allocate the correct IP address, but on the account Stop does not set the ip free. ...

Well, I did some more investigation, but yet doesn't work. I added some comments on the rlm_ippool module to check what kind of data were passing through the module. Here is the output:

In authorize side:

rlm_ippool: Searching for an entry for nas/port: 10.128.255.3/1054
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.128.10.2 to client on nas 10.128.255.3,port 1054

In accounting side, when the request is a stop, at the end of the if (data_datum.dptr != NULL){ I've added a cycle on the gdbm file and I see:

rlm_ippool: THERE IS A NAS INFORMATION IN PACKET 10.128.255.3 1054.
rlm_ippool: Values: active = 1, key.nas = 10.128.255.3, nasport= 1054
rlm_ippool: Dati 0 NOT_EXIST -2
rlm_ippool: Exiting from function accounting no results

So it seems that the gdbm_fetch fails when searching in the file. The behaviour is the same on linux and solaris 8 machine. Have you any idea? In the mean time I will try to modify the source to work with a cycle, but this could be expensive for the time needed by the scan.

Pigi
Re: IPPool problem, again. (Kostas Kalevras)
It was fixed today. Check the CVS. It needed a memset(0) for key.nas before the strcpy().

I can confirm that now it works. Thanx a lot

Pigi
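An added illustration of the fix reported in this message (example code written for this page, not the rlm_ippool source): gdbm compares keys as raw bytes, so a key struct filled by a string copy alone keeps leftover bytes after the NUL and does not match the stored key at accounting Stop. The struct layout, field size and fill patterns are assumptions, and memcmp stands in for the gdbm lookup.

```c
#include <stdio.h>
#include <string.h>

#define NAS_NAME_SIZE 64              /* assumed field size, not taken from rlm_ippool */
#define SAMPLE_NAS    "10.128.255.3"  /* values from the debug output in the thread */
#define SAMPLE_PORT   1054

/* Hypothetical key layout modelled on the nas/port pair in the debug output. */
typedef struct {
    char nas[NAS_NAME_SIZE];
    int  port;
} pool_key;

/* Reading truly uninitialised memory is undefined behaviour, so the bytes
 * a stack variable would inherit are simulated with a fill pattern. */
static void simulate_stack_residue(pool_key *k, unsigned char pattern)
{
    memset(k, pattern, sizeof *k);
}

/* Pre-fix behaviour: only the string and its terminating NUL are written. */
static void build_key_unfixed(pool_key *k, const char *nas, int port)
{
    strcpy(k->nas, nas);              /* caller guarantees the name fits */
    k->port = port;
}

/* Fix described in the thread (zero the key first); the length check is an
 * addition made here. Returns 0 on success, -1 if the name does not fit. */
static int build_key_fixed(pool_key *k, const char *nas, int port)
{
    size_t len = strlen(nas);

    if (len >= sizeof k->nas)
        return -1;
    memset(k, 0, sizeof *k);          /* clears key.nas and any padding */
    memcpy(k->nas, nas, len);
    k->port = port;
    return 0;
}

/* gdbm treats a key as an opaque run of bytes; memcmp models that. */
static int keys_match(const pool_key *a, const pool_key *b)
{
    return memcmp(a, b, sizeof *a) == 0;
}

/* Non-zero bytes left in key.nas after the terminating NUL. */
static size_t stale_bytes(const pool_key *k)
{
    size_t n = 0, i;

    for (i = strlen(k->nas) + 1; i < sizeof k->nas; i++)
        if (k->nas[i] != 0)
            n++;
    return n;
}

/* Build the key once at allocation and once at accounting Stop, each time
 * over different leftover memory, and report whether the lookup would hit. */
static int lookup_succeeds(int fixed)
{
    pool_key stored, probe;

    simulate_stack_residue(&stored, 0xAA);
    simulate_stack_residue(&probe, 0x55);
    if (fixed) {
        if (build_key_fixed(&stored, SAMPLE_NAS, SAMPLE_PORT) != 0 ||
            build_key_fixed(&probe, SAMPLE_NAS, SAMPLE_PORT) != 0)
            return 0;
    } else {
        build_key_unfixed(&stored, SAMPLE_NAS, SAMPLE_PORT);
        build_key_unfixed(&probe, SAMPLE_NAS, SAMPLE_PORT);
    }
    return keys_match(&stored, &probe);
}

/* Leftover bytes that would be written into the database file with the key. */
static size_t residue_after_build(int fixed)
{
    pool_key k;

    simulate_stack_residue(&k, 0xAA);
    if (fixed)
        build_key_fixed(&k, SAMPLE_NAS, SAMPLE_PORT);
    else
        build_key_unfixed(&k, SAMPLE_NAS, SAMPLE_PORT);
    return stale_bytes(&k);
}

int main(void)
{
    printf("unfixed: lookup hit=%d, stale bytes in key=%zu\n",
           lookup_succeeds(0), residue_after_build(0));
    printf("fixed:   lookup hit=%d, stale bytes in key=%zu\n",
           lookup_succeeds(1), residue_after_build(1));
    return 0;
}
```

Besides the failed release, the unfixed key writes whatever memory followed the name into the database file, which is a second reason to zero such structures before use.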
Re: Ippool problem on 0.7.1.Don't deallocate ip addresses
Ok, I reply to myself.

I've noticed that the NAS ( a VPN 3000 Concentrator ) sends out two different authorize request, on two different ports ( 1020 and 1038 in my trace ) then when gives out a stop request will use the second request parameters. The rlm_ippool module, correctly check for the second request and doesn't gives out the new ip address, and also correctly doesn't free the ipaddress on stop due to the different port in request.

This would be a real problem for me, but the module is OK.

Sorry again
Pigi
Ippool problem on 0.7.1.Don't deallocate ip addresses
Hi all, I' m having problem with the Ippool module ( rlm_ippool ). When authorizing, the module is able to allocate the correct IP address, but on the account Stop does not set the ip free. relevant part of radiusd.conf ... ... modules { ... ... ippool Prova0 { range-start = 10.128.1.0 range-stop = 10.128.1.3 netmask = 255.255.255.252 cache-size = 800 session-db = ${raddbdir}/db.ippool.0 ip-index = ${raddbdir}/db.ipindex.0 } ... } authorize { ... Prova0 ... } accounting { ... Prova0 ... } users file: ... steve Auth-Type := Local, User-Password == testing, Pool-Name := Prova1 ... log, from radiusd -X log says: ... Module: Instantiated ippool (Prova0) ippool: session-db = /usr/local/freeradius/etc/raddb/db.ippool.1 ippool: ip-index = /usr/local/freeradius/etc/raddb/db.ipindex.1 ippool: range-start = 10.128.10.0 IP address [10.128.10.0] ippool: range-stop = 10.128.10.3 IP address [10.128.10.3] ippool: netmask = 255.255.255.252 IP address [255.255.255.252] ippool: cache-size = 800 ... ... modcall[authorize]: module files returns ok rad_recv: Access-Request packet from host 10.128.255.4:1024, id=78, length=92 User-Name = steve User-Password = \r\021\353N\315\021 s\023.8]O\002F\010 NAS-Port = 1020 Service-Type = Framed-User Framed-Protocol = PPP Tunnel-Client-Endpoint:0 = 212.239.118.116 NAS-IP-Address = 10.128.255.4 NAS-Port-Type = Virtual modcall: entering group authorize modcall[authorize]: module preprocess returns ok rlm_realm: Looking up realm NULL for User-Name = steve rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop users: Matched steve at 99 modcall[authorize]: module files returns ok rlm_ippool: Entering in function authorize rlm_ippool: Searching for an entry for nas/port: 10.128.255.4/1020 rlm_ippool: num: 1 rlm_ippool: Allocated ip 10.128.10.2 to client on nas 10.128.255.4,port 1020 modcall[authorize]: module Prova0 returns ok ... ... 
rad_recv: Accounting-Request packet from host 10.128.255.4:1038, id=24, length=155 User-Name = steve NAS-Port = 1020 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 10.128.10.2 Class = 0x47727570706f526164 Acct-Status-Type = Stop Acct-Input-Octets = 312 Acct-Output-Octets = 0 Acct-Session-Id = 0C400010 Acct-Session-Time = 8 Acct-Input-Packets = 3 Acct-Output-Packets = 0 Acct-Terminate-Cause = User-Request Tunnel-Client-Endpoint:0 = 212.239.118.116 Acct-Authentic = RADIUS Acct-Delay-Time = 0 NAS-IP-Address = 10.128.255.4 NAS-Port-Type = Virtual modcall: entering group preacct modcall[preacct]: module preprocess returns noop rlm_realm: Looking up realm NULL for User-Name = steve rlm_realm: No such realm NULL modcall[preacct]: module suffix returns noop modcall[preacct]: module files returns noop modcall: group preacct returns noop modcall: entering group accounting radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/10.128.255.4/detail' rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail expands to /usr/local/freeradius/var/log/radius/radacct/1 0.128.255.4/detail modcall[accounting]: module detail returns ok modcall[accounting]: module counter returns ok radius_xlat: 'steve' modcall[accounting]: module radutmp returns ok modcall[accounting]: module Prova0 returns ok modcall: group accounting returns ok Sending Accounting-Response of id 24 to 10.128.255.4:1038 Finished request 12 Going to the next request This problem is driving me crazy. Have you any idea ? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ippool
On Fri, 20 Sep 2002 11:45:51 +0300 (EEST) Kostas Kalevras [EMAIL PROTECTED] wrote:

I am not sure that you can do group membership checks with the pam module. Try using the unix module for that (just put it in the instantiate section to register its groupcmp function).

That was it, thanks!

---
Homer Parker
ippool bug or config problem?
ippool assign the same ip address for two different users. May be my config is broken? When i use large pool (1-254), i have the same bug after restarting radiusd. - radiusd.conf modules { ippool ippool-1-fast { range-start = 192.168.5.1 range-stop = 192.168.5.6 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/pools/db.pool-1-fast ip-index = ${raddbdir}/pools/db.pool-1-fast.idx } } accounting { detail unix radutmp ippool-1-fast } post-auth { ippool-1-fast } - end of radiusd.conf - users DEFAULT NAS-IP-Address == 192.168.0.5, Service-Type == Framed-User, Pool-Name := ippool-1-fast Framed-MTU = 1500, Service-Type = Framed-User, Fall-Through = 1 - end of users Now run radiusd: root@vpn:/etc/raddb# radiusd -xx Starting - reading configuration files ... ... Module: Loaded IPPOOL ippool: session-db = /etc/raddb/pools/db.pool-1-fast ippool: ip-index = /etc/raddb/pools/db.pool-1-fast.idx ippool: range-start = 192.168.5.1 IP address [192.168.5.1] ippool: range-stop = 192.168.5.6 IP address [192.168.5.6] ippool: netmask = 255.255.255.0 IP address [255.255.255.0] ippool: cache-size = 800 rlm_ippool: Initializing database Module: Instantiated ippool (ippool-1-fast) Initializing the thread pool... thread: start_servers = 5 thread: max_servers = 32 thread: min_spare_servers = 3 thread: max_spare_servers = 10 thread: max_requests_per_server = 0 thread: cleanup_delay = 5 Ready to process requests. Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.0.5:1026, id=70, length=133 Thread 1 assigned request 0 --- Walking the entire request list --- Threads: total/active/spare threads = 5/1/4 Nothing to do. Sleeping until we see a request. 
- Now I try send auth packet with radclient (user mmike): Thread 1 handling request 0, (1 handled so far) Service-Type = Framed-User Framed-Protocol = PPP User-Name = mmike MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565 MS-CHAP2-Response = 0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336 NAS-IP-Address = 192.168.0.5 NAS-Port = 0 modcall: entering group authorize modcall[authorize]: module preprocess returns ok rlm_passwd: Added User-Password: mike rlm_passwd: Added Group: fast rlm_passwd: Adding Auth-Type: MS-CHAP modcall[authorize]: module raddb_userlist returns ok modcall[authorize]: module mschap returns ok rlm_realm: No '' in User-Name = mmike, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop users: Matched DEFAULT at 201 modcall[authorize]: module files returns ok modcall: group authorize returns ok rad_check_password: Found Auth-Type MS-CHAP auth: type MS-CHAP modcall: entering group authenticate rlm_mschap: doing MS-CHAPv2 with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module mschap returns ok modcall: group authenticate returns ok Login OK: [mmike] (from client 192.168.0.5 port 0) modcall: entering group post-auth rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0 rlm_ippool: num: 1 rlm_ippool: Allocated ip 192.168.5.3 to client on nas 192.168.0.5,port 0 modcall[post-auth]: module ippool-1-fast returns ok modcall: group post-auth returns ok Sending Access-Accept of id 70 to 192.168.0.5:1026 Framed-MTU = 1500 Service-Type = Framed-User MS-CHAP2-Success = 0x01533d453742313241354342463337383533443044383236383 73933463331363332363844463839414236 MS-MPPE-Recv-Key = 0xe3464568c260d4f054599eac8c270f89762624d03837024c13e 53c392029a3ca21c2 MS-MPPE-Send-Key = 0xe345be695620746dcc14948143420d08d333dd86889a5a66f9a 1e084b1c5a4b6d723 MS-MPPE-Encryption-Policy = 0x0002 MS-MPPE-Encryption-Types = 0x0004 Framed-IP-Address = 192.168.5.3 
OK ip assigned 192.168.5.3 Now I try to connect with pppd+radiusclient (user mmmike) Nothing to do. Sleeping until we see a request. Thread 1 handling request 5, (2 handled so far) Service-Type = Framed-User Framed-Protocol = PPP User-Name = mmmike MS-CHAP-Challenge = 0x35a4ce64ebf19fc25af6921225399273 MS-CHAP2-Response = 0x010068295ca3c0f2c063e229225a129b53df00 00405f88f247c0d22d083286a7123eb6cc61415f5401ad09fc NAS-IP-Address = 192.168.0.5 NAS-Port = 0 modcall: entering group authorize modcall[authorize]: module preprocess returns ok rlm_passwd: Added User-Password: mike rlm_passwd: Added Group: fast rlm_passwd: Adding Auth-Type: MS-CHAP modcall[authorize]: module raddb_userlist returns ok
Re: ippool bug or config problem?
On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote:

ippool assign the same ip address for two different users. May be my config is broken? When i use large pool (1-254), i have the same bug after restarting radiusd.

- Now I try send auth packet with radclient (user mmike):

Thread 1 handling request 0, (1 handled so far)
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = mmike
    MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
    MS-CHAP2-Response = 0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
    NAS-IP-Address = 192.168.0.5
    NAS-Port = 0

All Access-Requests contain the same NAS/Port pair. rlm_ippool will consider the corresponding ip allocated stale and will free it. As a result it will get reallocated to another user.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
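A simplified in-memory model of the behaviour described in the reply above, added as an example and not taken from rlm_ippool: leases are keyed on the NAS/port pair, so a second login carrying the same pair makes the first lease look stale and frees its address. Pool size, first-free scan order and all function names are assumptions (the real module walks its gdbm file in hash order); pool_release also shows why a Stop carrying a different port leaves the lease in place, as in the 0.7.1 deallocation thread.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE    6               /* e.g. 192.168.5.1 - 192.168.5.6 from the thread */
#define MAX_SESSIONS 16
#define NAS          "192.168.0.5"   /* NAS-IP-Address from the thread's requests */

typedef struct {
    int  active;
    char nas[32];
    int  port;
} lease;

typedef struct {
    lease slot[POOL_SIZE];
    int   stale_hits;   /* logins that evicted a lease still marked active */
} ip_pool;

typedef struct {
    int duplicates;     /* sessions handed an address another session holds */
    int stale_hits;
} sim_result;

/* Constructed inputs: three logins with NAS-Port = 0, three with distinct ports. */
static const int SHARED_PORTS[3]   = {0, 0, 0};
static const int DISTINCT_PORTS[3] = {1, 2, 3};

static void pool_init(ip_pool *p) { memset(p, 0, sizeof *p); }

static int same_key(const lease *l, const char *nas, int port)
{
    return l->active && l->port == port && strcmp(l->nas, nas) == 0;
}

/* Post-auth: returns the slot index handed out, or -1 if the pool is empty. */
static int pool_allocate(ip_pool *p, const char *nas, int port)
{
    int i;

    for (i = 0; i < POOL_SIZE; i++) {
        if (same_key(&p->slot[i], nas, port)) {
            p->slot[i].active = 0;   /* "Found a stale entry": freed */
            p->stale_hits++;
        }
    }
    for (i = 0; i < POOL_SIZE; i++) {
        if (!p->slot[i].active) {
            p->slot[i].active = 1;
            p->slot[i].port = port;
            snprintf(p->slot[i].nas, sizeof p->slot[i].nas, "%s", nas);
            return i;
        }
    }
    return -1;
}

/* Accounting Stop: frees the lease only if the NAS/port pair matches. */
static int pool_release(ip_pool *p, const char *nas, int port)
{
    int i;

    for (i = 0; i < POOL_SIZE; i++) {
        if (same_key(&p->slot[i], nas, port)) {
            p->slot[i].active = 0;
            return 1;
        }
    }
    return 0;
}

static int active_leases(const ip_pool *p)
{
    int i, n = 0;

    for (i = 0; i < POOL_SIZE; i++)
        n += p->slot[i].active;
    return n;
}

/* n users log in and stay connected; no accounting Stop arrives in between. */
static sim_result simulate_logins(const int *ports, int n)
{
    ip_pool pool;
    int held[MAX_SESSIONS];
    sim_result r = {0, 0};
    int i, j;

    if (n > MAX_SESSIONS)
        n = MAX_SESSIONS;
    pool_init(&pool);
    for (i = 0; i < n; i++) {
        held[i] = pool_allocate(&pool, NAS, ports[i]);
        for (j = 0; j < i; j++) {
            if (held[i] >= 0 && held[j] == held[i]) {
                r.duplicates++;
                break;
            }
        }
    }
    r.stale_hits = pool.stale_hits;
    return r;
}

/* Leases still held after one login and one Stop with the given ports. */
static int leases_after_stop(int login_port, int stop_port)
{
    ip_pool pool;

    pool_init(&pool);
    pool_allocate(&pool, NAS, login_port);
    pool_release(&pool, NAS, stop_port);
    return active_leases(&pool);
}

int main(void)
{
    sim_result shared = simulate_logins(SHARED_PORTS, 3);
    sim_result distinct = simulate_logins(DISTINCT_PORTS, 3);

    printf("same NAS-Port:     duplicates=%d stale_hits=%d\n",
           shared.duplicates, shared.stale_hits);
    printf("distinct NAS-Port: duplicates=%d stale_hits=%d\n",
           distinct.duplicates, distinct.stale_hits);
    printf("Stop on another port leaves %d lease(s)\n",
           leases_after_stop(1020, 1038));
    return 0;
}
```

A non-zero stale-hit count with no accounting Stop in between is the thing to look for in the debug output ("Found a stale entry"); it points at a NAS or test client that does not send a distinct NAS-Port per session.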
Re[2]: ippool bug or config problem?
Tuesday, September 24, 2002, 7:29:03 PM, [EMAIL PROTECTED] wrote:

On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote:

ippool assign the same ip address for two different users. May be my config is broken? When i use large pool (1-254), i have the same bug after restarting radiusd.

- Now I try send auth packet with radclient (user mmike):

Thread 1 handling request 0, (1 handled so far)
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = mmike
    MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
    MS-CHAP2-Response = 0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
    NAS-IP-Address = 192.168.0.5
    NAS-Port = 0

All Access-Requests contain the same NAS/Port pair. rlm_ippool will consider the corresponding ip allocated stale and will free it. As a result it will get reallocated to another user.

With large pool (1-254) ippool returns different ip for the same requests. (old db-files removed)

Auth-request:

    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = mmike
    MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
    MS-CHAP2-Response = 0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
    NAS-IP-Address = 192.168.0.5
    NAS-Port = 0

# radiusd -xx | grep ippool
ippool: session-db = /etc/raddb/pools/db.pool-1-fast
ippool: ip-index = /etc/raddb/pools/db.pool-1-fast.idx
ippool: range-start = 192.168.5.1 IP address [192.168.5.1]
ippool: range-stop = 192.168.5.254 IP address [192.168.5.254]
ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
ippool: cache-size = 800
rlm_ippool: Initializing database
Module: Instantiated ippool (ippool-1-fast)

REQUEST #1
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.55 to client on nas 192.168.0.5,port 0
modcall[post-auth]: module ippool-1-fast returns ok

REQUEST #2
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.55/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.217 to client on nas 192.168.0.5,port 0
modcall[post-auth]: module ippool-1-fast returns ok

REQUEST #3
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.217/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.92 to client on nas 192.168.0.5,port 0
modcall[post-auth]: module ippool-1-fast returns ok

REQUEST #4
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.92/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.233 to client on nas 192.168.0.5,port 0
modcall[post-auth]: module ippool-1-fast returns ok
Re: Ippool
On Thu, 19 Sep 2002, Homer Parker wrote:

Having a bit of a time getting an Orinoco AS-2000 to get an ip address from the ippool module.. I authenticate just fine, it just falls through the users file to the dial-up stuff before it gets a match... Here's some info:

users file

DEFAULT NAS-IP-Address == 172.16.1.8, Auth-Type := Pam, Group == wireless64, Pool-Name := wireless64
DEFAULT Auth-Type := Pam, Group == wireless64, Pool-Name := wireless64
DEFAULT Group == wireless128, Pool-Name := wireless128
DEFAULT Group == wireless192, Pool-Name := wireless192
DEFAULT Group == wireless256, Pool-Name := wireless256
DEFAULT Auth-Type := Pam, Huntgroup-Name == wireless64, Pool-Name := wireless64
DEFAULT Huntgroup-Name == wireless128, Pool-Name := wireless128
DEFAULT Huntgroup-Name == wireless192, Pool-Name := wireless192
DEFAULT Huntgroup-Name == wireless256, Pool-Name := wireless256

radiusd.conf

authorize {
    preprocess
    files
}
authenticate {
    pam
}

I am not sure that you can do group membership checks with the pam module. Try using the unix module for that (just put it in the instantiate section to register its groupcmp function).

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: Ippool
On Fri, 20 Sep 2002 11:45:51 +0300 (EEST) Kostas Kalevras [EMAIL PROTECTED] wrote:

I am not sure that you can do group membership checks with the pam module. Try using the unix module for that (just put it in the instantiate section to register its groupcmp function).

I'll give that a try, thanks!

---
Homer Parker
LAN/WAN, Wireless Networking, PC Sales/Service
Linux, OS/2, Windows9x, Windows NT/2000 Support
PC Services 129 W 8th #101 Russell, KS 67665 785.483.7602
[EMAIL PROTECTED] http://www.pcsrvc.com

Either you can say I'm for Open Source, open standards, or I'm against standards. Either you can say I'm for giving customers and communities a choice or I'm against giving customers and communities a choice.
- Sam Palmisano, IBM President and COO at LinuxWorld Expo 2001
Ippool
Having a bit of a time getting an Orinoco AS-2000 to get an ip address from the ippool module.. I authenticate just fine, it just falls through the users file to the dial-up stuff before it gets a match... Here's some info: users file DEFAULT NAS-IP-Address == 172.16.1.8, Auth-Type := Pam, Group == wireless64, Pool-Name := wireless64 DEFAULT Auth-Type := Pam, Group == wireless64, Pool-Name := wireless64 DEFAULT Group == wireless128, Pool-Name := wireless128 DEFAULT Group == wireless192, Pool-Name := wireless192 DEFAULT Group == wireless256, Pool-Name := wireless256 DEFAULT Auth-Type := Pam, Huntgroup-Name == wireless64, Pool-Name := wireless64 DEFAULT Huntgroup-Name == wireless128, Pool-Name := wireless128 DEFAULT Huntgroup-Name == wireless192, Pool-Name := wireless192 DEFAULT Huntgroup-Name == wireless256, Pool-Name := wireless256 #DEFAULTSimultaneous-Use := 2 # Fall-Through = 1 #DEFAULT Auth-Type := Reject, Huntgroup-Name == mail #DEFAULT Huntgroup-Name := local, Pool-Name := wireless64 #Filter-Id = locallan, #Fall-Through = 1 #DEFAULTAuth-Type := Pam #Service-Type = Framed-User, #Framed-Protocol = PPP, #Framed-IP-Address = 255.255.255.254, #Framed-IP-Netmask = 255.255.255.255, #Framed-Compression = Van-Jacobson-TCP-IP, #Session-Timeout = 36, #Idle-Timeout = 900, #Framed-MTU = 576 With the dialup stuff commented, I do not get authenticated.. As you can see, I'm trying several different ways to get a hit... huntgroups pop1NAS-IP-Address == 172.16.1.8 wireless64 Group = wireless64 wireless128 Group = wireless128 wireless192 Group = wireless192 wireless256 Group = wireless256 The user I'm testing with is in group wireless64 on the radius server. I used something similar with Cistron to put people into groups that were mail only (no Internet access), etc... Can't find any documentation that says it works any differently now... 
radiusd.conf modules { ippool wireless64 { range-start = 64.123.115.131 range-stop = 64.123.115.143 netmask = 255.255.255.128 cache-size = 800 session-db = ${raddbdir}/db.wireless64 ip-index = ${raddbdir}/db.wireless64 } ippool wireless128 { range-start = 64.123.115.193 range-stop = 64.123.115.254 netmask = 255.255.255.128 cache-size = 800 session-db = ${raddbdir}/db.wireless128 ip-index = ${raddbdir}/db.wireless128 } ippool wireless192 { range-start = 64.123.115.149 range-stop = 64.123.115.160 netmask = 255.255.255.128 cache-size = 800 session-db = ${raddbdir}/db.wireless192 ip-index = ${raddbdir}/db.wireless192 } ippool wireless256 { range-start = 64.123.115.162 range-stop = 64.123.115.187 netmask = 255.255.255.128 cache-size = 800 session-db = ${raddbdir}/db.wireless256 ip-index = ${raddbdir}/db.wireless256 } pam { pam_auth = radiusd } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } authorize { preprocess files } authenticate { pam } accounting { detail radutmp wireless64 wireless128 wireless192 wireless256 } session { radutmp } post-auth { wireless64 wireless128 wireless192 wireless256 } Any help appreciated... --- Homer Parker - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ippool
On Thu, 19 Sep 2002 15:02:45 -0500 Homer Parker [EMAIL PROTECTED] wrote:

Having a bit of a time getting an Orinoco AS-2000 to get an ip address from the ippool module.. I authenticate just fine, it just falls through the users file to the dial-up stuff before it gets a match... Here's some info:

I forgot the versions... Have tried with .70 and CVS as of 1pm CST 9-19...

---
Homer Parker
LAN/WAN, Wireless Networking, PC Sales/Service
Linux, OS/2, Windows9x, Windows NT/2000 Support
PC Services 129 W 8th #101 Russell, KS 67665 785.483.7602
[EMAIL PROTECTED] http://www.pcsrvc.com

Either you can say I'm for Open Source, open standards, or I'm against standards. Either you can say I'm for giving customers and communities a choice or I'm against giving customers and communities a choice.
- Sam Palmisano, IBM President and COO at LinuxWorld Expo 2001
ippool : dealocation problem
Hi,

I'm using freeradius 0.5+cvs20020408-1 in my debian box. Checking my logs ippool tell me it's clear the ip address from your db, but I create one pool with 3 ip addresses, when I connect on the 4 time ippool doesn't return any ip for me. My NAS send Start and Stop acct packets for the radius, in debug radius tell-me :

rlm_ippool: Deallocated entry for ip/port: xxx.xxx.28.252/82
rlm_ippool: num: 0

If you need more detailed debug output tell-me, I prefer do not put it here to keep my mail small.

my config is something like:

modules {
    ippool classe28 {
        range-start = xxx.xxx.28.131
        range-stop = xxx.xxx.28.246
        netmask = 255.255.255.128
        cache-size = 115
        session-db = ${raddbdir}/db.classe28
        ip-index = ${raddbdir}/db.ndx_classe28
    }
    ippool sidenet {
        range-start = xxx.xxx.28.249
        range-stop = xxx.xxx.28.252
        netmask = 255.255.255.248
        cache-size = 3
        session-db = ${raddbdir}/db.sidenet
        ip-index = ${raddbdir}/db.ndx_sidenet
    }
    ...
}
authorize {
    ...
    classe28
    sidenet
    ...
}
accouting {
    ...
    classe28
    sidenet
    ...
}

and in my db I have the following config:

mysql> select * from radcheck where UserName = 'cassiano';
+----+----------+---------------+-------+----+
| id | UserName | Attribute     | Value | op |
+----+----------+---------------+-------+----+
| 1  | cassiano | User-Password |       | == |
+----+----------+---------------+-------+----+
1 row in set (0.00 sec)

mysql> select * from usergroup where UserName = 'cassiano';
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
| 1  | cassiano | DEFAULT   |
| 2  | cassiano | 768k      |
| 39 | cassiano | sidenet   |
+----+----------+-----------+
3 rows in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+------------------+----------+----+
| id | GroupName | Attribute        | Value    | op |
+----+-----------+------------------+----------+----+
| 1  | DEFAULT   | Simultaneous-Use | 1        | := |
| 2  | DEFAULT   | Auth-Type        | PAP      | := |
| 6  | home      | Pool-Name        | classe28 | := |
| 7  | sidenet   | Pool-Name        | sidenet  | := |
+----+-----------+------------------+----------+----+
4 rows in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+-----------------------+--------+----+------+
| id | GroupName | Attribute             | Value  | op | prio |
+----+-----------+-----------------------+--------+----+------+
| 16 | DEFAULT   | Idle-Timeout          | 0      | =  | 0    |
| 6  | DEFAULT   | Fall-Through          | Yes    | =  | 0    |
| 8  | 256k      | X-Ascend-Data-Rate    | 256000 | =  | 0    |
| 9  | 128k      | X-Ascend-Data-Rate    | 10     | =  | 0    |
| 10 | 64k       | X-Ascend-Data-Rate    | 62000  | =  | 0    |
| 13 | 768k      | X-Ascend-Data-Rate    | 768000 | =  | 0    |
| 14 | 1024k     | X-Ascend-Data-Rate    | 100    | =  | 0    |
| 15 | 384k      | X-Ascend-Data-Rate    | 38     | =  | 0    |
| 17 | DEFAULT   | Session-Timeout       | 0      | =  | 0    |
| 18 | DEFAULT   | Acct-Interim-Interval | 0      | =  | 0    |
+----+-----------+-----------------------+--------+----+------+
10 rows in set (0.00 sec)

mysql>

I have missed something?

Thanks for freeradius people (core and modules) for your great software.

PS: sorry about my tarzan's english :P

--
Cassiano Aquino [EMAIL PROTECTED]
World Wide Security Networks http://www.wwsecurity.net
KeyID# C9FD0B69 @ wwwkeys.nl.pgp.net
VoIP# 5524311
IPPOOL modified to use SQL...
If anyone interested, I modified rlm_ippool.c to work with SQL. This code was made to solve my problem, I needed Ippool to work (it worked, but wasn't releasing ip for some reason) and I needed a database that I could access from the web.

This code will NOT work with other method for authorize than SQL. If you use another method with this code the module will NOT release ips from bad username/passwords. Also the sql information is hard coded, you will need to edit it.

And the last thing, to avoid running the STOP multiple times, I hard coded the code to run the STOP on one instance only. For example, if you have three instances called a, b and c, you can edit the code to do the STOP for a only. Otherwise it will run for the three of them which is unnecessary.

http://core.friendspr.com/~elec/rlm_ipsql.c
http://core.friendspr.com/~elec/Makefile.in
http://core.friendspr.com/~elec/configure.in

Abel Alejandro
IPPOOL is not giving all the ip addresses.
IPPOOL seems that it cannot give all the ip addresses on the range, it starts giving addresses but if there are 50 ip's it only gives 10.

FreeBSD 4.5-STABLE running Freeradius from of 19/05/02 (cvs).

ippool arecibo {
    session-db = ${dbdir}/arecibo.db
    ip-index = ${dbdir}/arecibo-ip.db
    range-start = 196.12.182.65
    range-stop = 196.12.182.121
    netmask = 255.255.255.192
    cache-size = 1024
}

That is the configuration for the ippool, it runs fine, it assigns addresses and everything looks okay. However looking it in debug mode, I see a not very normal behaviour. It start giving the address on random sequences for example, instead of first assign 196.12.182.65 it give 196.12.182.73 (first time, with virgin db).

I modified rlm_ippool.c to be a little more verbose, and on the creation of the database it does create the ip address list in order. Like this:

Adding IP 196.12.182.65 state 0
Adding IP 196.12.182.66 state 0
Adding IP 196.12.182.67 state 0
Adding IP 196.12.182.68 state 0

Until it reaches 196.12.182.121 (which is correct.)

In the other hand when looking for ip address (virgin db, all ip are supposed to be state 0) it search them in random order. Like this:

rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/3328
Found IP 196.12.182.114 state 1
Found IP 196.12.182.82 state 0

It started with 114 then jumped back to 82.
Re: IPPOOL is not giving all the ip addresses.
On Wed, 22 May 2002, Abel Alejandro wrote:

IPPOOL seems that it cannot give all the ip addresses on the range, it starts giving addresses but if there are 50 ip's it only gives 10.

Hmm, from what i tested right now it will give out all the ips.

FreeBSD 4.5-STABLE running Freeradius from of 19/05/02 (cvs).

ippool arecibo {
    session-db = ${dbdir}/arecibo.db
    ip-index = ${dbdir}/arecibo-ip.db
    range-start = 196.12.182.65
    range-stop = 196.12.182.121
    netmask = 255.255.255.192
    cache-size = 1024
}

That is the configuration for the ippool, it runs fine, it assigns addresses and everything looks okay. However looking it in debug mode, I see a not very normal behaviour. It start giving the address on random sequences for example, instead of first assign 196.12.182.65 it give 196.12.182.73 (first time, with virgin db).

That has to do with the gdbm library. The db is not a linked list but a hash and there isn't any way to tell how they will be ordered inside the file.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

I modified rlm_ippool.c to be a little more verbose, and on the creation of the database it does create the ip address list in order. Like this:

Adding IP 196.12.182.65 state 0
Adding IP 196.12.182.66 state 0
Adding IP 196.12.182.67 state 0
Adding IP 196.12.182.68 state 0

Until it reaches 196.12.182.121 (which is correct.)

In the other hand when looking for ip address (virgin db, all ip are supposed to be state 0) it search them in random order. Like this:

rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/3328
Found IP 196.12.182.114 state 1
Found IP 196.12.182.82 state 0

It started with 114 then jumped back to 82.
RE: IPPOOL is not giving all the ip addresses.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kostas Kalevras
Sent: Wednesday, May 22, 2002 9:06 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

IPPOOL seems that it cannot give all the ip addresses on the range, it starts giving addresses but if there are 50 ip's it only gives 10.

Hmm, from what i tested right now it will give out all the ips.

Okay one more thing I got now from the logs. Right now I have rm -rf the db* And restarted radiusd, a (cmd: cat radius.log | grep = Stop | wc -l) reports 66 stop's, but I don't see a

rlm_ippool: Deallocated entry for ip/port:

not even one in the radius.log

It seems radiusd can not deallocate ip's?
RE: IPPOOL is not giving all the ip addresses.
On Wed, 22 May 2002, Abel Alejandro wrote:

Okay one more thing I got now from the logs. Right now I have rm -rf the db* And restarted radiusd, a (cmd: cat radius.log | grep = Stop | wc -l) reports 66 stop's, but I don't see a

rlm_ippool: Deallocated entry for ip/port:

not even one in the radius.log

It seems radiusd can not deallocate ip's?

That is a debugging message and it will not normally show up in the radius.log

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
RE: IPPOOL is not giving all the ip addresses.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kostas Kalevras
Sent: Wednesday, May 22, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

Okay one more thing I got now from the logs. Right now I have rm -rf the db* And restarted radiusd, a (cmd: cat radius.log | grep = Stop | wc -l) reports 66 stop's, but I don't see a

rlm_ippool: Deallocated entry for ip/port:

not even one in the radius.log

It seems radiusd can not deallocate ip's?

That is a debugging message and it will not normally show up in the radius.log

Forgot to mention, I am running radiusd -X radius.log
RE: IPPOOL is not giving all the ip addresses.
On Wed, 22 May 2002, Abel Alejandro wrote:

Forgot to mention, I am running radiusd -X radius.log

Stupid question. Is the ippool module listed in the accounting section in radiusd.conf? The accounting packet should be an accounting stop for a nas/port combination that has an allocated ip assigned to it.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
RE: IPPOOL is not giving all the ip addresses.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kostas Kalevras
Sent: Wednesday, May 22, 2002 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

> On Wed, 22 May 2002, Abel Alejandro wrote:
>
> > Forgot to mention, I am running radiusd -X radius.log
>
> Stupid question. Is the ippool module listed in the accounting section in radiusd.conf? The accounting packet should be an accounting stop for a nas/port combination that has an allocated ip assigned to it.

Yes it is. The ippool module is called 'arecibo' and it's in both authorize and accounting. For example, when I started radiusd this morning the first IP to be assigned was 196.12.182.73. Then radiusd got the Acct-Status-Type = Stop for 196.12.182.73 and it said

modcall[accounting]: module arecibo returns ok

But no deallocation was done.
Re: Using ippool with two radius servers?
Echo FreeRadius [EMAIL PROTECTED] wrote:

> For example we are in the process of putting in 4 Nortel CVX 1800's with 1288 lines each all in one large roll over (5152 lines) in the GTA (Greater Toronto Area). From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10 different ISP's ... Anyway we wouldn't want each ISP to have to assign 1288 IP's to each NAS as this would be a large waste of IP addresses. If we can have radius assign IP's then this greatly reduces the number of IP's allocated.

This means that a particular IP address can be assigned on the fly to any one of 4 NAS boxes. In order to route the packet to the correct NAS, you've got to add a new route for that IP. This means (as Miquel said) thousands of routes, and hundreds of route flaps.

I'm not sure how else to do it. Bridging and a smart switch may help, but then you've got to forcibly expire arp entries in the switch, and add new ones, when an IP address moves from NAS to NAS. That may be hard.

> Again for redundancy and performance we will likely have 2-4 radius servers per company depending on the redundancy level they require. The sharing of IP's between radius server IPpools is a great asset.

It's also hard. You get into consistency issues, where the sharing may only be done every so often, but customers may switch IP's and re-dial more often than that.

I would think about the issues VERY carefully before implementing such a large and complicated network. Be very sure that you can do everything needed to make it work.

Alan DeKok.
Re: Using ippool with two radius servers?
In article 00a101c1fd56$61050be0$b800a8c0@kelvindell, Echo FreeRadius [EMAIL PROTECTED] wrote:

> For example we are in the process of putting in 4 Nortel CVX 1800's with 1288 lines each all in one large roll over (5152 lines) in the GTA (Greater Toronto Area). From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10 different ISP's. Each ISP wants their customers to receive an address from their IP block so it resolves back to their company. This is done for several reasons: controlling access to SMTP servers and other resources, as well as just for appearance so that their customers can't see that we use the same dial-up ports.

So you create 1 pool for each ISP on each CVX. The CVX supports multiple pools, and you can tell it which pool to use using a radius attribute.

If you have 4 CVXes, just make each pool 25% of the max. number of dialin lines an ISP may use. Well maybe a bit larger to allow for not-perfect distribution of clients over the 4 CVXes.

Mike.

-- Insanity -- a perfectly rational adjustment to an insane world. - R.D. Lang
RE: Using ippool with two radius servers?
> Ah, you only have one terminal server with 30.000 ports on it? In that case, route the /17 to that NAS and be done with it. But you likely have tens or hundreds of NASes. Either you're way ahead of me, or you really need to think this over.

> I think I'm ahead of you :-) Believe me, routing is not an issue here, I do have a /17 block with summarized pools in a way that I only need one static route per NAS (there are 20 of them). No need to use dynamic routing.

> Okay, you have a fixed pool assigned to each NAS. I still fail to see why you don't want the NAS to each handle the assignment of their own pools? But then what the heck do I know about building a big network...

I have the same requirement (ippool over multiple radius servers). Sometimes allocating IPs from the NAS will just not work.

For example, say we have 4000 dialin ports. We allocate the IPs from the NAS for those users. All good. But we have a different bunch of users, e.g. Sat routed users. They need a different IP pool. There are not enough customers to warrant putting another pool on each NAS box. This is where IPpool works nicely.

Most biggish ISP's need more than 1 radius server. We have 6 load balanced behind a layer 4 switch.

Simon Allard (Senior Tool Monkey) IHUG Ph (09) 358-5067 Email: [EMAIL PROTECTED] I'm out of my mind right now, but feel free to leave a message.
Using ippool with two radius servers?
Is there a way to synchronize the ip databases between two (or more) radius servers when using module ippool? If not, how do we avoid giving the same ip to two users at the same time if the primary and secondary radius do not share info about the ips already in use?

Yes, I know I can have 'N' different ip pools configured, one for each NAS, but I'm talking about 30.000 dial ports, so I can't allocate 30.000 * N ips available.

Gelson
Re: Using ippool with two radius servers?
At 03:51 PM 5/15/2002 -0300, Gelson Dias Santos wrote:

> Is there a way to synchronize the ip databases between two (or more) radius servers when using module ippool? If not, how do we avoid giving the same ip to two users at the same time if the primary and secondary radius do not share info about the ips already in use?
>
> Yes, I know I can have 'N' different ip pools configured, one for each NAS, but I'm talking about 30.000 dial ports, so I can't allocate 30.000 * N ips available.

Why would you not want the NAS to handle their own ip pools?

-Chris

-- Chris Parker, Director, Engineering, StarNet Inc., (847) 963-0116, http://www.starnetwx.net
WX *is* Wireless! Wholesale Internet Services - http://www.megapop.net
Re: Using ippool with two radius servers?
In article [EMAIL PROTECTED], Gelson Dias Santos [EMAIL PROTECTED] wrote:

> Is there a way to synchronize the ip databases between two (or more) radius servers when using module ippool? If not, how do we avoid giving the same ip to two users at the same time if the primary and secondary radius do not share info about the ips already in use?
>
> Yes, I know I can have 'N' different ip pools configured, one for each NAS, but I'm talking about 30.000 dial ports, so I can't allocate 30.000 * N ips available.

In that case you are also talking about 30.000 routes in your internal routing protocol - and with that many dialup ports, hundreds of route-flaps per second. It won't work. Your network and routers will fall over and die screaming.

Mike.

-- Insanity -- a perfectly rational adjustment to an insane world. - R.D. Lang
RE: Using ippool with two radius servers?
At 05:28 PM 5/15/2002 -0300, Gelson Dias Santos wrote:

> -Original Message- From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]
>
> > > Yes, I know I can have 'N' different ip pools configured, one for each NAS, but I'm talking about 30.000 dial ports, so I can't allocate 30.000 * N ips available.
> >
> > In that case you are also talking about 30.000 routes in your internal routing protocol - and with that many dialup ports, hundreds of route-flaps per second. It won't work. Your network and routers will fall over and die screaming.
>
> Why should I have 30.000 host routes? All I have is one /17 summarized route. All those IP's are on the same CIDR block.

Uhm. Unless you have only one NAS, you'll have major issues. Each user will get a /32 ip. If you have many NAS and the /32's are handed out by the radius server, then you need to have all the NAS telling each other about which /32's they have connected.

If that is not clear, you need to study routing, route summarization, and ip subnetting some more.

> Back to the original question; can I have two Radius servers managing the same IP address pool?

No. ( And you really really really don't want to for 30,000 ips ).

-Chris

-- Chris Parker, Director, Engineering, StarNet Inc., (847) 963-0116, http://www.starnetwx.net
WX *is* Wireless! Wholesale Internet Services - http://www.megapop.net
Re: Using ippool with two radius servers?
Gelson Dias Santos [EMAIL PROTECTED] wrote:

> Back to the original question; can I have two Radius servers managing the same IP address pool?

It's difficult. Both RADIUS servers have to be kept in PERFECT synchronization, otherwise duplicate IP's are assigned.

Your best bet may be to come up with some other solution...

Alan DeKok.
Re: IPPOOL
On Fri, 10 May 2002, Ben Casado wrote:

> Guys; Every so often I need to reboot the server because the system accepts the requests, authenticates the users, but it doesn't assign any more addresses. The client dies as ppp cannot complete. Any suggestions?
>
> Ben

From what I've seen from the logs you've sent, the access server will send a NAS-Identifier attribute and not a NAS-IP-Address attribute in Access and Accounting requests. I've changed the module to be able to handle this case (the key is now a string instead of an uint32). Do a cvs update and see how it works. Remember though to first delete the ip pool databases you may have since their structure has changed.

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf
Re: IPPOOL
Guys; Every so often I need to reboot the server because the system accepts the requests, authenticates the users, but it doesn't assign any more addresses. The client dies as ppp cannot complete. Any suggestions?

Ben
Re: IPPOOL
On Mon, 6 May 2002, Ben Casado wrote:

> We fixed an issue that we had with accounting and the daemon ran ok for a bit, but then it crashed with a segmentation fault. The only way that we were able to bring it up was by cleaning all the .db files but we are sure that this is not the right way to get this fixed. Any ideas/suggestions?
>
> Ben

gdb sbin/radiusd core

When sending an email don't just write a one line description of what happened. Send back debugging output. Remember that the ip pool module is in experimental state. It is allowed to crash at this stage.

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf
Re: IPPOOL
On Mon, 6 May 2002, Ben Casado wrote:

> Acct-Status-Type = Stop
> NAS-Identifier = Arecibo
> Attr-172818435 = 01002D41D706939B
> Service-Type = Framed-User
> NAS-Port = 16387
> NAS-Port-Type = Async
> Class = 0x653934
> Called-Station-Id = 7879594236
> Calling-Station-Id = 7878159057
> Acct-Delay-Time = 0
> Framed-IP-Address = 196.12.182.107
> User-Name = go42r10
> Framed-Protocol = PPP
> Acct-Input-Octets = 146103
> Acct-Output-Octets = 1032717
> Acct-Session-Id = C07FCD70:0A71
> Acct-Session-Time = 1223
> Acct-Input-Packets = 1332
> Acct-Output-Packets = 1246
> Acct-Authentic = RADIUS
> Acct-Link-Count = 1
> Login-IP-Host = 0.0.0.0
> Login-Service = PortMaster
> Login-TCP-Port = 0
> X-Ascend-Modem-PortNo = 33619970
> X-Ascend-Modem-SlotNo = 5
> X-Ascend-Disconnect-Cause = 45
> X-Ascend-Data-Rate = 28800
> X-Ascend-Xmit-Rate = 50667
> X-Ascend-PreSession-Time = 25
> rlm_ippool: Deallocated entry for ip/port: 196.12.182.92/16387
> rlm_ippool: num: 0
> Accounting: logout: login entry for NAS UNKNOWN-NAS port 16387 not found
> Sending Accounting-Response of id 139 to 10.50.2.1:2048
> rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=141, length=252
> Accounting-Request packet sent to a non-accounting port from client 10.50.2.1:2048 - ID 141 : IGNORED
> rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=146, length=252
> Accounting-Request packet sent to a non-accounting port from client 10.50.2.1:2048 - ID 146 : IGNORED
> rad_recv: Access-Request packet from host 10.50.2.1:2048, id=195, length=104
> User-Password = \200e\3558\212Q\266\345e#\323{\270-'\202
> NAS-Identifier = Arecibo
> User-Name = go42r10
> Called-Station-Id = 7879594236
> Calling-Station-Id = 7878956159
> NAS-Port = 16392
> NAS-Port-Type = Async
> Framed-Protocol = PPP
> Service-Type = Framed-User
> rlm_sql: Reserving sql socket id: 4
> rlm_sql: Released sql socket id: 4
> rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/16392
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 196.12.182.92 to client on nas 10.50.2.1,p

From the output you sent it seems to be working just great. It deallocates ip 196.12.182.92 and then it reassigns it to another user.

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf
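The check Kostas does by eye above, as an added example that is not part of the original thread and is not FreeRADIUS code: a Python script that replays `radiusd -X` debug output, using the `rlm_ippool: Allocated` / `Deallocated` line formats quoted in this thread, to flag an IP handed out while another nas/port still holds it and to compare the number of accounting Stop packets with the number of deallocations. The names `audit` and `PoolAudit` and the sample log (192.0.2.x addresses, `nas1.example`) are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Line formats as they appear in the debug output quoted in this thread.
ALLOC = re.compile(
    r"rlm_ippool: Allocated ip (\S+) to client on nas (\S+?),\s*port (\d+)")
DEALLOC = re.compile(r"rlm_ippool: Deallocated entry for ip/port: (\S+)/(\d+)")
STOP = re.compile(r"Acct-Status-Type = Stop\b")


@dataclass
class PoolAudit:
    held: dict = field(default_factory=dict)        # ip -> (nas, port)
    duplicates: list = field(default_factory=list)  # (line, ip, old, new)
    orphan_deallocs: list = field(default_factory=list)  # (line, ip, port)
    stops: int = 0
    deallocs: int = 0


def audit(lines):
    """Replay debug lines in order and rebuild the pool state from them."""
    result = PoolAudit()
    for lineno, line in enumerate(lines, 1):
        if STOP.search(line):
            result.stops += 1
            continue
        m = ALLOC.search(line)
        if m:
            ip, owner = m.group(1), (m.group(2), int(m.group(3)))
            previous = result.held.get(ip)
            # Same IP given to a different nas/port with no deallocation
            # in between: this is the duplicate-address symptom.
            if previous is not None and previous != owner:
                result.duplicates.append((lineno, ip, previous, owner))
            result.held[ip] = owner
            continue
        m = DEALLOC.search(line)
        if m:
            result.deallocs += 1
            ip, port = m.group(1), int(m.group(2))
            # A deallocation for an IP we never saw allocated usually means
            # the log starts mid-session; record it rather than guess.
            if result.held.pop(ip, None) is None:
                result.orphan_deallocs.append((lineno, ip, port))
    return result


# Constructed sample, not taken from a real server.
SAMPLE_LOG = """\
rlm_ippool: Allocated ip 192.0.2.10 to client on nas nas1.example,port 17
Acct-Status-Type = Stop
rlm_ippool: Deallocated entry for ip/port: 192.0.2.10/17
rlm_ippool: Allocated ip 192.0.2.10 to client on nas nas1.example,port 22
rlm_ippool: Allocated ip 192.0.2.11 to client on nas nas1.example,port 23
Acct-Status-Type = Stop
modcall[accounting]: module arecibo returns ok
rlm_ippool: Allocated ip 192.0.2.11 to client on nas nas2.example,port 5
""".splitlines()

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("stops:", report.stops, "deallocations:", report.deallocs)
    for lineno, ip, old, new in report.duplicates:
        print(f"line {lineno}: {ip} given to {new} while held by {old}")
    print("still held:", report.held)
```

A Stop count higher than the deallocation count, as in the sample, is the situation reported elsewhere in this thread where the accounting section returns ok but the address is never released.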
Re: IPPOOL
I have the core.. It is 139mb which is what I had left of memory, what can we do now?

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 07, 2002 6:23 AM
Subject: Re: IPPOOL

> On Mon, 6 May 2002, Ben Casado wrote:
>
> > We fixed an issue that we had with accounting and the daemon ran ok for a bit, but then it crashed with a segmentation fault. The only way that we were able to bring it up was by cleaning all the .db files but we are sure that this is not the right way to get this fixed. Any ideas/suggestions?
> >
> > Ben
>
> gdb sbin/radiusd core
>
> When sending an email don't just write a one line description of what happened. Send back debugging output. Remember that the ip pool module is in experimental state. It is allowed to crash at this stage.
>
> -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf
Re: IPPOOL
here is some of the usual crash output. I would like to help as much as I can to get this resolved.

Ben
Re: IPPOOL
Nope guys, the real output from the core could not be read. The earlier results were NOT from the core, we get:

# crash core
dumpfile = core, namelist = /dev/ksyms, outfile = stdout
crash: core is not a kernel core file (bad magic number 7f454c46)
crash: cannot open kvm - dump file core
# act -d core
act 7.17 (Source code Copyright (c) 1997-2000 Sun Microsystems Inc.)
kvm_open: core is not a kernel core file (bad magic number 7f454c46)
kvm_open failed

- Original Message -
From: Ben Casado [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 07, 2002 7:36 AM
Subject: Re: IPPOOL

> here is some of the usual crash output. I would like to help as much as I can to get this resolved.
>
> Ben
Re: IPPOOL
On Tue, 7 May 2002, Ben Casado wrote:

> Nope guys, the real output from the core could not be read. The earlier results were NOT from the core, we get:
>
> # crash core
> dumpfile = core, namelist = /dev/ksyms, outfile = stdout
> crash: core is not a kernel core file (bad magic number 7f454c46)
> crash: cannot open kvm - dump file core
> # act -d core
> act 7.17 (Source code Copyright (c) 1997-2000 Sun Microsystems Inc.)
> kvm_open: core is not a kernel core file (bad magic number 7f454c46)
> kvm_open failed

gdb radiusd core
bt

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf
Re: IPPOOL
On Tue, 7 May 2002, Ben Casado wrote:

> #0 0xfef706a0 in exit () from /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1
> #1 0x397f4 in ippool_authorize (instance=0x12e748, request=0x821bfb8) at rlm_ippool.c:495
> #2 0x1fb54 in call_modsingle (component=4, sp=0x12e4a0, request=0x821bfb8, default_result=6) at modcall.c:205
> #3 0x1fcfc in modcall (component=1, c=0x12e4a0, request=0x821bfb8) at modcall.c:288
> #4 0x1fba8 in call_modgroup (component=1, g=0x12e4a0, request=0x821bfb8, default_result=3) at modcall.c:227
> #5 0x1fcac in modcall (component=1, c=0x129118, request=0x821bfb8) at modcall.c:281
> #6 0x1f370 in indexed_modcall (comp=1, idx=0, request=0x821bfb8) at modules.c:456
> #7 0x1f6e4 in module_authorize (autz_type=0, request=0x821bfb8) at modules.c:633
> #8 0x1c084 in rad_authenticate (request=0x821bfb8) at auth.c:518
> #9 0x17340 in rad_respond (request=0x821bfb8, fun=0x1bf24 rad_authenticate) at radiusd.c:1526
> #10 0x21af4 in request_handler_thread (arg=0x821bd38) at threads.c:172

Ok, do a cvs update and see what happens now.

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf
Re: IPPOOL
On Sun, 5 May 2002, Ben Casado wrote:

> we downloaded what we thought was the latest prior to making it.. we did a) downloaded and installed the cvs application (1.11.2) b) and executed a download with it!! any suggestions which file to check to see if we did NOT get the latest!
>
> Ben

In the server distribution root:

5:20pm /src/cvs/radiusd grep Pool-Name raddb/dictionary
ATTRIBUTE Pool-Name 1073 string

If your output is different then you need to upgrade. Either do a cvs update or grab the latest CVS snapshot from the ftp site. Your rlm_ippool.c should also be at least revision 1.3. You can find that by doing something like:

5:23pm /src/cvs/radiusd grep rcsid src/modules/rlm_ippool/rlm_ippool.c
static const char rcsid[] = $Id: rlm_ippool.c,v 1.4 2002/05/03 22:10:54 kkalev Exp $;

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf
Re: IPPOOL
psss... I thought it worked but something weird: seems that people connect, and disconnect, but the ip's from the people that disconnect do not become available for reuse??? Can you guys check that?

Ben

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 06, 2002 10:25 AM
Subject: Re: IPPOOL

> On Sun, 5 May 2002, Ben Casado wrote:
>
> > we downloaded what we thought was the latest prior to making it.. we did a) downloaded and installed the cvs application (1.11.2) b) and executed a download with it!! any suggestions which file to check to see if we did NOT get the latest!
> >
> > Ben
>
> In the server distribution root:
>
> 5:20pm /src/cvs/radiusd grep Pool-Name raddb/dictionary
> ATTRIBUTE Pool-Name 1073 string
>
> If your output is different then you need to upgrade. Either do a cvs update or grab the latest CVS snapshot from the ftp site. Your rlm_ippool.c should also be at least revision 1.3. You can find that by doing something like:
>
> 5:23pm /src/cvs/radiusd grep rcsid src/modules/rlm_ippool/rlm_ippool.c
> static const char rcsid[] = $Id: rlm_ippool.c,v 1.4 2002/05/03 22:10:54 kkalev Exp $;
>
> -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf
Re: IPPOOL
> > we have tried various things but cannot get it to give addresses based on the nas identifier. what are we doing wrong?
>
> That's not the idea behind the ip_pool module. The idea is to assign ip's from the same pool to all the access servers and not maintain separate pools for each nas. In any case if you want to assign different addresses to each nas you can

Hummm... how do I route ip packets to users on different nas servers if they are on the same pool, hence on the same subnet? I mean, if user 1 connects on nas 1 and gets ip 192.168.1.1, then user 2 connects on nas 2 and gets the next ip, 192.168.1.2, how will my routers, servers etc. know where to send their reply packets?

When we have two different pools it's easy, just set a static route pointing the whole pool to the right server. With one big pool, how do I do it? I don't want to use RIP or anything like that to propagate thousands of host routes.

Gelson
Re: IPPOOL
At 05:33 PM 5/6/2002 -0300, Gelson Dias Santos wrote:

> > > we have tried various things but cannot get it to give addresses based on the nas identifier. what are we doing wrong?
> >
> > That's not the idea behind the ip_pool module. The idea is to assign ip's from the same pool to all the access servers and not maintain separate pools for each nas. In any case if you want to assign different addresses to each nas you can
>
> Hummm... how do I route ip packets to users on different nas servers if they are on the same pool, hence on the same subnet? I mean, if user 1 connects on nas 1 and gets ip 192.168.1.1, then user 2 connects on nas 2 and gets the next ip, 192.168.1.2, how will my routers, servers etc. know where to send their reply packets?

Generally handled by a dynamic routing protocol between your NAS and/or a common router. Dynamic routing protocols include OSPF, RIPv1, RIPv2, IS-IS, ... The exact choice is up to you ( as is the NAS configuration ).

The main concept to remember is that each of your users is *NOT* on the same subnet, though their IP's may come from a sequential block of addresses. Each user is on their own /32 ( 255.255.255.255 ) subnet.

> When we have two different pools it's easy, just set a static route pointing the whole pool to the right server. With one big pool, how do I do it? I don't want to use RIP or anything like that to propagate thousands of host routes.

Then let your NAS assign the addresses. You can run NAS assigned dynamic addresses with a dynamic protocol just fine. If you don't want to announce ( and withdraw ) thousands of host routes into your IGP, then don't use server assigned addresses, let the NAS handle it.

-Chris

-- Chris Parker, Director, Engineering, StarNet Inc., (847) 963-0116, http://www.starnetwx.net
WX *is* Wireless! Wholesale Internet Services - http://www.megapop.net
Re: IPPOOL
On Mon, 6 May 2002, Ben Casado wrote:

> psss... I thought it worked but something weird: seems that people connect, and disconnect, but the ip's from the people that disconnect do not become available for reuse??? Can you guys check that?
>
> Ben

Could you please send some debugging output. I would be especially interested in the debug output of the handling of an accounting-stop packet for one of those disconnects.

-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf
Re: IPPOOL
    Acct-Status-Type = Stop
    NAS-Identifier = Arecibo
    Attr-172818435 = 01002D41D706939B
    Service-Type = Framed-User
    NAS-Port = 16387
    NAS-Port-Type = Async
    Class = 0x653934
    Called-Station-Id = 7879594236
    Calling-Station-Id = 7878159057
    Acct-Delay-Time = 0
    Framed-IP-Address = 196.12.182.107
    User-Name = go42r10
    Framed-Protocol = PPP
    Acct-Input-Octets = 146103
    Acct-Output-Octets = 1032717
    Acct-Session-Id = C07FCD70:0A71
    Acct-Session-Time = 1223
    Acct-Input-Packets = 1332
    Acct-Output-Packets = 1246
    Acct-Authentic = RADIUS
    Acct-Link-Count = 1
    Login-IP-Host = 0.0.0.0
    Login-Service = PortMaster
    Login-TCP-Port = 0
    X-Ascend-Modem-PortNo = 33619970
    X-Ascend-Modem-SlotNo = 5
    X-Ascend-Disconnect-Cause = 45
    X-Ascend-Data-Rate = 28800
    X-Ascend-Xmit-Rate = 50667
    X-Ascend-PreSession-Time = 25
rlm_ippool: Deallocated entry for ip/port: 196.12.182.92/16387
rlm_ippool: num: 0
Accounting: logout: login entry for NAS UNKNOWN-NAS port 16387 not found
Sending Accounting-Response of id 139 to 10.50.2.1:2048
rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=141, length=252
Accounting-Request packet sent to a non-accounting port from client 10.50.2.1:2048 - ID 141 : IGNORED
rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=146, length=252
Accounting-Request packet sent to a non-accounting port from client 10.50.2.1:2048 - ID 146 : IGNORED
rad_recv: Access-Request packet from host 10.50.2.1:2048, id=195, length=104
    User-Password = \200e\3558\212Q\266\345e#\323{\270-'\202
    NAS-Identifier = Arecibo
    User-Name = go42r10
    Called-Station-Id = 7879594236
    Calling-Station-Id = 7878956159
    NAS-Port = 16392
    NAS-Port-Type = Async
    Framed-Protocol = PPP
    Service-Type = Framed-User
rlm_sql: Reserving sql socket id: 4
rlm_sql: Released sql socket id: 4
rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/16392
rlm_ippool: num: 1
rlm_ippool: Allocated ip 196.12.182.92 to client on nas 10.50.2.1,p

----- Original Message -----
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 06, 2002 6:33 PM
Subject: Re: IPPOOL

On Mon, 6 May 2002, Ben Casado wrote:

> psss... i thought it worked but something weird, Seems that people
> connect, and disconnect, but the ip's from the people that disconnect
> do not become available for reuse??? Can you guys check that?
>
> Ben

Could you please send some debugging output. I would be especially
interested in the debug output of the handling of an accounting-stop
packet for one of those disconnects.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

***
Scanned by an email protection software that checks: Content, Attachments, Security and Viruses
Brought to you by ICENetworks.com, eScan and MailScan
***
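The allocate and deallocate lines in debug output like the above can be replayed to find an address that is handed out while another port still holds it. This is an added example, not part of the original thread or of FreeRADIUS; the line formats are taken from the rlm_ippool output quoted on this page, and the log lines in SAMPLE (addresses and NAS names) are constructed.

```python
import re

# Line formats as they appear in the rlm_ippool debug output quoted in this thread.
ALLOC = re.compile(
    r"rlm_ippool: Allocated ip (\S+) to client on nas ([^,\s]+),\s*port\s*(\d+)")
DEALLOC = re.compile(r"rlm_ippool: Deallocated entry for ip/port: ([\d.]+)/(\d+)")


def find_duplicate_leases(lines):
    """Replay allocate/deallocate events and report any IP that is handed
    out while a different nas/port still holds it."""
    leases = {}    # ip -> (nas, port) currently holding the address
    findings = []  # (line number, ip, previous holder, new holder)
    for lineno, line in enumerate(lines, 1):
        m = ALLOC.search(line)
        if m:
            ip, holder = m.group(1), (m.group(2), m.group(3))
            previous = leases.get(ip)
            if previous is not None and previous != holder:
                findings.append((lineno, ip, previous, holder))
            leases[ip] = holder
            continue
        m = DEALLOC.search(line)
        if m:
            ip, port = m.groups()
            # The Deallocated line carries no NAS name, so match on port only.
            if ip in leases and leases[ip][1] == port:
                del leases[ip]
    return findings, leases


# Constructed sample (documentation addresses, hypothetical NAS names).
SAMPLE = """\
rlm_ippool: Allocated ip 192.0.2.10 to client on nas nas-a,port 17
rlm_ippool: Allocated ip 192.0.2.11 to client on nas nas-a,port 18
rlm_ippool: Deallocated entry for ip/port: 192.0.2.10/17
rlm_ippool: Allocated ip 192.0.2.10 to client on nas nas-a,port 19
rlm_ippool: Allocated ip 192.0.2.11 to client on nas nas-b,port 4
""".splitlines()

if __name__ == "__main__":
    dupes, still_leased = find_duplicate_leases(SAMPLE)
    for lineno, ip, old, new in dupes:
        print(f"line {lineno}: {ip} given to {new[0]}/{new[1]} "
              f"while held by {old[0]}/{old[1]}")
    print(f"{len(still_leased)} address(es) still leased at end of log")
```

Feed it a debug run captured from server start, since leases made before the first log line are invisible to the replay.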
IPPOOL
We fixed an issue that we had with accounting and the daemon ran ok for a bit, but then it crashed with a segmentation fault. The only way that we were able to bring it up was by cleaning all the .db files but we are sure that this is not the right way to get this fixed.

Any ideas/suggestions?

Ben
Re: IPPOOL
On Sat, 4 May 2002, Ben Casado wrote:

> also, I get this error now.
>
> Module: Loaded files
> /usr/local/etc/raddb/users[112]: Parse error (check) for entry DEFAULT: Unknown attribute Pool-Name
> Errors reading /usr/local/etc/raddb/users
>
> Ben

You will have to upgrade to the latest cvs if you are using freeradius 0.5.

Now what do I mean with an instance for each nas server:

ippool nas1 {
    session-db = manati.db
    ip-index = nas1.db
    range-start = 196.12.162.1
    range-stop = 196.12.162.127
    netmask = 255.255.255.128
    cache-size = 150
}

ippool nas2 {
    session-db = manati2.db
    ip-index = nas2.db
    range-start = 196.12.162.128
    range-stop = 196.12.162.254
    netmask = 255.255.255.128
    cache-size = 150
}

I think you get the picture. You assign a different ip range to each nas server in each module instance.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf
Re: IPPOOL
we downloaded what we thought was the latest prior to making it..

we did
a) downloaded and installed the cvs application (1.11.2)
b) and executed a download with it!!

any suggestions which file to check to see if we did NOT get the latest!

Ben

----- Original Message -----
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 05, 2002 5:52 AM
Subject: Re: IPPOOL

On Sat, 4 May 2002, Ben Casado wrote:

> also, I get this error now.
>
> Module: Loaded files
> /usr/local/etc/raddb/users[112]: Parse error (check) for entry DEFAULT: Unknown attribute Pool-Name
> Errors reading /usr/local/etc/raddb/users
>
> Ben

You will have to upgrade to the latest cvs if you are using freeradius 0.5.

Now what do I mean with an instance for each nas server:

ippool nas1 {
    session-db = manati.db
    ip-index = nas1.db
    range-start = 196.12.162.1
    range-stop = 196.12.162.127
    netmask = 255.255.255.128
    cache-size = 150
}

ippool nas2 {
    session-db = manati2.db
    ip-index = nas2.db
    range-start = 196.12.162.128
    range-stop = 196.12.162.254
    netmask = 255.255.255.128
    cache-size = 150
}

I think you get the picture. You assign a different ip range to each nas server in each module instance.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf
Re: IPPOOL
This is what we have done to the radiusd.conf file. With this we only get addresses from that range, and that is not what we want.

===
ippool {
    session-db = manati.db
    ip-index = 196.12.162.64
    range-start = 196.12.162.65
    range-stop = 196.12.162.126
    netmask = 255.255.255.224
    cache-size = 5000
}
===

we have tried various things but cannot get it to give addresses based on the nas identifier. what are we doing wrong?

Thanks
Ben

----- Original Message -----
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 03, 2002 7:17 AM
Subject: Re: IPPOOL

On Thu, 2 May 2002, Ben Casado wrote:

> We are trying to configure our radius to give out the addresses instead
> of the comm servers. For that we have downloaded the software and
> compiled it with the rlm_ippool.
>
> Can someone direct us to what we need to do next?
>
> Thanks in advance,
> Ben

Read the comments in radiusd.conf for the ippool module? They are quite descriptive of what you need to do.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf
Re: IPPOOL
Ben Casado [EMAIL PROTECTED] wrote:

> We are trying to configure our radius to give out the addresses instead
> of the comm servers. For that we have downloaded the software and
> compiled it with the rlm_ippool.
>
> Can someone direct us to what we need to do next?

Run it in debugging mode, and send it test packets. The FAQ says how to do this.

Alan DeKok.
Re: IPPOOL
At 09:20 PM 5/2/2002 -0400, Ben Casado wrote:

> We are trying to configure our radius to give out the addresses instead
> of the comm servers. For that we have downloaded the software and
> compiled it with the rlm_ippool.
>
> Can someone direct us to what we need to do next?

Configure rlm_ippool according to the examples and documentation provided. You'll probably have to play with it a while.

And for the record, I'm against the radius server attempting to assign ip's. It may work in very small environments, but it does not scale.

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net
(847) 963-0116
Wholesale Internet Services - http://www.megapop.net
IPPOOL
We have a question about the ippools, we have this in the radiusd.conf:

ippool {
    session-db = "${confdir}/ippool.db"
    ip-index = "manati"
    range-start = 196.12.162.65
    range-stop = 196.12.162.126
    netmask = 255.255.255.224
    cache-size = 5000
}

ippool pool2 {
    session-db = "${confdir}/ippool.db2"
    ip-index = "ponce"
    range-start = 196.12.176.1
    range-stop = 196.12.162.126
    netmask = 255.255.255.128
    cache-size = 5000
}

--

we get in the radiusd -xx

Module: Loaded IPPOOL
ippool: session-db = "/usr/local/etc/raddb/ippool.db"
ippool: ip-index = "manati"
ippool: range-start = 196.12.162.65 IP address [196.12.162.65]
ippool: range-stop = 196.12.162.126 IP address [196.12.162.126]
ippool: netmask = 255.255.255.224 IP address [255.255.255.224]
ippool: cache-size = 5000
Module: Instantiated ippool (ippool)

=

Regardless of what nas server we use we always get: rlm_ippool: num: 1 and IPs from top one

rad_recv: Access-Request packet from host 66.108.198.79:4035, id=42, length=47
    User-Name = "go42r10"
    User-Password = "cj9k\310\353\332\241\201\304"_7\244\373\274"
rlm_ippool: num: 1
rlm_ippool: Allocated ip 196.12.162.122 to client on nas 66.108.198.79,port 0

---

Can you help us? we have 7 nas servers and expect different addresses but it is not working.

Ben
Re: IPPOOL
On Fri, 3 May 2002, Ben Casado wrote:

> This is what we have done to the radiusd.conf file. With this we only get
> addresses from that range, and that is not what we want.
>
> ===
> ippool {
>     session-db = manati.db
>     ip-index = 196.12.162.64
>     range-start = 196.12.162.65
>     range-stop = 196.12.162.126
>     netmask = 255.255.255.224
>     cache-size = 5000
> }
> ===
>
> we have tried various things but cannot get it to give addresses based on
> the nas identifier. what are we doing wrong?
>
> Thanks
> Ben

That's not the idea behind the ip_pool module. The idea is to assign ip's from the same pool to all the access servers and not maintain separate pools for each nas. In any case if you want to assign different addresses to each nas you can create one instance of the ippool module for each nas. Then in your authorize section make sure you have the files (users file) module before the ip pool modules. In your users file do something like this:

DEFAULT NAS-IP-Address == 66.108.198.79, Pool-Name := pool1
DEFAULT NAS-IP-Address == 66.108.198.80, Pool-Name := pool2

while your authorize section will look like this:

authorize {
    files
    pool1
    pool2
    [...]
}

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf
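A sanity check for the one-instance-per-NAS layout described in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it parses `ippool` blocks and reports inverted ranges, overlapping ranges and database files shared between instances. The block syntax follows the configs posted in the thread; the function names, the sample pool definitions and the rule that instances should not share `session-db` or `ip-index` files are assumptions.

```python
import ipaddress
import re

def parse_pools(conf):
    """Return {instance name: {key: value}} for every ippool block in conf."""
    pools, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        start = re.match(r"ippool(?:\s+(\w+))?\s*\{$", line)
        if start:                                     # unnamed block -> "ippool"
            current = pools.setdefault(start.group(1) or "ippool", {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return pools

def lint_pools(pools):
    """Report inverted ranges, overlapping ranges and shared db files."""
    problems, spans, files = [], {}, {}
    for name, p in pools.items():
        lo = ipaddress.IPv4Address(p["range-start"])
        hi = ipaddress.IPv4Address(p["range-stop"])
        if lo > hi:
            problems.append(f"{name}: range-start {lo} is above range-stop {hi}")
            continue
        for other, (olo, ohi) in spans.items():
            if lo <= ohi and olo <= hi:
                problems.append(f"{name}: range {lo}-{hi} overlaps {other}")
        spans[name] = (lo, hi)
        for key in ("session-db", "ip-index"):
            owner = files.setdefault(p[key], name)   # first instance to use the file
            if owner != name:
                problems.append(f"{name}: {key} {p[key]} is already used by {owner}")
    return problems

# Constructed sample: nas2 overlaps nas1 and reuses its session-db (assumed mistake).
SAMPLE = """\
ippool nas1 {
    session-db = ${raddbdir}/nas1.db
    ip-index = ${raddbdir}/nas1.idx
    range-start = 192.0.2.1
    range-stop = 192.0.2.127
}
ippool nas2 {
    session-db = ${raddbdir}/nas1.db
    ip-index = ${raddbdir}/nas2.idx
    range-start = 192.0.2.100
    range-stop = 192.0.2.254
}
"""

if __name__ == "__main__":
    print("\n".join(lint_pools(parse_pools(SAMPLE))))
```

Run against the two-pool radiusd.conf posted earlier in this thread, it reports pool2, whose range-start 196.12.176.1 is above its range-stop 196.12.162.126.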
Re: IPPOOL
Ok, but what do you mean by this?

create one instance of the ippool module for each nas

Ben

----- Original Message -----
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, May 04, 2002 9:54 AM
Subject: Re: IPPOOL

On Fri, 3 May 2002, Ben Casado wrote:

> This is what we have done to the radiusd.conf file. With this we only get
> addresses from that range, and that is not what we want.
>
> ===
> ippool {
>     session-db = manati.db
>     ip-index = 196.12.162.64
>     range-start = 196.12.162.65
>     range-stop = 196.12.162.126
>     netmask = 255.255.255.224
>     cache-size = 5000
> }
> ===
>
> we have tried various things but cannot get it to give addresses based on
> the nas identifier. what are we doing wrong?
>
> Thanks
> Ben

That's not the idea behind the ip_pool module. The idea is to assign ip's from the same pool to all the access servers and not maintain separate pools for each nas. In any case if you want to assign different addresses to each nas you can create one instance of the ippool module for each nas. Then in your authorize section make sure you have the files (users file) module before the ip pool modules. In your users file do something like this:

DEFAULT NAS-IP-Address == 66.108.198.79, Pool-Name := pool1
DEFAULT NAS-IP-Address == 66.108.198.80, Pool-Name := pool2

while your authorize section will look like this:

authorize {
    files
    pool1
    pool2
    [...]
}

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf
Re: IPPOOL
also, I get this error now.

Module: Loaded files
/usr/local/etc/raddb/users[112]: Parse error (check) for entry DEFAULT: Unknown attribute Pool-Name
Errors reading /usr/local/etc/raddb/users

Ben

----- Original Message -----
From: Ben Casado [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, May 04, 2002 5:17 PM
Subject: Re: IPPOOL

Ok, but what do you mean by this?

create one instance of the ippool module for each nas

Ben

----- Original Message -----
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, May 04, 2002 9:54 AM
Subject: Re: IPPOOL

On Fri, 3 May 2002, Ben Casado wrote:

> This is what we have done to the radiusd.conf file. With this we only get
> addresses from that range, and that is not what we want.
>
> ===
> ippool {
>     session-db = manati.db
>     ip-index = 196.12.162.64
>     range-start = 196.12.162.65
>     range-stop = 196.12.162.126
>     netmask = 255.255.255.224
>     cache-size = 5000
> }
> ===
>
> we have tried various things but cannot get it to give addresses based on
> the nas identifier. what are we doing wrong?
>
> Thanks
> Ben

That's not the idea behind the ip_pool module. The idea is to assign ip's from the same pool to all the access servers and not maintain separate pools for each nas. In any case if you want to assign different addresses to each nas you can create one instance of the ippool module for each nas. Then in your authorize section make sure you have the files (users file) module before the ip pool modules. In your users file do something like this:

DEFAULT NAS-IP-Address == 66.108.198.79, Pool-Name := pool1
DEFAULT NAS-IP-Address == 66.108.198.80, Pool-Name := pool2

while your authorize section will look like this:

authorize {
    files
    pool1
    pool2
    [...]
}

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf
IPPOOL
We are trying to configure our radius to give out the addresses instead of the comm servers. For that we have downloaded the software and compiled it with the rlm_ippool.

Can someone direct us to what we need to do next?

Thanks in advance,
Ben
Re: IPPOOL
On Thu, 2 May 2002, Ben Casado wrote:

> We are trying to configure our radius to give out the addresses instead
> of the comm servers. For that we have downloaded the software and
> compiled it with the rlm_ippool.
>
> Can someone direct us to what we need to do next?
>
> Thanks in advance,
> Ben

Read the comments in radiusd.conf for the ippool module? They are quite descriptive of what you need to do.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf