Ippool assigns duplicate ip address

2003-12-17 Thread Paolo Ercolani
Hi,

I'm a newbie with freeradius. I'm managing a FreeRadius 0.9 box and I'm
trying to solve a problem.
On this box the ippool is configured, but it gives duplicate IPs. I'm trying
to understand if it's always or just sometimes. Anyway, it seems that
after rebooting freeradius it goes OK!

Can anyone help me?

Here are some of the configuration files (if you need more, just tell me):

usercollide = no
..
 ippool vaslab_pool {

#  range-start,range-stop: The start and end ip
#  addresses for the ip pool
 range-start = xx.xx.xx.131
 range-stop = xx.xx.xx.190

 #  netmask: The network mask used for the ip's
 netmask = 255.255.255.128

 #  cache-size: The gdbm cache size for the db
 #  files. Should be equal to the number of ip's
 #  available in the ip pool
 cache-size = 800

 # session-db: The main db file used to allocate ip's to clients
 session-db = ${raddbdir}/db.ippool

 # ip-index: Helper db index file used in multilink
 ip-index = ${raddbdir}/db.ipindex
 }



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Re[4]: ippool issue

2003-11-01 Thread Paul Hampson
 From: Alexander Lunyov
 Sent: Saturday, 1 November 2003 6:32 AM

 Thursday, October 30, 2003, 6:52:58 AM, you wrote:

 rlm_ippool: Searching for an entry for nas/port: mynas.domain.ru/17
 rlm_ippool: Allocating ip to nas/port: mynas.domain.ru/17
 rlm_ippool: num: 1
 rlm_ippool: Allocated ip 192.168.254.213 to client on nas mynas.domain.ru,port 17
   modcall[post-auth]: module main_pool returns ok for request 0
 modcall: group post-auth returns ok for request 0
 Sending Access-Accept of id 251 to x.x.x.2:4921
 Framed-Compression = Van-Jacobson-TCP-IP
 Idle-Timeout = 900
 Framed-MTU = 576
 Framed-Protocol = PPP
 Service-Type = Framed-User
 Framed-IP-Address = 192.168.254.213
 Framed-IP-Netmask = 255.255.255.0
 Finished request 0
 Going to the next request
 Thread 1 waiting to be assigned a request
 rad_recv: Accounting-Request packet from host x.x.x.2:4924, id=101, length=115
 Thread 2 assigned request 1
 Waking up in 5 seconds...
 Thread 2 handling request 1, (1 handled so far)
 User-Name = lan
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-IP-Address = 192.168.254.213
 Framed-IP-Netmask = 0.0.0.0
 NAS-Identifier = mynas.domain.ru
 NAS-Port-Type = Async
 NAS-Port = 17
 Acct-Status-Type = Start
 Acct-Session-Id = 11080-lan1067627926
 Acct-Multi-Session-Id = 
 Acct-Delay-Time = 0
 
 But why Framed-IP-Netmask changed from 255.255.255.0 to 0.0.0.0?

Deranged NAS? What Netmask does the _client_ get?

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.




Two questions about ippool

2003-10-30 Thread Agustín Orviz Camblor
Hello everybody:

We have freeradius 0.9.2 up and running with rlm_ippool and rlm_sql
(MySQL). We want to use the same server to do the accounting too.

We have a Nortel CVX 1800 with an L2TP tunnel against an ASN Bay Networks
router.

1.- The ASN doesn't pass the NAS port information in the access request,
so rlm_ippool returns NOOP. We have bypassed this check and it seems it
is working OK with the IP assignments. Is it a critical parameter for
managing the IP pools correctly?

2.- There is no Framed-IP-Address in the Start and Stop
accounting packets. I have not found a solution to record the IP
assigned by the rlm_ippool module in the MySQL database in accordance with
the Start and Stop packets. Any ideas?

Thank you very much.

Regards.


-- 
 --
 Agustín Orviz Camblor             e-mail: [EMAIL PROTECTED]
 Servicios Avanzados - ISP         TeleCable de Asturias S.A.
 Parque Científico y Tecnológico   Edificio TeleCable
 Carretera de Cabueñes s/n         Tlf: +34 984191000
 33203 - Gijón - Asturias          Fax: +34 984191001
 ---




ippool issue

2003-10-29 Thread Alexander Lunyov
Hello freeradius-users,

  Is there a possibility to pool a range of IP addresses for a NAS
  while the NAS is not in that range? For example, if I try to pool
  the 192.168.253.0/24 network for a NAS with address 192.168.3.3, it
  says that nas/port is not found for that NAS address (192.168.3.3).
  Is it possible to assign to a NAS client an IP address not from the NAS
  network?

-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Re: ippool issue

2003-10-29 Thread Gustavo A. Lozano
Sure you can.
But if you do that you can't get routed to any place.

You need a gateway address within the same logical network.


On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
 Hello freeradius-users,
 
   Is there a possibility to pool range of IP addresses for NAS
   while NAS is not in that range? For example, if i try to pool
   192.168.253.0/24 network for NAS with address 192.168.3.3 - it
   says that nas/port not found for that NAS address (192.168.3.3).
   is it possible to assign to NAS client IP address not from NAS
   network?




Re[2]: ippool issue

2003-10-29 Thread Alexander Lunyov
Hello Gustavo,

Wednesday, October 29, 2003, 8:42:51 AM, you wrote:



GAL Sure you can.
GAL But if you do that you cant get routed to any place.

GAL You need a gateway address within the same logical network.

 What do you mean? NAS in the same logical network or radius server in the
 same logical network?

 For example, i want this ippool working with NAS.

ippool main_pool {
range-start = 192.168.253.1
range-stop = 192.168.253.254
netmask = 255.255.0.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
} 

 NAS is a FreeBSD box with 3 multiport cards and 2 network
 interfaces. First iface is 192.168.33.127/24, second is
 x.x.x.2/24 ('white' network). So when authentication of the ppp session is done and
 it's time to receive an IP address for this session, radiusd cannot
 find a range for this NAS. It says

rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = lan
Service-Type = Framed-User
Framed-Protocol = PPP
CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
CHAP-Challenge = 0x38328232349865433746313036313635
NAS-Identifier = zeus.domain.ru
NAS-Port-Type = Ethernet
NAS-Port = 61

[authentification and other skip]

rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
  modcall[post-auth]: module main_pool returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 239 to x.x.x.2:2740
Framed-Compression = Van-Jacobson-TCP-IP
Idle-Timeout = 10
Framed-MTU = 576
Framed-IP-Address = 255.255.255.254
Framed-Protocol = PPP
Service-Type = Framed-User
Finished request 0

  What should i do? Is there any 'magic word'? :)



GAL On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
 Hello freeradius-users,
 
   Is there a possibility to pool range of IP addresses for NAS
   while NAS is not in that range? For example, if i try to pool
   192.168.253.0/24 network for NAS with address 192.168.3.3 - it
   says that nas/port not found for that NAS address (192.168.3.3).
   is it possible to assign to NAS client IP address not from NAS
   network?





-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Re: Re[2]: ippool issue

2003-10-29 Thread Gustavo A. Lozano
You need an address in the RAS to act as a gateway...

You can configure any pool in whatever RAS but for example if the RAS is
a cisco you will need to do something like:

interface eth0 ip add xxx.xxx.xxx.1 secondary
interface eth0 ip add yyy.yyy.yyy.1 secondary 
..
...


and now you can assign address within the blocks xxx.xxx.xxx.xxx and
yyy.yyy.yyy.yyy

The thing is, you need the RAS as gateway for the dial-in users

On Wed, 2003-10-29 at 20:14, Alexander Lunyov wrote:
 Hello Gustavo,
 
 Wednesday, October 29, 2003, 8:42:51 AM, you wrote:
 
 
 
 GAL Sure you can.
 GAL But if you do that you cant get routed to any place.
 
 GAL You need a gateway address within the same logical network.
 
  What do you mean? NAS in the same logical network or radius server in the
  same logical network?
 
  For example, i want this ippool working with NAS.
 
 ippool main_pool {
 range-start = 192.168.253.1
 range-stop = 192.168.253.254
 netmask = 255.255.0.0
 cache-size = 800
 session-db = ${raddbdir}/db.ippool
 ip-index = ${raddbdir}/db.ipindex
 override = no
 } 
 
  NAS is a FreeBSD box with 3 multiport cards and 2 network
  interfaces. First iface is 192.168.33.127/24, second is
  x.x.x.2/24 ('white' network). So when authentification of ppp session is done 
 and
  it's time to receive IP address for this session, radiusd cannot
  find range for this NAS. It says
 
 rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
 Thread 1 assigned request 0
 --- Walking the entire request list ---
 Threads: total/active/spare threads = 5/1/4
 Waking up in 5 seconds...
 Thread 1 handling request 0, (1 handled so far)
 User-Name = lan
 Service-Type = Framed-User
 Framed-Protocol = PPP
 CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
 CHAP-Challenge = 0x38328232349865433746313036313635
 NAS-Identifier = zeus.domain.ru
 NAS-Port-Type = Ethernet
 NAS-Port = 61
 
 [authentification and other skip]
 
 rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
   modcall[post-auth]: module main_pool returns noop for request 0
 modcall: group post-auth returns noop for request 0
 Sending Access-Accept of id 239 to x.x.x.2:2740
 Framed-Compression = Van-Jacobson-TCP-IP
 Idle-Timeout = 10
 Framed-MTU = 576
 Framed-IP-Address = 255.255.255.254
 Framed-Protocol = PPP
 Service-Type = Framed-User
 Finished request 0
 
   What should i do? Is there any 'magic word'? :)
 
 
 
 GAL On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
  Hello freeradius-users,
  
Is there a possibility to pool range of IP addresses for NAS
while NAS is not in that range? For example, if i try to pool
192.168.253.0/24 network for NAS with address 192.168.3.3 - it
says that nas/port not found for that NAS address (192.168.3.3).
is it possible to assign to NAS client IP address not from NAS
network?
 
 
 
 




Huntgroups and IPPOOL allocation based on NAS Request

2003-10-14 Thread Jim Watts
Hi

Currently attempting to set-up multiple ippools, which are correctly
assigned due to the NAS making the request.

--start huntgroups-

llgcis01-hunt   NAS-IP-Address == 127.0.0.1
btsurf01-hunt   NAS-IP-Address == 10.1.1.100


---end huntgroups


---start users

DEFAULT Huntgroup-Name == llgcis01-hunt, Pool-Name := llgcis01
Fall-Through = Yes

DEFAULT Huntgroup-Name == btsurf01-hunt, Pool-Name := btsurf01
Fall-Through = Yes

q4xvzfm0 Auth-Type := Local, User-Password ==5e7lvwqh


---end users-



When using radtest, no dynamic ip is allocated



rad_recv: Access-Request packet from host 127.0.0.1:1968, id=235, length=60
User-Name = q4xvzfm0
User-Password = 5e7lvwqh
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns noop
rlm_realm: No '@' in User-Name = q4xvzfm0, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched q4xvzfm0 at 7
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [q4xvzfm0] (from client localhost port 10)
modcall: entering group post-auth
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module llgcis01 returns noop
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module btsurf01 returns noop
modcall: group post-auth returns noop
Sending Access-Accept of id 235 to 127.0.0.1:1968
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 235 with timestamp 3f8bceb2
Nothing to do.  Sleeping until we see a request.





Although if I change the users file to be (the difference being Huntgroup-Name :=)

---start users

DEFAULT Huntgroup-Name := llgcis01-hunt, Pool-Name := llgcis01
Fall-Through = Yes

DEFAULT Huntgroup-Name := btsurf01-hunt, Pool-Name := btsurf01
Fall-Through = Yes

q4xvzfm0 Auth-Type := Local, User-Password ==5e7lvwqh


---end users---

An IP pool address is returned, although from the incorrect pool. Since the
radtest is from 127.0.0.1, I would expect the correct huntgroup
llgcis01-hunt to be determined and hence an IP address to be returned from the
correct pool.

Any help would be appreciated.

--Jim











ippool - several subnets

2003-10-10 Thread Alfred Dahl
Hello,

could someone help me figure out this:

I want to create one large IP-pool consisting of several subnets (not
necessarily sequenced), and then distribute IP-addresses to all my clients
from this pool (i.e. 1.2.3.0/24 + 1.2.10.0/22)

What would be the simplest way to accommodate this?



--
Med vennlig hilsen/Sincerely
Alfred H. Dahl
Hostmaster
Élla Kommunikasjon
Tlf: +47 3860 8575 Fax: +47 3860 8501





RE: ippool - several subnets

2003-10-10 Thread Paul Hampson
 From: Alfred Dahl
 Sent: Friday, 10 October 2003 9:58 PM

 I want to create one large IP-pool consisting of several subnets (not
 necessarily sequenced), and then distribute IP-addresses to all my clients
 from this pool (i.e. 1.2.3.0/24 + 1.2.10.0/22)

 What would be the simplest way to accommodate this?

The simplest way would be have two pool instances, and set override=no.

_I_ would suggest a grouping of two ippool instances where a NOOP result
gets failed over, and any other result is returned immediately... And
with override=no set.

See doc/configurable-failover for instructions.

However, these both assume that you don't mind if one pool fills before
the other is emptied... If that's a problem, you'd have to create a
custom db file that contains all the IPs you want, and none of the ones
you don't want. Once the DB exists, rlm_ippool doesn't care if they're
contiguous or not, it just picks the first free entry from the DB.

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.




rlm-ippool not deallocating ip addresses

2003-08-28 Thread Mohsen Chirara



Hi, I installed freeradius version 9. pre-1 (just before the version 9
was released) on a debian system.

Everything is working fine except for the deallocation on rlm-ippool.

I have a pool defined in radiusd.conf:

ippool private_pool {
    range-start = 172.16.4.1
    range-stop = 172.16.4.254
    netmask = 255.255.255.0
    cache-size = 5000
    session-db = ${raddbdir}/db.privatepool
    ip-index = ${raddbdir}/db.privateindex
    override = yes
}

The problem is after a day or 2, no more IP address are available,
at first, freeradius deallocates IP addresses then it stops
deallocating for some reason.

Any clue ?

Regards
Mohsen






RE: rlm-ippool not deallocating ip addresses

2003-08-28 Thread Paul Hampson
From: Mohsen Chirara
Sent: Thursday, 28 August 2003 7:40 PM

 Hi, I installed freeradius version 9. pre-1 (just before the
 version 9 was released) on a debian system.

 Everything is working fine except for the deallocation on rlm-ippool.

 The problem is after a day or 2, no more IP address are available,
 at first, freeradius deallocates IP addresses then it stops
 deallocating for some reason.

Try using ippooltool (available on the 'net, you'll need to stop
FreeRADIUS to use it though) to see if your ippool has been
shrinking. If so, grab the latest CVS snapshot, and see if that
fixed the problem. (If you want to be safer, just grab rlm_ippool.c
from the latest CVS snapshot. It can just drop into place)

If the ippool's shrunk, rather than just having a whole bunch of
addresses that haven't been marked inactive, then the newer
rlm_ippool.c _should_ fix it.

Basically, this might be a known bug, and we're trying to find
people who're suffering it to test our solution before we
release 0.9.1.

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul TBBle Hampson
=




Re: rlm-ippool not deallocating ip addresses

2003-08-28 Thread Gustavo A. Lozano
Use 0.9

then you need to constantly see what IP is being used (using radwho) and
rebuilding the dbs.

Also you can test the CVS branch, the team is asking for people to test
the new module as soon as possible.

If you will use the CVS branch ok, if you will use the standard 0.9 post
again and I will post the programs and scripts needed to have the
database up to date.




On Thu, 2003-08-28 at 04:39, Mohsen Chirara wrote:
 Hi, I installed freeradius version 9. pre-1 (just before the version 9
 was released) on a debian system.
  
 Everything is working fine except for the deallocation on rlm-ippool.
  
 I have a pool defined in radiusd.conf :
  
 ippool private_pool {
  
 range-start = 172.16.4.1
 range-stop = 172.16.4.254
 netmask = 255.255.255.0
 cache-size = 5000
 session-db = ${raddbdir}/db.privatepool
 ip-index = ${raddbdir}/db.privateindex
 override = yes
 }
 
  
 The problem is after a day or 2, no more IP address are available, at
 first, freeradius deallocates IP addresses
 then it stops deallocating for some reason.
  
 Any clue ?
  
 Regards
 Mohsen
-- 
Gustavo A. Lozano Noldata Corporation
[EMAIL PROTECTED]   Calle 46 No. 40-19
CTO   Bogota D.C. Colombia
Noldata Corporation   http://noldata.com

I know not with what weapons World War III will be fought,
   but World War IV will be fought with sticks and stones.
   Albert Einstein






patch: Caller Id not stored in ippool files

2003-06-20 Thread Jonathan Ruano
Hello all (TGiF!):

Not yet assimilated the rlm_ippool pseudo-code Paul posted (I haven't 
spent much time with it either), but I solved a little flaw in rlm_ippool.
While dumping the contents of the files (so to trace the strange case
of disappearing IPs), I noticed that no caller ids were stored.

I did a little patch that fixes it. While it's not very useful
(except for MPP detection, but the latter is proved not to be
working smoothly), at least gives more info about session log.

Jonathan.

--
Jonathan Ruano kobalt at pobox dot comdiff -urN org.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c 
new.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c
--- org.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c2002-10-11 
15:26:20.0 +0200
+++ new.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c2003-06-20 
17:37:49.0 +0200
@@ -67,6 +67,7 @@
 
 #define ALL_ONES 4294967295
 #define MAX_NAS_NAME_SIZE 64
+#define MAX_CLI_SIZE 32
 
 static const char rcsid[] = $Id: rlm_ippool.c,v 1.12 2002/10/11 13:26:20 kkalev Exp 
$;
 
@@ -94,7 +95,7 @@
 typedef struct ippool_info {
uint32_tipaddr;
charactive;
-   charcli[32];
+   charcli[MAX_CLI_SIZE];
 } ippool_info;
 
 typedef struct ippool_key {
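Review bot: at the `cli[MAX_CLI_SIZE]` member, document that the constant is part of the stored record layout. `ippool_info` is written to the database as raw bytes (`data_datum.dsize = sizeof(ippool_info)` in the last hunk), so a later change to `MAX_CLI_SIZE` would make existing session-db files unreadable. A short comment at the `#define` stating that, and that the size includes the terminating NUL, would prevent someone from enlarging it casually.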
@@ -571,6 +572,11 @@
 */
if (key_datum.dptr){
entry.active = 1;
+
+   memset(entry.cli,0,MAX_CLI_SIZE);
+   if (cli != NULL)
+strncpy( entry.cli, cli, MAX_CLI_SIZE - 1);
+
data_datum.dptr = (ippool_info *) entry;
data_datum.dsize = sizeof(ippool_info);
 
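Review bot: in the `strncpy` call, bound the copy with `sizeof(entry.cli) - 1` instead of `MAX_CLI_SIZE - 1`, so the limit follows the field if its declaration ever changes; with the preceding `memset` the result stays NUL-terminated as it is now. A caller id longer than 31 bytes is truncated without any trace, so a debug message on truncation would help anyone comparing stored values later. `cli` is neither declared nor assigned in the visible lines; the patch or its description should say where it is taken from and that it is in scope at this point in the function.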


ippool error next!

2003-06-10 Thread [EMAIL PROTECTED]
We ran a lot of tests and I can now explain one thing.
This is the test:

killall radiusd
rm -f /var/log/radius/radacct/db.ippool /var/log/radius/radacct/db.ipindex
radiusd
./test_cree.sh
./test_free.sh
/usr/bin/iptool /var/log/radius/radacct/db.ippool /var/log/radius/radacct/db.ipindex -v | wc

The final result is 32 = the size of my pool.
./test_cree.sh  - simulates 40 auth requests for a PPP IP
./test_free.sh  - and 40 accounting releases

All entries are good,
like this 
NAS:192.168.100.22 port:0x20 - ipaddr:195.167.230.59 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x10 - ipaddr:195.167.230.35 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x19 - ipaddr:195.167.230.61 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x9 - ipaddr:195.167.230.55 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x12 - ipaddr:195.167.230.42 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x2 - ipaddr:195.167.230.50 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1b - ipaddr:195.167.230.31 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xb - ipaddr:195.167.230.62 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x14 - ipaddr:195.167.230.33 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x4 - ipaddr:195.167.230.36 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1d - ipaddr:195.167.230.47 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xd - ipaddr:195.167.230.53 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x16 - ipaddr:195.167.230.49 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1 - ipaddr:195.167.230.34 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x6 - ipaddr:195.167.230.32 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1f - ipaddr:195.167.230.38 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xa - ipaddr:195.167.230.46 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xf - ipaddr:195.167.230.60 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x18 - ipaddr:195.167.230.40 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x3 - ipaddr:195.167.230.41 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x8 - ipaddr:195.167.230.39 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xc - ipaddr:195.167.230.37 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x11 - ipaddr:195.167.230.51 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x15 - ipaddr:195.167.230.54 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1a - ipaddr:195.167.230.56 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x5 - ipaddr:195.167.230.57 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1e - ipaddr:195.167.230.43 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xe - ipaddr:195.167.230.44 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x13 - ipaddr:195.167.230.58 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x17 - ipaddr:195.167.230.45 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1c - ipaddr:195.167.230.52 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x7 - ipaddr:195.167.230.48 active:0 cli:0 num:0


If I run another test with only test_cree.sh, which creates 40 auth requests,

I will have
NAS:192.168.100.22 port:0x10 - ipaddr:195.167.230.54 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x9 - ipaddr:195.167.230.47 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x12 - ipaddr:195.167.230.43 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x2 - ipaddr:195.167.230.35 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xb - ipaddr:195.167.230.49 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x14 - ipaddr:195.167.230.45 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x4 - ipaddr:195.167.230.55 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xd - ipaddr:195.167.230.60 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x1 - ipaddr:195.167.230.59 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x6 - ipaddr:195.167.230.31 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xa - ipaddr:195.167.230.53 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xf - ipaddr:195.167.230.51 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x3 - ipaddr:195.167.230.61 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x8 - ipaddr:195.167.230.33 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xc - ipaddr:195.167.230.38 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x11 - ipaddr:195.167.230.56 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x15 - ipaddr:195.167.230.52 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x5 - ipaddr:195.167.230.42 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xe - ipaddr:195.167.230.40 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x13 - ipaddr:195.167.230.58 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x7 - ipaddr:195.167.230.62 active:1 cli:0 num:1

This means that something is deleted inside the database and I can't find why.

Lionel Drevon   [EMAIL PROTECTED]
Adeli   http://www.adeli.fr
618 Av. Gal de Gaulle   Tel 04 78 66 11 85
69760 Limonest  Fax 04 78 66 04 33
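
The comparison made by eye in this post (32 entries after a full cycle, fewer after allocation only) can be done mechanically. This C program is an added example, not part of the original post or of iptool: it parses lines in the dump format shown above and reports the entry count, the active count, addresses that are active on more than one nas/port, and the shortfall against the pool size; the struct and function names are hypothetical and the sample dump is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 256

/* One parsed dump line (hypothetical struct, named for this example). */
typedef struct dump_entry {
    char     nas[64];
    unsigned port;
    char     ipaddr[16];
    int      active;
} dump_entry;

/* Result of auditing one dump. */
typedef struct audit {
    int entries;        /* lines that parsed as pool entries              */
    int active;         /* entries with active:1                          */
    int duplicate_ips;  /* active entries whose address is already active */
    int missing;        /* pool_size - entries, when the db has shrunk    */
} audit;

/* Constructed sample in the format shown in the post (documentation addresses). */
static const char SAMPLE_DUMP[] =
    "NAS:192.0.2.10 port:0x1 - ipaddr:198.51.100.1 active:1 cli:0 num:1\n"
    "NAS:192.0.2.10 port:0x2 - ipaddr:198.51.100.2 active:0 cli:0 num:0\n"
    "NAS:192.0.2.10 port:0x3 - ipaddr:198.51.100.1 active:1 cli:0 num:1\n";

/* Parse one dump line; returns 1 when all four fields were read. */
static int parse_line(const char *line, dump_entry *e)
{
    return sscanf(line, " NAS:%63s port:%x - ipaddr:%15s active:%d",
                  e->nas, &e->port, e->ipaddr, &e->active) == 4;
}

/* Walk the dump text line by line and collect the counters. */
audit audit_dump(const char *text, int pool_size)
{
    static dump_entry seen[MAX_ENTRIES];
    audit a = {0, 0, 0, 0};
    const char *p = text;

    while (*p != '\0' && a.entries < MAX_ENTRIES) {
        char line[256];
        size_t len = strcspn(p, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        dump_entry e;
        int i;

        memcpy(line, p, n);
        line[n] = '\0';
        p += len;
        if (*p == '\n')
            p++;

        if (!parse_line(line, &e))
            continue;               /* skip anything that is not a pool entry */

        if (e.active) {
            a.active++;
            /* Same address already active under another nas/port key? */
            for (i = 0; i < a.entries; i++) {
                if (seen[i].active && strcmp(seen[i].ipaddr, e.ipaddr) == 0) {
                    a.duplicate_ips++;
                    break;
                }
            }
        }
        seen[a.entries++] = e;
    }

    /* Fewer entries than configured addresses means records were lost. */
    if (a.entries < pool_size)
        a.missing = pool_size - a.entries;
    return a;
}

int main(void)
{
    audit a = audit_dump(SAMPLE_DUMP, 4);   /* constructed pool of 4 addresses */
    printf("entries=%d active=%d duplicate_ips=%d missing=%d\n",
           a.entries, a.active, a.duplicate_ips, a.missing);
    return 0;
}
```

Fed the output of the `iptool ... -v` command from the post, a non-zero `missing` corresponds to the shrinking database described here, and a non-zero `duplicate_ips` to one address handed to two sessions.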




Re: ippool-tool

2003-03-10 Thread Kostas Kalevras
On Sun, 9 Mar 2003, Edwin Groothuis wrote:

 Greetings,

 In the past three months or so since we've used FreeRadius we found
 out that our IP-Pool is running out of free addresses. Most likely
 because of the way we get packets in combination with the way our
 dialin-service is handled.

There was a problem in versions older than 1.12 (cvs revision) of the ippool
module.
The module will free an ip address when it receives an accounting-stop
for an active nas/port combination or an access-request for the same
combination. So normally it should not run out of ip addresses.


 To monitor and overcome this problem, I've written a small tool to
 dump the database and/or remove the active entries. It runs on any
 system with the GDBM libraries installed and is available from:

 http://www.mavetju.org/unix/general.php

 at the bottom, called FreeRadius IP Pool Tool.

 Suggestions, comments et al are appreciated.

If it's ok with you i 'll add it in the cvs.


 Edwin

 --
 Edwin Groothuis  |Personal website: http://www.mavetju.org
 [EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: ippool-tool

2003-03-10 Thread Kostas Kalevras
On Mon, 10 Mar 2003, Javier Castillo Alcibar wrote:


 Hello,

 What problem did you find in versions older than 1.12?? I cannot access web 
 cvs.. 

The code did not do a memset(0) on a few values before doing searches. As a
result it could not find open sessions.



 Javier.


 -Original Message-
 From: Kostas Kalevras [mailto:[EMAIL PROTECTED]
 Sent: Monday, 10 March 2003 13:20
 To: [EMAIL PROTECTED]
 Subject: Re: ippool-tool

 On Sun, 9 Mar 2003, Edwin Groothuis wrote:

  Greetings,
 
  In the past three months or so since we've used FreeRadius we found
  out that our IP-Pool is running out of free addresses. Most likely
  because of the way we get packets in combination with the way our
  dialin-service is handled.

 There was a problem in versions older than 1.12 (cvs revision) of the ippool
 module.
 The module will free an ip address when it receives an accounting-stop
 for an active nas/port combination or an access-request for the same
 combination. So normally it should not run out of ip addresses.

 
  To monitor and overcome this problem, I've written a small tool to
  dump the database and/or remove the active entries. It runs on any
  system with the GDBM libraries installed and is available from:
 
  http://www.mavetju.org/unix/general.php
 
  at the bottom, called FreeRadius IP Pool Tool.
 
  Suggestions, comments et al are appreciated.

 If it's ok with you i 'll add it in the cvs.

 
  Edwin
 
  --
  Edwin Groothuis  |Personal website: http://www.mavetju.org
  [EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php
 
 

 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
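
The failure described in this reply, a lookup key that is not zeroed before a search, reproduced in a small stand-alone C program. It is an added example and not rlm_ippool code: the `pool_key` layout, the byte-wise `lookup` and the junk-filled buffers are assumptions made for illustration, and only `MAX_NAS_NAME_SIZE` and the nas/port sample values come from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAS_NAME_SIZE 64  /* same value as the #define in the patch on this page */

/* Hypothetical nas/port key, invented for this example. */
typedef struct pool_key {
    char     nas[MAX_NAS_NAME_SIZE];
    uint32_t port;
} pool_key;

/* Hypothetical stored record: the key plus the allocation state. */
typedef struct pool_record {
    pool_key key;
    uint32_t ipaddr;
    int      active;
} pool_record;

/*
 * Writes only the name, its terminating NUL and the port.
 * Every byte of nas[] after the NUL keeps whatever the buffer held before.
 */
static void fill_key(pool_key *k, const char *nas, uint32_t port)
{
    snprintf(k->nas, sizeof(k->nas), "%s", nas);
    k->port = port;
}

/* A dbm-style lookup: the whole key is compared as raw bytes. */
static pool_record *lookup(pool_record *db, size_t n, const pool_key *k)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (memcmp(&db[i].key, k, sizeof(*k)) == 0)
            return &db[i];
    }
    return NULL;
}

/*
 * Allocate on Access-Request, then try to free on Accounting-Stop for the
 * same nas/port. Returns 1 if the address was released, 0 if the open
 * session could not be found.
 */
int release_after_stop(int zero_first)
{
    pool_record db[1];
    pool_key at_alloc, at_stop;
    pool_record *r;

    /* Constructed stand-in for stale memory: different junk in each buffer. */
    memset(&at_alloc, 0xAA, sizeof(at_alloc));
    memset(&at_stop, 0x55, sizeof(at_stop));

    if (zero_first) {
        /* The fix: clear the key before filling it in. */
        memset(&at_alloc, 0, sizeof(at_alloc));
        memset(&at_stop, 0, sizeof(at_stop));
    }

    fill_key(&at_alloc, "mynas.domain.ru", 17);
    fill_key(&at_stop, "mynas.domain.ru", 17);

    /* Store the session under the key built at allocation time. */
    memset(db, 0, sizeof(db));
    db[0].key = at_alloc;
    db[0].ipaddr = 0xC0A8FED5u;   /* 192.168.254.213 */
    db[0].active = 1;

    /* Search with the key built when the stop packet arrives. */
    r = lookup(db, 1, &at_stop);
    if (r == NULL)
        return 0;                 /* session not found: address stays allocated */
    r->active = 0;
    return 1;
}

int main(void)
{
    printf("without memset: released=%d\n", release_after_stop(0));
    printf("with memset:    released=%d\n", release_after_stop(1));
    return 0;
}
```

Both keys carry the same name and port, yet without the `memset` the bytes after the name differ, the search misses, and the address is never marked inactive.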



Re: ippool-tool

2003-03-10 Thread Edwin Groothuis
On Mon, Mar 10, 2003 at 02:19:48PM +0200, Kostas Kalevras wrote:
 On Sun, 9 Mar 2003, Edwin Groothuis wrote:
 
  Greetings,
 
  In the past three months or so since we've used FreeRadius we found
  out that our IP-Pool is running out of free addresses. Most likely
  because of the way we get packets in combination with the way our
  dialin-service is handled.
 
 There was a problem in versions older than 1.12 (cvs revision) of the ippool
 module.
 The module will free an ip address when it receives an accounting-stop
 for an active nas/port combination or an access-request for the same
 combination. So normally it should not run out of ip addresses.

I'm running 0.8.1, but it's still in there.
Maybe it's something weird with our setup, we get all accounting
packets double: one from the NAS, one from the Accounting server
and the stop-packets don't have the right NAS-IPaddress in the
packet. What a mess

Anyway, I'm using the ippooltool to keep us up and running :-)

Edwin
-- 
Edwin Groothuis  |Personal website: http://www.mavetju.org
[EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php 



Re: ippool-tool

2003-03-10 Thread Kostas Kalevras
On Tue, 11 Mar 2003, Edwin Groothuis wrote:

 On Mon, Mar 10, 2003 at 02:19:48PM +0200, Kostas Kalevras wrote:
  On Sun, 9 Mar 2003, Edwin Groothuis wrote:
 
   Greetings,
  
   In the past three months or so since we've used FreeRadius we found
   out that our IP-Pool is running out of free addresses. Most likely
   because of the way we get packets in combination with the way our
   dialin-service is handled.
 
  There was a problem in versions older than 1.12 (cvs revision) of the ippool
  module.
  The module will free an ip address when it receives an accounting-stop
  for an active nas/port combination or an access-request for the same
  combination. So normally it should not run out of ip addresses.

 I'm running 0.8.1, but it's still in there.
 Maybe it's something weird with our setup, we get all accounting
 packets double: one from the NAS, one from the Accounting server
 and the stop-packets don't have the right NAS-IPaddress in the
 packet. What a mess

Well the ippool module relies on the NAS-IP-Address and NAS-Port attributes
being correct. It seems quite strange though that the NAS-IP-Address is
incorrect.


 Anyway, I'm using the ippooltool to keep us up and running :-)

 Edwin
 --
 Edwin Groothuis  |Personal website: http://www.mavetju.org
 [EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



ippool-tool

2003-03-08 Thread Edwin Groothuis
Greetings,

In the past three months or so since we've used FreeRadius we found
out that our IP-Pool is running out of free addresses. Most likely
because of the way we get packets in combination with the way our
dialin-service is handled.

To monitor and overcome this problem, I've written a small tool to
dump the database and/or remove the active entries. It runs on any
system with the GDBM libraries installed and is available from:

http://www.mavetju.org/unix/general.php

at the bottom, called FreeRadius IP Pool Tool.

Suggestions, comments et al are appreciated.

Edwin

-- 
Edwin Groothuis  |Personal website: http://www.mavetju.org
[EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php 



IPPOOL PROBLEM

2003-02-24 Thread Javier Castillo Alcibar
Hello All,

I have a problem with rlm_ippool module It doesn't give
ip addresses... :(
This is my radiusd.conf:

modules {
..
ippool ippool {
name = ippool
range-start = 194.69.251.128
range-stop = 194.69.251.254
netmask = 255.255.252.0
session-db = /usr/local/etc/raddb/ippool-sess-db
ip-index = /usr/local/etc/raddb/ippool-idx-db
cache-size = 1000
}

}
accounting {
acct_unique
detail
unix 
radutmp
ippool
}
post-auth {
ippool
}


When the radius gets an incoming auth.req :

Thread 4 handling request 3, (1 handled so far)
User-Name = tec-javiere
User-Password = 1
NAS-IP-Address = 194.69.248.50
NAS-Port = 2
Framed-Protocol = PPP
Service-Type = 0

modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound
rlm_realm: No '@' in User-Name = tec-javiere, looking up realm
NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched tec-javiere at 5123
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password Login OK:
[tec-javiere] (from client alhproxy port 2)
modcall: entering group post-auth
rlm_ippool: Searching for an entry for nas/port: 194.69.248.50/2
  modcall[post-auth]: module ippool returns noop
modcall: group post-auth returns noop
Sending Access-Accept of id 36 to 194.69.248.50:2761
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Address = 255.255.255.255
Framed-Netmask = 255.255.255.255
Ascend-Metric = 2
Framed-Routing = None
Framed-Compression = None
Ascend-Idle-Limit = 14400
Ascend-Maximum-Time = 36000
Finished request 3

 

Why does the ippool module return NOOP??

Thx in advance.
Javier.





IPPOOL configuration on freeradius-0.7.1

2002-10-31 Thread ian
Sir/Madam

I have downloaded and installed freeradius-0.7.1 on a linux system

It is all working except I am having trouble 
   - allocating IP address dynamically

it is my belief this is done using ippool

which is where my problem is.
I can't seem to set up ippool successfully.

Do I need to issue a particular flag on my configure statement ?

I used 

 ./configure 
--with-experimentalmodules
--prefix
--exec-prefix
--program prefix
--with-logdir
--with-radacctdir
--with-raddbdir

Any help would be much appreciated

I Taylor
ForemostIT




IPPool problem, again.

2002-10-11 Thread Pierluigi Frullani

Do you remember my previous mails ?
 Hi all,
 I'm having a problem with the Ippool module ( rlm_ippool ).
 When authorizing, the module is able to allocate the correct IP
 address, but on the account Stop does not set the ip free.
...
Well, I did some more investigation, but it still doesn't work.
I added some comments on the rlm_ippool module to check what kind of data
were passing through the module.
Here is the output:
In authorize side:
rlm_ippool: Searching for an entry for nas/port: 10.128.255.3/1054
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.128.10.2 to client on nas 10.128.255.3,port 1054

On the accounting side, when the request is a stop, at the end of the
if (data_datum.dptr != NULL){
I've added a cycle over the gdbm file and I see:

rlm_ippool: THERE IS A NAS INFORMATION IN PACKET 10.128.255.3 1054.
rlm_ippool: Values: active = 1, key.nas = 10.128.255.3, nasport= 1054
rlm_ippool: Dati 0 NOT_EXIST -2
rlm_ippool: Exiting from function accounting no results

So it seems that the gdbm_fetch fails when searching in the file.
The behaviour is the same on Linux and Solaris 8 machines.
Do you have any idea ?

In the meantime I will try to modify the source to work with a cycle, but
this could be expensive for the time needed by the scan.

Pigi






Re: IPPool problem, again. (Kostas Kalevras)

2002-10-11 Thread Pierluigi Frullani

 It was fixed today. Check the CVS. It needed a memset(0) for key.nas
 before the strcpy().


I can confirm that now it works.
Thanks a lot
Pigi
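
The fix quoted above (a memset(0) on key.nas before the strcpy()) matters because gdbm matches keys as raw bytes over their full length. The following C sketch is an added example, not rlm_ippool's code: the pool_key layout, the field size and the one-record toy store are assumptions, and the leftover bytes are simulated with fixed fill patterns so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define NAS_NAME_SIZE 64              /* assumed field size, for illustration */

/* Hypothetical key layout, modelled on the "key.nas" / "nasport" log lines. */
typedef struct {
    char nas[NAS_NAME_SIZE];
    int  port;
} pool_key;

/* Toy one-record store standing in for gdbm: like gdbm, it treats the key
 * as an opaque byte string and matches it over its full length. */
static unsigned char stored[sizeof(pool_key)];
static int have_record;

static void toy_store(const pool_key *k)
{
    memcpy(stored, k, sizeof stored);
    have_record = 1;
}

static int toy_fetch(const pool_key *k)
{
    return have_record && memcmp(stored, k, sizeof stored) == 0;
}

/* Build a key. `stale` models whatever bytes were left in the variable
 * before use (constructed, so the demo is deterministic). Returns 0 on
 * success, -1 if the NAS name does not fit. */
static int build_key(pool_key *k, unsigned char stale, int zero_first,
                     const char *nas, int port)
{
    if (strlen(nas) >= sizeof k->nas)
        return -1;
    memset(k, stale, sizeof *k);      /* simulate leftover memory contents */
    if (zero_first)
        memset(k, 0, sizeof *k);      /* the fix: clear before strcpy() */
    strcpy(k->nas, nas);              /* writes only strlen(nas)+1 bytes */
    k->port = port;
    return 0;
}

/* Number of bytes that differ between the key built at allocation time and
 * the key built when the accounting Stop arrives. */
static size_t key_mismatch_bytes(int zero_first)
{
    pool_key a, b;
    const unsigned char *pa = (const unsigned char *)&a;
    const unsigned char *pb = (const unsigned char *)&b;
    size_t i, n = 0;

    build_key(&a, 0xAA, zero_first, "10.128.255.3", 1054);
    build_key(&b, 0x55, zero_first, "10.128.255.3", 1054);
    for (i = 0; i < sizeof a; i++)
        n += pa[i] != pb[i];
    return n;
}

/* Allocate on one request, then try to find the record on the Stop.
 * Returns 1 if the record is found (address can be released), else 0. */
static int stop_finds_allocation(int zero_first)
{
    pool_key alloc_key, stop_key;

    have_record = 0;
    if (build_key(&alloc_key, 0xAA, zero_first, "10.128.255.3", 1054) != 0)
        return 0;
    toy_store(&alloc_key);
    if (build_key(&stop_key, 0x55, zero_first, "10.128.255.3", 1054) != 0)
        return 0;
    return toy_fetch(&stop_key);
}

int main(void)
{
    printf("strcpy only : %zu stray bytes differ, found=%d\n",
           key_mismatch_bytes(0), stop_finds_allocation(0));
    printf("memset first: %zu stray bytes differ, found=%d\n",
           key_mismatch_bytes(1), stop_finds_allocation(1));
    return 0;
}
```

The NAS name and port are identical in both keys; only the bytes after the string terminator differ, which is enough for the lookup on Stop to miss and the address to stay allocated.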






Re: Ippool problem on 0.7.1.Don't deallocate ip addresses

2002-10-11 Thread Pierluigi Frullani
OK, I'll reply to myself.
I've noticed that the NAS ( a VPN 3000 Concentrator ) sends out two
different authorize requests, on two different ports ( 1020 and 1038 in my
trace ); then, when it sends out a stop request, it uses the second request's
parameters.
The rlm_ippool module correctly checks for the second request and doesn't
give out a new IP address, and also correctly doesn't free the IP address
on stop due to the different port in the request.
This would be a real problem for me, but the module is OK.

Sorry again
Pigi






Ippool problem on 0.7.1.Don't deallocate ip addresses

2002-10-10 Thread Pierluigi Frullani

Hi all,
 I'm having a problem with the Ippool module ( rlm_ippool ).
When authorizing, the module is able to allocate the correct IP address, but
on the accounting Stop it does not set the IP free.

relevant part of radiusd.conf
...
...
modules {
...
...
ippool Prova0 {
range-start = 10.128.1.0
range-stop = 10.128.1.3
netmask = 255.255.255.252
cache-size = 800
session-db = ${raddbdir}/db.ippool.0
ip-index = ${raddbdir}/db.ipindex.0
}
...
}
authorize {
...
Prova0
...
}
accounting {
...
Prova0
...
}

users file:
...
steve   Auth-Type := Local, User-Password == testing, Pool-Name :=
Prova1
...

log, from radiusd -X  log says:
...

Module: Instantiated ippool (Prova0)
 ippool: session-db = /usr/local/freeradius/etc/raddb/db.ippool.1
 ippool: ip-index = /usr/local/freeradius/etc/raddb/db.ipindex.1
 ippool: range-start = 10.128.10.0 IP address [10.128.10.0]
 ippool: range-stop = 10.128.10.3 IP address [10.128.10.3]
 ippool: netmask = 255.255.255.252 IP address [255.255.255.252]
 ippool: cache-size = 800
...
...
  modcall[authorize]: module files returns ok
rad_recv: Access-Request packet from host 10.128.255.4:1024, id=78,
length=92
User-Name = steve
User-Password = \r\021\353N\315\021 s\023.8]O\002F\010
NAS-Port = 1020
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = 212.239.118.116
NAS-IP-Address = 10.128.255.4
NAS-Port-Type = Virtual
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm NULL for User-Name = steve
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched steve at 99
  modcall[authorize]: module files returns ok
rlm_ippool: Entering in function authorize
rlm_ippool: Searching for an entry for nas/port: 10.128.255.4/1020
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.128.10.2 to client on nas 10.128.255.4,port 1020
  modcall[authorize]: module Prova0 returns ok
...
...
rad_recv: Accounting-Request packet from host 10.128.255.4:1038, id=24,
length=155
User-Name = steve
NAS-Port = 1020
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.128.10.2
Class = 0x47727570706f526164
Acct-Status-Type = Stop
Acct-Input-Octets = 312
Acct-Output-Octets = 0
Acct-Session-Id = 0C400010
Acct-Session-Time = 8
Acct-Input-Packets = 3
Acct-Output-Packets = 0
Acct-Terminate-Cause = User-Request
Tunnel-Client-Endpoint:0 = 212.239.118.116
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = 10.128.255.4
NAS-Port-Type = Virtual
modcall: entering group preacct
  modcall[preacct]: module preprocess returns noop
rlm_realm: Looking up realm NULL for User-Name = steve
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop
  modcall[preacct]: module files returns noop
modcall: group preacct returns noop
modcall: entering group accounting
radius_xlat:
'/usr/local/freeradius/var/log/radius/radacct/10.128.255.4/detail'
rlm_detail:
/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail
expands to /usr/local/freeradius/var/log/radius/radacct/1
0.128.255.4/detail
  modcall[accounting]: module detail returns ok
  modcall[accounting]: module counter returns ok
radius_xlat:  'steve'
  modcall[accounting]: module radutmp returns ok
  modcall[accounting]: module Prova0 returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 24 to 10.128.255.4:1038
Finished request 12
Going to the next request


This problem is driving me crazy.
Have you any idea ?






Re: Ippool

2002-09-25 Thread Homer Parker

On Fri, 20 Sep 2002 11:45:51 +0300 (EEST)
Kostas Kalevras [EMAIL PROTECTED] wrote:


 
 I am not sure that you can do group membership checks with the pam
 module. Try using the unix module for that (just put it in the
 instantiate section to register its groupcmp function).

That was it, thanks!

--- 
Homer Parker




ippool bug or config problem?

2002-09-24 Thread magmike


ippool assigns the same IP address to two different users.
Maybe my config is broken?
When I use a large pool (1-254), I have the same bug after restarting
radiusd.


- radiusd.conf
modules {

ippool ippool-1-fast {
range-start = 192.168.5.1
range-stop = 192.168.5.6
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/pools/db.pool-1-fast
ip-index = ${raddbdir}/pools/db.pool-1-fast.idx
}
}

accounting {
detail
unix
radutmp
ippool-1-fast
}

post-auth {
ippool-1-fast
}
- end of radiusd.conf

- users
DEFAULT  NAS-IP-Address == 192.168.0.5,  Service-Type == Framed-User,  Pool-Name := 
ippool-1-fast
Framed-MTU = 1500,
Service-Type = Framed-User,
Fall-Through = 1
- end of users

Now run radiusd:

root@vpn:/etc/raddb# radiusd -xx
Starting - reading configuration files ...
...
Module: Loaded IPPOOL
 ippool: session-db = /etc/raddb/pools/db.pool-1-fast
 ippool: ip-index = /etc/raddb/pools/db.pool-1-fast.idx
 ippool: range-start = 192.168.5.1 IP address [192.168.5.1]
 ippool: range-stop = 192.168.5.6 IP address [192.168.5.6]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 800
rlm_ippool: Initializing database
Module: Instantiated ippool (ippool-1-fast)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5

Ready to process requests.
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.0.5:1026, id=70, length=133
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.

- Now I try to send an auth packet with radclient (user mmike):

Thread 1 handling request 0, (1 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = mmike
MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
MS-CHAP2-Response = 
0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
NAS-IP-Address = 192.168.0.5
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_passwd: Added User-Password: mike
rlm_passwd: Added Group: fast
rlm_passwd: Adding Auth-Type: MS-CHAP
  modcall[authorize]: module raddb_userlist returns ok
  modcall[authorize]: module mschap returns ok
rlm_realm: No '' in User-Name = mmike, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 201
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module mschap returns ok
modcall: group authenticate returns ok
Login OK: [mmike] (from client 192.168.0.5 port 0)
modcall: entering group post-auth
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.3 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module ippool-1-fast returns ok
modcall: group post-auth returns ok
Sending Access-Accept of id 70 to 192.168.0.5:1026
Framed-MTU = 1500
Service-Type = Framed-User
MS-CHAP2-Success = 0x01533d453742313241354342463337383533443044383236383
73933463331363332363844463839414236
MS-MPPE-Recv-Key = 0xe3464568c260d4f054599eac8c270f89762624d03837024c13e
53c392029a3ca21c2
MS-MPPE-Send-Key = 0xe345be695620746dcc14948143420d08d333dd86889a5a66f9a
1e084b1c5a4b6d723
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Framed-IP-Address = 192.168.5.3

 OK ip assigned 192.168.5.3
 Now I try to connect with pppd+radiusclient (user mmmike)

Nothing to do.  Sleeping until we see a request.
Thread 1 handling request 5, (2 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = mmmike
MS-CHAP-Challenge = 0x35a4ce64ebf19fc25af6921225399273
MS-CHAP2-Response = 0x010068295ca3c0f2c063e229225a129b53df00
00405f88f247c0d22d083286a7123eb6cc61415f5401ad09fc
NAS-IP-Address = 192.168.0.5
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_passwd: Added User-Password: mike
rlm_passwd: Added Group: fast
rlm_passwd: Adding Auth-Type: MS-CHAP
  modcall[authorize]: module raddb_userlist returns ok

Re: ippool bug or config problem?

2002-09-24 Thread Kostas Kalevras

On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote:


 ippool assigns the same IP address to two different users.
 Maybe my config is broken?
 When I use a large pool (1-254), I have the same bug after restarting
 radiusd.
 - Now I try to send an auth packet with radclient (user mmike):

 Thread 1 handling request 0, (1 handled so far)
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = mmike
 MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
 MS-CHAP2-Response = 
0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
 NAS-IP-Address = 192.168.0.5
 NAS-Port = 0

All Access-Requests contain the same NAS/Port pair. rlm_ippool will consider the
corresponding ip allocated stale and will free it. As a result it will get
reallocated to another user.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
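
The explanation in this reply can be replayed in a small model. This C sketch is an added example, not rlm_ippool's code: the lease table, the first-free selection order and the third user name are assumptions for illustration (the real order depends on the gdbm hash), and the login sequences are constructed.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE  6                 /* constructed: a six-address pool */
#define MAX_LOGINS 16

typedef struct {
    int  active;                     /* 1 while the address is handed out */
    char nas[32];
    int  port;
} lease;

typedef struct {                     /* one Access-Request in a replay */
    const char *user, *nas;          /* user is for reporting only */
    int port;
} login;

static lease pool[POOL_SIZE];

/* Index of the active lease for this nas/port, or -1. */
static int find_lease(const char *nas, int port)
{
    int i;
    for (i = 0; i < POOL_SIZE; i++)
        if (pool[i].active && pool[i].port == port &&
            strcmp(pool[i].nas, nas) == 0)
            return i;
    return -1;
}

/* Access-Request: a lease already held by the same nas/port is treated as
 * stale and released, then a free address is handed out. Returns the pool
 * slot, or -1 if the pool is exhausted or the NAS name does not fit. */
static int on_access_request(const char *nas, int port)
{
    int i, old;
    if (strlen(nas) >= sizeof pool[0].nas)
        return -1;
    old = find_lease(nas, port);
    if (old >= 0)
        pool[old].active = 0;        /* "Found a stale entry" */
    for (i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].active) {       /* assumption: first free slot wins */
            pool[i].active = 1;
            pool[i].port = port;
            strcpy(pool[i].nas, nas);
            return i;
        }
    }
    return -1;
}

/* Number of lease records the server currently holds. */
static int active_leases(void)
{
    int i, n = 0;
    for (i = 0; i < POOL_SIZE; i++)
        n += pool[i].active;
    return n;
}

/* Replay logins with no Stop in between; count reissued live addresses. */
static int count_duplicate_assignments(const login *seq, int n)
{
    int held[MAX_LOGINS], i, j, dups = 0;
    memset(pool, 0, sizeof pool);
    if (n > MAX_LOGINS)
        n = MAX_LOGINS;
    for (i = 0; i < n; i++) {
        held[i] = on_access_request(seq[i].nas, seq[i].port);
        for (j = 0; j < i && held[i] >= 0; j++) {
            if (held[j] == held[i]) {
                printf("%s was given slot %d, still used by %s\n",
                       seq[i].user, held[i], seq[j].user);
                dups++;
                break;
            }
        }
    }
    return dups;
}

/* Constructed replays: NAS-Port always 0 versus one port per session. */
static const login same_port[] = {
    {"mmike", "192.168.0.5", 0}, {"mmmike", "192.168.0.5", 0},
    {"user3", "192.168.0.5", 0} };
static const login unique_ports[] = {
    {"mmike", "192.168.0.5", 0}, {"mmmike", "192.168.0.5", 1},
    {"user3", "192.168.0.5", 2} };

int main(void)
{
    int d = count_duplicate_assignments(same_port, 3);
    printf("port always 0: %d duplicates, %d lease(s)\n", d, active_leases());
    d = count_duplicate_assignments(unique_ports, 3);
    printf("unique ports : %d duplicates, %d lease(s)\n", d, active_leases());
    return 0;
}
```

With NAS-Port fixed at 0 the server ends up holding one lease record for three live sessions, so a quick check on any deployment is whether the NAS really sends a distinct NAS-Port per session.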





Re[2]: ippool bug or config problem?

2002-09-24 Thread magmike



Tuesday, September 24, 2002, 7:29:03 PM, [EMAIL PROTECTED] wrote:

 On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote:


 ippool assigns the same IP address to two different users.
 Maybe my config is broken?
 When I use a large pool (1-254), I have the same bug after restarting
 radiusd.
 - Now I try to send an auth packet with radclient (user mmike):

 Thread 1 handling request 0, (1 handled so far)
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = mmike
 MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
 MS-CHAP2-Response = 
0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
 NAS-IP-Address = 192.168.0.5
 NAS-Port = 0

 All Access-Requests contain the same NAS/Port pair. rlm_ippool will consider the
 corresponding ip allocated stale and will free it. As a result it will get
 reallocated to another user.

With a large pool (1-254) ippool returns different IPs for the same
requests.

(old db-files removed)
Auth-request:
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = mmike
MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
MS-CHAP2-Response = 
0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
NAS-IP-Address = 192.168.0.5
NAS-Port = 0


# radiusd -xx | grep ippool

 ippool: session-db = /etc/raddb/pools/db.pool-1-fast
 ippool: ip-index = /etc/raddb/pools/db.pool-1-fast.idx
 ippool: range-start = 192.168.5.1 IP address [192.168.5.1]
 ippool: range-stop = 192.168.5.254 IP address [192.168.5.254]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 800
rlm_ippool: Initializing database
Module: Instantiated ippool (ippool-1-fast)

REQUEST #1
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.55 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module ippool-1-fast returns ok

REQUEST #2
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.55/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.217 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module ippool-1-fast returns ok

REQUEST #3
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.217/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.92 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module ippool-1-fast returns ok

REQUEST #4
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.92/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.233 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module ippool-1-fast returns ok






Re: Ippool

2002-09-20 Thread Kostas Kalevras

On Thu, 19 Sep 2002, Homer Parker wrote:

   Having a bit of a time getting an Orinoco AS-2000 to get an ip address
 from the ippool module.. I authenticate just fine, it just falls through
 the users file to the dial-up stuff before it gets a match... Here's some
 info:

 users file

 DEFAULT NAS-IP-Address == 172.16.1.8, Auth-Type := Pam, Group ==
 wireless64, Pool-Name := wireless64

 DEFAULT Auth-Type := Pam, Group == wireless64, Pool-Name := wireless64
 DEFAULT Group == wireless128, Pool-Name := wireless128
 DEFAULT Group == wireless192, Pool-Name := wireless192
 DEFAULT Group == wireless256, Pool-Name := wireless256

 DEFAULT Auth-Type := Pam, Huntgroup-Name == wireless64, Pool-Name :=
 wireless64
 DEFAULT Huntgroup-Name == wireless128, Pool-Name := wireless128
 DEFAULT Huntgroup-Name == wireless192, Pool-Name := wireless192
 DEFAULT Huntgroup-Name == wireless256, Pool-Name := wireless256

 radiusd.conf

 authorize {
   preprocess
   files
 }
 authenticate {
   pam
 }

I am not sure that you can do group membership checks with the pam module. Try
using the unix module for that (just put it in the instantiate section to
register its groupcmp function).

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf






Re: Ippool

2002-09-20 Thread Homer Parker

On Fri, 20 Sep 2002 11:45:51 +0300 (EEST)
Kostas Kalevras [EMAIL PROTECTED] wrote:


 I am not sure that you can do group membership checks with the pam
 module. Try using the unix module for that (just put it in the
 instantiate section to register its groupcmp function).

I'll give that a try, thanks!

--- 
Homer Parker

LAN/WAN, Wireless Networking, PC Sales/Service
Linux, OS/2, Windows9x, Windows NT/2000 Support

PC Services
129 W 8th #101
Russell, KS 67665

785.483.7602
[EMAIL PROTECTED]
http://www.pcsrvc.com

Either you can say I'm for Open Source, open standards, or I'm against
standards. Either you can say I'm for giving customers and communities
a choice or I'm against giving customers and communities a choice.
  - Sam Palmisano, IBM President and COO at LinuxWorld Expo 2001




Ippool

2002-09-19 Thread Homer Parker

Having a bit of a time getting an Orinoco AS-2000 to get an ip address
from the ippool module.. I authenticate just fine, it just falls through
the users file to the dial-up stuff before it gets a match... Here's some
info:

users file

DEFAULT NAS-IP-Address == 172.16.1.8, Auth-Type := Pam, Group ==
wireless64, Pool-Name := wireless64

DEFAULT Auth-Type := Pam, Group == wireless64, Pool-Name := wireless64
DEFAULT Group == wireless128, Pool-Name := wireless128
DEFAULT Group == wireless192, Pool-Name := wireless192
DEFAULT Group == wireless256, Pool-Name := wireless256

DEFAULT Auth-Type := Pam, Huntgroup-Name == wireless64, Pool-Name :=
wireless64
DEFAULT Huntgroup-Name == wireless128, Pool-Name := wireless128
DEFAULT Huntgroup-Name == wireless192, Pool-Name := wireless192
DEFAULT Huntgroup-Name == wireless256, Pool-Name := wireless256


#DEFAULT Simultaneous-Use := 2
#   Fall-Through = 1

#DEFAULT Auth-Type := Reject, Huntgroup-Name == mail

#DEFAULT Huntgroup-Name := local, Pool-Name := wireless64
#Filter-Id = locallan,
#Fall-Through = 1

#DEFAULT Auth-Type := Pam
#Service-Type = Framed-User,
#Framed-Protocol = PPP,
#Framed-IP-Address = 255.255.255.254,
#Framed-IP-Netmask = 255.255.255.255,
#Framed-Compression = Van-Jacobson-TCP-IP,
#Session-Timeout = 36,
#Idle-Timeout = 900,
#Framed-MTU = 576

With the dialup stuff commented, I do not get authenticated.. As you can
see, I'm trying several different ways to get a hit... 

huntgroups

pop1 NAS-IP-Address == 172.16.1.8
wireless64  Group = wireless64

wireless128 Group = wireless128

wireless192 Group = wireless192

wireless256 Group = wireless256

The user I'm testing with is in group wireless64 on the radius server. I
used something similar with Cistron to put people into groups that were
mail only (no Internet access), etc... Can't find any documentation that
says it works any differently now...

radiusd.conf

modules {
ippool wireless64 {
range-start = 64.123.115.131
range-stop = 64.123.115.143
netmask = 255.255.255.128
cache-size = 800
session-db = ${raddbdir}/db.wireless64
ip-index = ${raddbdir}/db.wireless64
}
ippool wireless128 {
range-start = 64.123.115.193
range-stop = 64.123.115.254
netmask = 255.255.255.128
cache-size = 800
session-db = ${raddbdir}/db.wireless128
ip-index = ${raddbdir}/db.wireless128
}
ippool wireless192 {
range-start = 64.123.115.149
range-stop = 64.123.115.160
netmask = 255.255.255.128
cache-size = 800
session-db = ${raddbdir}/db.wireless192
ip-index = ${raddbdir}/db.wireless192
}
ippool wireless256 {
range-start = 64.123.115.162
range-stop = 64.123.115.187
netmask = 255.255.255.128
cache-size = 800
session-db = ${raddbdir}/db.wireless256
ip-index = ${raddbdir}/db.wireless256
}
pam {
pam_auth = radiusd
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}

authorize {
preprocess
files
}
authenticate {
pam
}

accounting {
detail
radutmp
wireless64
wireless128
wireless192
wireless256
}
session {
radutmp
}
post-auth {
wireless64
wireless128
wireless192
wireless256
}

Any help appreciated...

--- 
Homer Parker





Re: Ippool

2002-09-19 Thread Homer Parker

On Thu, 19 Sep 2002 15:02:45 -0500
Homer Parker [EMAIL PROTECTED] wrote:

   Having a bit of a time getting an Orinoco AS-2000 to get an ip
   address
 from the ippool module.. I authenticate just fine, it just falls through
 the users file to the dial-up stuff before it gets a match... Here's
 some info:

I forgot the versions... Have tried with .70 and CVS as of 1pm CST
9-19...

--- 
Homer Parker




ippool : deallocation problem

2002-06-16 Thread Cassiano Aquino

Hi,
I'm using freeradius 0.5+cvs20020408-1 on my Debian box.
Checking my logs, ippool tells me it's clearing the ip address from its
db, but I created one pool with 3 ip addresses, and when I connect the
4th time ippool doesn't return any ip for me.
My NAS sends Start and Stop acct packets to the radius; in debug, radius
tells me:

rlm_ippool: Deallocated entry for ip/port: xxx.xxx.28.252/82
rlm_ippool: num: 0

If you need more detailed debug output, tell me; I prefer not to put it here to
keep my mail small.

my config is something like:

modules {
ippool classe28 {
range-start = xxx.xxx.28.131
range-stop = xxx.xxx.28.246
netmask = 255.255.255.128
cache-size = 115
session-db = ${raddbdir}/db.classe28
ip-index = ${raddbdir}/db.ndx_classe28
}

ippool sidenet {
range-start = xxx.xxx.28.249
range-stop  = xxx.xxx.28.252
netmask = 255.255.255.248
cache-size = 3
session-db = ${raddbdir}/db.sidenet
ip-index = ${raddbdir}/db.ndx_sidenet
}
...
}

authorize {
...
classe28
sidenet
...
}

accouting {
...
classe28
sidenet
...
}

and in my db I have the following config:
mysql> select * from radcheck where UserName = 'cassiano';
+----+----------+---------------+-------+----+
| id | UserName | Attribute     | Value | op |
+----+----------+---------------+-------+----+
|  1 | cassiano | User-Password |       | == |
+----+----------+---------------+-------+----+
1 row in set (0.00 sec)

mysql> select * from usergroup where UserName = 'cassiano';
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | cassiano | DEFAULT   |
|  2 | cassiano | 768k      |
| 39 | cassiano | sidenet   |
+----+----------+-----------+
3 rows in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+------------------+----------+----+
| id | GroupName | Attribute        | Value    | op |
+----+-----------+------------------+----------+----+
|  1 | DEFAULT   | Simultaneous-Use | 1        | := |
|  2 | DEFAULT   | Auth-Type        | PAP      | := |
|  6 | home      | Pool-Name        | classe28 | := |
|  7 | sidenet   | Pool-Name        | sidenet  | := |
+----+-----------+------------------+----------+----+
4 rows in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+-----------------------+--------+----+------+
| id | GroupName | Attribute             | Value  | op | prio |
+----+-----------+-----------------------+--------+----+------+
| 16 | DEFAULT   | Idle-Timeout          | 0      | =  |    0 |
|  6 | DEFAULT   | Fall-Through          | Yes    | =  |    0 |
|  8 | 256k      | X-Ascend-Data-Rate    | 256000 | =  |    0 |
|  9 | 128k      | X-Ascend-Data-Rate    | 10     | =  |    0 |
| 10 | 64k       | X-Ascend-Data-Rate    | 62000  | =  |    0 |
| 13 | 768k      | X-Ascend-Data-Rate    | 768000 | =  |    0 |
| 14 | 1024k     | X-Ascend-Data-Rate    | 100    | =  |    0 |
| 15 | 384k      | X-Ascend-Data-Rate    | 38     | =  |    0 |
| 17 | DEFAULT   | Session-Timeout       | 0      | =  |    0 |
| 18 | DEFAULT   | Acct-Interim-Interval | 0      | =  |    0 |
+----+-----------+-----------------------+--------+----+------+
10 rows in set (0.00 sec)

mysql>

Have I missed something?
Thanks to the freeradius people (core and modules) for your great software.
PS: sorry about my Tarzan English :P

-- 
Cassiano Aquino [EMAIL PROTECTED]
World Wide Security Networks http://www.wwsecurity.net
KeyID# C9FD0B69 @ wwwkeys.nl.pgp.net
VoIP# 5524311




IPPOOL modified to use SQL...

2002-05-27 Thread Abel Alejandro

If anyone is interested, I modified rlm_ippool.c to work with SQL. This code
was made to solve my problem: I needed ippool to work (it worked, but wasn't
releasing IPs for some reason) and I needed a database that I could access
from the web. This code will NOT work with any method for authorize other
than SQL. If you use another method with this code, the module will NOT
release IPs from bad username/passwords. Also, the SQL information is hard
coded; you will need to edit it.

And the last thing: to avoid running the STOP multiple times, I hard coded
the code to run the STOP on one instance only. For example, if you have three
instances called a, b and c, you can edit the code to do the STOP for a only.
Otherwise it will run for the three of them, which is unnecessary.



http://core.friendspr.com/~elec/rlm_ipsql.c

http://core.friendspr.com/~elec/Makefile.in

http://core.friendspr.com/~elec/configure.in



Abel Alejandro


IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro

IPPOOL seems that it cannot give all the ip addresses on the range,
it starts giving addresses but if there are 50 ip's it only gives 10.

FreeBSD 4.5-STABLE running Freeradius from of 19/05/02 (cvs).

ippool arecibo {
session-db = ${dbdir}/arecibo.db
ip-index = ${dbdir}/arecibo-ip.db
range-start = 196.12.182.65
range-stop = 196.12.182.121
netmask = 255.255.255.192
cache-size = 1024
}

That is the configuration for the ippool, it runs fine, it assigns addresses
and everything looks okay.
However, looking at it in debug mode, I see some not very normal behaviour.
It starts giving out the addresses in random sequence; for example, instead
of first assigning 196.12.182.65 it gives 196.12.182.73 (first time, with
virgin db).

I modified rlm_ippool.c to be a little more verbose, and on the creation of
the database it does create
the ip address list in order. Like this:

Adding IP 196.12.182.65 state 0
Adding IP 196.12.182.66 state 0
Adding IP 196.12.182.67 state 0
Adding IP 196.12.182.68 state 0

Until it reaches 196.12.182.121 (which is correct.)

On the other hand, when looking for an ip address (virgin db, all ips are
supposed to be state 0) it searches them in random order.  Like this:

rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/3328
Found IP 196.12.182.114 state 1
Found IP 196.12.182.82 state 0

It started with 114 then jumped back to 82.





Re: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Kostas Kalevras

On Wed, 22 May 2002, Abel Alejandro wrote:

 IPPOOL seems that it cannot give all the ip addresses on the range,
 it starts giving addresses but if there are 50 ip's it only gives 10.

Hmm, from what i tested right now it will give out all the ips.


 FreeBSD 4.5-STABLE running Freeradius from of 19/05/02 (cvs).

 ippool arecibo {
 session-db = ${dbdir}/arecibo.db
 ip-index = ${dbdir}/arecibo-ip.db
 range-start = 196.12.182.65
 range-stop = 196.12.182.121
 netmask = 255.255.255.192
 cache-size = 1024
 }

 That is the configuration for the ippool, it runs fine, it assigns addresses
 and everything looks okay.
 However, looking at it in debug mode, I see some not very normal behaviour.
 It starts giving out addresses in random sequence; for example, instead of
 first assigning 196.12.182.65 it gives 196.12.182.73 (first time, with
 virgin db).

That has to do with the gdbm library. The db is not a linked list but a hash and
there isn't any way to tell how they will be ordered inside the file.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Wednesday, May 22, 2002 9:06 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

 IPPOOL seems that it cannot give all the ip addresses on the range,
 it starts giving addresses but if there are 50 ip's it only gives 10.

Hmm, from what i tested right now it will give out all the ips.

Okay one more thing I got now from the logs. Right now I have rm -rf the
db*
And restarted radiusd, a (cmd: cat radius.log | grep = Stop | wc -l)
reports 66 stop's, but I don't see a rlm_ippool: Deallocated entry for
ip/port: not even one in the radius.log

It seems radiusd can not deallocate ip's?





RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Kostas Kalevras

On Wed, 22 May 2002, Abel Alejandro wrote:

 Okay one more thing I got now from the logs. Right now I have rm -rf the
 db*
 And restarted radiusd, a (cmd: cat radius.log | grep = Stop | wc -l)
 reports 66 stop's, but I don't see a rlm_ippool: Deallocated entry for
 ip/port: not even one in the radius.log

 It seems radiusd can not deallocate ip's?

That is a debugging message and it will not normally show up in the radius.log

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Wednesday, May 22, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

 Okay one more thing I got now from the logs. Right now I have rm -rf the
 db*
 And restarted radiusd, a (cmd: cat radius.log | grep = Stop | wc -l)
 reports 66 stop's, but I don't see a rlm_ippool: Deallocated entry for
 ip/port: not even one in the radius.log

 It seems radiusd can not deallocate ip's?

That is a debugging message and it will not normally show up in the
radius.log

Forgot to mention, I am running radiusd -X  radius.log




RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Kostas Kalevras

On Wed, 22 May 2002, Abel Alejandro wrote:

 Forgot to mention, I am running radiusd -X  radius.log


Stupid question. Is the ippool module listed in the accounting section in
radiusd.conf?
The accounting packet should be an accounting stop for a nas/port combination
that has an allocated ip assigned to it.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Wednesday, May 22, 2002 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

 Forgot to mention, I am running radiusd -X  radius.log

Stupid question. Is the ippool module listed in the accounting section in
radiusd.conf?
The accounting packet should be an accounting stop for a nas/port combination
that has an allocated ip assigned to it.

Yes it is. The ippool module is called 'arecibo' and it's in both authorize
and accounting.

For example, when I started radiusd this morning the first IP to be
assigned was 196.12.182.73. Then radiusd got the Acct-Status-Type = Stop
for 196.12.182.73 and it said modcall[accounting]: module arecibo
returns ok
But no deallocation was done.





Re: Using ippool with two radius servers?

2002-05-17 Thread Alan DeKok

Echo FreeRadius [EMAIL PROTECTED] wrote:
 For example we are in the process of putting in 4 Nortel CVX 1800's with
 1288 lines each all in one large roll over (5152 lines) in the GTA (Greater
 Toronto Area)
 
 From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10
 different ISP's
...
 Anyway we wouldn't want each ISP to have to assign 1288 IP's to each NAS as
 this would be a large waste of IP addresses.  If we can have radius assign
 IP's then this greatly reduces the number of IP's allocated.

  This means that a particular IP address can be assigned on the fly
to any one of 4 NAS boxes.  In order to route the packet to the
correct NAS, you've got to add a new route for that IP.  This means
(as Miquel said) thousands of routes, and hundreds of route flaps.

  I'm not sure how else to do it.  Bridging and a smart switch may
help, but then you've got to forcibly expire arp entries in the
switch, and add new ones, when an IP address moves from NAS to NAS.
That may be hard.

 Again for redundancy and performance we will likely have 2-4 radius
 servers per company depending on the redundancy level they
 require. The sharing of IP's between radius server IPpools is a
 great asset.

  It's also hard.  You get into consistency issues, where the
sharing may only be done every so often, but customers may switch IP's
and re-dial more often than that.


  I would think about the issues VERY carefully before implementing
such a large and complicated network.  Be very sure that you can do
everything needed to make it work.

  Alan DeKok.




Re: Using ippool with two radius servers?

2002-05-17 Thread Miquel van Smoorenburg

In article 00a101c1fd56$61050be0$b800a8c0@kelvindell,
Echo FreeRadius [EMAIL PROTECTED] wrote:
For example we are in the process of putting in 4 Nortel CVX 1800's with
1288 lines each all in one large roll over (5152 lines) in the GTA (Greater
Toronto Area)

From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10
different ISP's.  Each ISP wants their customers to receive an address from
their IP block so it resolves back to their company.  This is done for
several reasons: controlling access to SMTP servers and other resources as
well as just for appearance so that their customers can't see that we use
the same dial-up ports.

So you create 1 pool for each ISP on each CVX. The CVX supports
multiple pools, and you can tell it which pool to use using a
radius attribute. If you have 4 CVXes, just make each pool 25%
of the max. number of dialin lines an ISP may use. Well maybe
a bit larger to allow for not-perfect distribution of clients
over the 4 CVXes.

Mike.
-- 
Insanity -- a perfectly rational adjustment to an insane world.
  - R.D. Lang





RE: Using ippool with two radius servers?

2002-05-16 Thread Simon Allard

   Ah, you only have one terminal server with 30.000 ports on it?
   In that case, route the /17 to that NAS and be done with it.
   But you likely have tens or hundreds of NASes.
  
   Either you're way ahead of me, or you really need to think this over.
 
  I think I'm ahead of you :-) Believe me, routing is not an issue
  here, I do have a /17 block with summarized pools in a way that I only
  need one static route per NAS (there are 20 of them). No need to use
  dynamic routing.

 Okay, you have a fixed pool assigned to each NAS.  I still fail to see
 why you don't want the NAS to each handle the assignment of their own
 pools?  But then what the heck do I know about building a big network...


I have the same requirement (ippool over multiple radius servers).
Sometimes allocating IPs from the NAS will just not work.

For example say we have 4000 dialin ports. We allocate the IPs from the
NAS for those users. All good.

But we have a different bunch of users. Eg Sat routed users. They need a
different IP Pool. There are not enough customers to warrant putting
another pool on each NAS box. This is where IPpool works nicely.

Most biggish ISP's need more than 1 radius server. We have 6 load
balanced behind a layer 4 switch.



Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.





Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos





 Is there a way to synchronize the ip databases between two (or more) radius servers when using module ippool? If not, how do we avoid giving the same ip to two users at the same time if the primary and secondary radius does not share info about the ips already in use?

 Yes, I know I can have 'N' different ip pools configured, one for each NAS, but I'm talking about 30.000 dial ports, so I can't allocate 30.000 * N ips available.

 Gelson





Re: Using ippool with two radius servers?

2002-05-15 Thread Chris Parker

At 03:51 PM 5/15/2002 -0300, Gelson Dias Santos wrote:

 Is there a way to synchronize the ip databases between two (or
 more) radius servers when using module ippool? If not, how do we avoid
 giving the same ip to two users at the same time if the primary and
 secondary radius does not share info about the ips already in use?

 Yes, I know I can have 'N' different ip pools configured, one for
 each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
 30.000 * N ips available.

Why would you not want the NAS to handle their own ip pools?

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Using ippool with two radius servers?

2002-05-15 Thread Miquel van Smoorenburg

In article [EMAIL PROTECTED],
Gelson Dias Santos  [EMAIL PROTECTED] wrote:
   Is there a way to synchronize the ip databases between two (or more)
radius servers when using module ippool? If not, how do we avoid giving the
same ip to two users at the same time if the primary and secondary radius
does not share info about the ips already in use?
   Yes, I know I can have 'N' different ip pools configured, one for
each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
30.000 * N ips available.

In that case you are also talking about 30.000 routes in your
internal routing protocol - and with that many dialup ports,
hundreds of route-flaps per second.

It won't work. Your network and routers will fall over
and die screaming.

Mike.
-- 
Insanity -- a perfectly rational adjustment to an insane world.
  - R.D. Lang





RE: Using ippool with two radius servers?

2002-05-15 Thread Chris Parker

At 05:28 PM 5/15/2002 -0300, Gelson Dias Santos wrote:


  -Original Message-
  From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]

   Yes, I know I can have 'N' different ip pools configured, one for
  each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
  30.000 * N ips available.
 
  In that case you are also talking about 30.000 routes in your
  internal routing protocol - and with that many dialup ports,
  hundreds of route-flaps per second.
 
  It won't work. Your network and routers will fall over
  and die screaming.

 Why should I have 30.000 host routes? All I have is one /17
 summarized route. All those IP's are on the same CIDR block.

Uhm.  Unless you have only one NAS, you'll have major issues.  Each
user will get a /32 ip.  If you have many NAS and the /32's are handed
out by the radius server, then you need to have all the NAS telling
each other about which /32's they have connected.

If that is not clear, you need to study routing, route summarization,
and ip subnetting some more.

Back to the original question; can I have two Radius server 
 managing the same IP address pool?

No.  ( And you really really really don't want to for 30,000 ips ).

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Using ippool with two radius servers?

2002-05-15 Thread Alan DeKok

Gelson Dias Santos [EMAIL PROTECTED] wrote:
   Back to the original question; can I have two Radius server managing
 the same IP address pool?

  It's difficult.  Both RADIUS servers have to be kept in PERFECT
synchronization, otherwise duplicate IP's are assigned.

  Your best bet may be to come up with some other solution...

  Alan DeKok.




Re: IPPOOL

2002-05-11 Thread Kostas Kalevras

On Fri, 10 May 2002, Ben Casado wrote:

 Guys;

 Every so often I need to reboot the server because the system accepts the
 requests, authenticates the users, but it doesn't assign anymore addresses.

 The client dies as ppp cannot complete.


 Any suggestions


 Ben

From what I've seen from the logs you've sent, the access server will send a
NAS-Identifier attribute and not a NAS-IP-Address attribute in Access and
Accounting requests. I've changed the module to be able to handle this case
(the key is now a string instead of an uint32). Do a cvs update and see how it
works. Remember though to first delete the ip pool databases you may have since
their structure has changed.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-10 Thread Ben Casado

Guys;

Every so often I need to reboot the server because the system accepts the
requests, authenticates the users, but it doesn't assign anymore addresses.

The client dies as ppp cannot complete.


Any suggestions


Ben



Re: IPPOOL

2002-05-07 Thread Kostas Kalevras

On Mon, 6 May 2002, Ben Casado wrote:

 We fixed an issue that we had with accounting and the daemon ran ok for a
 bit, but then it crashed with a segmentation fault.

 The only way that we were able to bring it up was by cleaning all the .db
 files but we are sure that this is not the right way to get this fixed.

 Any ideas/suggestions


 Ben

gdb sbin/radiusd core

When sending an email don't just write a one line description of what happened.
Send back debugging output. Remember that the ip pool module is in experimental
state. It is allowed to crash at this stage.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-07 Thread Kostas Kalevras

On Mon, 6 May 2002, Ben Casado wrote:

 Acct-Status-Type = Stop
 NAS-Identifier = Arecibo
 Attr-172818435 = 01002D41D706939B
 Service-Type = Framed-User
 NAS-Port = 16387
 NAS-Port-Type = Async
 Class = 0x653934
 Called-Station-Id = 7879594236
 Calling-Station-Id = 7878159057
 Acct-Delay-Time = 0
 Framed-IP-Address = 196.12.182.107
 User-Name = go42r10
 Framed-Protocol = PPP
 Acct-Input-Octets = 146103
 Acct-Output-Octets = 1032717
 Acct-Session-Id = C07FCD70:0A71
 Acct-Session-Time = 1223
 Acct-Input-Packets = 1332
 Acct-Output-Packets = 1246
 Acct-Authentic = RADIUS
 Acct-Link-Count = 1
 Login-IP-Host = 0.0.0.0
 Login-Service = PortMaster
 Login-TCP-Port = 0
 X-Ascend-Modem-PortNo = 33619970
 X-Ascend-Modem-SlotNo = 5
 X-Ascend-Disconnect-Cause = 45
 X-Ascend-Data-Rate = 28800
 X-Ascend-Xmit-Rate = 50667
 X-Ascend-PreSession-Time = 25
 rlm_ippool: Deallocated entry for ip/port: 196.12.182.92/16387
 rlm_ippool: num: 0
 Accounting: logout: login entry for NAS UNKNOWN-NAS port 16387 not found
 Sending Accounting-Response of id 139 to 10.50.2.1:2048
 rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=141,
 length=252
 Accounting-Request packet sent to a non-accounting port from client
 10.50.2.1:2048 - ID 141 : IGNORED
 rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=146,
 length=252
 Accounting-Request packet sent to a non-accounting port from client
 10.50.2.1:2048 - ID 146 : IGNORED
 rad_recv: Access-Request packet from host 10.50.2.1:2048, id=195, length=104
 User-Password = \200e\3558\212Q\266\345e#\323{\270-'\202
 NAS-Identifier = Arecibo
 User-Name = go42r10
 Called-Station-Id = 7879594236
 Calling-Station-Id = 7878956159
 NAS-Port = 16392
 NAS-Port-Type = Async
 Framed-Protocol = PPP
 Service-Type = Framed-User
 rlm_sql: Reserving sql socket id: 4
 rlm_sql: Released sql socket id: 4
 rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/16392
 rlm_ippool: num: 1
 rlm_ippool: Allocated ip 196.12.182.92 to client on nas 10.50.2.1,p

From the output you sent it seems to be working just great. It deallocates ip
196.12.182.92 and then it reassigns it to another user.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
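
An added example, not part of the original thread or of the FreeRADIUS code: a small audit of `radiusd -X` output that automates the check discussed in this thread, comparing Stop records against `rlm_ippool` deallocations and flagging an IP handed to a second nas/port while the first still holds it. The two `rlm_ippool` message formats are the ones quoted in the thread; the function name and the sample log lines are constructed, and treating a repeat allocation to the same nas/port as harmless is an assumption.

```python
import re

# Message formats as quoted in the debug output in this thread.
ALLOC_RE = re.compile(
    r"rlm_ippool: Allocated ip (\S+) to client on nas ([^,\s]+),\s*port (\d+)")
DEALLOC_RE = re.compile(
    r"rlm_ippool: Deallocated entry for ip/port: ([0-9.]+)/(\d+)")
STOP_RE = re.compile(r"Acct-Status-Type = Stop")


def audit_ippool_log(lines):
    """Replay allocations and deallocations from radiusd -X output.

    Returns a dict with:
      stops              number of Accounting Stop records seen
      deallocs           number of rlm_ippool deallocation messages seen
      duplicates         (ip, first_holder, second_holder) for every IP given
                         to a different nas/port while still marked as held
      unmatched_deallocs IPs released without a prior allocation in this log
      still_held         ip -> (nas, port) for addresses never released
    """
    held = {}
    report = {"stops": 0, "deallocs": 0,
              "duplicates": [], "unmatched_deallocs": []}
    for line in lines:
        if STOP_RE.search(line):
            report["stops"] += 1
            continue
        m = ALLOC_RE.search(line)
        if m:
            ip, holder = m.group(1), (m.group(2), int(m.group(3)))
            previous = held.get(ip)
            # Assumption: the same nas/port getting the same IP again is a
            # re-authentication, not a duplicate assignment.
            if previous is not None and previous != holder:
                report["duplicates"].append((ip, previous, holder))
            held[ip] = holder
            continue
        m = DEALLOC_RE.search(line)
        if m:
            report["deallocs"] += 1
            ip = m.group(1)
            if held.pop(ip, None) is None:
                report["unmatched_deallocs"].append(ip)
    report["still_held"] = held
    return report


# Constructed sample: two Stops arrive, only one triggers a deallocation,
# and the address that was never released is later handed out again.
SAMPLE_LOG = """\
rlm_ippool: Allocated ip 196.12.182.73 to client on nas 10.50.2.1,port 3328
rlm_ippool: Allocated ip 196.12.182.82 to client on nas 10.50.2.1,port 3329
\tAcct-Status-Type = Stop
  modcall[accounting]: module arecibo returns ok
\tAcct-Status-Type = Stop
rlm_ippool: Deallocated entry for ip/port: 196.12.182.82/3329
rlm_ippool: Allocated ip 196.12.182.82 to client on nas 10.50.2.1,port 3331
rlm_ippool: Allocated ip 196.12.182.73 to client on nas 10.50.2.1,port 3330
""".splitlines()

if __name__ == "__main__":
    result = audit_ippool_log(SAMPLE_LOG)
    print("stops=%d deallocs=%d" % (result["stops"], result["deallocs"]))
    for ip, first, second in result["duplicates"]:
        print("DUPLICATE %s: held by %s, also given to %s" % (ip, first, second))
    for ip, holder in sorted(result["still_held"].items()):
        print("still held: %s by %s" % (ip, holder))
```

A Stop count higher than the deallocation count, together with a growing `still_held` set, points at accounting packets that never reach the pool module or that carry a nas/port key different from the one used at allocation time.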





Re: IPPOOL

2002-05-07 Thread Ben Casado

I have the core..

It is 139mb which is what I had left of memory, what can we do now?
- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 07, 2002 6:23 AM
Subject: Re: IPPOOL


 On Mon, 6 May 2002, Ben Casado wrote:

  We fixed an issue that we had with accounting and the daemon ran ok for a
  bit, but then it crashed with a segmentation fault.
 
  The only way that we were able to bring it up was by cleaning all the .db
  files but we are sure that this is not the right way to get this fixed.
 
  Any ideas/suggestions
 
 
  Ben

 gdb sbin/radiusd core

 When sending an email don't just write a one line description of what happened.
 Send back debugging output. Remember that the ip pool module is in experimental
 state. It is allowed to crash at this stage.

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-07 Thread Ben Casado

here is some of the usual crash output. I would like to help
as much as i can to get this resolved.

Ben



Re: IPPOOL

2002-05-07 Thread Ben Casado

Nope guys the real output from the core could not be read. The earlier
results were NOT from the core, we get:

# crash core
dumpfile = core, namelist = /dev/ksyms, outfile = stdout
crash: core is not a kernel core file (bad magic number 7f454c46)
crash: cannot open kvm - dump file core

# act -d core

act 7.17

(Source code Copyright (c) 1997-2000 Sun Microsystems Inc.)

kvm_open: core is not a kernel core file (bad magic number 7f454c46)
kvm_open failed



- Original Message -
From: Ben Casado [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 07, 2002 7:36 AM
Subject: Re: IPPOOL


 here is some of the usual crash output. I would like to help
 as much as i can to get this resolved.

 Ben



Re: IPPOOL

2002-05-07 Thread Kostas Kalevras

On Tue, 7 May 2002, Ben Casado wrote:

 Nope guys the real output from the core could not be read. The earlier
 results were NOT from the core, we get:

 # crash core
 dumpfile = core, namelist = /dev/ksyms, outfile = stdout
 crash: core is not a kernel core file (bad magic number 7f454c46)
 crash: cannot open kvm - dump file core

 # act -d core

 act 7.17

 (Source code Copyright (c) 1997-2000 Sun Microsystems Inc.)

 kvm_open: core is not a kernel core file (bad magic number 7f454c46)
 kvm_open failed


gdb radiusd core
bt

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf







Re: IPPOOL

2002-05-07 Thread Kostas Kalevras

On Tue, 7 May 2002, Ben Casado wrote:

 #0  0xfef706a0 in exit () from /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1
 #1  0x397f4 in ippool_authorize (instance=0x12e748, request=0x821bfb8) at
 rlm_ippool.c:495
 #2  0x1fb54 in call_modsingle (component=4, sp=0x12e4a0, request=0x821bfb8,
 default_result=6) at modcall.c:205
 #3  0x1fcfc in modcall (component=1, c=0x12e4a0, request=0x821bfb8) at
 modcall.c:288
 #4  0x1fba8 in call_modgroup (component=1, g=0x12e4a0, request=0x821bfb8,
 default_result=3) at modcall.c:227
 #5  0x1fcac in modcall (component=1, c=0x129118, request=0x821bfb8) at
 modcall.c:281
 #6  0x1f370 in indexed_modcall (comp=1, idx=0, request=0x821bfb8) at
 modules.c:456
 #7  0x1f6e4 in module_authorize (autz_type=0, request=0x821bfb8) at
 modules.c:633
 #8  0x1c084 in rad_authenticate (request=0x821bfb8) at auth.c:518
 #9  0x17340 in rad_respond (request=0x821bfb8, fun=0x1bf24
 rad_authenticate) at radiusd.c:1526
 #10 0x21af4 in request_handler_thread (arg=0x821bd38) at threads.c:172


Ok, do a cvs update and see what happens now.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-06 Thread Kostas Kalevras

On Sun, 5 May 2002, Ben Casado wrote:

 we downloaded what we thought was the latest prior to making
 it..

 we did

 a) downloaded and installed the cvs application (1.11.2)
 b) and executed a download with it!!

 any suggestions which file to check to see if we did NOT get the latest!

 Ben

In the server distribution root:

5:20pm  /src/cvs/radiusd  grep Pool-Name raddb/dictionary
ATTRIBUTE   Pool-Name   1073   string

If your output is different then you need to upgrade. Either do a cvs update or
grab the latest CVS snapshot from the ftp site.


Your rlm_ippool.c should also be at least revision 1.3. You can find that by
doing something like:

5:23pm  /src/cvs/radiusd  grep rcsid src/modules/rlm_ippool/rlm_ippool.c
static const char rcsid[] = $Id: rlm_ippool.c,v 1.4 2002/05/03 22:10:54 kkalev
Exp $;


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-06 Thread Ben Casado

psss... i thought it worked but

something weird,

Seems that people connect, and disconnect, but the ip's from the people that
disconnect do not become available for reuse???

Can you guys check that?

Ben
- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 06, 2002 10:25 AM
Subject: Re: IPPOOL


 On Sun, 5 May 2002, Ben Casado wrote:

  we downloaded what we thought was the latest prior to making
  it..
 
  we did
 
  a) downloaded and installed the cvs application (1.11.2)
  b) and executed a download with it!!
 
  any suggestions which file to check to see if we did NOT get the latest!
 
  Ben

 In the server distribution root:

 5:20pm  /src/cvs/radiusd  grep Pool-Name raddb/dictionary
 ATTRIBUTE Pool-Name 1073 string

 If your output is different then you need to upgrade. Either do a cvs
update or
 grab the latest CVS snapshot from the ftp site.


 Your rlm_ippool.c should also be at least revision 1.3. You can find that
by
 doing something like:

 5:23pm  /src/cvs/radiusd  grep rcsid src/modules/rlm_ippool/rlm_ippool.c
 static const char rcsid[] = $Id: rlm_ippool.c,v 1.4 2002/05/03 22:10:54
kkalev
 Exp $;


 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-06 Thread Gelson Dias Santos





 we have tried various things but cannot get it to give addresses based on
 the nas identifier. what are we doing wrong?

That's not the idea behind the ip_pool module. The idea is to assign ip's from
the same pool to all the access servers and not maintain separate pools for each
nas. In any case if you want to assign different addresses to each nas you can


 Hummm... how do I route ip packets to users on different nas servers if they are on the same pool, hence on the same subnet? I mean, if user 1 connects on nas 1 and gets ip 192.168.1.1, then user 2 connects on nas 2 and gets the next ip, 192.168.1.2, how will my routers, servers etc know where to send their reply packets?

 When we have two different pools it's easy, just set a static route pointing the whole pool to the right server. With one big pool, how do I do it? I don't want to use RIP or anything like that to propagate thousands of host routes.

 Gelson





Re: IPPOOL

2002-05-06 Thread Chris Parker

At 05:33 PM 5/6/2002 -0300, Gelson Dias Santos wrote:

  we have tried various things but cannot get it to give addresses based on
  the nas identifier. what are we doing wrong?
 
 That's not the idea behind the ip_pool module. The idea is to assign 
 ip's from
 the same pool to all the access servers and not maintain separate pools 
 for each
 nas. In any case if you want to assign different addresses to each nas 
 you can

 Hummm... how do I route ip packets to users on different nas 
 servers if they are on the same pool, hence on the same subnet? I mean, 
 if user 1 connects on nas 1 and gets ip 192.168.1.1, then user 2 
 connects on nas 2 and gets the next ip, 192.168.1.2, how will my routers, 
 servers etc know where to send their reply packets?

Generally handled by a dynamic routing protocol between your NAS and/or
a common router.  Dynamic routing protocols include OSPF, RIPv1, RIPv2,
IS-IS, ...

The exact choice is up to you ( as is the NAS configuration ).

The main concept to remember is that each of your users is *NOT* on the
same subnet, though their IP's may come from a sequential block of addresses.
Each user is on their own /32 ( 255.255.255.255 ) subnet.

 When we have two different pools it's easy, just set a static route 
 pointing the whole pool to the right server. With one big pool, how do I 
 do it? I don't want to use RIP or anything like that to propagate 
 thousands of host routes.

Then let your NAS assign the addresses.  You can run NAS assigned dynamic
addresses with a dynamic protocol just fine.

If you don't want to announce ( and withdraw ) thousands of host routes
into your IGP, then don't use server assigned addresses, let the NAS
handle it.

-Chris

--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: IPPOOL

2002-05-06 Thread Kostas Kalevras

On Mon, 6 May 2002, Ben Casado wrote:

 psss... i thought it worked but

 something weird,

 Seems that people connect, and disconnect, but the ip's from the people that
 disconnect do not become available for reuse???

 Can you guys check that?

 Ben

Could you please send some debugging output. I would be especially interested in
the debug output of the handling of an accounting-stop packet for one of those
disconnects.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf






Re: IPPOOL

2002-05-06 Thread Ben Casado

Acct-Status-Type = Stop
NAS-Identifier = Arecibo
Attr-172818435 = 01002D41D706939B
Service-Type = Framed-User
NAS-Port = 16387
NAS-Port-Type = Async
Class = 0x653934
Called-Station-Id = 7879594236
Calling-Station-Id = 7878159057
Acct-Delay-Time = 0
Framed-IP-Address = 196.12.182.107
User-Name = go42r10
Framed-Protocol = PPP
Acct-Input-Octets = 146103
Acct-Output-Octets = 1032717
Acct-Session-Id = C07FCD70:0A71
Acct-Session-Time = 1223
Acct-Input-Packets = 1332
Acct-Output-Packets = 1246
Acct-Authentic = RADIUS
Acct-Link-Count = 1
Login-IP-Host = 0.0.0.0
Login-Service = PortMaster
Login-TCP-Port = 0
X-Ascend-Modem-PortNo = 33619970
X-Ascend-Modem-SlotNo = 5
X-Ascend-Disconnect-Cause = 45
X-Ascend-Data-Rate = 28800
X-Ascend-Xmit-Rate = 50667
X-Ascend-PreSession-Time = 25
rlm_ippool: Deallocated entry for ip/port: 196.12.182.92/16387
rlm_ippool: num: 0
Accounting: logout: login entry for NAS UNKNOWN-NAS port 16387 not found
Sending Accounting-Response of id 139 to 10.50.2.1:2048
rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=141,
length=252
Accounting-Request packet sent to a non-accounting port from client
10.50.2.1:2048 - ID 141 : IGNORED
rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=146,
length=252
Accounting-Request packet sent to a non-accounting port from client
10.50.2.1:2048 - ID 146 : IGNORED
rad_recv: Access-Request packet from host 10.50.2.1:2048, id=195, length=104
User-Password = \200e\3558\212Q\266\345e#\323{\270-'\202
NAS-Identifier = Arecibo
User-Name = go42r10
Called-Station-Id = 7879594236
Calling-Station-Id = 7878956159
NAS-Port = 16392
NAS-Port-Type = Async
Framed-Protocol = PPP
Service-Type = Framed-User
rlm_sql: Reserving sql socket id: 4
rlm_sql: Released sql socket id: 4
rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/16392
rlm_ippool: num: 1
rlm_ippool: Allocated ip 196.12.182.92 to client on nas 10.50.2.1,p
- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 06, 2002 6:33 PM
Subject: Re: IPPOOL


 On Mon, 6 May 2002, Ben Casado wrote:

  psss... i thought it worked but
 
  something weird,
 
  Seems that people connect, and disconnect, but the ip's from the people
that
  disconnect do not become available for reuse???
 
  Can you guys check that?
 
  Ben

 Could you please send some debugging output. I would be especially
interested in
 the debug output of the handling of an accounting-stop packet for one of
those
 disconnects.

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf



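Debug output like the excerpt above can be replayed mechanically to look for the two symptoms this page discusses: an address that never returns to the pool, and one address handed to two ports. This is an added example, not code from the thread or from FreeRADIUS; the sample lines are constructed in the format of the rlm_ippool messages quoted here, and the finding names are invented for illustration.

```python
import re

# Constructed debug excerpt in the format of the rlm_ippool lines quoted in this
# thread (documentation addresses, made-up ports).
SAMPLE_LOG = """\
rlm_ippool: Allocated ip 192.0.2.10 to client on nas 203.0.113.1,port 16387
rlm_ippool: Allocated ip 192.0.2.11 to client on nas 203.0.113.1,port 16388
rlm_ippool: Deallocated entry for ip/port: 192.0.2.10/16387
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.0.2.10 to client on nas 203.0.113.1,port 16392
rlm_ippool: Allocated ip 192.0.2.11 to client on nas 203.0.113.2,port 4
rlm_ippool: Allocated ip 192.0.2.12 to client on nas 203.0.113.1,port 16392
rlm_ippool: Deallocated entry for ip/port: 192.0.2.99/7
"""

ALLOC_RE = re.compile(
    r"rlm_ippool: Allocated ip (\S+) to client on nas (\S+?),\s*port\s*(\d+)")
FREE_RE = re.compile(r"rlm_ippool: Deallocated entry for ip/port: (\S+)/(\d+)")


def audit_ippool_log(text):
    """Replay allocate/deallocate lines; return (findings, leases still held)."""
    leases = {}    # ip -> (nas, port) that holds it according to the log
    by_port = {}   # (nas, port) -> ip most recently handed to that port
    findings = []
    for line in text.splitlines():
        m = ALLOC_RE.search(line)
        if m:
            ip, holder = m.group(1), (m.group(2), int(m.group(3)))
            # Same address given out while another nas/port still holds it.
            if ip in leases and leases[ip] != holder:
                findings.append(("duplicate-ip", ip, leases[ip], holder))
            # Port received a new address although its old one was never
            # released: the old address stays marked as in use.
            old_ip = by_port.get(holder)
            if old_ip is not None and old_ip != ip:
                findings.append(("no-release-before-realloc", old_ip, holder))
            leases[ip] = holder
            by_port[holder] = ip
            continue
        m = FREE_RE.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            holder = leases.pop(ip, None)
            if holder is None:
                # Allocated before the log started, or released twice.
                findings.append(("release-of-unknown-ip", ip, port))
                continue
            if holder[1] != port:
                findings.append(("release-port-mismatch", ip, holder, port))
            if by_port.get(holder) == ip:
                del by_port[holder]
    return findings, leases


if __name__ == "__main__":
    found, held = audit_ippool_log(SAMPLE_LOG)
    for item in found:
        print(item)
    print("still held:", held)
```

The deallocation message carries only the address and port, so releases are matched on the port number alone.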



IPPOOL

2002-05-06 Thread Ben Casado

We fixed an issue that we had with accounting and the daemon ran ok for a
bit, but then it crashed with a segmentation fault.

The only way that we were able to bring it up was by cleaning all the .db
files but we are sure that this is not the right way to get this fixed.

Any ideas/suggestions


Ben



Re: IPPOOL

2002-05-05 Thread Kostas Kalevras

On Sat, 4 May 2002, Ben Casado wrote:

 also,

 I get this error now.


 Module: Loaded files
 /usr/local/etc/raddb/users[112]: Parse error (check) for entry DEFAULT:
 Unknown attribute Pool-Name
 Errors reading /usr/local/etc/raddb/users

 Ben

You will have to upgrade to the latest cvs if you are using freeradius 0.5.

Now what do I mean with an instance for each nas server:

ippool nas1 {
session-db = manati.db
ip-index =  nas1.db
range-start = 196.12.162.1
range-stop = 196.12.162.127
netmask = 255.255.255.128
cache-size = 150
}

ippool nas2 {
session-db = manati2.db
ip-index = nas2.db
range-start = 196.12.162.128
range-stop = 196.12.162.254
netmask = 255.255.255.128
cache-size = 150
}

I think you get the picture. You assign a different ip range to each nas server
in each module instance.


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf







Re: IPPOOL

2002-05-05 Thread Ben Casado

we downloaded what we thought was the latest prior to making
it..

we did

a) downloaded and installed the cvs application (1.11.2)
b) and executed a download with it!!

any suggestions which file to check to see if we did NOT get the latest!

Ben
- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 05, 2002 5:52 AM
Subject: Re: IPPOOL


 On Sat, 4 May 2002, Ben Casado wrote:

  also,
 
  I get this error now.
 
 
  Module: Loaded files
  /usr/local/etc/raddb/users[112]: Parse error (check) for entry DEFAULT:
  Unknown attribute Pool-Name
  Errors reading /usr/local/etc/raddb/users
 
  Ben

 You will have to upgrade to the latest cvs if you are using freeradius
0.5.

 Now what do I mean with an instance for each nas server:

 ippool nas1 {
 session-db = manati.db
 ip-index =  nas1.db
 range-start = 196.12.162.1
 range-stop = 196.12.162.127
 netmask = 255.255.255.128
 cache-size = 150
 }

 ippool nas2 {
 session-db = manati2.db
 ip-index = nas2.db
 range-start = 196.12.162.128
 range-stop = 196.12.162.254
 netmask = 255.255.255.128
 cache-size = 150
 }

 I think you get the picture. You assign a different ip range to each nas
server
 in each module instance.


 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf







Re: IPPOOL

2002-05-04 Thread Ben Casado

This is what we have done to the radiusd.conf file. With this we only get
addresses from that range, and that is not what we want.

===
ippool {
session-db = manati.db
ip-index =  196.12.162.64
range-start = 196.12.162.65
range-stop = 196.12.162.126
netmask = 255.255.255.224
cache-size = 5000
}

===

we have tried various things but cannot get it to give addresses based on
the nas identifier. what are we doing wrong?

Thanks

Ben

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 03, 2002 7:17 AM
Subject: Re: IPPOOL


 On Thu, 2 May 2002, Ben Casado wrote:

  We are trying to configure our radius to give out the addresses instead
of
  the comm servers. For that we have downloaded the software and compiled
it
  with the rlm_ippool.
 
  Can someone direct us to what we need to do next?
 
 
  Thanks in advance,
 
 
  Ben

 Read the comments in radiusd.conf for the ippool module? They are quite
 descriptive of what you need to do.

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-04 Thread Alan DeKok

Ben Casado [EMAIL PROTECTED] wrote:
 We are trying to configure our radius to give out the addresses instead
 of the comm servers. For that we have downloaded the software and
 compiled it with the rlm_ippool.
 
 Can someone direct us to what we need to do next?

  Run it in debugging mode, and send it test packets.

  The FAQ says how to do this.

  Alan DeKok.




Re: IPPOOL

2002-05-04 Thread Chris Parker

At 09:20 PM 5/2/2002 -0400, Ben Casado wrote:
We are trying to configure our radius to give out the addresses instead of 
the comm servers. For that we have downloaded the software and compiled it 
with the rlm_ippool.

Can someone direct us to what we need to do next?

Configure rlm_ippool according to the examples and documentation provided.
You'll probably have to play with it a while.

And for the record, I'm against the radius server attempting to assign
ip's.  It may work in very small environments, but it does not scale.

-Chris
--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






IPPOOL

2002-05-04 Thread Ben Casado



We have a question about the ippools,

we have this in the radiusd.conf:

ippool {
session-db = "${confdir}/ippool.db"
ip-index = "manati"
range-start = 196.12.162.65
range-stop = 196.12.162.126
netmask = 255.255.255.224
cache-size = 5000
}

ippool pool2 {
session-db = "${confdir}/ippool.db2"
ip-index = "ponce"
range-start = 196.12.176.1
range-stop = 196.12.162.126
netmask = 255.255.255.128
cache-size = 5000
}

--

we get in the radiusd -xx

Module: Loaded IPPOOL
ippool: session-db = "/usr/local/etc/raddb/ippool.db"
ippool: ip-index = "manati"
ippool: range-start = 196.12.162.65 IP address [196.12.162.65]
ippool: range-stop = 196.12.162.126 IP address [196.12.162.126]
ippool: netmask = 255.255.255.224 IP address [255.255.255.224]
ippool: cache-size = 5000
Module: Instantiated ippool (ippool)

=

Regardless of what nas server we use we always get: rlm_ippool: num: 1 and
IPs from top one

rad_recv: Access-Request packet from host 66.108.198.79:4035, id=42, length=47
User-Name = "go42r10"
User-Password = "cj9k\310\353\332\241\201\304"_7\244\373\274"
rlm_ippool: num: 1
rlm_ippool: Allocated ip 196.12.162.122 to client on nas 66.108.198.79,port 0

---

Can you help us?

we have 7 nas servers are expect different addresses but it is not working.

Ben






Re: IPPOOL

2002-05-04 Thread Kostas Kalevras

On Fri, 3 May 2002, Ben Casado wrote:

 This is what we have done to the radiusd.conf file. With this we only get
 addresses from that range, and that is not what we want.

 ===
 ippool {
 session-db = manati.db
 ip-index =  196.12.162.64
 range-start = 196.12.162.65
 range-stop = 196.12.162.126
 netmask = 255.255.255.224
 cache-size = 5000
 }

 ===

 we have tried various things but cannot get it to give addresses based on
 the nas identifier. what are we doing wrong?

 Thanks

 Ben

That's not the idea behind the ip_pool module. The idea is to assign ip's from
the same pool to all the access servers and not maintain separate pools for each
nas. In any case if you want to assign different addresses to each nas you can
create one instance of the ippool module for each nas. Then in your authorize
section make sure you have the files (users file) module before the ip pool
modules. In your users file do something like this:

DEFAULT NAS-IP-Address == 66.108.198.79, Pool-Name := pool1

DEFAULT NAS-IP-Address == 66.108.198.80, Pool-Name := pool2

while your authorize section will look like this:

authorize {
files
pool1
pool2
[...]
}

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf




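The per-NAS layout described in the replies on this page (one ippool instance per NAS, selected through Pool-Name in the users file) has several places where a typo silently breaks allocation, so here is an added checker, not part of the thread or of FreeRADIUS, that audits such a setup. The sample configuration, its documentation-range addresses and the finding names are constructed; the cache-size rule follows the radiusd.conf comment quoted on this page, while treating shared db files as an error and matching Pool-Name against instance names are assumptions drawn from the example instances in the thread.

```python
import ipaddress
import re
from itertools import combinations

# Constructed radiusd.conf and users-file samples (documentation addresses)
# with planted mistakes; pool4 is referenced but never defined.
SAMPLE_CONF = """
ippool pool1 {
    session-db = ${raddbdir}/pool1.db
    ip-index = ${raddbdir}/pool1.idx
    range-start = 192.0.2.1
    range-stop = 192.0.2.127
    cache-size = 127
}
ippool pool2 {
    session-db = ${raddbdir}/pool1.db   # same file as pool1
    ip-index = ${raddbdir}/pool2.idx
    range-start = 192.0.2.100           # overlaps pool1
    range-stop = 192.0.2.254
    cache-size = 5000                   # pool holds 155 addresses
}
ippool pool3 {
    session-db = ${raddbdir}/pool3.db
    ip-index = ${raddbdir}/pool3.idx
    range-start = 198.51.100.200        # start is above stop
    range-stop = 198.51.100.20
    cache-size = 181
}
"""
SAMPLE_USERS = """
DEFAULT NAS-IP-Address == 203.0.113.1, Pool-Name := pool1
DEFAULT NAS-IP-Address == 203.0.113.2, Pool-Name := pool4
"""

BLOCK_RE = re.compile(
    r"^[ \t]*ippool(?:[ \t]+([\w.-]+))?[ \t]*\{[ \t]*$(.*?)^[ \t]*\}[ \t]*$", re.S | re.M)

def parse_pools(conf_text):
    """Return {instance name: {setting: value}} for every ippool block."""
    pools = {}
    for name, body in BLOCK_RE.findall(conf_text):
        cfg = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                cfg[key.strip()] = value.strip().strip('"')
        pools[name or "ippool"] = cfg  # an unnamed block is instance "ippool"
    return pools

def audit(conf_text, users_text=""):
    """Return sorted (check, subject) findings; malformed addresses raise."""
    pools, findings, ranges = parse_pools(conf_text), set(), {}
    for name, cfg in pools.items():
        start = int(ipaddress.IPv4Address(cfg["range-start"]))
        stop = int(ipaddress.IPv4Address(cfg["range-stop"]))
        if start > stop:
            findings.add(("inverted-range", name))
            continue
        ranges[name] = (start, stop)
        # radiusd.conf comment: cache-size should equal the number of addresses
        if cfg.get("cache-size") != str(stop - start + 1):
            findings.add(("cache-size-mismatch", name))
    # Two instances that cover the same address can both hand it out.
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.add(("overlapping-range", a + "+" + b))
    # Assumption: every instance keeps its own session-db and ip-index file.
    for key in ("session-db", "ip-index"):
        owner = {}
        for name in sorted(pools):
            path = pools[name].get(key)
            if path and path in owner:
                findings.add(("shared-" + key, owner[path] + "+" + name))
            owner.setdefault(path, name)
    # Assumption: Pool-Name selects a pool by instance name, as in the thread.
    for ref in re.findall(r'Pool-Name\s*(?::=|==|=)\s*"?([\w.-]+)', users_text):
        if ref not in pools:
            findings.add(("unknown-pool-name", ref))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_USERS))
```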



Re: IPPOOL

2002-05-04 Thread Ben Casado

Ok, but what do you mean by this?

 create one instance of the ippool module for each nas


Ben
- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, May 04, 2002 9:54 AM
Subject: Re: IPPOOL


 On Fri, 3 May 2002, Ben Casado wrote:

  This is what we have done to the radiusd.conf file. With this we only get
  addresses from that range, and that is not what we want.
 
  ===
  ippool {
  session-db = manati.db
  ip-index =  196.12.162.64
  range-start = 196.12.162.65
  range-stop = 196.12.162.126
  netmask = 255.255.255.224
  cache-size = 5000
  }
 
  ===
 
  we have tried various things but cannot get it to give addresses based
on
  the nas identifier. what are we doing wrong?
 
  Thanks
 
  Ben

 That's not the idea behind the ip_pool module. The idea is to assign ip's
from
 the same pool to all the access servers and not maintain separate pools
for each
 nas. In any case if you want to assign different addresses to each nas you
can
 create one instance of the ippool module for each nas. Then in your
authorize
 section make sure you have the files (users file) module before the ip
pool
 modules. In your users file do something like this:

 DEFAULT NAS-IP-Address == 66.108.198.79, Pool-Name := pool1

 DEFAULT NAS-IP-Address == 66.108.198.80, Pool-Name := pool2

 while your authorize section will look like this:

 authorize {
 files
 pool1
 pool2
 [...]
 }

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 10 7721861
 'Go back to the shadow' Gandalf







Re: IPPOOL

2002-05-04 Thread Ben Casado

also,

I get this error now.


Module: Loaded files
/usr/local/etc/raddb/users[112]: Parse error (check) for entry DEFAULT:
Unknown attribute Pool-Name
Errors reading /usr/local/etc/raddb/users

Ben
- Original Message -
From: Ben Casado [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, May 04, 2002 5:17 PM
Subject: Re: IPPOOL


 Ok, but what do you mean by this?

  create one instance of the ippool module for each nas


 Ben
 - Original Message -
 From: Kostas Kalevras [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Saturday, May 04, 2002 9:54 AM
 Subject: Re: IPPOOL


  On Fri, 3 May 2002, Ben Casado wrote:
 
   This is what we have done to the radiusd.conf file. With this we only get
   addresses from that range, and that is not what we want.
  
   ===
   ippool {
   session-db = manati.db
   ip-index =  196.12.162.64
   range-start = 196.12.162.65
   range-stop = 196.12.162.126
   netmask = 255.255.255.224
   cache-size = 5000
   }
  
   ===
  
   we have tried various things but cannot get it to give addresses based
 on
   the nas identifier. what are we doing wrong?
  
   Thanks
  
   Ben
 
  That's not the idea behind the ip_pool module. The idea is to assign
ip's
 from
  the same pool to all the access servers and not maintain separate pools
 for each
  nas. In any case if you want to assign different addresses to each nas
you
 can
  create one instance of the ippool module for each nas. Then in your
 authorize
  section make sure you have the files (users file) module before the ip
 pool
  modules. In your users file do something like this:
 
  DEFAULT NAS-IP-Address == 66.108.198.79, Pool-Name := pool1
 
  DEFAULT NAS-IP-Address == 66.108.198.80, Pool-Name := pool2
 
  while your authorize section will look like this:
 
  authorize {
  files
  pool1
  pool2
  [...]
  }
 
  --
  Kostas Kalevras Network Operations Center
  [EMAIL PROTECTED] National Technical University of Athens, Greece
  Work Phone: +30 10 7721861
  'Go back to the shadow' Gandalf
 
 
 
 

IPPOOL

2002-05-03 Thread Ben Casado



We are trying to configure our radius to give out 
the addresses instead of the comm servers. For that we have downloaded the 
software and compiled it with the rlm_ippool.

Can someone direct us to what we need to do 
next?


Thanks in advance,


Ben






Re: IPPOOL

2002-05-03 Thread Kostas Kalevras

On Thu, 2 May 2002, Ben Casado wrote:

 We are trying to configure our radius to give out the addresses instead of
 the comm servers. For that we have downloaded the software and compiled it
 with the rlm_ippool.

 Can someone direct us to what we need to do next?


 Thanks in advance,


 Ben

Read the comments in radiusd.conf for the ippool module? They are quite
descriptive of what you need to do.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

